Re: Weird message in my apache error log

To: debian-security@lists.debian.org
Subject: Re: Weird message in my apache error log
From: Brian Brazil <bbrazil@netsoc.tcd.ie>
Date: Tue, 31 Jan 2006 22:53:04 +0000
Message-id: <[🔎] 20060131225304.GB15992@netsoc.tcd.ie>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 3537.192.168.0.97.1138745985.squirrel@montblanc.homeip.net>
References: <[🔎] 3537.192.168.0.97.1138745985.squirrel@montblanc.homeip.net>

On Tue, Jan 31, 2006 at 11:19:45PM +0100, Josep Serrano wrote:
> Hello all. I got some weird entries in my apache error log.
> Any clues about what/where/how ?
> 
> sh: -c: line 22: unexpected EOF while looking for matching ``'
> sh: -c: line 24: syntax error: unexpected end of file
> 
> sh: -c: line 0: unexpected EOF while looking for matching `"'
> sh: -c: line 1: syntax error: unexpected end of file

Looks like someone is trying to do arbritary commmand execution. You
probably have a script somewhere that says `command $_GET['var']`, and
someone is passing ';attack' as var, but it isn't quite working.

I suggest using the audit log feature of mod_security, or just grepping
through your access logs for anything odd ('wget' is a good search
term).

You might have a bot on the system, check for any odd network
connections, especially to port 6667 (IRC). Also look for www-data owned
files in /tmp.

Brian

-- 
Website: http://www.netsoc.tcd.ie/~bbrazil

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- RE: Weird message in my apache error log
  - From: "David Johnson" <djohnson@jsatech.com>

References:
- Weird message in my apache error log
  - From: "Josep Serrano" <mylists@montblanc.homeip.net>

Prev by Date: Weird message in my apache error log
Next by Date: RE: Weird message in my apache error log
Previous by thread: Weird message in my apache error log
Next by thread: RE: Weird message in my apache error log
Index(es):
- Date
- Thread