> -----Original Message-----
> From: fedora-list-bounces@xxxxxxxxxx
> [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Levent Duymus
> Sent: Wednesday, July 20, 2005 11:39 AM
> To: For users of Fedora Core releases
> Subject: Re: Strange connection
>
> Also, you should give a much more detailed report about the suspicious
> activity, if it exists.

Conclusion. This is what I've found.

I'm not running awstats, so it's not responsible. As it transpired, phpBB must have been used: phpBB 2.0.8. I "forgot" it was there; it was only used for testing purposes, but someone found it.

Firstly, I noticed that I had a strange connection when I ran "netstat -a -v -p -t". It said that I was connected to 193.110.95.1:ircd, "carouge.ch.eu.undernet.org".

In the httpd access log I found:

172.149.xxx.xxx - r57 [02/Jul/2005:16:05:10 +0200] "POST /phpBB2/r57shell.php HTTP/1.1" 200 11581

This is a backdoor trojan. It is not linked to any file, so it must have been used by the hacker to gain access to my server.

In the httpd error logs I found this:

--21:34:47--  http://www.xxxx.ro/www/gulie.tgz
           => `gulie.tgz'
Resolving www.xxxx.ro... 217.10.xxx.xxx
Connecting to www.xxxxx.ro[217.10.xxx.xxx]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 229,187 [application/x-tar]

    0K .......... .......... .......... .......... ..........  22%  119.67 KB/s
   50K .......... .......... .......... .......... ..........  44%  279.43 KB/s
  100K .......... .......... .......... .......... ..........  67%  358.69 KB/s
  150K .......... .......... .......... .......... ..........  89%  304.26 KB/s
  200K .......... .......... ...                               100%  406.82 KB/s

21:34:48 (233.38 KB/s) - `gulie.tgz' saved [229187/229187]

Warning: bad syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html

This one was responsible for the connection to 193.110.95.1:ircd, "carouge.ch.eu.undernet.org". It was located in /var/tmp.

I also found this in the error logs:

--16:02:53--  http://www.yyyy.us/cycomm.tar.gz
           => `cycomm.tar.gz'
Resolving www.yyyy.us... 69.9.yyy.yy
Connecting to www.yyyy.us[69.9.yyy.yyy]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,179 [application/x-tar]

    0K .......                                                100%   53.66 KB/s

16:02:55 (53.66 KB/s) - `cycomm.tar.gz' saved [8179/8179]

--16:02:55--  http://www.yyyy.us/cycomm.tar.gz
           => `cycomm.tar.gz'
Resolving www.yyyy.us... 69.9.yyy.yy
Connecting to www.yyyy.us[69.9.yyy.yy]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,179 [application/x-tar]

    0K .......                                                100%   49.24 KB/s

16:02:56 (49.24 KB/s) - `cycomm.tar.gz' saved [8179/8179]

bind: Address already in use

--16:03:36--  http://www.yyyy.us/roots.tar
           => `roots.tar'
Resolving www.yyyy.us... 69.9.yyy.yyy
Connecting to www.yyyy.us[69.9.yyy.yyy]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30,720 [application/x-tar]

    0K .......... .......... ..........                       100%   75.51 KB/s

16:03:37 (75.51 KB/s) - `roots.tar' saved [30720/30720]

--16:03:37--  http://www.yyyy.us/roots.tar
           => `roots.tar'
Resolving www.yyyy.us... 69.9.yyy.yyy
Connecting to www.yyyy.us[69.9.yyy.yyy]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30,720 [application/x-tar]

    0K .......... .......... ..........                       100%   68.40 KB/s

16:03:38 (68.40 KB/s) - `roots.tar' saved [30720/30720]

error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
Cant open port
Warning: bad syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key

These last ones have left no trace on the hard disks at all. Anyway, I've backed up the server for now; I think I'll reinstall in the near future, but I need to download the latest Core first.

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
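The three pieces of evidence in the mail above (a POST to a webshell in the access log, wget progress output in the httpd error log, and an outbound connection to an IRC port in netstat) are each cheap to check for mechanically. The script below is an added example, not part of Tomas's mail or of any project's code; the sample log lines, hostnames, addresses and process names in it are constructed to resemble what the mail quotes, and the extra webshell names it looks for beyond r57shell are an assumption about what else is worth matching.

```python
"""Triage helpers for the kind of evidence described in the mail above.

Added example (not from the original post). All sample data below is
CONSTRUCTED: addresses, hostnames and the process name are placeholders.
"""
import re

# Constructed Apache access log (combined format, as in the mail).
ACCESS_LOG = """\
172.149.0.1 - - [02/Jul/2005:16:04:55 +0200] "GET /phpBB2/index.php HTTP/1.1" 200 8123
172.149.0.1 - r57 [02/Jul/2005:16:05:10 +0200] "POST /phpBB2/r57shell.php HTTP/1.1" 200 11581
10.0.0.5 - - [02/Jul/2005:16:06:01 +0200] "GET /phpBB2/viewtopic.php?t=12 HTTP/1.1" 200 9000
"""

# Constructed Apache error log. wget run by a process spawned under httpd
# writes its progress banner to stderr, which Apache captures here.
ERROR_LOG = """\
[Sat Jul 02 16:02:50 2005] [notice] Apache/2.0.54 configured -- resuming normal operations
--16:02:53--  http://www.example.invalid/cycomm.tar.gz
           => `cycomm.tar.gz'
Resolving www.example.invalid... 192.0.2.10
Connecting to www.example.invalid[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,179 [application/x-tar]
16:02:55 (53.66 KB/s) - `cycomm.tar.gz' saved [8179/8179]
bind: Address already in use
error: 'kern.ostype' is an unknown key
"""

# Constructed `netstat -antp` output; the "./gulie" process name is assumed.
NETSTAT = """\
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 192.0.2.50:40123        193.110.95.1:6667       ESTABLISHED 4321/./gulie
tcp        0      0 192.0.2.50:22           198.51.100.7:51022      ESTABLISHED 999/sshd
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# r57 is the shell from the mail; the rest are assumed common webshell names.
SHELL_NAMES = ("r57", "c99", "c100", "webadmin", "shell")


def suspicious_posts(access_log):
    """POST requests to a .php file whose basename looks like a webshell."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        base = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if base.endswith(".php") and any(n in base for n in SHELL_NAMES):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


WGET_START = re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)")
WGET_SAVED = re.compile(r"`(?P<file>[^']+)' saved \[(?P<got>\d+)/(?P<total>\d+)\]")
# Stderr noise from bots/tools that the mail shows ending up in the error log.
NOISE = ("bind: Address already in use", "Cant open port",
         "is an unknown key", "bad syntax, perhaps a bogus '-'")


def downloads_in_error_log(error_log):
    """Return (urls fetched, files saved, tool noise lines).

    Apache never writes a wget banner itself, so any hit means a process
    running under the web server fetched a file."""
    urls, saved, noise = [], [], []
    for line in error_log.splitlines():
        m = WGET_START.match(line)
        if m:
            urls.append(m["url"])
            continue
        m = WGET_SAVED.search(line)
        if m:
            saved.append((m["file"], int(m["got"]), int(m["total"])))
        elif any(n in line for n in NOISE):
            noise.append(line.strip())
    return urls, saved, noise


# 6667 is what /etc/services names "ircd" (the ":ircd" in the mail's netstat).
IRC_PORTS = {6667, 6668, 6669, 7000}


def irc_connections(netstat_out):
    """ESTABLISHED TCP connections whose remote port is an IRC port."""
    hits = []
    for line in netstat_out.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp" or parts[5] != "ESTABLISHED":
            continue
        remote_host, remote_port = parts[4].rsplit(":", 1)
        if int(remote_port) in IRC_PORTS:
            prog = parts[6] if len(parts) > 6 else "?"
            hits.append((remote_host, int(remote_port), prog))
    return hits


if __name__ == "__main__":
    print("webshell POSTs:", suspicious_posts(ACCESS_LOG))
    print("downloads seen in error log:", downloads_in_error_log(ERROR_LOG))
    print("IRC connections:", irc_connections(NETSTAT))
```

Run it against real files with the constants swapped for `open(...).read()`; the error-log check is the most useful of the three, since wget/curl banners in Apache's error log are almost never legitimate and point straight at the request that spawned the download.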