On Friday 23 March 2007 13:40:45 Schnulli wrote:
> Well, we also got infected with this "bastard".
> OK, we're running Mandrake 10.2 (the good old one) but same problems.
>
> How I found it?
> I was looking at what is running on this MDK... uuuuuuhhhhh what's that
> => APACHE -DSSL ??? hmmm with high CPU load.... I was wondering.
> Also I had lately lags in our bandwidth.... a lot of spam mails and a few
> other strange things.
> OK.. time to do something......
> In our case this bastard tells you "I am APACHE -DSSL". WRONG!!!!
> This is a Perl daemon connecting to the IRC network and spreading all
> info about your system, AND!!!! gives them full access to your server.......
> What to do???? Where the heck does it load from?
> Well.... it is an exploit used by hackers to hijack boards, no matter
> if phpBB, Joomla or other.. it's code injection and execution !! Once
> you got infected you are having a problem; we DON'T know at this time a solution to
> kick this lil baby off, not yet.....
> What we did?
> Well... this exploit needs to load external code to execute.... we
> found where and how it starts up, in our case it is the file
> "borek.txt" (search for it by Google etc. and you will find similar
> problems ;) )
> OK... we saw where this bastard tried to load its code... so we
> blocked this IP. This will give us now the time and chance to search
> how it works and maybe find a solution to fix it and close this
> backdoor/bug.
> When you deny/drop/reject access to the IP where the code is placed,
> the daemon can't start up.. simple? Yes, but no solution.....
>
> We'll figure out how and what it is and by chance bring you all (and
> us) a solution to fix it.
>
> cheers from Germany,
> Schnulli
>
> By the way, if someone still has a solution feel free to post it
> here or leave me a note.

Sorry to read that you have been hacked.

Well, it depends on the scenario, of course, but in mine I have the public server with a restricted network policy; I mean, the only outbound connection allowed is the one to the apt-get servers. Any other connection will be refused. So if we were hacked and that -DSSL were running, at least it wouldn't be able to send out any information.

We're also using Babel Enterprise ( http://babel.sf.net ) in order to keep our processes and services under control, so if there's any other process running aside from the ones we already know and allow, it will be reported.

Hope this helps.

All the best.

--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues.
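A check in the spirit of the process monitoring Manuel describes, added here as an example and not code from the thread or from Babel Enterprise: a Perl daemon can rewrite its own argv so that ps shows "APACHE -DSSL", but on Linux /proc/<pid>/exe still resolves to the real binary, so comparing the two exposes the masquerade. The function names, verdict words and script name are my own choices.

```shell
#!/bin/sh
# Added example, not code from the thread or from Babel Enterprise.
# A Perl daemon can rewrite its own argv (via $0) so that ps shows "APACHE -DSSL",
# but on Linux /proc/<pid>/exe still resolves to the real binary (e.g. /usr/bin/perl).
# classify_process compares the two; scan_proc applies it to every live process.

# classify_process CMDLINE EXE
# Prints one verdict word: SUSPICIOUS (claims to be apache/httpd but the binary is
# something else), UNREADABLE (exe link could not be read, e.g. not root), or ok.
classify_process() {
    cmdline=$1
    exe=$2
    argv0=${cmdline%% *}                                 # first word of argv
    argv0=$(printf '%s' "$argv0" | tr 'A-Z' 'a-z')       # case-insensitive match
    case "$argv0" in
        *apache*|*httpd*)
            if [ -z "$exe" ]; then
                echo UNREADABLE
            else
                case "$exe" in
                    */apache*|*/httpd*) echo ok ;;
                    *) echo SUSPICIOUS ;;
                esac
            fi ;;
        *) echo ok ;;                                    # does not claim to be Apache
    esac
    return 0
}

# scan_proc: walk /proc and report every process whose claimed name and real
# executable disagree. Needs root to read the exe links of other users' processes.
scan_proc() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        cmdline=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || continue
        [ -n "$cmdline" ] || continue                    # kernel threads: empty cmdline
        exe=$(readlink "$p/exe" 2>/dev/null) || exe=""
        verdict=$(classify_process "$cmdline" "$exe")
        if [ "$verdict" != ok ]; then
            echo "$verdict pid=$pid exe=${exe:-?} cmdline=$cmdline"
        fi
    done
    return 0
}

# Usage: sh masq_check.sh --scan   (script name is a hypothetical choice)
if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```

A real httpd started with -DSSL is reported as ok because its exe link points at the httpd binary; the bot is flagged because its link points at the interpreter.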