HowtoForge Forums > Linux Forums > Server Operation
#1  9th September 2009, 23:03
Tipem (Junior Member; Join Date: Jun 2008; Posts: 14)

Apache mysteriously downloading malicious files

Here's a message from my Apache error log (/etc/httpd/logs/error_log):

Code:
--13:47:57--  http://www.SITENAMEHERE.org/blog/directory/.blogpt/sobx.txt
Resolving www.SITENAMEHERE.org... 1.1.1.1
Connecting to www.SITENAMEHERE.org|1.1.1.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29720 (29K) [text/plain]
Saving to: `/tmp/bxbov.pl'

I viewed the script downloaded and it's a "shell bot" that allows the user to run shell commands, all under wraps (quietly, without detection). I am very concerned. I have deleted the file. I have noticed that there's been other files in /tmp as well and, as I scroll through the logs, more of these kinds of "auto download requests" are occurring. The downloads are random (at no apparent set time).

Could somebody here give me a list of "security checkpoints" I should go over? How could something like this be called? I have searched my sites and have seemingly secured every script and admin panel. We were hacked 6 months ago due to an insecure script though (which has been patched)... so could something be leftover from that hacking that causes this?

Most importantly -- why would this type of request appear in an APACHE error log? My sites are all PHP, so it's weird to me that this error would be logged here (I have never seen a PHP request/process logged to the Apache error log). So, does it have anything to do with my scripts since it's appearing in an Apache error log? Or something deeper at the server level?

Let me know... soon.
#2  10th September 2009, 18:28
falko (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 41,701)

Did you check the server with chkrootkit and rkhunter?
#3  11th September 2009, 17:04
Tipem (Junior Member; Join Date: Jun 2008; Posts: 14)
Surprisingly, they come up clean.
#4  12th September 2009, 12:17
falko (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 41,701)

Then I guess that you have some vulnerable web applications on your server. Did you install the latest updates?
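Updating the web applications is the real fix, since the fetches start from a script request, but the server can also be configured so that a compromised PHP file cannot spawn wget in the first place. The audit below is an added example, not code from the thread or from ISPConfig: it checks a php.ini for the directives that block command execution and remote includes, and reports each weak or missing one. Both ini files are constructed; the hardened one is a baseline for a box that serves ordinary PHP sites, and the open_basedir path assumes sites under /var/www.

```shell
#!/bin/sh
# Added example (not from the thread): audit a php.ini for the settings that
# keep a compromised PHP script from shelling out to wget/perl. Both ini
# samples are constructed; the hardened one is a reasonable baseline for a
# box that serves ordinary PHP sites.
WORK="${TMPDIR:-/tmp}/phpini.$$"
mkdir -p "$WORK"
cat > "$WORK/weak.ini" <<'EOF'
; a permissive php.ini: scripts may run anything the web user can
disable_functions =
allow_url_fopen = On
allow_url_include = On
expose_php = On
display_errors = On
EOF
cat > "$WORK/hardened.ini" <<'EOF'
; a script needs one of these (or backticks, which is shell_exec) to spawn wget
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
display_errors = Off
open_basedir = /var/www:/tmp
EOF

# ini_value FILE KEY -> value of the first "KEY = value" line, "" if absent
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_php_ini FILE -> one line per weak setting; exit status 0 only if none.
# A missing directive is reported as weak: PHP's compiled-in default is On for
# allow_url_fopen, expose_php and display_errors, and nothing is disabled.
check_php_ini() {
    f="$1"; n=0
    disabled=",$(ini_value "$f" disable_functions | tr -d ' '),"
    for fn in exec passthru shell_exec system proc_open popen; do
        case "$disabled" in
            *,"$fn",*) ;;
            *) echo "disable_functions: $fn is callable"; n=$((n + 1)) ;;
        esac
    done
    for k in allow_url_fopen allow_url_include expose_php display_errors; do
        v=$(ini_value "$f" "$k")
        case "$v" in
            [Oo]ff|0) ;;
            *) echo "$k = ${v:-<unset>} (want Off)"; n=$((n + 1)) ;;
        esac
    done
    [ -n "$(ini_value "$f" open_basedir)" ] || { echo "open_basedir unset"; n=$((n + 1)); }
    [ "$n" -eq 0 ]
}

check_php_ini "$WORK/weak.ini" || echo "weak.ini: not hardened"
check_php_ini "$WORK/hardened.ini" && echo "hardened.ini: ok"
```

Two caveats a practitioner should keep in mind. disable_functions only removes the obvious ways for PHP to start a process; a vulnerable application can still write files, so it narrows the attacker's options rather than closing them. And mounting /tmp noexec does not stop a bot that is started as `perl /tmp/bxbov.pl`, because the interpreter, not the file, is what gets executed; it is still worth doing for binaries, but the script files have to be found and the entry point patched.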
All times are GMT +2.