Thread: "w00tw00t.at.ISC.SANS.DFind": is my server hacked, again?

  1. #1
    Join Date
    Aug 2005
    Posts
    264

    "w00tw00t.at.ISC.SANS.DFind": is my server hacked, again?

    A couple of weeks ago I discovered some software in a hidden folder in one of my client's subdirectories. He did not upload it there and had no idea where it came from (I believe him). The software appeared to be related to IRC (one of the files was called 'eggdrop'). I deleted the files and that was the end of it...

    or so I thought...

    Today, while checking the server, I found another hidden folder named '.SOCK'. This folder was inside the /tmp folder. Again, this folder is filled with software that appears to be IRC-related ("psyBNC").

    Like the folder in the client's subdirectory, this folder was also created by user 'Apache'.

    I then checked the httpd access log for that date and time and found several peculiar entries, one of which was: "GET /w00tw00t.at.ISC.SANS.DFind: HTTP/1.1" 400 407 "-" "-"

    Googling for '/w00tw00t.at.ISC.SANS.DFind' I found a few web pages that mention this line in combination with hacking attempts. Unfortunately, there isn't much more info I could find. One site said it could often be accompanied by several searches for phpMyAdmin files, which appears to be exactly what this person was doing, according to the log:

    Code:
    
    163.28.32.100 - - [22/Mar/2006:06:01:09 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 401 2463 "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:11 +0100] "GET /PMA/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:13 +0100] "GET /mysql/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:15 +0100] "GET /admin/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:16 +0100] "GET /db/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:19 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:20 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:22 +0100] "GET /admin/pma/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:24 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:26 +0100] "GET /admin/mysql/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:28 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:30 +0100] "GET /mysqladmin/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:32 +0100] "GET /mysql-admin/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:33 +0100] "GET /main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:35 +0100] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:37 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:39 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:41 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:43 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:45 +0100] "GET /myadmin/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:47 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:50 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:52 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:53 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:55 +0100] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 - "-" "-"
    163.28.32.100 - - [22/Mar/2006:06:01:56 +0100] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 - "-" "-"
    
    Someone appears to be 'guessing' common names for phpMyAdmin folders?! And look at the time indexes: they are all 2 to 4 seconds apart. I'm guessing this was an automated attempt.

    Because I found the software in the /tmp folder, as well as in the client's subdirectory a few weeks ago, it appears these attacks were somehow successful. But how? Does anyone know of any vulnerability in phpMyAdmin? What can I do to keep these as******s out??? Damn!
    Last edited by Aspegic; 03-27-2006 at 11:45 AM.
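Added example, not part of the thread: a small Python script that applies the reasoning in this post to access-log lines, grouping requests per client IP and flagging an IP that either sends the DFind marker request or fires a burst of admin-panel probes (phpMyAdmin-style paths answered 401/403/404) a few seconds apart. The sample lines are constructed in the format of the excerpt above; the 192.0.2.x addresses are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined/common access-log line, as in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Path fragments the thread shows being probed (matched case-insensitively).
ADMIN_PROBES = ("phpmyadmin", "/pma/", "mysql", "/admin/", "/db/", "dbadmin",
                "myadmin", "awstats")
SCANNER_MARKER = "w00tw00t.at.ISC.SANS.DFind"

# Constructed sample: six lines in the format of the thread's excerpt, plus a
# DFind marker request and a normal page view from documentation-range IPs.
SAMPLE_LOG = [
    '163.28.32.100 - - [22/Mar/2006:06:01:09 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 401 2463 "-" "-"',
    '163.28.32.100 - - [22/Mar/2006:06:01:11 +0100] "GET /PMA/main.php HTTP/1.0" 404 - "-" "-"',
    '163.28.32.100 - - [22/Mar/2006:06:01:13 +0100] "GET /mysql/main.php HTTP/1.0" 404 - "-" "-"',
    '163.28.32.100 - - [22/Mar/2006:06:01:15 +0100] "GET /admin/main.php HTTP/1.0" 404 - "-" "-"',
    '163.28.32.100 - - [22/Mar/2006:06:01:16 +0100] "GET /db/main.php HTTP/1.0" 404 - "-" "-"',
    '163.28.32.100 - - [22/Mar/2006:06:01:19 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 - "-" "-"',
    '192.0.2.10 - - [22/Mar/2006:06:05:00 +0100] "GET /w00tw00t.at.ISC.SANS.DFind: HTTP/1.1" 400 407 "-" "-"',
    '192.0.2.20 - - [22/Mar/2006:06:10:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict (ip, ts, path, status, ...) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = d["req"].split(" ")
    d["path"] = parts[1] if len(parts) >= 2 else d["req"]
    d["status"] = int(d["status"])
    return d


def summarize(lines, burst_threshold=5, max_gap_seconds=10):
    """Group requests by client IP and flag scanner-like behaviour.

    An IP is flagged when it sends the DFind marker request, or when it makes at
    least `burst_threshold` consecutive admin-panel probes that all miss (401/403/404)
    with no more than `max_gap_seconds` between them: the "2 to 4 seconds apart" pattern.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        marker = any(SCANNER_MARKER in r["path"] for r in recs)
        probes = [r for r in recs
                  if r["status"] in (401, 403, 404)
                  and any(p in r["path"].lower() for p in ADMIN_PROBES)]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(probes, probes[1:])]
        # Longest run of probes whose inter-arrival gap stays within the limit.
        longest = run = (1 if probes else 0)
        for gap in gaps:
            run = run + 1 if gap <= max_gap_seconds else 1
            longest = max(longest, run)
        report[ip] = {
            "requests": len(recs),
            "admin_probes": len(probes),
            "longest_burst": longest,
            "min_gap": min(gaps) if gaps else None,
            "max_gap": max(gaps) if gaps else None,
            "dfind_marker": marker,
            "scanner": marker or longest >= burst_threshold,
        }
    return report
```

Feed it the real access_log (`summarize(open("/var/log/httpd/access_log"))`) and the per-IP report shows which hosts were scanning and how fast, which is the useful part when deciding what to block or report to the upstream provider.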

  2. #2
    Join Date
    Aug 2005
    Posts
    264
    PS. I also see thousands of entries like this in the httpd error_log from many different IP addresses:

    Code:
    
    [Sun Mar 26 19:04:03 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/PMA/main.php
    [Sun Mar 26 19:04:03 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:04 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/PMA/main.php
    [Sun Mar 26 19:04:04 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:07 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysql/main.php
    [Sun Mar 26 19:04:07 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:08 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysql/main.php
    [Sun Mar 26 19:04:08 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:10 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/main.php
    [Sun Mar 26 19:04:10 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:11 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/main.php
    [Sun Mar 26 19:04:11 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:13 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/db/main.php
    [Sun Mar 26 19:04:13 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:14 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/db/main.php
    [Sun Mar 26 19:04:14 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/dbadmin/main.php
    [Sun Mar 26 19:04:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/dbadmin/main.php
    [Sun Mar 26 19:04:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:20 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/web/phpMyAdmin/main.php
    [Sun Mar 26 19:04:20 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/web/phpMyAdmin/main.php
    [Sun Mar 26 19:04:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/pma/main.php
    [Sun Mar 26 19:04:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/pma/main.php
    [Sun Mar 26 19:04:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:26 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/phpmyadmin/main.php
    [Sun Mar 26 19:04:26 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:27 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/phpmyadmin/main.php
    [Sun Mar 26 19:04:27 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:29 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/mysql/main.php
    [Sun Mar 26 19:04:29 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:30 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/mysql/main.php
    [Sun Mar 26 19:04:30 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:32 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpmyadmin2/main.php
    [Sun Mar 26 19:04:32 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:36 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysqladmin/main.php
    [Sun Mar 26 19:04:36 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:36 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpmyadmin2/main.php
    [Sun Mar 26 19:04:36 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:39 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysql-admin/main.php
    [Sun Mar 26 19:04:39 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:39 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysqladmin/main.php
    [Sun Mar 26 19:04:39 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:42 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/main.php
    [Sun Mar 26 19:04:42 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:43 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysql-admin/main.php
    [Sun Mar 26 19:04:43 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:46 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.6/main.php
    [Sun Mar 26 19:04:46 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:46 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/main.php
    [Sun Mar 26 19:04:46 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:49 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.4/main.php
    [Sun Mar 26 19:04:49 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:49 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.6/main.php
    [Sun Mar 26 19:04:49 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:52 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.1/main.php
    [Sun Mar 26 19:04:52 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:52 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.4/main.php
    [Sun Mar 26 19:04:52 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:55 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.2.3/main.php
    [Sun Mar 26 19:04:55 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:56 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.1/main.php
    [Sun Mar 26 19:04:56 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:59 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.2.6/main.php
    [Sun Mar 26 19:04:59 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:04:59 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.2.3/main.php
    [Sun Mar 26 19:04:59 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:02 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/myadmin/main.php
    [Sun Mar 26 19:05:02 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:02 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.2.6/main.php
    [Sun Mar 26 19:05:02 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:05 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.0/main.php
    [Sun Mar 26 19:05:05 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:05 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/myadmin/main.php
    [Sun Mar 26 19:05:05 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:08 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.0-pl1/main.php
    [Sun Mar 26 19:05:08 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:09 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.0/main.php
    [Sun Mar 26 19:05:09 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:12 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3-pl1/main.php
    [Sun Mar 26 19:05:12 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:12 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.0-pl1/main.php
    [Sun Mar 26 19:05:12 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:14 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3/main.php
    [Sun Mar 26 19:05:14 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:15 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3-pl1/main.php
    [Sun Mar 26 19:05:15 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3-rc1/main.php
    [Sun Mar 26 19:05:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:18 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3/main.php
    [Sun Mar 26 19:05:18 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.2-rc1/main.php
    [Sun Mar 26 19:05:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3-rc1/main.php
    [Sun Mar 26 19:05:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    [Sun Mar 26 19:05:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.2-rc1/main.php
    [Sun Mar 26 19:05:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
    
    Looking back in my logs, this all started several weeks ago. I'm pretty sure they're looking for vulnerabilities in certain versions of phpMyAdmin, but I also saw several searching for AWStats:

    Code:
    
    [Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] script not found or unable to stat: /var/www/cgi-bin/awstats.pl
    [Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] Options ExecCGI is off in this directory: /var/www/html/awstats.pl
    [Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/403.shtml
    [Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats.pl
    [Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi-bin/awstats.pl
    [Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/awstats/awstats.pl
    [Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats.pl
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] script not found or unable to stat: /var/www/cgi-bin/awstats
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/awstats/awstats.pl
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats/awstats.pl
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi-bin/awstats/awstats.pl
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi/awstats/awstats.pl
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats/awstats.pl
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi/awstats/awstats.pl
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi/awstats/awstats.pl
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scripts/awstats.pl
    [Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi/awstats/awstats.pl
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] script not found or unable to stat: /var/www/cgi-bin/awstats
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scripts/awstats.pl
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats/awstats.pl
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi-bin/awstats/awstats.pl
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] script not found or unable to stat: /var/www/cgi-bin/stats
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats/awstats.pl
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/stats/awstats.pl
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi-bin/stats/awstats.pl
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/stats/awstats.pl
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/stats/awstats.pl
    [Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
    
    And also: Coppermine, WordPress, xmlrpc, PHP groupware, etc.
    (I hate hackers!)

  3. #3
    Join Date
    Aug 2003
    Location
    Schenectady, NY
    Posts
    1,178
    Yep, that server definitely has issues.

    If you need assistance clearing it out, I or any other seasoned DA user/administrator can help you out; most of us charge an hourly rate, however.

    Start by looking for commonly hacked scripts like awstats, phpBB, old versions of nuke and postnuke, etc. They'll be in that client's domain. One of those was likely exploited.

    Now the real question is: did your entire server get compromised? No way to give you an answer on that without a look-see.

    Joe
    Joseph Mack http://www.hostpc.com Since November 1998
    DirectAdmin Hosting and Dedicated Servers Since August 2003

  4. #4
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,122
    My philosophy has always been that if you're not sure, you rebuild from bare metal.

    However, that's not going to help if you've got a hole the hacker is getting in through.

    The most important step you can take is making a separate /tmp partition, non-executable.

    Search these forums for more information.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103
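Added example, not from the thread: a Python check for the advice above, reading /proc/mounts-style text and reporting whether /tmp is its own mount and whether it carries noexec (plus the usual nosuid and nodev). The two mount tables are constructed: one host with /tmp as a plain directory on the root filesystem, one with a separate hardened mount.

```python
# Hardening options a separate /tmp should carry; noexec is what the advice
# above is about, nosuid and nodev are the usual companions.
REQUIRED_OPTS = {"noexec", "nosuid", "nodev"}

# Constructed /proc/mounts excerpts (device mountpoint fstype options dump pass).
WEAK_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
"""
HARDENED_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
"""


def tmp_mount_status(mounts_text):
    """Report whether /tmp is a separate mount and which hardening options it lacks."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/tmp":
            opts = set(fields[3].split(","))
            return {"separate": True, "options": opts,
                    "missing": REQUIRED_OPTS - opts}
    # No dedicated mount: /tmp inherits the root filesystem's options, so
    # anything dropped there by the web server user can be executed.
    return {"separate": False, "options": set(), "missing": set(REQUIRED_OPTS)}


def check_live_system(path="/proc/mounts"):
    """Run the same check against the running host."""
    with open(path) as fh:
        return tmp_mount_status(fh.read())
```

The matching /etc/fstab entry carries the same options in its fourth field (for example `defaults,noexec,nosuid,nodev`); a non-empty `missing` set from `check_live_system()` is the thing to fix.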

  5. #5
    Join Date
    Aug 2003
    Location
    Schenectady, NY
    Posts
    1,178
    Good philosophy, but if you can't determine where or how they got in, you're going to be vulnerable all over again ... so it's best to try first, then reformat if necessary.

  6. #6
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,122
    Joe, I was agreeing with you.

    And if you look at my first sentence, you'll see that you're agreeing with me.

    Jeff

  7. #7
    Join Date
    Aug 2005
    Posts
    264
    Thanks for all the help guys!

    I feel a bit reluctant to do a complete reformat now and install everything all over again. I do not know how they got in, so it is entirely possible that after the reinstall and restoring all user data they simply get access all over again...

    I must first find out how they got access.

    I did a search for "/tmp non-executable" and found a thread that mentioned this link: http://www.fedora-linux.org/content/view/26/33/
    There is some really useful info in there! As per his suggestion, I stopped the Apache service and ran: ps aux
    It turned out that there was indeed one process still running with the Apache username, called /usr/sbin/atd.

    I don't know anything about the at daemon; if I'm not mistaken it has something to do with scheduling and spooling, but that's about it.

    I have killed the process so it's not running anymore.
    However, is the atd process required for my server? Is it required by DirectAdmin? Is it supposed to be running on a normal DirectAdmin server? Is it supposed to be located in the /usr/sbin folder? Can I just delete it without any adverse side effects? And is there some way I can find out what it was doing??
    Last edited by Aspegic; 03-27-2006 at 11:45 PM.
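Added example, not from the thread: a Python triage helper for the `ps aux` step described above. With httpd stopped, it lists every process still owned by the web-server user, marking anything that is not an httpd binary and anything executing out of /tmp, /var/tmp or /dev/shm. The `ps aux` output is constructed to mirror what the thread describes (httpd, an atd owned by the web user, a binary under /tmp/.SOCK); the PIDs are made up.

```python
import os

# Binaries legitimately owned by the web-server user while the web server runs.
EXPECTED_WEB_BINARIES = ("httpd", "apache2")
# Directories a web-user process should never be executing from.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed `ps aux` output modelled on the situation in this thread.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   1740   572 ?        S    Mar25   0:01 init [3]
root      1234  0.0  0.1   2100   700 ?        Ss   Mar25   0:00 /usr/sbin/sshd
apache    4211  0.0  0.5  12345  2345 ?        S    Mar26   0:00 /usr/sbin/httpd
apache    4890  0.0  0.1   2456   980 ?        Ss   Mar26   0:00 /usr/sbin/atd
apache    5012  0.0  0.3   5678  1800 ?        S    Mar26   0:12 /tmp/.SOCK/psybnc
"""


def parse_ps_aux(text):
    """Parse `ps aux` output into dicts with user, pid and the full command string."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    cmd_idx = lines[0].split().index("COMMAND")
    rows = []
    for line in lines[1:]:
        # Split only up to the COMMAND column so arguments keep their spaces.
        fields = line.split(None, cmd_idx)
        if len(fields) > cmd_idx:
            rows.append({"user": fields[0], "pid": int(fields[1]),
                         "command": fields[cmd_idx]})
    return rows


def suspicious_processes(ps_text, web_user="apache"):
    """Processes owned by the web-server user that are not the web server itself.

    Run with httpd stopped, as in the post above: anything left under that
    account was started by something other than the web server.
    """
    findings = []
    for proc in parse_ps_aux(ps_text):
        if proc["user"] != web_user:
            continue
        exe = proc["command"].split()[0]
        reasons = []
        if os.path.basename(exe) not in EXPECTED_WEB_BINARIES:
            reasons.append("not an httpd binary")
        if exe.startswith(WORLD_WRITABLE_DIRS):
            reasons.append("executes from a world-writable directory")
        if reasons:
            findings.append({**proc, "exe": exe, "reasons": reasons})
    return findings
```

For a flagged binary that carries a system-daemon name, compare it against the package database before deciding anything (`rpm -Vf /usr/sbin/atd` on an RPM-based host reports whether the installed file still matches its package).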
