"w00tw00t.at.ISC.SANS.DFind": is my server hacked, again?

Aspegic (Verified User, joined Aug 4, 2005, 283 messages)
A couple of weeks ago I discovered some software in a hidden folder in one of my client's subdirectories. He did not upload it there and had no idea where it came from (I believe him). The software appeared to be related to IRC (one of the files was called 'eggdrop'). I deleted the files and that was the end of it...

or so I thought...

Today, while checking the server, I found another hidden folder named '.SOCK'. This folder was inside the /tmp folder. Again this folder is filled with software that appears to be IRC related ("psyBNC").

Like the folder in the client's subdirectory, this folder also was created by user 'Apache'.

I then checked the httpd access log for that date and time and found several peculiar entries, one of which was: "GET /w00tw00t.at.ISC.SANS.DFind: HTTP/1.1" 400 407 "-" "-"

Googling for '/w00tw00t.at.ISC.SANS.DFind' I found a few webpages that mention this line in combination with hacking attempts. Unfortunately there isn't much more info I could find. One site said it could often be accompanied by several searches for phpMyAdmin files, which appears to be exactly what this person was doing, according to the log:

Code:
163.28.32.100 - - [22/Mar/2006:06:01:09 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 401 2463 "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:11 +0100] "GET /PMA/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:13 +0100] "GET /mysql/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:15 +0100] "GET /admin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:16 +0100] "GET /db/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:19 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:20 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:22 +0100] "GET /admin/pma/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:24 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:26 +0100] "GET /admin/mysql/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:28 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:30 +0100] "GET /mysqladmin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:32 +0100] "GET /mysql-admin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:33 +0100] "GET /main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:35 +0100] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:37 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:39 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:41 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:43 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:45 +0100] "GET /myadmin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:47 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:50 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:52 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:53 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:55 +0100] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:56 +0100] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 - "-" "-"

Someone appears to be 'guessing' common names for phpMyAdmin folders?! And look at the time indexes, they are all 2 to 4 seconds apart. I'm guessing this was an automated attempt.

Because I found the software in the /tmp folder, as well as in the client's subdirectory a few weeks ago, it appears these attacks were somehow successful. But how? Does anyone know of any vulnerability in phpMyAdmin? What can I do to keep these as******s out??? Damn!
PS. I also see thousands of entries like this in the httpd error_log from many different IP addresses:

Code:
[Sun Mar 26 19:04:03 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/PMA/main.php
[Sun Mar 26 19:04:03 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:04 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/PMA/main.php
[Sun Mar 26 19:04:04 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:07 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysql/main.php
[Sun Mar 26 19:04:07 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:08 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysql/main.php
[Sun Mar 26 19:04:08 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:10 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/main.php
[Sun Mar 26 19:04:10 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:11 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/main.php
[Sun Mar 26 19:04:11 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:13 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/db/main.php
[Sun Mar 26 19:04:13 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:14 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/db/main.php
[Sun Mar 26 19:04:14 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/dbadmin/main.php
[Sun Mar 26 19:04:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/dbadmin/main.php
[Sun Mar 26 19:04:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:20 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/web/phpMyAdmin/main.php
[Sun Mar 26 19:04:20 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/web/phpMyAdmin/main.php
[Sun Mar 26 19:04:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/pma/main.php
[Sun Mar 26 19:04:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/pma/main.php
[Sun Mar 26 19:04:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:26 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/phpmyadmin/main.php
[Sun Mar 26 19:04:26 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:27 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/phpmyadmin/main.php
[Sun Mar 26 19:04:27 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:29 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/mysql/main.php
[Sun Mar 26 19:04:29 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:30 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/admin/mysql/main.php
[Sun Mar 26 19:04:30 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:32 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpmyadmin2/main.php
[Sun Mar 26 19:04:32 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:36 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysqladmin/main.php
[Sun Mar 26 19:04:36 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:36 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpmyadmin2/main.php
[Sun Mar 26 19:04:36 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:39 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysql-admin/main.php
[Sun Mar 26 19:04:39 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:39 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysqladmin/main.php
[Sun Mar 26 19:04:39 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:42 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/main.php
[Sun Mar 26 19:04:42 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:43 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/mysql-admin/main.php
[Sun Mar 26 19:04:43 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:46 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.6/main.php
[Sun Mar 26 19:04:46 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:46 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/main.php
[Sun Mar 26 19:04:46 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:49 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.4/main.php
[Sun Mar 26 19:04:49 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:49 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.6/main.php
[Sun Mar 26 19:04:49 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:52 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.1/main.php
[Sun Mar 26 19:04:52 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:52 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.4/main.php
[Sun Mar 26 19:04:52 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:55 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.2.3/main.php
[Sun Mar 26 19:04:55 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:56 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.5.1/main.php
[Sun Mar 26 19:04:56 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:59 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.2.6/main.php
[Sun Mar 26 19:04:59 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:04:59 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.2.3/main.php
[Sun Mar 26 19:04:59 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:02 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/myadmin/main.php
[Sun Mar 26 19:05:02 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:02 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.2.6/main.php
[Sun Mar 26 19:05:02 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:05 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.0/main.php
[Sun Mar 26 19:05:05 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:05 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/myadmin/main.php
[Sun Mar 26 19:05:05 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:08 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.0-pl1/main.php
[Sun Mar 26 19:05:08 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:09 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.0/main.php
[Sun Mar 26 19:05:09 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:12 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3-pl1/main.php
[Sun Mar 26 19:05:12 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:12 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.0-pl1/main.php
[Sun Mar 26 19:05:12 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:14 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3/main.php
[Sun Mar 26 19:05:14 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:15 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3-pl1/main.php
[Sun Mar 26 19:05:15 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3-rc1/main.php
[Sun Mar 26 19:05:17 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:18 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3/main.php
[Sun Mar 26 19:05:18 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.2-rc1/main.php
[Sun Mar 26 19:05:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.3-rc1/main.php
[Sun Mar 26 19:05:21 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml
[Sun Mar 26 19:05:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/phpMyAdmin-2.6.2-rc1/main.php
[Sun Mar 26 19:05:24 2006] [error] [client 24.26.20.41] File does not exist: /var/www/html/404.shtml

Looking back in my logs this all started several weeks ago. I'm pretty sure they're looking for vulnerabilities in certain versions of phpMyAdmin, but I also saw several searching for AWStats:

Code:
[Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] script not found or unable to stat: /var/www/cgi-bin/awstats.pl
[Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] Options ExecCGI is off in this directory: /var/www/html/awstats.pl
[Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/403.shtml
[Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats.pl
[Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi-bin/awstats.pl
[Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/awstats/awstats.pl
[Mon Mar 27 00:43:57 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats.pl
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] script not found or unable to stat: /var/www/cgi-bin/awstats
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/awstats/awstats.pl
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats/awstats.pl
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi-bin/awstats/awstats.pl
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi/awstats/awstats.pl
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats/awstats.pl
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi/awstats/awstats.pl
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi/awstats/awstats.pl
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scripts/awstats.pl
[Mon Mar 27 00:43:58 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi/awstats/awstats.pl
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] script not found or unable to stat: /var/www/cgi-bin/awstats
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scripts/awstats.pl
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats/awstats.pl
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi-bin/awstats/awstats.pl
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] script not found or unable to stat: /var/www/cgi-bin/stats
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/awstats/awstats.pl
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/stats/awstats.pl
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/cgi-bin/stats/awstats.pl
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/stats/awstats.pl
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/scgi-bin/stats/awstats.pl
[Mon Mar 27 00:43:59 2006] [error] [client 85.10.193.134] File does not exist: /var/www/html/404.shtml

And also: Coppermine, WordPress, xmlrpc, PHP groupware, etc.
(I hate hackers!)
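The access_log pattern described in this post (one client walking a list of phpMyAdmin paths a few seconds apart, answered 4xx, with the w00tw00t marker request) can be picked out automatically. The script below is an added example, not code from the original post or from DirectAdmin; the sample log lines are constructed with documentation IPs, the thresholds (min_probes, max_gap) are assumptions, and APP_HINTS only names the applications this thread mentions.

```python
"""Flag automated web-app scanners in an Apache access_log (added example, not code
from the original post or from DirectAdmin). Looks for one client walking candidate
phpMyAdmin/AWStats paths that all answer 4xx a few seconds apart, sometimes after
a /w00tw00t.at.ISC.SANS.DFind: request."""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Apache common/combined format: host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCANNER_MARKER = "/w00tw00t.at.ISC.SANS.DFind:"
APP_HINTS = {  # path fragments that tell which application a probe list is hunting for
    "phpMyAdmin": re.compile(r"(?i)phpmyadmin|/pma/|mysql|dbadmin|myadmin"),
    "AWStats": re.compile(r"(?i)awstats"),
    "xmlrpc": re.compile(r"(?i)xmlrpc"),
}
# Constructed sample (documentation IPs, not the thread's): one scanner, one normal visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Mar/2006:06:01:05 +0100] "GET /w00tw00t.at.ISC.SANS.DFind: HTTP/1.1" 400 407 "-" "-"
192.0.2.10 - - [22/Mar/2006:06:01:09 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 401 2463 "-" "-"
192.0.2.10 - - [22/Mar/2006:06:01:11 +0100] "GET /PMA/main.php HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [22/Mar/2006:06:01:13 +0100] "GET /mysql/main.php HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [22/Mar/2006:06:01:15 +0100] "GET /admin/main.php HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [22/Mar/2006:06:01:19 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 - "-" "-"
198.51.100.7 - - [22/Mar/2006:06:02:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Mar/2006:06:02:03 +0100] "GET /missing.gif HTTP/1.1" 404 - "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_scanners(lines, min_probes=5, max_gap=10):
    """Return {ip: summary} for clients that look like an automated probe list: a probe is
    any request answered 4xx, and steady_cadence means probes never sit > max_gap s apart."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        probes = [r for r in recs if 400 <= r["status"] < 500]
        marker = any(r["path"].startswith(SCANNER_MARKER) for r in recs)
        if not marker and len(probes) < min_probes:
            continue  # a few stray 404s from a real visitor are not a scan
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(probes, probes[1:])]
        paths = {r["path"] for r in probes}
        hits[ip] = {
            "probes": len(probes),
            "distinct_paths": len(paths),
            "marker": marker,
            "steady_cadence": bool(gaps) and max(gaps) <= max_gap,
            "targets": sorted(a for a, rx in APP_HINTS.items() if any(rx.search(p) for p in paths)),
        }
    return hits

if __name__ == "__main__":
    # Pass an access_log path to scan it; with no argument the constructed sample is used.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, summary in find_scanners(lines).items():
        print(ip, summary)
```

A flagged IP with a steady cadence and a phpMyAdmin target list is a scan, not proof of compromise; the error_log excerpts in this thread show the same probes all answered "File does not exist", so the entry point has to be found elsewhere.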
 
Yep, that server definitely has issues.

If you need assistance clearing it out, I or any other seasoned DA user/administrator can help you out - most of us charge an hourly rate however.

Start by looking for commonly hacked scripts like awstats, phpBB, old versions of nuke and postnuke, etc. They'll be in that client's domain. One of those was likely exploited.

Now the real question is - did your entire server get compromised? No way to give you an answer on that without a look-see.

Joe
 
My philosophy has always been that if you're not sure, you rebuild from bare metal.

However that's not going to help if you've got a hole the hacker is getting in through.

The most important step you can take is making a separate /tmp partition, non executable.

Search these forums for more information.

Jeff
 
Good philosophy, but if you can't determine where or how they got in, you're going to be vulnerable all over again ... so it's best to try first, then reformat if necessary
 
Joe, I was agreeing with you.

And if you look at my first sentence, you'll see that you're agreeing with me.

:p

Jeff
 
Thanks for all the help guys!

I feel a bit reluctant to do a complete reformat now and install everything all over again. I do not know how they got in, so it is entirely possible that after the reinstall and restoring all user data they simply get access all over again...

I must first find out how they got access.

I did a search for "/tmp non-executable" and found a thread that mentioned this link: http://www.fedora-linux.org/content/view/26/33/
There is some really useful info in there! As per his suggestion I stopped the apache service and ran: ps aux
It turned out that there was indeed one process still running with the Apache username called /usr/sbin/atd

I don't know anything about the at daemon; if I'm not mistaken it has something to do with scheduling and spooling but that's about it.

I have killed the process so it's not running anymore.
However, is the atd process required for my server? Is it required by DirectAdmin? Is it supposed to be running on a normal DirectAdmin server? Is it supposed to be located in the /usr/sbin folder? Can I just delete it without any adverse side effects? And is there some way I can find out what it was doing??
 