Flooded by ./wssh process

Ok, I disabled roundcube using this post here because I don't use it. Now the next question is, how do I clean the server? I too had a flood of wssh processes, but I have killed them all. However, I'm sure the files are there on the server... anyone have any more info on this wssh file?

Apache Error Log:

--05:06:01-- (try: 3) http://85.214.32.216/icons/wssh
Connecting to 85.214.32.216:80... --05:06:01-- (try: 3) http://85.214.32.216/icons/wssh
Connecting to 85.214.32.216:80... 200 OK
Length: 3569280 (3.4M) [text/plain]
Saving to: `wssh'

0K .......... .......... .......... .......... .......... 1% 90.3K 38s
50K .......... .......... .......... .......... .......... 2% 359K 23s
100K .......... .......... .......... .......... .......... 4% 364K 18s
150K .......... .......... .......... .......... .......... 5% 11.4M 14s
200K .......... .......... .......... .......... .......... 7% 366K 13s
250K .......... .......... .......... .......... .......... 8% 366K 12s
300K .......... .......... .......... .......... .......... 10% 10.8M 10s
350K .......... .......... .......... .......... .......... 11% 365K 10s
400K .......... .......... .......... .......... .......... 12% 365K 9s
450K .......... .......... .......... .......... .......... 14% 358K 9s
500K .......... .......... .......... .......... .......... 15% 6.15M 8s
550K .......... .......... .......... .......... .......... 17% 374K 8s
600K .......... .......... .......... .......... .......... 18% 366K 8s
650K .......... .......... .......... .......... .......... 20% 6.20M 7s
700K .......... .......... .......... .......... .......... 21% 366K 7s
750K .......... .......... .......... .......... .......... 22% 375K 7s
800K .......... .......... .......... .......... .......... 24% 363K 7s
850K .......... .......... .......... .......... .......... 25% 6.95M 6s
900K .......... .......... .......... .......... .......... 27% 371K 6s
950K .......... .......... .......... .......... .......... 28% 359K 6s
1000K .......... .......... .......... .......... .......... 30% 10.2M 6s
1050K .......... .......... .......... .......... .......... 31% 364K 6s
1100K .......... .......... .......... .......... .......... 32% 360K 6s
1150K .......... .......... .......... .......... .......... 34% 365K 6s
1200K .......... .......... .......... .......... .......... 35% 9.52M 5s
1250K .......... .......... .......... .......... .......... 37% 364K 5s
1300K .......... .......... .......... .......... .......... 38% 366K 5s
1350K .......... .......... .......... .......... .......... 40% 7.73M 5s
1400K .......... .......... .......... .......... .......... 41% 368K 5s
1450K .......... .......... .......... .......... .......... 43% 366K 5s
1500K .......... .......... .......... .......... .......... 44% 365K 5s
1550K .......... .......... .......... .......... .......... 45% 10.8M 4s
1600K .......... .......... .......... .......... .......... 47% 366K 4s
1650K .......... .......... .......... .......... .......... 48% 364K 4s
1700K .......... .......... .......... .......... .......... 50% 9.71M 4s
1750K .......... .......... .......... .......... .......... 51% 366K 4s
1800K .......... .......... .......... .......... .......... 53% 366K 4s
1850K .......... .......... .......... .......... .......... 54% 366K 4s
1900K .......... .......... .......... .......... .......... 55% 8.38M 3s
1950K .......... .......... .......... .......... .......... 57% 366K 3s
2000K .......... .......... .......... .......... .......... 58% 368K 3s
2050K .......... .......... .......... .......... .......... 60% 365K 3s
2100K .......... .......... .......... .......... .......... 61% 6.72M 3s
2150K .......... .......... .......... .......... .......... 63% 373K 3s
2200K .......... .......... .......... .......... .......... 64% 365K 3s
2250K .......... .......... .......... .......... .......... 65% 7.02M 3s
2300K .......... .......... .......... .......... .......... 67% 366K 2s
2350K .......... .......... .......... .......... .......... 68% 373K 2s
2400K .......... .......... .......... .......... .......... 70% 365K 2s
2450K .......... .......... .......... .......... .......... 71% 7.14M 2s
2500K .......... .......... .......... .......... .......... 73% 366K 2s
2550K .......... .......... .......... .......... .......... 74% 370K 2s
2600K .......... .......... .......... .......... .......... 76% 365K 2s
2650K .......... .......... .......... .......... .......... 77% 8.19M 2s
2700K .......... .......... .......... .......... .......... 78% 369K 2s
2750K .......... .......... .......... .......... .......... 80% 366K 1s
2800K .......... .......... .......... .......... .......... 81% 6.36M 1s
2850K .......... .......... .......... .......... .......... 83% 366K 1s
2900K .......... .......... .......... .......... .......... 84% 374K 1s
2950K .......... .......... .......... .......... .......... 86% 365K 1s
3000K .......... .......... .......... .......... .......... 87% 6.10M 1s
3050K .......... .......... .......... .......... .......... 88% 367K 1s
3100K .......... .......... .......... .......... .......... 90% 374K 1s
3150K .......... .......... .......... .......... .......... 91% 365K 1s
3200K .......... .......... .......... .......... .......... 93% 6.34M 1s
3250K .......... .......... .......... .......... .......... 94% 366K 0s
3300K .......... .......... .......... .......... .......... 96% 374K 0s
3350K .......... .......... .......... .......... .......... 97% 5.44M 0s
3400K .......... .......... .......... .......... .......... 98% 367K 0s
3450K .......... .......... .......... ..... 100% 271K=7.5s

05:07:11 (465 KB/s) - `wssh' saved [3569280/3569280]

It doesn't say where it got saved. But I see a wssh and wssh.1 in the tmp folder. I deleted them. What else should I do? Any reply (bad or good) would be helpful :)
 
Just check /tmp and /var/tmp for unknown files. Make sure you use -a with ls, like ls -a, or (as I like it) ls -la. Look for "..." or ",." or even a space.
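The check described in the post above, written out as an added POSIX sh example (this is not the poster's script). The function names find_suspicious_names and find_executables are my own; the name patterns are the ones the post mentions (dot-only names, names starting with "," and names containing a space), plus a listing of anything executable under a scratch directory, since /tmp and /var/tmp normally hold no executables at all.

```shell
#!/bin/sh
# Added example: scan a scratch directory for entries attackers use to hide
# drops. Portable POSIX sh; pass the directories to check as arguments.

# find_suspicious_names DIR
# Prints entries of DIR whose names are meant to be overlooked in a plain "ls":
#   - names made of dots only, e.g. "..." (hidden without -a and easy to
#     mistake for "." and ".." even with it)
#   - names starting with "," or ".,"
#   - names containing a space (e.g. " " or "wssh ")
find_suspicious_names() {
    dir=${1%/}
    # three globs so that dotfiles are included while "." and ".." are not
    for f in "$dir"/.[!.]* "$dir"/..?* "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        case $name in
            ...*|,*|.,*|*' '*) printf '%s\n' "$name" ;;
        esac
    done
}

# find_executables DIR
# Prints regular files under DIR with the owner execute bit set. A dropped
# binary like the "wssh" from this thread would show up here even if its
# name looks harmless.
find_executables() {
    find "${1%/}" -type f -perm -u+x 2>/dev/null
}

# Usage: sh scan_tmp.sh /tmp /var/tmp   (nothing runs when no argument is given)
for d in "$@"; do
    echo "== $d"
    find_suspicious_names "$d"
    find_executables "$d"
done
```

Run it as root so that other users' files in the sticky-bit directories are readable, and treat every hit as something to explain, not necessarily something to delete on the spot: a copy of the file is what you will want for working out what it did.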
 
I had the same issue. wssh was planted in /tmp/. Also, there was a PHP script called back.txt.

These files had disappeared after rebooting the machine.

I banned the IP addresses in iptables. Probably should ban an entire range, though...
 
A couple of lines above the dreaded upload in my apache error log there was a log entry like this:

--21:51:24-- http://85.214.32.216/icons/wssh
=> `wssh'
Connecting to 85.214.32.216:80... connected.

So I just blocked IP 85.214.32.216
 
You blocked one of the places where the script was being hosted but chances are that is not the ip of the attacker. That will keep an attacker from downloading from that one place but that is not the only place malicious scripts are hosted.

The best thing is to update roundcube and also run a script to detect processes that should not be running. Mine can stop it before it finishes downloading.
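The poster's own detection script is not on this page, so here is an added example of the core check such a script needs: listing processes whose executable lives under a scratch directory. It is not the poster's code. It is Linux-only (it reads the /proc/PID/exe symlinks); the function name processes_running_from and the PROC_ROOT variable are my own, the latter only so the function can be pointed at a constructed /proc tree for testing.

```shell
#!/bin/sh
# Added example: report processes whose executable resolves inside a given
# directory such as /tmp. Linux-only, relies on /proc/<pid>/exe.
PROC_ROOT=${PROC_ROOT:-/proc}   # overridable so a fake /proc can be used in tests

# processes_running_from DIR
# Prints "PID EXE" for every process whose executable is under DIR.
# A binary unlinked after it started still shows in the symlink target,
# with a " (deleted)" suffix; those are reported too, because a dropper
# that deletes itself is exactly what a file scan of /tmp misses.
processes_running_from() {
    dir=${1%/}
    for p in "$PROC_ROOT"/[0-9]*; do
        [ -d "$p" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case $exe in
            "$dir"/*) printf '%s %s\n' "${p##*/}" "$exe" ;;
        esac
    done
}

# Usage: sh tmp_procs.sh /tmp   (scans the live /proc; nothing runs without an argument)
if [ $# -ge 1 ]; then
    processes_running_from "$1"
fi
```

Only root can read other users' exe links, so run it as root; from cron every minute it gives you the list the post is talking about, and what to do with a hit (kill it, or first capture /proc/PID/cmdline and a copy of the binary for analysis) is your call.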
 
./wssh also

I also had ./wssh running multiple times. I disabled roundcube and I deleted 120 wssh files from /tmp, but I noticed this entry in my /httpd/error_log.

--07:49:27-- http://85.214.64.225/wcube
Connecting to 85.214.64.225:80... --07:49:27-- http://85.214.64.225/wcube
Connecting to 85.214.64.225:80... --07:49:27-- http://85.214.64.225/wcube
Connecting to 85.214.64.225:80... --07:49:27-- http://85.214.64.225/wcube
Connecting to 85.214.64.225:80... --07:49:27-- http://85.214.64.225/wcube
Connecting to 85.214.64.225:80... --07:49:27-- http://85.214.64.225/wcube
Connecting to 85.214.64.225:80... --07:49:27-- http://85.214.64.225/wcube
Connecting to 85.214.64.225:80... --07:49:27-- http://85.214.64.225/wcube
--07:49:27-- http://85.214.64.225/wcube
Connecting to 85.214.64.225:80... Connecting to 85.214.64.225:80... 404 Not Found
07:49:27 ERROR 404: Not Found.

chmod: cannot access `wcube': No such file or directory
404 Not Found
07:49:28 ERROR 404: Not Found.

Could this be part of the roundcube exploit? Or something else?

What else should I do?
 
By disable, did you remove it from your server or rename it?

Also what time was that error, before or after you disabled roundcube?
 
You blocked one of the places where the script was being hosted but chances are that is not the ip of the attacker. That will keep an attacker from downloading from that one place but that is not the only place malicious scripts are hosted.

The best thing is to update roundcube and also run a script to detect processes that should not be running. Mine can stop it before it finishes downloading.

By the way, is your anti-download script open source? Where can I find it?
I am a newbie here.
 
Also, it seems like the exploiter installed AtMail and started spamming from my machine. I suddenly got messages that I've never seen before on my server. (I removed the e-mail address.) I removed AtMail immediately. I don't think it was in my default installation.

Code:
SQL Error = (select SpamEmail from SpamDB_t where Account=?)DB Error: no such table - select SpamEmail from SpamDB_t where Account='xxx@xxx.com' [nativecode=1146 ** Table 'da_atmail.SpamDB_t' doesn't exist]
 
By the way, is your anti download script open source?

I have posted it here before. You can search the forum to find it. I am really just a hack programmer. I would like to clean it up a bit so that it is easier to read and configure before officially releasing it.
 
Or you can just run "./build secure_php" with CustomBuild 1.1.17 or 1.2.11 :)
 
Or you can just run "./build secure_php" with CustomBuild 1.1.17 or 1.2.11 :)

What does this do exactly? What functions does it disable? I'd like to know what is going to be disabled before my customers tell me.
 
Code:
exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source
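A way to verify that a server's php.ini really disables the list above, as an added POSIX sh example (not part of CustomBuild or of any post in this thread). The function name missing_disabled_functions is my own; it assumes the plain `disable_functions = a,b,c` form of the directive, with optional whitespace, and takes the last uncommented occurrence as the effective value.

```shell
#!/bin/sh
# Added example: report which functions from the list above are still
# callable according to a php.ini file.

# The list produced by "./build secure_php" as quoted in the thread.
REQUIRED="exec system passthru readfile shell_exec escapeshellarg escapeshellcmd proc_close proc_open dl popen show_source"

# missing_disabled_functions PHP_INI
# Prints one line per function from REQUIRED that is absent from the
# effective disable_functions directive; prints nothing when all are disabled.
missing_disabled_functions() {
    ini=$1
    # last uncommented "disable_functions = ..." line, key and spaces stripped
    current=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" \
              | tail -n 1 | tr -d ' ')
    for fn in $REQUIRED; do
        case ",$current," in
            *",$fn,"*) ;;                 # already disabled
            *) printf '%s\n' "$fn" ;;     # still enabled
        esac
    done
}

# Usage: sh check_php_ini.sh /usr/local/lib/php.ini   (path is an example)
if [ $# -ge 1 ]; then
    missing_disabled_functions "$1"
fi
```

An empty result means the ini matches the list; remember that a php.ini edited by hand is only half the story, since `php -i | grep disable_functions` shows what the running interpreter actually loaded.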
 