06-06-2005, 05:39 PM
SplitInfinity
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Network Security Warning - Important to all.

Hello everyone!

I would like to take a minute to alert everyone who may not already know
that there is a lot of activity right now with server exploits.


There are A LOT of script kiddies running around hacking servers of those
who are unaware of the problem.

Please take a moment to check your server. Follow this list please:


Check the contents of the /tmp directory for odd files. Namely hack kits and
network scanners and SYN/DDOS attack programs.

If it looks like it doesn't belong there, it probably doesn't.

If you find a binary file with an odd name in there, do this:

strings filenameHere

in SSH, and it will show you the human readable portions of the file
so you can determine what it might be.

Next, in your apache logs, look for entries similar to this:

Do this to see them if your logs are in /var/log/httpd...

cd /var/log/httpd
cat *log* | grep wget

If you see output like this, you may have a problem:

access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi-bin/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi/awstats.pl \"w;wget\" HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //cgi/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //awstats.pl \"w;wget\" HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:28 -0700] "GET //stats/awstats.pl \"w;wget\" HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:28 -0700] "GET //cgi-bin/stats/awstats.pl \"w;wget\" HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:28 -0700] "GET //cgi/stats/awstats.pl \"w;wget\" HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:45 -0700] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:46 -0700] "GET //cgi-bin/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:46 -0700] "GET //cgi/awstats.pl \"w;wget\" HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:47 -0700] "GET //cgi/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:47 -0700] "GET //awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:48 -0700] "GET //awstats.pl \"w;wget\" HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"


I highly suggest everyone remove or rename their wget program on their server to something else. As you can see, a lot of hackers try to send wget commands to your server to load up their root kits and other tools.

In addition, you should port scan your servers from ANOTHER computer...
Use nmap on another server and scan the ports of your server looking for
ports that look abnormal.

nmap -p 1-65535 yourServersIPHere

These tips are presented due to an increase in port scans hitting my personal honeypot server that I run to watch for new exploits....
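As an added example that is not part of the original post, the following Python script applies the post's Apache log check to combined-format lines: it parses each line (including the "filename:" prefix grep adds), flags requests that chain a download tool such as wget onto a CGI parameter with a shell separator, and counts hits per source IP. It goes one step beyond the plain grep by URL-decoding first, so encoded separators like %3B are caught too. The sample lines are constructed, modelled on the output above; 192.0.2.10 is a documentation placeholder address, and the tool and separator lists are this example's own choices.

```python
"""Detect the awstats "w;wget" probe pattern from the post in Apache
combined-format access log lines, and summarise hits per source IP."""
import re
from collections import Counter
from urllib.parse import unquote

# One combined-log line, optionally prefixed with "filename:" as grep
# prints it when searching several rotated logs at once.
LOG_RE = re.compile(
    r'^(?:(?P<file>[^\s:]+):)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# Download tools an injected command would call, and the shell separators
# used to chain them onto an otherwise legitimate parameter value.
TOOL_RE = re.compile(r'\b(wget|curl|fetch|lynx)\b', re.IGNORECASE)
SEPARATOR_RE = re.compile(r'[;|`]|\$\(')

def parse_line(line):
    """Return the fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None

def is_suspicious(request):
    """True if the request carries a download tool chained with a separator.
    URL-decoding first also catches %3B (';') and %7C ('|') encodings."""
    decoded = unquote(request.replace('\\"', '"'))
    return bool(TOOL_RE.search(decoded) and SEPARATOR_RE.search(decoded))

def scan(lines):
    """Count suspicious requests per source IP over all given lines."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec['request']):
            hits[rec['ip']] += 1
    return hits

# Constructed sample: two lines modelled on the post's output, one
# URL-encoded variant, and one ordinary request that must not be flagged.
SAMPLE_LOG = r'''
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //awstats.pl \"w;wget\" HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:45 -0700] "GET /cgi-bin/awstats.pl?x=%3Bwget%20 HTTP/1.1" 404 298 "-" "Mozilla/4.0"
access_log.4:192.0.2.10 yourservername - [12/May/2005:09:43:00 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
'''.strip().splitlines()

if __name__ == '__main__':
    for ip, n in scan(SAMPLE_LOG).most_common():
        print(f'{ip}: {n} suspicious request(s)')
```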