#1
Confirmed User
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Network Security Warning - Important to all.
Hello everyone!
I would like to take a minute to alert everyone who may not already know that there is a lot of activity right now with server exploits. There are A LOT of script kiddies running around hacking servers of those who are unaware of the problem. Please take a moment to check your server. Follow this list please:

Check the contents of the /tmp directory for odd files. Namely hack kits and network scanners and SYN/DDOS attack programs. If it looks like it doesn't belong there, it probably doesn't. If you find a binary file with an odd name in there, do this in SSH:

```
strings filenameHere
```

and it will show you the human readable portions of the file so you can determine what it might be.

Next, in your apache logs, look for entries similar to this. Do this to see them if your logs are in /var/log/httpd:

```
cd /var/log/httpd
cat *log* | grep wget
```

If you see output like this, you may have a problem:

```
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi-bin/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi/awstats.pl \"w;wget\" HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //cgi/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //awstats.pl \"w;wget\" HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:28 -0700] "GET //stats/awstats.pl \"w;wget\" HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:28 -0700] "GET //cgi-bin/stats/awstats.pl \"w;wget\" HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:28 -0700] "GET //cgi/stats/awstats.pl \"w;wget\" HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:45 -0700] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:46 -0700] "GET //cgi-bin/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:46 -0700] "GET //cgi/awstats.pl \"w;wget\" HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:47 -0700] "GET //cgi/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:47 -0700] "GET //awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:48 -0700] "GET //awstats.pl \"w;wget\" HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
```

I highly suggest everyone remove or rename their wget program on their server to something else. As you can see, a lot of hackers try to send wget commands to your server to load up their root kits and other tools.

In addition, you should port scan your servers from ANOTHER computer. Use nmap on another server and scan the ports of your server looking for ports that look abnormal:

```
nmap -p 1-65535 yourServersIPHere
```

These tips are presented due to an increase in port scans hitting my personal honeypot server that I run to watch for new exploits....
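A log scanner for the pattern this post describes, added here as an example and not part of the original post. It parses Apache access-log lines of the shape quoted above (client, vhost, user, timestamp, request, status, bytes, referer, user agent, optionally prefixed with the `filename:` that `grep` adds), flags requests that aim a download-tool name or shell metacharacters at a script path, and groups the hits by client address. The sample lines are constructed with documentation-range addresses rather than the IPs in the post. The distinction worth keeping in mind: a 404 means the probed script was absent, while a 2xx on such a request means the script existed and answered, so that host should be examined first.

```python
import re
import sys
from collections import defaultdict

# One Apache access-log line of the shape quoted in the post:
#   [file:]client vhost user [time] "request" status bytes "referer" "user-agent"
# The optional file: prefix is what grep prepends when run over several logs.
# The request field can contain \" escapes, so it is matched as runs of
# non-quote characters or backslash escapes rather than a plain [^"]*.
LOG_RE = re.compile(
    r'^(?:(?P<file>[^\s:]+):(?=\d{1,3}(?:\.\d{1,3}){3}\s))?'
    r'(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Indicators: a download tool named in the request, or shell metacharacters,
# aimed at a CGI/script path. A normal awstats query (?config=...) has neither.
FETCH_TOOLS = re.compile(r'\b(wget|curl|fetch|lynx)\b', re.IGNORECASE)
SHELL_META = re.compile(r'[;|`$]')
SCRIPT_PATH = re.compile(r'\.(pl|cgi|php|sh)\b', re.IGNORECASE)

# Constructed sample lines modelled on the post's excerpt; the addresses are
# RFC 5737 documentation ranges, not the hosts seen in the thread.
SAMPLE_LOG = r"""192.0.2.10 www.example.com - [04/Jun/2005:04:34:26 -0700] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 www.example.com - [04/Jun/2005:04:34:26 -0700] "GET //cgi-bin/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 www.example.com - [04/Jun/2005:04:34:27 -0700] "GET //awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:192.0.2.20 www.example.com - [12/May/2005:09:42:45 -0700] "GET //cgi-bin/awstats.pl \"w;wget\" HTTP/1.1" 200 1204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.30 www.example.com - [04/Jun/2005:05:00:00 -0700] "GET /cgi-bin/awstats.pl?config=example HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.30 www.example.com - [04/Jun/2005:05:00:01 -0700] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
this line is not in log format and is skipped
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["target"] = parts[1] if len(parts) > 1 else ""  # path portion of the request line
    return rec


def is_suspicious(rec):
    """A script path together with a fetch tool name or shell metacharacter in the request."""
    req = rec["request"]
    return bool(SCRIPT_PATH.search(req)) and bool(FETCH_TOOLS.search(req) or SHELL_META.search(req))


def scan(lines):
    """Group suspicious requests by client: hit count, distinct targets, 2xx answers, first timestamp."""
    report = defaultdict(lambda: {"hits": 0, "targets": set(), "served": 0, "first_seen": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec):
            continue
        entry = report[rec["client"]]
        entry["hits"] += 1
        entry["targets"].add(rec["target"])
        if rec["status"].startswith("2"):
            entry["served"] += 1  # the script existed and answered: triage this host first
        if entry["first_seen"] is None:
            entry["first_seen"] = rec["time"]
    return dict(report)


def main(paths):
    """Scan the given log files, or the embedded constructed sample when none are given."""
    lines = []
    if paths:
        for p in paths:
            with open(p, encoding="utf-8", errors="replace") as fh:
                lines.extend(fh)
    else:
        lines = SAMPLE_LOG.splitlines()
    for client, entry in sorted(scan(lines).items(), key=lambda kv: -kv[1]["hits"]):
        flag = "SERVED" if entry["served"] else "probe"
        print(f"{client:15} {entry['hits']:4} hits {flag:6} first {entry['first_seen']} "
              f"targets {sorted(entry['targets'])}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python3 scan_awstats.py /var/log/httpd/access_log*` on a real box; with no arguments it reports on the constructed sample. The match is deliberately narrow (script path plus tool name or metacharacter) so that ordinary awstats traffic does not appear in the report.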
#2
Confirmed User
Join Date: Aug 2002
Posts: 5,235
bump!!!!!!!!!!!!!!!
#3
So Fucking Banned
Join Date: Apr 2001
Location: N.Y. -Long Island --
Posts: 122,992
#4
Confirmed User
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
:-)
Thanks for the bump sumphatpimp. Going to the show?
#5
Confirmed User
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
LOL! The donkey or whatever it is made me laugh.
#6
Confirmed User
Join Date: Jan 2005
Location: United Kingdom
Posts: 7,990
#7
Confirmed User
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
A question I received:
Is this primarily for awstats? Answer: no, lots and lots of scripts are exploited this way. Some are PHP and some are Perl and others are C.
#8
So Fucking Banned
Join Date: Jan 2005
Location: At My Desk
Posts: 2,904
Heh, I just recommend taking the correct security route and keeping your server patched.
Quite frankly anyone affected by the above exploits deserves it. I just submitted some TGPs and I see 50% of the email confirm links coming from servers still running Apache 1.3.27, which is quite hilarious.... If you haven't checked your server lately, then do so now, or don't come complaining later for help... If your host doesn't patch it, find a real one.
#9
Confirmed User
Join Date: Aug 2002
Location: Sunny Fucking California
Posts: 1,575
Depending on your server config, you may need to do an ls -a in your tmp directories, since most of these guys install their crap in hidden directories.
chmod 700 on wget and on your compilers will usually keep most of these assholes at bay; it prevents remote execution of those scripts but still allows programs like comus the ability to use them.
__________________
“Ours is a world of nuclear giants and ethical infants. We know more about war than we know about peace, more about killing than we know about living. If we continue to develop our technology without wisdom or prudence, our servant may prove to be our executioner.” ― Omar Bradley (1948)