Network Security Warning - Important to all.
Hello everyone!
I would like to take a minute to alert everyone who may not already know that there is a lot of activity right now with server exploits. There are A LOT of script kiddies running around hacking servers of those who are unaware of the problem. Please take a moment to check your server. Follow this list please:

1. Check the contents of the /tmp directory for odd files, namely hack kits, network scanners and SYN/DDOS attack programs. If it looks like it doesn't belong there, it probably doesn't. If you find a binary file with an odd name in there, do this in SSH:

strings filenameHere

and it will show you the human readable portions of the file so you can determine what it might be.

2. Next, in your apache logs, look for entries similar to this. Do this to see them if your logs are in /var/log/httpd...

cd /var/log/httpd
cat *log* | grep wget

If you see output like this, you may have a problem:

access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi-bin/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi/awstats.pl \"w;wget\" HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //cgi/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //awstats.pl \"w;wget\" HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:28 -0700] "GET //stats/awstats.pl \"w;wget\" HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:28 -0700] "GET //cgi-bin/stats/awstats.pl \"w;wget\" HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.1:202.125.40.149 yourservername - [04/Jun/2005:04:34:28 -0700] "GET //cgi/stats/awstats.pl \"w;wget\" HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:45 -0700] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:46 -0700] "GET //cgi-bin/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:46 -0700] "GET //cgi/awstats.pl \"w;wget\" HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:47 -0700] "GET //cgi/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:47 -0700] "GET //awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:48 -0700] "GET //awstats.pl \"w;wget\" HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

I highly suggest everyone remove or rename their wget program on their server to something else. As you can see, a lot of hackers try to send wget commands to your server to load up their root kits and other tools.

3. In addition, you should port scan your servers from ANOTHER computer. Use nmap on another server and scan the ports of your server looking for ports that look abnormal.

nmap -p 1-65535 yourServersIPHere

These tips are presented due to an increase in port scans hitting my personal honeypot server that I run to watch for new exploits....
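The log check above, as an added example that is not part of the original post: a small Python filter that parses access_log lines (with or without the `access_log.N:` prefix that grep adds), flags the `wget` / `awstats.pl ... ;` probe pattern shown in the thread, and counts probes per source IP. The sample lines are constructed from the thread's excerpt plus one benign request.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's access_log excerpt; the last line
# is a benign request added so the filter has something to ignore.
SAMPLE_LOG = r'''
202.125.40.149 yourservername - [04/Jun/2005:04:34:26 -0700] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
202.125.40.149 yourservername - [04/Jun/2005:04:34:27 -0700] "GET //awstats.pl \"w;wget\" HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
access_log.4:210.51.190.189 yourservername - [12/May/2005:09:42:45 -0700] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.5 yourservername - [04/Jun/2005:05:00:00 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
'''

# Combined Log Format with an optional "filename:" prefix from grep. The request
# field may hold backslash-escaped quotes, which the awstats probes above do.
# Caveat: the optional prefix can misread a colon-bearing IPv6 source address.
LOG_RE = re.compile(
    r'^(?:[\w.]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:\\.|[^"\\])*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Same thing the thread's `grep wget` catches, plus any awstats.pl request that
# carries a ';' shell separator even if a tool other than wget follows it.
SUSPECT_RE = re.compile(r'wget|awstats\.pl.*;', re.I)


def parse_line(line):
    """Return the fields of one access_log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(text):
    """Return {source_ip: count} for requests matching the probe pattern."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and SUSPECT_RE.search(rec["request"]):
            hits[rec["ip"]] += 1
    return dict(hits)


def report(text):
    """One line per source IP, busiest first, for pasting into a ticket."""
    hits = find_probes(text)
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{ip}: {n} probe(s)" for ip, n in ordered]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

To run it against a real server, read /var/log/httpd/access_log* into `text` instead of `SAMPLE_LOG`.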
bump!!!!!!!!!!!!!!!
:-)
Thanks for the bump sumphatpimp. Going to the show?
LOL! The donkey or whatever it is made me laugh.
A question I received: Is this primarily for awstats?
Answer: No, lots and lots of scripts are exploited this way. Some are php and some are perl and others are C.
Heh, I just recommend taking the correct security route and keeping your server patched.
Quite frankly anyone affected by the above exploits deserves it. I just submitted some TGPs and I see 50% of the email confirm links coming from servers still running apache 1.3.27, which is quite hilarious.... If you haven't checked your server lately, then do so now, or don't come complaining later for help... If your host doesn't patch it, find a real one.
Depending on your server config, you may need to do an ls -a in your tmp directories since most of these guys install their crap in hidden directories.
chmod 700 on wget and on your compilers will usually keep most of these assholes at bay; it prevents remote execution of those scripts but still allows programs like comus the ability to use them.