  1. #1

    Complaints of BOTS on my server

    Hello, all!

    I just received two complaints that my server (71.6.197.244) is trying to run exploits on other people's servers.

    I have tried checking my access logs, but am not sure what to look for.
    Is this a process, or is it an exploit through a url or a php form?

    I have attached the e-mail complaints as txt.

    I would appreciate any information on where to start looking to resolve these issues.
    Thank you.

  2. #2
    Those complaints show that the server is trying to hack other servers using what is called Remote File Inclusion, which tries to inject code through PHP. This means your server could very well be rooted. At the very least they have installed a PHP shell and your server is part of a botnet now which is being controlled by some kid probably. This was probably done by the same exploit it is now trying to do to others. If I were you, I would read about Remote File Inclusion so you can understand what it is and how to prevent it on your server(s), as it is a very popular exploit atm.

    You should probably install CHKROOTKIT/rootkit.nl and scan the box and see what it finds. I personally would wipe/reinstall with an updated OS and get the PHP on the server configured to block RFI and PHP shells so you prevent this from occurring again. I would also recommend installing mod_security to help with the prevention of RFI.
    Last edited by ompp; 02-19-2008 at 12:29 PM.
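    The original poster asked what to look for in the access logs. The marker of an RFI attempt is a query-string parameter whose value is itself a remote URL; the same pattern appears in the complaint e-mails (this server as the source) and in this server's own logs (the inbound request that got in). The following scanner is an added example written for this thread, not code from any poster; the log lines it runs on are constructed samples, and the `example.invalid` host and parameter names are placeholders, not addresses from the thread.

```python
"""Flag Remote File Inclusion (RFI) probes in Apache combined-format access logs.

Added example for this thread (not any poster's code). Parses each request
target, and reports any query parameter whose value is a remote URL.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (RFC 5737 test addresses, .invalid hosts);
# the second and third mimic the shape of an RFI probe, the fourth is a
# benign referrer-style parameter that shows the false-positive case.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Feb/2008:12:01:02 +0000] "GET /index.php?option=com_content&id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2008:12:01:09 +0000] "GET /components/com_foo/foo.php?mosConfig_absolute_path=http://example.invalid/test.txt? HTTP/1.1" 200 310 "-" "libwww-perl/5.805"
198.51.100.7 - - [19/Feb/2008:12:01:15 +0000] "GET /index.php?page=http://example.invalid/shell.txt HTTP/1.0" 404 220 "-" "-"
203.0.113.9 - - [19/Feb/2008:12:02:00 +0000] "GET /about.php?ref=https://www.example.invalid/ HTTP/1.1" 200 1000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def _looks_like_payload(url):
    """Heuristic for the classic RFI shape: a trailing '?' (to neutralise a
    suffix the PHP code appends) or a .txt file served as PHP source."""
    if url.endswith("?"):
        return True
    return urlsplit(url).path.lower().endswith(".txt")


def rfi_hits(log_text):
    """Return one dict per request that passes a remote URL in a query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        query = urlsplit(target).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "path": urlsplit(target).path,
                    "param": name,
                    "url": value,
                    # True for the high-confidence shape; False means review by hand.
                    "high_confidence": _looks_like_payload(value),
                })
    return hits


def hits_by_ip(hits):
    """Count flagged requests per client IP, most active first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = rfi_hits(SAMPLE_LOG)
    for h in found:
        flag = "HIGH" if h["high_confidence"] else "low "
        print(f"{flag} {h['ip']} {h['ts']} {h['path']} {h['param']}={h['url']} -> {h['status']}")
    print(hits_by_ip(found).most_common())
```

A 200 on a flagged request is the line to worry about: it means the application accepted the parameter, and the included file is what the poster above calls the PHP shell. The `ref=` line shows why the low-confidence bucket exists; some applications legitimately carry URLs in parameters, so grep for the parameter names the flagged lines reveal rather than for `http://` alone.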

  3. #3
    The file on your server (http://smolen.org/test.txt) is a file that is used for RFI bots on IRC networks; the bot uses test.txt to check whether the server it's exploiting has safe mode on or safe mode off.

    I suggest you get an experienced admin to look at /tmp and /var/tmp.

    You may want to consider turning safe mode on for PHP. Even if hackers get an RFI on your system, they won't be able to write/delete/upload/etc. anything, only read your files, which is still bad. So maybe do what ompp said: install mod_security and get some sort of script to block RFI.

    Joomla can be exploited, and that's how the "hackers", as they like to be called (when they're nothing but script kiddies), got into your system.

    If you do not have any important files, I would suggest you reinstall your OS and then secure it.

  4. #4

    Found something

    In both tmp/ and var/tmp I found these binary files:
    brk2
    kt2k7
    op
    w00t

    The one called "w00t" is probably a script/hack/virus.... I am not sure if the other ones are also bad, or if they are part of the system.

    Any ideas? Is it enough to delete these files?

    Thanks.
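    Before anything in /tmp or /var/tmp is deleted, it is worth recording what was there: owner, mode, timestamps, a hash, and whether the file is a native binary or a script. Those details are what an experienced admin (or a later OS reload decision) needs, and they are gone once the files are removed. The triage walker below is an added example written for this thread, not a tool any poster mentioned; it builds its own constructed sample directory with placeholder file names so it can run anywhere, and on a real system you would point `triage_dir` at `/tmp` and `/var/tmp` instead.

```python
"""Triage listing for temp directories: executable or hidden files with
owner, mode, mtime, SHA-256 and a rough file-type guess.

Added example for this thread (not any poster's code). Read-only: it never
deletes or modifies anything, only records what is present.
"""
import hashlib
import os
import stat
import tempfile
import time

ELF_MAGIC = b"\x7fELF"

# Constructed sample contents (placeholders, not real malware): a fake ELF
# header, a shell script, and a benign non-executable session file.
SAMPLE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61
SAMPLE_SCRIPT = b"#!/bin/sh\necho placeholder\n"
SAMPLE_SESSION = b"user|s:5:\"guest\";\n"


def _kind(path):
    """Classify by magic bytes: 'elf' for native binaries, 'script' for a
    shebang line, otherwise 'other'. Unreadable files are reported, not skipped."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return "unreadable"
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def _sha256(path):
    h = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def triage_dir(directory):
    """Return a list of dicts for files under `directory` that are executable
    by anyone or hidden (dot-prefixed). Symlinks are listed but not followed."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            hidden = name.startswith(".")
            if not (executable or hidden):
                continue
            is_link = stat.S_ISLNK(st.st_mode)
            findings.append({
                "path": path,
                "uid": st.st_uid,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                "size": st.st_size,
                "symlink": is_link,
                "kind": "symlink" if is_link else _kind(path),
                "sha256": None if is_link else _sha256(path),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tmp():
    """Create a constructed temp directory that mimics the thread's situation
    (two executables plus one harmless file) and return its path."""
    base = tempfile.mkdtemp(prefix="triage_sample_")
    for name, data, mode in (
        ("placeholder_bin", SAMPLE_ELF, 0o755),
        ("placeholder_sh", SAMPLE_SCRIPT, 0o755),
        ("sess_placeholder", SAMPLE_SESSION, 0o600),
    ):
        p = os.path.join(base, name)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)
    return base


if __name__ == "__main__":
    for f in triage_dir(build_sample_tmp()):
        print(f"{f['mode']} uid={f['uid']} {f['mtime']} {f['kind']:7} {f['sha256']} {f['path']}")
```

The owner uid is the first thing to check on a real listing: files owned by the web server's user (as an RFI payload would be) tell a different story from files owned by root, which is the "is it rooted" question the thread turns on. Keep the printed listing and copies of the files before deleting anything.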

  5. #5
    You had better delete these files. You should see if your server is rooted. If it is, you would have to do an OS reload.
    Either way you will have to harden your server.

  6. #6
    I agree, get your box offline asap. However backup your data, and scan via remote box.

    Also consider getting a full server hardening and vuln scan from a sysadmin.

  7. #7
    Just today noticed I had an intruder. They created a publicly accessible folder called "smolen.org", and another folder inside of it called "test.txt???". I didn't think much of it, until I googled it and found this.
    Last edited by Chris24; 03-03-2008 at 10:56 PM. Reason: Making Post a bit more private.
