Air Bud
Internet Superstar
 Some plants even masturbate into their own vaginas in order to reproduce.
Ballkicks: (+918 / -56)
Posts: 6785 (0.959)
Reg. Date: Sep 2001
Location: TEH INTARNET!
Gender: Male
(Originally posted on: 03-21-06 07:15:39 AM)
If you have any questions as to why, please read below:
We have received reports of unauthorized traffic originating from this server. This indicates possible server compromise, and is your responsibility to investigate and resolve. However, should you require help, we are more than happy to assist you in any way we can.
------------------------------------------
(nnewton-03/09/2006 16:50:59):
An initial investigation revealed the following malicious processes running:
25569 www 25 0 2080 2080 240 R 49.5 0.2 617:46 0 perl
25201 www 25 0 452 452 392 R 43.5 0.0 1:52 0 pscan2
16966 www 15 0 748 748 632 S 0.0 0.0 0:00 0 ps
25160 www 16 0 340 340 292 S 0.0 0.0 0:00 0 ovi
25162 www 15 0 356 356 300 S 0.0 0.0 0:00 0 ovi
25163 www 15 0 1104 1104 940 S 0.0 0.1 0:00 0 sh
25200 www 15 0 900 900 792 S 0.0 0.0 0:00 0 wtf
I have kill -STOP'd these processes and also found malicious scripts in the following directories:
/var/tmp
drwxrwxrwt 4 root root 4096 Mar 9 15:12 .
drwxr-xr-x 23 root root 4096 Apr 30 2004 ..
drwxr-xr-x 3 www www 4096 Mar 9 15:09 .. (renamed bad by us)
drwx------ 2 www www 4096 Mar 9 15:12 wtf
/var/tmp/wtf
drwx------ 2 www www 4096 Mar 9 15:12 .
drwxrwxrwt 4 root root 4096 Mar 9 15:12 ..
-rw-r--r-- 1 www www 131072 Mar 9 15:20 67.19.pscan.22
-rwx------ 1 www www 206 Jul 21 2004 auto
-rw------- 1 www www 22354 Dec 1 2004 common
-rwx------ 1 www www 265 Nov 24 2004 gen-pass.sh
-rwx------ 1 www www 92 Apr 6 2005 go.sh
-rw------- 1 www www 26939 Nov 25 19:50 pass_file
-rw------- 1 www www 2270 May 26 2005 pass_filees
-rwx------ 1 www www 21407 Jul 21 2004 pscan2
-rwx------ 1 www www 453972 Jul 12 2004 ss
-rwx------ 1 www www 842424 Sep 6 2004 sshf
-rwx------ 1 www www 842736 Dec 23 12:57 ssh-scan
-rwx------ 1 www www 440 Dec 4 09:09 wtf
/var/tmp/bad
d--------- 3 root root 4096 Mar 9 15:09 .
drwxrwxrwt 4 root root 4096 Mar 9 15:43 ..
-rw-r--r-- 1 root root 233 Mar 6 11:09 1
-rwxr-xr-x 1 root root 25122 Sep 4 2005 ovi
-rwxr-xr-x 1 root root 169692 Mar 9 15:09 pico
-rwx------ 1 root root 612470 Mar 6 11:09 ps
drwxr-xr-x 2 root root 4096 Feb 23 2005 randfiles
-rw-r--r-- 1 root root 1043 May 14 2005 raw.levels
-rw------- 1 root root 6 Mar 9 15:08 raw.pid
-rw-r--r-- 1 root root 2405 Mar 6 11:10 raw.set
-rwxr-xr-x 1 root root 160 Mar 8 2005 shit
We have run chown root.root and chmod 000 on these files.
Please check these directories and secure them. If you need any assistance with this please let us know.
Thank you.
------------------------------------------
(jpoletes-03/10/2006 11:43:40):
Can you provide us with an update with resolution right away? An intruder on your system is attacking other The Planet customers. Thank you for your help.
------------------------------------------
(jbeall-03/13/2006 05:03:00):
Malicious files are still being run from your server:
PROCESSES
16966 www 15 0 116 116 0 T 0.0 0.0 0:00 0 ps
25160 www 15 0 48 48 0 T 0.0 0.0 0:00 0 ovi
25162 www 15 0 56 56 0 T 0.0 0.0 0:00 0 ovi
25163 www 15 0 164 164 0 T 0.0 0.0 0:00 0 sh
25200 www 15 0 108 108 0 T 0.0 0.0 0:00 0 wtf
25201 www 25 0 60 60 0 T 0.0 0.0 3:15 0 pscan2
6813 www 16 0 7660 7544 3220 S 0.0 0.7 0:46 0 httpd
6814 www 16 0 7348 7232 3208 S 0.0 0.7 0:02 0 httpd
6838 www 15 0 7164 7048 3204 S 0.0 0.6 0:01 0 httpd
6939 www 16 0 7404 7288 3204 S 0.0 0.7 0:02 0 httpd
LOCATION
/tmp
/var/tmp/
/var/tmp/bad
/var/tmp/bad/ps
-rw-r--r-- 1 www www 332 Mar 12 11:12 bot.txt
-rwxrwxrwx 1 www www 19626 Mar 11 07:37 httpd
--------------------------------------
(c17114inte-03/13/2006 17:49:15):
I have absolutely no idea what is going on with the server. I don't check this control panel regularly and haven't received any emails regarding this ticket, despite this ticket being opened for the last four days.
------------------------------------------
(rvera-03/13/2006 17:54:09):
It is likely one or more sites on your server are getting exploited. To help prevent these exploits we suggest you install mod_security. We have a great kb page at:
http://support.theplanet.com/knowledgebase/users/kb.php?id=10906
--------------------------------------
(c17114inte-03/13/2006 18:05:28):
As soon as the server is brought back online, I will install mod_security and see what I can do about resecuring the server to avoid further exploits. If this situation arises again, I will just back up my data onto my personal computer and request an OS reload, then just restore my sites' data after the reload.
------------------------------------------
(channa-03/13/2006 20:24:51):
Thanks for keeping us updated. Let us know if you should have any questions.
------------------------------------------
(lcarter-03/14/2006 16:15:53):
/tmp
-rw-r--r-- 1 www www 332 Mar 12 11:12 bot.txt
The following processes were running:
2037 www 16 0 7708 7592 3220 S 15.7 0.7 0:03 0 /home/apache2/bin/httpd -k restart
1820 www 16 0 8172 8056 3220 S 4.9 0.7 0:02 0 /home/apache2/bin/httpd -k restart
16966 www 15 0 116 116 0 T 0.0 0.0 0:00 0 ps x
25160 www 15 0 48 48 0 T 0.0 0.0 0:00 0 bash
25162 www 15 0 56 56 0 T 0.0 0.0 0:00 0 bash
25163 www 15 0 164 164 0 T 0.0 0.0 0:00 0 sh -i
25200 www 15 0 108 108 0 T 0.0 0.0 0:00 0 /bin/bash ./wtf 67.19
25201 www 25 0 60 60 0 T 0.0 0.0 3:15 0 ./pscan2 67.19 22
1817 www 15 0 9568 9452 3224 S 0.0 0.9 0:02 0 /home/apache2/bin/httpd -k restart
1824 www 15 0 7580 7464 3208 S 0.0 0.7 0:03 0 /home/apache2/bin/httpd -k restart
1867 www 15 0 8452 8336 3220 S 0.0 0.8 0:02 0 /home/apache2/bin/httpd -k restart
1976 www 15 0 7260 7144 3204 S 0.0 0.6 0:01 0 /home/apache2/bin/httpd -k restart
2030 www 15 0 4284 4168 2536 S 0.0 0.4 0:00 0 /home/apache2/bin/httpd -k restart
2070 www 15 0 4292 4176 2536 S 0.0 0.4 0:00 0 /home/apache2/bin/httpd -k restart
2072 www 15 0 4292 4176 2536 S 0.0 0.4 0:00 0 /home/apache2/bin/httpd -k restart
2073 www 15 0 4276 4160 2536 S 0.0 0.4 0:00 0 /home/apache2/bin/httpd -k restart
ovi 25160 www cwd DIR 3,3 4096 2 /
ovi 25160 www rtd DIR 3,3 4096 2 /
ovi 25160 www txt REG 3,3 25122 8421536 /var/tmp/bad/ovi
ovi 25160 www mem REG 3,3 1573120 2261131 /lib/tls/libc-2.3.2.so
ovi 25160 www mem REG 3,3 106912 524354 /lib/ld-2.3.2.so
ovi 25160 www 0u CHR 1,3 67053 /dev/null
ovi 25160 www 1u CHR 1,3 67053 /dev/null
ovi 25160 www 2u CHR 1,3 67053 /dev/null
ovi 25160 www 3u IPv4 30610734 TCP *:1144 (LISTEN)
ovi 25160 www 4u IPv4 31733756 TCP *:1987 (LISTEN)
pscan2 25201 www cwd DIR 3,3 4096 7438377 /var/tmp/wtf
pscan2 25201 www rtd DIR 3,3 4096 2 /
pscan2 25201 www txt REG 3,3 21407 7438523 /var/tmp/wtf/pscan2
pscan2 25201 www mem REG 3,3 1573120 2261131 /lib/tls/libc-2.3.2.so
pscan2 25201 www mem REG 3,3 106912 524354 /lib/ld-2.3.2.so
pscan2 25201 www 0u CHR 3,0 72570 /dev/ttyp0
pscan2 25201 www 1u CHR 3,0 72570 /dev/ttyp0
pscan2 25201 www 2u CHR 3,0 72570 /dev/ttyp0
pscan2 25201 www 3u IPv4 30610734 TCP *:1144 (LISTEN)
pscan2 25201 www 4u IPv4 31733756 TCP *:1987 (LISTEN)
pscan2 25201 www 5w REG 3,3 131072 7438520 /var/tmp/wtf/67.19.pscan.22
I have nullified the files with chown root.root and chmod 000, and kill -STOP'd the processes.
Please let us know if you have any further questions.
------------------------------------------
(lcarter-03/15/2006 11:23:04):
I did not find any new malicious files or processes running today.
Please let us know if you have any questions or need any assistance.
Thank you.
------------------------------------------
(rvera-03/16/2006 11:32:49):
We have found more malicious files in /tmp. Please look into this as soon as possible.
[root@intl tmp]# ls -la | grep www
-rwxr-xr-x 1 www www 105 Mar 15 13:40 cacti
-rwxr--r-- 1 www www 27551 Mar 16 00:04 foc
-rwxrwxrwx 1 www www 19626 Mar 11 07:37 httpd
-rwxr--r-- 1 www www 400972 Mar 15 13:06 iron
-rw-r--r-- 1 www www 293 Mar 15 23:40 listen.log
------------------------------------------
(codygee-03/17/2006 13:14:59):
You will need to audit your system for any installations of phpBB, PHPNuke, osTicket, My_eGallery, mambo, ModernBill, awstats, phpad, and any other popular PHP applications you might be running and ensure they are at their most current versions. This is something we cannot do.
You can also install mod_security for apache to mitigate these attacks at apache:
http://www.modsecurity.org/projects/modsecurity/apache/index.html
http://eth0.us/mod_security
This link gives direction on how to use mod_security:
http://support.theplanet.com/knowledgebase/users/kb.php?id=10906
Please keep us updated.
------------------------------------------
(mavenna-03/18/2006 15:51:08):
Hello; Do you have any updates regarding this issue? Please let us know what steps you have taken to ensure this issue has been resolved. Thank you.
------------------------------------------
(channa-03/19/2006 20:11:11):
Were you able to look into this? Please update us as soon as possible. Thanks.
------------------------------------------
(jbeall-03/21/2006 03:07:20):
The request for an OS reload does not appear to have been resolved. Were you able to successfully install RDC?
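The lsof output in the 03/14 entry is the most useful evidence in the whole ticket: it shows two processes owned by the web-server account whose executables live under /var/tmp, both holding the same two LISTEN sockets (the DEVICE/NODE numbers 30610734 and 31733756 are identical, which is what you would expect if pscan2 inherited ovi's descriptors), and pscan2 writing its results into /var/tmp/wtf. The following Python script is an added example, not code from the post or from the hosting provider: it parses lsof-style lines, groups them per PID, flags those combinations, and prints the freeze-then-neutralise steps the technicians describe (kill -STOP, chown root, chmod 000) as a review list rather than executing them. The ovi/pscan2 lines in SAMPLE are copied from the ticket; the httpd lines, the SUSPECT_DIRS and EXPECTED_PORTS values, and all function names are assumptions made for this example.

```python
"""Triage helper for lsof-style output (added example; not part of the ticket).

Groups lines of the form COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME [STATE]
per process and flags: executable or working directory under a temp path,
web-server-account processes listening on unexpected ports, and output files
being written under a temp path.
"""
from dataclasses import dataclass, field

# Assumptions for this example: writable scratch paths that a web-server account
# should never be executing from, and the ports httpd is expected to listen on.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
WEB_USERS = {"www", "www-data", "apache", "nobody"}
EXPECTED_PORTS = {80, 443}


@dataclass
class ProcInfo:
    pid: int
    user: str
    command: str
    exe: str = ""
    cwd: str = ""
    listen_ports: list = field(default_factory=list)
    written_files: list = field(default_factory=list)


def _in_suspect_dir(path):
    return any(path.startswith(d) for d in SUSPECT_DIRS)


def parse_lsof(lines):
    """Return {pid: ProcInfo} from lsof-style lines; unparsable lines are skipped."""
    procs = {}
    for line in lines:
        f = line.split()
        if len(f) < 6 or not f[1].isdigit():
            continue
        cmd, pid, user, fd, ftype = f[0], int(f[1]), f[2], f[3], f[4]
        p = procs.setdefault(pid, ProcInfo(pid, user, cmd))
        if ftype in ("IPv4", "IPv6"):
            # Socket lines: COMMAND PID USER FD TYPE DEVICE PROTO NAME (STATE)
            if len(f) >= 9 and f[8] == "(LISTEN)":
                port = f[7].rsplit(":", 1)[-1]
                if port.isdigit():
                    p.listen_ports.append(int(port))
            continue
        name = f[-1]  # path is the last field for files and directories
        if fd == "txt":
            p.exe = name
        elif fd == "cwd":
            p.cwd = name
        elif ftype == "REG" and fd.endswith("w"):
            p.written_files.append(name)  # descriptor opened for writing
    return procs


def triage(procs):
    """Return {pid: [reasons]} for processes matching at least one indicator."""
    findings = {}
    for pid, p in sorted(procs.items()):
        reasons = []
        if p.exe and _in_suspect_dir(p.exe):
            reasons.append(f"executable in temp dir: {p.exe}")
        if p.cwd and _in_suspect_dir(p.cwd):
            reasons.append(f"working directory in temp dir: {p.cwd}")
        odd_ports = sorted(set(p.listen_ports) - EXPECTED_PORTS)
        if odd_ports and p.user in WEB_USERS:
            reasons.append(f"{p.user} process listening on {odd_ports}")
        for path in p.written_files:
            if _in_suspect_dir(path):
                reasons.append(f"writing output under temp dir: {path}")
        if reasons:
            findings[pid] = reasons
    return findings


def containment_commands(p):
    """The steps the ticket describes, as a list to review (not executed here):
    freeze the process so it can still be examined, then take the binary away
    from the owning account."""
    cmds = [f"kill -STOP {p.pid}"]
    if p.exe:
        cmds += [f"chown root:root {p.exe}", f"chmod 000 {p.exe}"]
    return cmds


# Sample input: ovi/pscan2 lines copied from the ticket; httpd lines constructed
# here as a benign control (Apache children also run as www and hold port 80).
SAMPLE = """\
ovi 25160 www cwd DIR 3,3 4096 2 /
ovi 25160 www txt REG 3,3 25122 8421536 /var/tmp/bad/ovi
ovi 25160 www 0u CHR 1,3 67053 /dev/null
ovi 25160 www 3u IPv4 30610734 TCP *:1144 (LISTEN)
ovi 25160 www 4u IPv4 31733756 TCP *:1987 (LISTEN)
pscan2 25201 www cwd DIR 3,3 4096 7438377 /var/tmp/wtf
pscan2 25201 www txt REG 3,3 21407 7438523 /var/tmp/wtf/pscan2
pscan2 25201 www 0u CHR 3,0 72570 /dev/ttyp0
pscan2 25201 www 3u IPv4 30610734 TCP *:1144 (LISTEN)
pscan2 25201 www 5w REG 3,3 131072 7438520 /var/tmp/wtf/67.19.pscan.22
httpd 6813 www cwd DIR 3,3 4096 2 /
httpd 6813 www txt REG 3,3 300000 99999 /home/apache2/bin/httpd
httpd 6813 www 3u IPv4 11111 TCP *:80 (LISTEN)
""".splitlines()

if __name__ == "__main__":
    procs = parse_lsof(SAMPLE)
    for pid, reasons in triage(procs).items():
        print(f"PID {pid} ({procs[pid].command}):")
        for r in reasons:
            print("  -", r)
        print("  containment:", "; ".join(containment_commands(procs[pid])))
```

Run it against `lsof -n -P` output from a live host and only the two temp-dir processes are reported; the httpd child, which also runs as www and also listens, is left alone because its binary sits under the Apache install and its port is expected. The point of emitting kill -STOP rather than kill -9 is the one the technicians made implicitly by stopping rather than terminating: a frozen process keeps its memory, open descriptors and cwd available for inspection, whereas killing it destroys that evidence.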