[BlueOnyx:12856] Blueonyx Backdoor:Perl/Shellbot
Senthil Ramasamy
samy at maxi.net.au
Mon Apr 15 21:21:33 -05 2013
Hi Everyone,
The server we are running is Blueonyx 5108R.
Three days ago, we saw suspect files under
/tmp/css.jpg
/tmp/unix.jpg
/tmp/akas.jpg
/tmp/akas.php
/tmp/ramz.php
/tmp/java-site.php
and other files under one of the WordPress sites:
/home/.sites/56/site60/web/wp-content/themes/kingsize/cache/f240a370b9924474e0c45220fcc2bccb.jpg
/home/.sites/56/site60/web/wp-content/themes/kingsize/cache/f4ddcb6280e8951d6ca2102851d8632f.jpg
/home/.sites/56/site60/web/wp-content/themes/kingsize/cache/read.php
/home/.sites/56/site60/web/wp-content/themes/kingsize/cache/xx.php
The virus scanner picked them up as Backdoor:Perl/Shellbot. We have removed the
above files, and the suspected backdoor entry was through WordPress. So, to avoid
future attacks, we have implemented an .htaccess file that limits access to
wp-login.php to specific IP addresses, as mentioned in
http://forums.whirlpool.net.au/forum-replies.cfm?t=2085205
Today we are seeing the same files re-appear again. We have removed those files
again, but we don't know how they are getting in.
Has anyone seen this before and has a solution? Or can you point us in the right
direction?
So far:
Scanning the FTP, HTTP and mail logs looks clean.
Server SSH access is restricted to a few static IP addresses.
Regards,
Samy
Senthil Ramasamy,
Sr. Technical Manager | Maxi Internet Services,
Suite 22, 36 East Street,
Five Dock, NSW 2046.
T: 02 9713 4066 | F: 02 9713 4077
M: 0434 484 577 | W: maxi.net.au
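A defender's first check after a report like this, added here as an example and not part of the original post: a small scanner for the two patterns the post describes, script source hidden behind a .jpg extension, and PHP files dropped into a theme cache or /tmp directory. The sample tree it builds is constructed and contains stand-in strings, not real malware.

```python
import tempfile
from pathlib import Path

# Byte patterns that never belong in a genuine image file. A real JPEG starts
# with the FF D8 FF marker; a "jpg" containing a PHP tag or a Perl shebang is a
# script wearing an image extension (the Backdoor:Perl/Shellbot pattern above).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"#!/usr/bin/perl", b"#!/usr/bin/env perl")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXTS = {".php", ".pl", ".phtml"}
# Directory names under which no PHP/Perl source should ever be written.
WRITE_ONLY_DIRS = {"cache", "tmp"}

def looks_like_script(path: Path) -> bool:
    """True if the first 4 KiB of the file contain a PHP or Perl marker."""
    with path.open("rb") as fh:
        head = fh.read(4096)
    return any(marker in head for marker in SCRIPT_MARKERS)

def scan_tree(root: str) -> list[str]:
    """Return sorted 'relative path: reason' strings for files matching a heuristic."""
    findings = []
    root_path = Path(root)
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path)
        ext = path.suffix.lower()
        # Compare against the path inside the scanned tree, not the absolute path.
        in_writable_dir = bool(WRITE_ONLY_DIRS & {p.lower() for p in rel.parent.parts})
        if ext in IMAGE_EXTS and looks_like_script(path):
            findings.append(f"{rel.as_posix()}: script source behind an image extension")
        elif ext in SCRIPT_EXTS and in_writable_dir:
            findings.append(f"{rel.as_posix()}: executable script in a write-only directory")
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed layout mirroring the post's theme cache directory (names are stand-ins)."""
    root = tempfile.mkdtemp()
    cache = Path(root, "web", "wp-content", "themes", "kingsize", "cache")
    cache.mkdir(parents=True)
    (cache / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (cache / "f240.jpg").write_bytes(b"<?php /* constructed stand-in, not a shell */ ?>")
    (cache / "read.php").write_bytes(b"<?php echo 'constructed'; ?>")
    Path(root, "web", "index.php").write_bytes(b"<?php // legitimate site entry point ?>")
    return root

if __name__ == "__main__":
    for line in scan_tree(build_sample_tree()):
        print(line)
```

Run it against the web root and /tmp after each cleanup; files that reappear between runs narrow down which writable directory the intruder still reaches.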