[BlueOnyx:08822] Re: vps hacked

Mike's List mikelist at leawood.com
Thu Oct 13 09:17:37 -05 2011


The output seems like a script executing.  Did you take a look at the
file below and see the content?  Did you post some of the output into
google and see what returns?  Did you dig more into your log files?
httpd access and error logs?  past access and error logs?


/usr/sausalito/ui/web/error/fileNotFound.html


Mike


On Thu, 13 Oct 2011, Steffan wrote:

> I have looked in secure
> Used last
> Nothing
> No siteadmin logins
>
> Looks like they found a hole in some site; I have no idea
>
>
>
> -----Original message-----
> From: blueonyx-bounces at mail.blueonyx.it
> [mailto:blueonyx-bounces at mail.blueonyx.it] On behalf of Mike's List
> Sent: Thursday 13 October 2011 15:29
> To: BlueOnyx General Mailing List
> Subject: [BlueOnyx:08818] Re: vps hacked
>
>
> Have you looked at /var/log/secure?  Use the "last" command to see if there
> was any suspicious login via shell?  (Might have to unzip those wtmp file/s
> for older/previous logins.)  Is there a log for GUI login also that you can
> track?
>
> Run rkhunter and chkrootkit for rootkit installation?  Install ClamAV,
> Sophos, etc. for malware/antivirus scanning?  RPMs for rkhunter and
> chkrootkit can be found below, download the appropriate version for your
> OS version, then "rpm -ivh <package.rpm>" and run "rkhunter -c" and/or
> "chkrootkit" to start scanning.
>
> http://pkgs.repoforge.org/rkhunter/
> http://pkgs.repoforge.org/chkrootkit/
>
>
> Mike
>
>
> On Thu, 13 Oct 2011, Steffan wrote:
>
>>
>> I still have a client with a BlueQuartz server (vps)
>>
>> This morning the virtual server was hacked
>>
>> I looked in the logs and found this in /var/log/httpd/error_log
>>
>> [Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
>>
>> --00:07:40--  http://rapha.altervista.org/prv.txt
>>
>>            => `prv.txt'
>>
>> Resolving rapha.altervista.org... 46.4.65.68
>>
>> Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
>>
>> HTTP request sent, awaiting response... 200 OK
>>
>> Length: 28,039 (27K) [text/plain]
>>
>>     0K .......... .......... .......                         100% 1015.53 KB/s
>>
>> 00:07:40 (1015.53 KB/s) - `prv.txt' saved [28039/28039]
>>
>> sh: line 1: lwp-downlod: command not found
>>
>> sh: line 1: fetch: command not found
>>
>> sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
>>
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>
>>                                  Dload  Upload   Total   Spent    Left  Speed
>>
>> ^M 14 28039   14  4097    0     0  98324      0 --:--:-- --:--:-- --:--:-- 98324^M100 28039  100 28039    0     0   403k      0 --:--:-- --:--:-- --:--:--  899k
>>
>> sh: line 3: prv.txt: command not found
>>
>> --00:07:40--  http://rapha.altervista.org/prv.txt
>>
>>            => `prv.txt'
>>
>> Resolving rapha.altervista.org... 46.4.65.68
>>
>> Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
>>
>> HTTP request sent, awaiting response... 200 OK
>>
>> Length: 28,039 (27K) [text/plain]
>>
>>     0K .......... .......... .......                         100% 1020.34 KB/s
>>
>> 00:07:40 (1020.34 KB/s) - `prv.txt' saved [28039/28039]
>>
>> sh: line 1: lwp-downlod: command not found
>>
>> sh: line 1: fetch: command not found
>>
>> sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
>>
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>
>>                                  Dload  Upload   Total   Spent    Left  Speed
>>
>> ^M  4 28039    4  1201    0     0  42493      0 --:--:-- --:--:-- --:--:-- 42493^M100 28039  100 28039    0     0   507k      0 --:--:-- --:--:-- --:--:-- 1048k
>>
>> sh: line 3: prv.txt: command not found
>>
>> I don't see any admin logins
>>
>> How can I find out what happened?
>> I don't see anything weird in the access log or message log
>>
>> Thanxs Steffan
>>
>>
>>
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
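As an added illustration of the log work Mike suggests in both of his replies (grep the httpd error and access logs, then chase the client), here is a small Python script that is not from the thread and not part of BlueOnyx or BlueQuartz. It scans an Apache error_log for the pattern Steffan posted (wget banners and "sh: ... command not found" lines, which only land in error_log when something the web server executed is driving a shell), then lists the access_log requests from the same client around that moment so the triggering request can be located. The log lines inside the script are constructed for the example: the client IP, hostname and timestamps mirror the excerpt in the thread, while the request paths in the access_log sample are placeholders, since the thread does not show which request was abused.

```python
"""Find shell/downloader output in an Apache error_log and correlate it with the
access_log.  Added example, not code from the thread or from BlueOnyx; the sample
log lines are constructed (IP, host and times follow the thread, paths are placeholders)."""

import re
from datetime import datetime, timedelta

# Apache 2.2 error_log entry: [Wed Oct 12 00:07:13 2011] [error] [client 1.2.3.4] text
ERROR_RE = re.compile(
    r'^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] \[(?P<level>\w+)\] '
    r'(?:\[client (?P<ip>[^\]]+)\] )?(?P<msg>.*)$')
# Common Log Format access_log entry
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

# Output of wget/curl/sh that has no business in an error_log; each pattern
# corresponds to a line type in the excerpt posted in the thread.
SHELL_MARKERS = [
    r'^sh: line \d+: .*: command not found',   # a shell failed to run a downloader
    r'^--\d\d:\d\d:\d\d--\s+https?://',        # wget start banner
    r'^Resolving \S+\.\.\. ',                  # wget DNS step
    r'saved \[\d+/\d+\]',                      # wget completion line
    r'^\s*% Total\s+% Received',               # curl progress-meter header
]
SHELL_MARKER_RE = re.compile('|'.join('(?:%s)' % m for m in SHELL_MARKERS))


def parse_error_log(lines):
    """Yield (timestamp, client_ip, text) per non-empty line.  Raw tool output that
    Apache did not prefix inherits the timestamp and client of the entry before it,
    which is where such output shows up in the file."""
    ts, ip = None, None
    for line in lines:
        line = line.rstrip('\r\n')
        if not line.strip():
            continue
        m = ERROR_RE.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
            ip = m.group('ip')
            yield ts, ip, m.group('msg')
        else:
            yield ts, ip, line.strip()


def find_shell_output(lines):
    """Return error_log entries whose text looks like shell or downloader output."""
    return [e for e in parse_error_log(lines) if SHELL_MARKER_RE.search(e[2])]


def parse_access_log(lines):
    """Return (timestamp, client_ip, request, status) for each well-formed line."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group('ts').split()[0], '%d/%b/%Y:%H:%M:%S')
            out.append((ts, m.group('ip'), m.group('req'), m.group('status')))
    return out


def requests_near(hits, access_entries, window=timedelta(minutes=2)):
    """access_log requests within `window` of a suspicious error_log entry, from the
    same client when the error entry named one; order kept, duplicates dropped."""
    found = []
    for ts, ip, _ in hits:
        if ts is None:
            continue
        for entry in access_entries:
            ats, aip = entry[0], entry[1]
            if abs(ats - ts) <= window and (ip is None or aip == ip) and entry not in found:
                found.append(entry)
    return found


# Constructed sample logs (see module docstring).
ERROR_LOG = """\
[Wed Oct 12 00:05:02 2011] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
[Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
--00:07:40--  http://rapha.altervista.org/prv.txt
           => `prv.txt'
Resolving rapha.altervista.org... 46.4.65.68
00:07:40 (1015.53 KB/s) - `prv.txt' saved [28039/28039]
sh: line 1: lwp-downlod: command not found
sh: line 3: prv.txt: command not found
""".splitlines()

ACCESS_LOG = """\
10.0.0.5 - - [12/Oct/2011:00:05:02 -0500] "GET /favicon.ico HTTP/1.1" 404 291
220.181.125.72 - - [12/Oct/2011:00:07:13 -0500] "GET /PLACEHOLDER-script?arg=1 HTTP/1.0" 200 512
220.181.125.72 - - [12/Oct/2011:00:07:40 -0500] "POST /PLACEHOLDER-script HTTP/1.0" 200 44
10.0.0.7 - - [12/Oct/2011:00:30:00 -0500] "GET / HTTP/1.1" 200 1203
""".splitlines()

if __name__ == '__main__':
    hits = find_shell_output(ERROR_LOG)
    for ts, ip, text in hits:
        print('%s  client=%s  %s' % (ts, ip, text))
    print('requests from that client around the same time:')
    for ats, aip, req, status in requests_near(hits, parse_access_log(ACCESS_LOG)):
        print('  %s  %s  "%s" -> %s' % (ats, aip, req, status))
```

On a real box, feed it the current and rotated files (`/var/log/httpd/error_log*` and `access_log*`, gunzipped) rather than the embedded samples; the useful output is the handful of requests from the flagged client in the minutes before the downloader output, which is where the abused script or URL will be.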

