httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeroen Geilman <jer...@adaptr.nl>
Subject Re: [users@httpd] Possible hack attempt
Date Fri, 28 Oct 2011 22:31:06 GMT
On 2011-10-28 21:46, Gary Smith wrote:
> I was tasked on tracking down the cause of a perl process that is hanging on a client
server.  The server is opensuse, pretty much out of the box, patched pretty current.  Anyway,
below is the first log entry where it looks like someone attempted to run a perl script. 
It also appears that a file was somehow saved.  Since I see that there is a url in it, I figured
I'd ask others if they have seen this attack vector recently and what resolution path I might
take.
>
> [Wed Sep 21 12:30:09 2011] [notice] Apache/2.2.15 (Linux/SUSE) mod_ssl/2.2.15 OpenSSL/1.0.0
PHP/5.3.3 configured -- resuming normal operations
> perl: no process found
> --2011-09-22 12:58:42--  http://joytalk.byethost4.com/uau
> Resolving joytalk.byethost4.com... 209.190.24.4
> Connecting to joytalk.byethost4.com|209.190.24.4|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: unspecified [text/plain]
> Saving to: `uau'
>
>       0K .......... .......... .........                         185K=0.2s
>
> 2011-09-22 12:58:43 (185 KB/s) - `uau' saved [29702]
>
>    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                   Dload  Upload   Total   Spent    Left  Speed
> 100 29702    0 29702    0     0  73064      0 --:--:-- --:--:-- --:--:-- 91390
> --2011-10-03 12:32:31--  http://91.205.74.14/.xal/.ICE-un1x
> Connecting to 91.205.74.14:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 29710 (29K) [text/plain]
> Saving to: `.ICE-un1x'
>
>       0K .......... .......... .........                       100% 54.4K=0.5s
>
> 2011-10-03 12:32:31 (54.4 KB/s) - `.ICE-un1x' saved [29710/29710]
>

So go and see what is in those files.

Since they were kind enough to timestamp the download, you can correlate 
this with the access log and see the exact exploit used.


-- 
J.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message