What are these logs?

Discussion in 'General Discussion' started by Secret Agent, May 22, 2005.

  1. Secret Agent

    Secret Agent Guest

    Due to the recent proftpd bug, I switched to pureftpd... now I see this in my logs / sent to me via email

    Code:
    May 22 11:21:56 server kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:12:3f:24:b3:0a:00:0e:d7:cf:fd:00:08:00 SRC=xxx.206.248.4 DST=147.202.64.157 LEN=48 TOS=0x04 PREC=0x00 TTL=113 ID=16556 DF PROTO=$
    May 22 11:21:56 server kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:12:3f:24:b3:0a:00:0e:d7:cf:fd:00:08:00 SRC=xxx.206.248.4 DST=147.202.64.158 LEN=48 TOS=0x04 PREC=0x00 TTL=113 ID=16557 DF PROTO=$
    May 22 11:21:59 server kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:12:3f:24:b3:0a:00:0e:d7:cf:fd:00:08:00 SRC=xxx.206.248.4 DST=147.202.64.154 LEN=48 TOS=0x04 PREC=0x00 TTL=113 ID=17105 DF PROTO=$
    May 22 11:21:59 server kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:12:3f:24:b3:0a:00:0e:d7:cf:fd:00:08:00 SRC=xxx.206.248.4 DST=147.202.64.156 LEN=48 TOS=0x04 PREC=0x00 TTL=113 ID=17110 DF PROTO=$
    May 22 11:24:51 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    May 22 11:24:51 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    May 22 11:33:12 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    May 22 11:33:12 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    May 22 11:41:32 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    May 22 11:41:32 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    May 22 11:49:52 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    May 22 11:49:52 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    May 22 11:58:13 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    May 22 11:58:13 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    May 22 12:06:34 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    May 22 12:06:34 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    May 22 12:16:14 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    May 22 12:16:14 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    May 22 12:26:25 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    May 22 12:26:25 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    May 22 12:37:50 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    May 22 12:37:50 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    
    Can someone please explain what is happening here?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That would be chkservd making sure it's running.
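    As an added illustration (not code from the thread), the script below parses lines shaped like the ones posted above and separates the two things they show: the kernel lines are the firewall's DROP records, here one masked source probing several addresses in the same /24, while the pure-ftpd lines are connect/logout pairs from 127.0.0.1 at a steady interval with no login, which is what a local service monitor such as chkservd looks like. The sample lines are constructed copies of the posted ones, and the year is assumed because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the posted lines (source masked as "xxx"
# and the kernel lines cut off at "PROTO=" exactly as they appear there).
SAMPLE_LOG = """\
May 22 11:21:56 server kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:12:3f:24:b3:0a:00:0e:d7:cf:fd:00:08:00 SRC=xxx.206.248.4 DST=147.202.64.157 LEN=48 TOS=0x04 PREC=0x00 TTL=113 ID=16556 DF PROTO=$
May 22 11:21:56 server kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:12:3f:24:b3:0a:00:0e:d7:cf:fd:00:08:00 SRC=xxx.206.248.4 DST=147.202.64.158 LEN=48 TOS=0x04 PREC=0x00 TTL=113 ID=16557 DF PROTO=$
May 22 11:21:59 server kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:12:3f:24:b3:0a:00:0e:d7:cf:fd:00:08:00 SRC=xxx.206.248.4 DST=147.202.64.154 LEN=48 TOS=0x04 PREC=0x00 TTL=113 ID=17105 DF PROTO=$
May 22 11:24:51 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
May 22 11:24:51 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
May 22 11:33:12 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
May 22 11:33:12 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
May 22 11:41:32 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
May 22 11:41:32 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
"""

SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w-]+)(?:\[\d+\])?: (.*)$")
KV = re.compile(r"(\w+)=(\S*)")  # iptables KEY=value fields (DF has no value)

def parse_line(line, year=2005):
    """Split a syslog line into timestamp, host, program and message.
    The year is assumed: syslog timestamps do not carry one."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "prog": m.group(3), "msg": m.group(4)}

def firewall_drops(lines):
    """Group kernel DROP lines by source; one SRC hitting many DSTs is a sweep."""
    hits = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec and rec["prog"] == "kernel" and "DROP" in rec["msg"]:
            fields = dict(KV.findall(rec["msg"]))
            hits[fields["SRC"]].add(fields["DST"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

def local_ftp_checks(lines):
    """Count pure-ftpd connections from 127.0.0.1 and the seconds between them.
    A regular cadence with an immediate Logout and no login is a service
    monitor probing the port, not a user session."""
    starts = [rec["ts"] for rec in map(parse_line, lines)
              if rec and rec["prog"] == "pure-ftpd"
              and "New connection from 127.0.0.1" in rec["msg"]]
    gaps = [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
    return {"checks": len(starts), "gaps_seconds": gaps}
```

    Run over a real /var/log/messages the same two functions tell you whether localhost FTP noise is periodic (monitoring) and which remote sources the firewall is actually dropping.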
     
  3. Secret Agent

    Secret Agent Guest

    Thank you chirpy. I also noticed this in WHM's stats

    perl /tmp/udp.pl 200.203.141.6 0 400

    Causing major overload / sudden server spikes.

    I cleared out the /tmp and rebooted, same issue again.

    Would you happen to know what this is?

    I ran /scripts/securetmp again as well
     
  4. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
  5. Secret Agent

    Secret Agent Guest

    Unfortunately they do not as I already had /tmp secured

    I ran chkrootkit and rkhunter, both were fine.

    Any suggestions?
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The script could be anything, you'd have to look at it to find out. I would suspect from the name it's a UDP flooding script used to DDoS other people's servers.

    If it's owned by nobody then it's been uploaded to your server through an exploitable PHP script on your server. "Securing" /tmp will make no difference, you need to find out which is the vulnerable script and remove it. Installing mod_security with a good set of filters may help and of course you should have an in and outgoing port filtering firewall installed.
     
  7. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    Locking down /tmp doesn't matter much, as the scripts can still be executed if compiled on a similar or compatible system. tmp is a common dumping ground, but far from the only / most popular. The name of the file itself makes you wonder if it might be a dos script, of course the name of the file doesn't matter at all. I'd recommend you audit your system, and hire a capable system administrator to fix and help instruct you on how to better manage the security on your system. That is, of course, if it is even worthwhile to fix it at this point. We don't know how or what got in, so going back and forth here on a forum isn't going to get you anywhere but a deeper hole. Best of luck!

    Remember, security is a 24/7/365 job, and if you're not keeping an eye on your boxes, someone else will.
     
  8. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    The Perl interpreter is being called, so as already mentioned by others securing /tmp is not going to help in this case. As noted by Chirpy most likely it's a script for DDoSing and in all likelihood it's through phpBB again.

    Check this article if everything is clean:

    http://www.whoopis.com/howtos/phpbb-viewtopic-hack/

    Anup
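    chirpy's advice to find the PHP script that dropped the file, together with anup's pointer to the phpBB viewtopic article, comes down to one triage step: take the time the rogue perl process first appeared and look at what the web server was asked to run just before it. The Python below is an added example, not code from the thread or the linked article; it assumes Apache combined-format access logs, a constructed process start time, and that the flaw referenced is the phpBB 2.0.x viewtopic.php highlight parameter, which accepted double-URL-encoded input that survived the first decode.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-log lines (not from the thread). Line 2 carries a
# double-encoded quote in phpBB's highlight parameter; the rest is ordinary
# traffic, and line 4 is the same pattern but outside the time window.
ACCESS_LOG = """\
198.51.100.7 - - [22/May/2005:11:15:02 +0000] "GET /TechForums/index.php HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
198.51.100.7 - - [22/May/2005:11:15:40 +0000] "GET /TechForums/viewtopic.php?t=12&highlight=%2527test HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.9 - - [22/May/2005:11:16:11 +0000] "GET /TechForums/viewtopic.php?t=12&highlight=cpanel HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [22/May/2005:12:40:00 +0000] "GET /TechForums/viewtopic.php?t=13&highlight=%2527 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Characters that have no business in a forum search term but do in injected code.
SHELL_META = re.compile(r"[;|`$(){}']")

# Assumed: when `perl /tmp/udp.pl` was first seen in the process list.
PROCESS_START = datetime(2005, 5, 22, 11, 21, tzinfo=timezone.utc)

def parse(line):
    """Split one combined-log line into client, time, method, path, params."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m.group(4))
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    return {"ip": m.group(1), "ts": ts, "method": m.group(3),
            "path": url.path, "params": params, "status": int(m.group(5))}

def is_suspicious(req):
    """True for a PHP request whose parameters still contain quotes or shell
    metacharacters after a second decode (parse_qsl did the first one)."""
    if not req["path"].endswith(".php"):
        return False
    return any(SHELL_META.search(unquote(v)) for v in req["params"].values())

def requests_before(lines, process_start, minutes=10):
    """Suspicious requests in the window before the rogue process appeared,
    oldest first; the script they hit is the one to inspect or remove."""
    lo = process_start - timedelta(minutes=minutes)
    reqs = [r for r in map(parse, lines) if r and lo <= r["ts"] <= process_start]
    return [(r["ip"], r["path"], r["params"]) for r in reqs if is_suspicious(r)]
```

    With the real start time taken from `ps -o lstart` on the running process and the affected account's access log as input, the returned paths are the scripts to audit or, as above, the board to upgrade or remove.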
     
  9. Shinichi Kato

    Shinichi Kato Well-Known Member

    Joined:
    Mar 7, 2005
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Saitama-ken,japan

    Attached Files:

  10. RoboCop777

    RoboCop777 Member

    Joined:
    Dec 6, 2004
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
  11. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    Or is it that udp.pl (on that page) is being detected as worm/virus?

    Anup
     
  12. Secret Agent

    Secret Agent Guest

    I already have APF, BFD, mod_security installed. I had a few other security layers done as well including masking Apache, BIND, secure tmp, disabled non-used services, disable direct root login, etc.

    Can someone *please* explain how to track this down? What script? I would really appreciate it.
     
  13. Secret Agent

    Secret Agent Guest

    If it may help, here is what I found in WHM's addon script manager

    somedomain.com:/TechForums 2.0.10

    That is for phpBB.

    So, probably a wise guess the vulnerability is coming through this board right?

    So if I remove this account, clean up /tmp from the udp files again, this should more likely correct it?
     