stat running as www weirdness - genarting INCOMING traffic
Ruben Bloemgarten
ruben at bloemgarten.demon.nl
Thu Jun 23 23:07:03 GMT 2005
After I stopped being lazy (my sincere apologies) and did a little backtracking,
I realized I had been seriously compromised.
A cronjob had been installed in /var/tmp/httpd.cron.
This contained the following disturbing files:
drwxr-xr-x 3 www wheel 512B Jun 23 23:30 ../
-rw-r--r-- 1 www wheel 327M Jun 22 09:46 my.summer.of.love.2005.italian.md.ts.xvid-mcf.avi
drwxr-xr-x 4 www wheel 1.0K Jun 22 06:31 ./
-rw-r--r-- 1 www wheel 482M Jun 21 22:39 My.SuMMer.Of.LoVe.2005.iTaLiaN.MD.TS.XviD-MCF.avi
-rw-r--r-- 1 www wheel 1.1K Jun 21 07:08 Infodll.state
-rw-r--r-- 1 www wheel 1.1K Jun 21 07:05 Infodll.state~
-rw-r--r-- 1 www wheel 0B Jun 19 16:54 PROFONDO_BLU_.avi
-rw-r--r-- 1 www wheel 6.0K Jun 16 01:05 README.txt
-rw-r--r-- 1 www wheel 1.5K Jun 12 21:46 httpd.cron
-rwxr-xr-x 1 www wheel 207K Jun 10 18:52 stat*
drwxr-xr-x 2 www wheel 512B Jun 10 18:52 obj/
-rwxr-xr-x 1 www wheel 59.8K Jun 10 18:51 convertxdccfile*
-rw-r--r-- 1 www wheel 4.2K Jun 10 18:51 Makefile
drwxr-xr-x 2 www wheel 512B Jun 10 18:51 src/
-r--r--r-- 1 www wheel 22.6K Jan 17 00:17 sample.config
-r--r--r-- 1 www wheel 15.6K Jan 17 00:17 COPYING
-r--r--r-- 1 www wheel 23.0K Jan 17 00:17 WHATSNEW
-r--r--r-- 1 www wheel 4.0K Jan 17 00:17 Makefile.config
-r-xr-xr-x 1 www wheel 28.5K Jan 17 00:17 Configure*
-r-xr-xr-x 1 www wheel 857B Jan 17 00:17 iroffer.cron*
-r-xr-xr-x 1 www wheel 942B Jan 17 00:17 dynip.sh*
-r--r--r-- 1 www wheel 5.0K Jan 17 00:17 README
-rw-r--r-- 1 www wheel 15B Jan 17 00:17 .cset_number
Iroffer had been installed (http://iroffer.org/).
The cronjob did the following:
more httpd.cron
################### Logging #################
#pidfile Infodll.pid
#logfile Infodll.log
logstats no
logrotate weekly
statefile Infodll.state
###########################################
#################### Connection #############
connectionmethod direct
server 66.225.223.54 6666
server 66.225.223.54 6669
server 66.225.223.54 6667
channel #Eternity -key otis
channel #Eternity.staff -key otis
user_realname ETE
user_modes +ix
loginname ETE
tcprangestart 4000
#usenatip 195.41.47.74
###########################################
#################### Slots and Queues ##############
slotsmax 15
queuesize 25
nickserv_pass beatat
maxtransfersperperson 1
maxqueueditemsperperson 1
restrictlist yes
restrictsend yes
#restrictprivlist yes
############################################
##################### Headline ################
creditline ^C14\ \^C15^B Staff f0r #Eternity ^C14\\^B^C
headline ^C14\ \^C15^B Staff f0r #Eternity ^C14\\^B^C
############################################
############# Adminhost and download ###############
adminhost *!*@Eternity.Staff
adminhost *!*@Eternity.Staff
adminhost *!*@*Eternity.Staff*
uploadhost *!*@*
downloadhost *!*@*.*
downloadhost *!*@*
#firewall yes
hideos yes
#############################################
################ ADMINPASS GOES HERE ##############
adminpass pYiNmgVwHKZHE
##############################################
####### RUNTIME ADDED #######
filedir /var/tmp/cron/httpd
uploaddir /var/tmp/cron/httpd
user_nick ETE|DivX-01
Using dynip to advertise my box.
Aaaargh!
Thanks for the help anyway.
Regards,
Ruben
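An added example, not part of the thread and not iroffer's own code: a small parser that pulls the responder-relevant settings out of an iroffer config like the httpd.cron above (IRC servers to block, channels, the DCC listener range and the serving directory), and checks whether an observed listening port falls in that range. The sample text is the active network lines copied from the posted config; the 100-port window in explains_listener is an assumption for this check, not a value from the page.

```python
from typing import Dict, List, Tuple

# Constructed sample: the network-relevant lines of the httpd.cron quoted in the post.
SAMPLE_CONFIG = """\
#################### Connection #############
connectionmethod direct
server 66.225.223.54 6666
server 66.225.223.54 6669
server 66.225.223.54 6667
channel #Eternity -key otis
channel #Eternity.staff -key otis
tcprangestart 4000
#usenatip 195.41.47.74
filedir /var/tmp/cron/httpd
user_nick ETE|DivX-01
"""

def parse_iroffer_config(text: str) -> Dict[str, object]:
    """Collect indicators from an iroffer 'keyword value' config: IRC servers
    (host, port), channel names, the DCC port range start, the directory the
    bot serves from and its nick. Lines starting with '#' are inactive and skipped."""
    servers: List[Tuple[str, int]] = []
    channels: List[str] = []
    out: Dict[str, object] = {"servers": servers, "channels": channels,
                              "tcprangestart": None, "filedir": None, "user_nick": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        args = rest.split()
        if key == "server" and len(args) >= 2:
            servers.append((args[0], int(args[1])))
        elif key == "channel" and args:
            channels.append(args[0])        # '-key ...' is the channel key, not the name
        elif key == "tcprangestart" and args:
            out["tcprangestart"] = int(args[0])
        elif key in ("filedir", "user_nick") and args:
            out[key] = rest.strip()
    return out

def explains_listener(cfg: Dict[str, object], observed_port: int, width: int = 100) -> bool:
    """True if an observed listening port sits in the bot's DCC range, which starts
    at tcprangestart. The 100-port window is an assumption made for this check."""
    start = cfg["tcprangestart"]
    return start is not None and start <= observed_port < start + width

if __name__ == "__main__":
    cfg = parse_iroffer_config(SAMPLE_CONFIG)
    print(cfg)
    print(explains_listener(cfg, 4003))  # the 'port 4000+' listeners the thread started with
```

With tcprangestart 4000 in the config, the "stat opening up port 4000+" observation that opened the thread is exactly the bot's DCC listener range.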
-----Original Message-----
From: Chuck Swiger [mailto:cswiger at mac.com]
Sent: June 23, 2005 7:26 PM
To: ruben at bloemgarten.demon.nl
Cc: FreeBSD-questions at FreeBSD.org
Subject: Re: stat running as www weirdness - genarting INCOMING traffic
Ruben Bloemgarten wrote:
> I’m seeing weirdness of stat opening up port 4000+ and generating/receiving
> enormous amounts of incoming traffic, i.e. 400Gb over a 24-hour time
> period. Does this sound familiar to anyone? Thanks for any brain usage not
> my own.
Insufficient data. From which port(s) to which port(s), and are the IP
addresses on the other side the same or a random range (which would imply your
machine has been hacked and is scanning outwards)?
Showing a tcpdump of a few example connections would be really useful.
--
-Chuck
--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.7.11/26 - Release Date: 06/22/2005