Date: Fri, 24 Jun 2005 01:06:59 +0200
From: "Ruben Bloemgarten" <ruben@bloemgarten.demon.nl>
To: "'Chuck Swiger'" <cswiger@mac.com>
Cc: FreeBSD-questions@FreeBSD.org
Subject: RE: stat running as www weirdness - genarting INCOMING traffic
Message-ID: <20050623230702.B4E7743D4C@mx1.FreeBSD.org>
In-Reply-To: <42BAF0BF.8000200@mac.com>
After I stopped being lazy (my sincere apologies) and a little backtracking I realized I had been seriously compromised. A cronjob had been installed in /var/tmp/httpd.cron. This contained the following disturbing files:

    drwxr-xr-x  3 www  wheel   512B Jun 23 23:30 ../
    -rw-r--r--  1 www  wheel   327M Jun 22 09:46 my.summer.of.love.2005.italian.md.ts.xvid-mcf.avi
    drwxr-xr-x  4 www  wheel   1.0K Jun 22 06:31 ./
    -rw-r--r--  1 www  wheel   482M Jun 21 22:39 My.SuMMer.Of.LoVe.2005.iTaLiaN.MD.TS.XviD-MCF.avi
    -rw-r--r--  1 www  wheel   1.1K Jun 21 07:08 Infodll.state
    -rw-r--r--  1 www  wheel   1.1K Jun 21 07:05 Infodll.state~
    -rw-r--r--  1 www  wheel     0B Jun 19 16:54 PROFONDO_BLU_.avi
    -rw-r--r--  1 www  wheel   6.0K Jun 16 01:05 README.txt
    -rw-r--r--  1 www  wheel   1.5K Jun 12 21:46 httpd.cron
    -rwxr-xr-x  1 www  wheel   207K Jun 10 18:52 stat*
    drwxr-xr-x  2 www  wheel   512B Jun 10 18:52 obj/
    -rwxr-xr-x  1 www  wheel  59.8K Jun 10 18:51 convertxdccfile*
    -rw-r--r--  1 www  wheel   4.2K Jun 10 18:51 Makefile
    drwxr-xr-x  2 www  wheel   512B Jun 10 18:51 src/
    -r--r--r--  1 www  wheel  22.6K Jan 17 00:17 sample.config
    -r--r--r--  1 www  wheel  15.6K Jan 17 00:17 COPYING
    -r--r--r--  1 www  wheel  23.0K Jan 17 00:17 WHATSNEW
    -r--r--r--  1 www  wheel   4.0K Jan 17 00:17 Makefile.config
    -r-xr-xr-x  1 www  wheel  28.5K Jan 17 00:17 Configure*
    -r-xr-xr-x  1 www  wheel   857B Jan 17 00:17 iroffer.cron*
    -r-xr-xr-x  1 www  wheel   942B Jan 17 00:17 dynip.sh*
    -r--r--r--  1 www  wheel   5.0K Jan 17 00:17 README
    -rw-r--r--  1 www  wheel    15B Jan 17 00:17 .cset_number

Iroffer had been installed: http://iroffer.org/

The cronjob did the following:

    more httpd.cron
    ################### Logging #################
    #pidfile Infodll.pid
    #logfile Infodll.log
    logstats no
    logrotate weekly
    statefile Infodll.state
    ###########################################
    #################### Connessione #############
    connectionmethod direct
    server 66.225.223.54 6666
    server 66.225.223.54 6669
    server 66.225.223.54 6667
    channel #Eternity -key otis
    channel #Eternity.staff -key otis
    user_realname ETE
    user_modes +ix
    loginname ETE
    tcprangestart 4000
    #usenatip 195.41.47.74
    ###########################################
    #################### Slot e Code ##############
    slotsmax 15
    queuesize 25
    nickserv_pass beatat
    maxtransfersperperson 1
    maxqueueditemsperperson 1
    restrictlist yes
    restrictsend yes
    #restrictprivlist yes
    ############################################
    ##################### Headline ################
    creditline ^C14\ \^C15^B Staff f0r #Eternity ^C14\\^B^C
    headline ^C14\ \^C15^B Staff f0r #Eternity ^C14\\^B^C
    ############################################
    ############# Adminhost e download ###############
    adminhost *!*@Eternity.Staff
    adminhost *!*@Eternity.Staff
    adminhost *!*@*Eternity.Staff*
    uploadhost *!*@*
    downloadhost *!*@*.*
    downloadhost *!*@*
    #firewall yes
    hideos yes
    #############################################
    ################ QUI VA ADMINPASS ##############
    adminpass pYiNmgVwHKZHE
    ##############################################
    ####### RUNTIME ADDED #######
    filedir /var/tmp/cron/httpd
    uploaddir /var/tmp/cron/httpd
    user_nick ETE|DivX-01

Using dynip to advertise my box. Aaaargh!

Thanks for the help anyway.

Regards,
Ruben

-----Original Message-----
From: Chuck Swiger [mailto:cswiger@mac.com]
Sent: June 23, 2005 7:26 PM
To: ruben@bloemgarten.demon.nl
Cc: FreeBSD-questions@FreeBSD.org
Subject: Re: stat running as www weirdness - genarting INCOMING traffic

Ruben Bloemgarten wrote:
> I'm seeing weirdness of stat opening up port 4000+ and generating/receiving
> enormous amounts of incoming traffic i.e. 400Gb over a 24hour time
> period. Does this sound familiar to anyone? Thanks for any brain usage not
> my own.

Insufficient data. From which port(s) to which port(s), and are the IP
addresses on the other side the same or a random range (which would imply your
machine has been hacked and is scanning outwards).

Showing a tcpdump of a few example connections would be really useful.

--
-Chuck

--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.7.11/26 - Release Date: 06/22/2005
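An added triage helper, not part of this thread and not iroffer's own code: it parses the directive-per-line format of the httpd.cron above and pulls out the indicators a responder would turn into firewall, IDS and cron-audit rules (IRC servers, channels, DCC port start, bot nick, admin masks, drop directories). The sample config is constructed from the directives quoted in the message, trimmed.

```python
"""Extract responder-relevant indicators from an iroffer-style config."""
from collections import defaultdict

# Constructed from the directives quoted in the thread above (trimmed).
SAMPLE_CONFIG = """\
#logfile Infodll.log
statefile Infodll.state
connectionmethod direct
server 66.225.223.54 6666
server 66.225.223.54 6669
server 66.225.223.54 6667
channel #Eternity -key otis
channel #Eternity.staff -key otis
tcprangestart 4000
#usenatip 195.41.47.74
adminhost *!*@Eternity.Staff
adminhost *!*@*Eternity.Staff*
uploadhost *!*@*
filedir /var/tmp/cron/httpd
uploaddir /var/tmp/cron/httpd
user_nick ETE|DivX-01
"""

# Directives that legitimately repeat; everything else keeps its last value.
MULTI = {"server", "channel", "adminhost", "uploadhost", "downloadhost"}


def parse_iroffer_config(text):
    """Return {directive: value or [values]}; comments and blank lines skipped."""
    found = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        found[key].append(value.strip())
    return {k: (v if k in MULTI else v[-1]) for k, v in found.items()}


def triage(text):
    """Summarise what to block (C&C endpoints, DCC ports) and where to look on disk."""
    cfg = parse_iroffer_config(text)
    servers = sorted({tuple(s.split()) for s in cfg.get("server", [])})
    channels = [c.split()[0] for c in cfg.get("channel", [])]  # drop "-key ..."
    return {
        "irc_servers": servers,                      # (ip, port) pairs to firewall/alert on
        "channels": channels,
        "dcc_port_start": int(cfg["tcprangestart"]) if "tcprangestart" in cfg else None,
        "bot_nick": cfg.get("user_nick"),
        "admin_masks": cfg.get("adminhost", []),
        "drop_dirs": sorted({cfg[k] for k in ("filedir", "uploaddir") if k in cfg}),
    }
```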