Apache compromised

Hi,

In my apache2 error logs I noticed that a script is automatically being downloaded and run. Because of this, the CPU usage goes to 100% when this perl script runs. I checked http://brk1.home.ro/perl in my browser and it shows the perl script, which shows that it is a LinuxNet perlbot. Inside the script there's a mention of an IP, 209.114.36.218, to which it tries to connect. Now this IP belongs to Slicehost, and some time ago, before moving to Linode, I was with Slicehost.

Please have a look at my apache error log snippet below. I've checked my older logs and this same snippet shows up once in a while:

--2011-12-06 08:00:45-- http://brk1.home.ro/perl
Resolving brk1.home.ro... --2011-12-06 08:00:45-- http://brk1.home.ro/perl
--2011-12-06 08:00:45-- http://brk1.home.ro/perl
Resolving brk1.home.ro... Resolving brk1.home.ro... --2011-12-06 08:00:45-- http://brk1.home.ro/perl
Resolving brk1.home.ro... 81.196.20.133
Connecting to brk1.home.ro|81.196.20.133|:80... 81.196.20.133
Connecting to brk1.home.ro|81.196.20.133|:80... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16186 (16K) [text/plain]
Saving to: `perl.1'

0K ..200 OK
Length: 16186 (16K) [text/plain]
Saving to: `perl.1.1'

0K ................ ..... 100% 49.4K=0.3s

.. ..... 100% 48.3K=0.3s

2011-12-06 08:00:46 (48.3 KB/s) - `perl.1.1' saved [16186/16186]

2011-12-06 08:00:46 (49.4 KB/s) - `perl.1' saved [16186/16186]

I believe that this is related to apache, but I don't know how this perl script is being automatically downloaded and run.

Any help would be greatly appreciated.

2 Replies

That looks like the output from wget. Do you have any php scripts on your site or something similar? Check your access logs for what pages are being run at the same time as that's appearing in your error logs.

I checked the apache access log for the same date/time and found this:

mywebsite.ca:80 80.86.82.40 - - [06/Dec/2011:08:00:41 -0500] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 200 14839 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Op$
mywebsite.ca:80 80.86.82.40 - - [06/Dec/2011:08:00:41 -0500] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 200 14839 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Op$
mywebsite.ca:80 80.86.82.40 - - [06/Dec/2011:08:00:41 -0500] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 200 14838 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Op$
mywebsite.ca:80 80.86.82.40 - - [06/Dec/2011:08:00:41 -0500] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 200 14842 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Op$
AnotherWebsite.com:80 ::1 - - [06/Dec/2011:08:00:44 -0500] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.16 (Debian) (internal dummy connection)"
AnotherWebsite.com:80 ::1 - - [06/Dec/2011:08:00:45 -0500] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.16 (Debian) (internal dummy connection)"

I had already removed the phpmyadmin2 folder and also changed the privileges of wget so only root can run it.
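The correlation the first reply suggests, as an added example that is not part of the thread: it pairs each wget-style fetch line in the Apache error log with the external requests logged just before it in the access log. The sample lines are constructed to mirror the logs above; hostnames and addresses are placeholders, and both logs are assumed to share the same local clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the thread's logs (placeholder hosts/IPs).
ERROR_LOG = """\
--2011-12-06 08:00:45-- http://example.invalid/perl
Resolving example.invalid... 192.0.2.10
HTTP request sent, awaiting response... 200 OK
"""
ACCESS_LOG = """\
site.example:80 198.51.100.7 - - [06/Dec/2011:08:00:41 -0500] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 200 14839 "-" "Mozilla/4.0"
site.example:80 ::1 - - [06/Dec/2011:08:00:44 -0500] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.16 (Debian) (internal dummy connection)"
site.example:80 203.0.113.9 - - [06/Dec/2011:07:30:00 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.21"
"""

# wget banner line: "--YYYY-MM-DD HH:MM:SS--  URL"
FETCH_RE = re.compile(r"^--(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})--\s+(\S+)")
# vhost-prefixed combined log: "vhost:port client - - [date] "request" ..."
ACCESS_RE = re.compile(
    r'^(\S+) (\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\] "([^"]*)"')

def parse_fetches(text):
    """Return (timestamp, url) for every wget fetch line found in an error log."""
    out = []
    for line in text.splitlines():
        m = FETCH_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return out

def parse_access(text):
    """Return (timestamp, client_ip, request_line) for each access log line."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S")
            out.append((ts, m.group(2), m.group(4)))
    return out

def correlate(error_text, access_text, window=10):
    """Map each fetched URL to the non-loopback requests seen up to `window`
    seconds before the fetch; the access log's UTC offset is deliberately ignored."""
    hits = {}
    for ts, url in parse_fetches(error_text):
        lo = ts - timedelta(seconds=window)
        hits[url] = [(ip, req) for ats, ip, req in parse_access(access_text)
                     if lo <= ats <= ts and ip not in ("::1", "127.0.0.1")]
    return hits

if __name__ == "__main__":
    for url, reqs in correlate(ERROR_LOG, ACCESS_LOG).items():
        print(url, "<-", reqs)
```

Run it over the real files (for example `correlate(open(err).read(), open(acc).read())`) to see which request immediately preceded each download; in the thread's case that points at the phpmyadmin2 setup.php request.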
