Warning for those running older Apache servers .....

picbits
Community Veteran
Posts: 3,428
Thanks: 22
Registered: 18-01-2013

Warning for those running older Apache servers .....

Watch out !!! There are some exploits which are going around at the moment targeting older Apache / PHP servers. I logged onto mine a couple of days ago and noticed one of my Virtual Machines was hitting 100% cpu usage. I logged on to that machine and found four instances of bitcoin mining software running. There were script files in the /tmp and /var/tmp folders and www-data had a cron job which checked if the "virus" was running and re-downloaded and installed it if it wasn't.
It took me a bit of time to work it out but it turns out there is a flaw in PHP / PHP5 which allows code to be downloaded and executed by www-data. I've upgraded my server to 12.04 LTS, applied all the updates then removed the PHP functionality from the CGI-BIN which results in the following hackers now appearing in the logs ......
[Sun Nov 10 19:54:04 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.6.4-pl2
[Sun Nov 10 19:54:05 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.6.4-pl3
[Sun Nov 10 19:54:06 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.6.4-pl4
[Sun Nov 10 19:54:07 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.6.4
[Sun Nov 10 19:54:09 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.7.0-beta1
[Sun Nov 10 19:54:10 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.7.0-rc1
[Sun Nov 10 19:54:11 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.7.0-pl1
[Sun Nov 10 19:54:12 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.7.0-pl2
[Sun Nov 10 19:54:14 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.7.0
[Sun Nov 10 19:54:15 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.0-beta1
[Sun Nov 10 19:54:16 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.0-rc1
[Sun Nov 10 19:54:18 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.0-rc2
[Sun Nov 10 19:54:19 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.0
[Sun Nov 10 19:54:20 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.0.1
[Sun Nov 10 19:54:21 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.0.2
[Sun Nov 10 19:54:23 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.0.3
[Sun Nov 10 19:54:24 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.0.4
[Sun Nov 10 19:54:25 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.1-rc1
[Sun Nov 10 19:54:26 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.1
[Sun Nov 10 19:54:27 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpMyAdmin-2.8.2
[Sun Nov 10 19:54:28 2013] [error] [client 203.73.52.194] File does not exist: /var/www/sqlmanager
[Sun Nov 10 19:54:30 2013] [error] [client 203.73.52.194] File does not exist: /var/www/mysqlmanager
[Sun Nov 10 19:54:31 2013] [error] [client 203.73.52.194] File does not exist: /var/www/p
[Sun Nov 10 19:54:33 2013] [error] [client 203.73.52.194] File does not exist: /var/www/PMA2005
[Sun Nov 10 19:54:34 2013] [error] [client 203.73.52.194] File does not exist: /var/www/pma2005
[Sun Nov 10 19:54:35 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpmanager
[Sun Nov 10 19:54:37 2013] [error] [client 203.73.52.194] File does not exist: /var/www/php-myadmin
[Sun Nov 10 19:54:38 2013] [error] [client 203.73.52.194] File does not exist: /var/www/phpmy-admin
[Sun Nov 10 19:54:39 2013] [error] [client 203.73.52.194] File does not exist: /var/www/webadmin
[Sun Nov 10 19:54:40 2013] [error] [client 203.73.52.194] File does not exist: /var/www/sqlweb
[Sun Nov 10 19:54:41 2013] [error] [client 203.73.52.194] File does not exist: /var/www/websql
[Sun Nov 10 19:54:43 2013] [error] [client 203.73.52.194] File does not exist: /var/www/webdb
[Sun Nov 10 19:54:44 2013] [error] [client 203.73.52.194] File does not exist: /var/www/mysqladmin
[Sun Nov 10 19:54:46 2013] [error] [client 203.73.52.194] File does not exist: /var/www/mysql-admin
[Sun Nov 10 19:54:47 2013] [error] [client 203.73.52.194] File does not exist: /var/www/databaseadmin
[Sun Nov 10 19:54:48 2013] [error] [client 203.73.52.194] File does not exist: /var/www/admm
[Sun Nov 10 19:54:50 2013] [error] [client 203.73.52.194] File does not exist: /var/www/admn
[Mon Nov 11 00:24:30 2013] [error] [client 188.190.113.42] script not found or unable to stat: /usr/lib/cgi-bin/php
[Mon Nov 11 00:49:58 2013] [error] [client 186.235.65.104] script not found or unable to stat: /usr/lib/cgi-bin/php
[Mon Nov 11 00:49:58 2013] [error] [client 186.235.65.104] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Mon Nov 11 00:49:58 2013] [error] [client 186.235.65.104] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Mon Nov 11 00:49:59 2013] [error] [client 186.235.65.104] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Mon Nov 11 00:49:59 2013] [error] [client 186.235.65.104] script not found or unable to stat: /usr/lib/cgi-bin/php4

Worth double checking your /tmp, /var/tmp, cronjobs and CPU usage if you're running an older server.
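The error-log excerpt above is the pattern to look for: a single client walking a list of admin-panel directory names within seconds, or a client hunting for a PHP handler under cgi-bin. The script below is an added example, not from the original post, that triages an Apache 2.2-style error log for exactly those two messages and reports each client that produced a burst of them. It assumes the 2.2 log prefix shown in the post (Apache 2.4 adds a module name and pid, so the regex would need adapting); the sample log it carries is constructed with RFC 5737 documentation addresses rather than the real IPs from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): triage an Apache 2.2-style error log
# for the probing pattern in the thread. One client walking a list of admin-panel
# paths produces a burst of "File does not exist" lines; a client looking for a
# PHP handler under cgi-bin produces "script not found or unable to stat" lines.
#
# Usage: probe_report ERROR_LOG [THRESHOLD]
# Prints one line per client with at least THRESHOLD (default 10) such lines:
#   <client> <lines> <distinct paths> <cgi-bin probes> <first seen> <last seen>
probe_report() {
    log="$1"
    threshold="${2:-10}"
    awk -v threshold="$threshold" '
        /\[error\] \[client [0-9.]+\] (File does not exist|script not found or unable to stat): / {
            client = $8; sub(/\]$/, "", client)   # "203.0.113.5]" -> "203.0.113.5"
            path = $NF                            # the missing file or script
            when = $2 " " $3 " " $4               # "Nov 10 19:54:04"
            count[client]++
            if (!(client in first)) first[client] = when
            last[client] = when
            if (!((client, path) in seen)) { seen[client, path] = 1; distinct[client]++ }
            cgi[client] += (path ~ /^\/usr\/lib\/cgi-bin\//)
        }
        END {
            for (c in count)
                if (count[c] >= threshold)
                    printf "%s %d %d %d %s %s\n", c, count[c], distinct[c], cgi[c], first[c], last[c]
        }' "$log" | sort -k2,2nr
}

# Constructed sample log (documentation addresses, not the IPs from the thread):
# one admin-panel walker, one cgi-bin prober and one benign client with a
# single missing favicon. A non-matching [notice] line is included on purpose.
sample_log() {
    cat <<'EOF'
[Sun Nov 10 19:54:04 2013] [error] [client 203.0.113.5] File does not exist: /var/www/phpMyAdmin-2.6.4-pl2
[Sun Nov 10 19:54:05 2013] [error] [client 203.0.113.5] File does not exist: /var/www/phpMyAdmin-2.8.0
[Sun Nov 10 19:54:06 2013] [error] [client 203.0.113.5] File does not exist: /var/www/sqlmanager
[Sun Nov 10 19:54:07 2013] [error] [client 203.0.113.5] File does not exist: /var/www/mysqladmin
[Sun Nov 10 19:54:09 2013] [error] [client 203.0.113.5] File does not exist: /var/www/webadmin
[Mon Nov 11 00:49:58 2013] [error] [client 198.51.100.7] script not found or unable to stat: /usr/lib/cgi-bin/php
[Mon Nov 11 00:49:58 2013] [error] [client 198.51.100.7] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Mon Nov 11 00:49:59 2013] [error] [client 198.51.100.7] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Mon Nov 11 08:12:41 2013] [error] [client 192.0.2.9] File does not exist: /var/www/favicon.ico
[Mon Nov 11 08:12:42 2013] [notice] caught SIGTERM, shutting down
EOF
}

# Demo: write the sample to a temp file and report clients with 3 or more probe lines.
demo_log=$(mktemp)
sample_log > "$demo_log"
probe_report "$demo_log" 3
rm -f "$demo_log"
```

The distinguishing signal is many distinct missing paths from one client in a short window, not any single 404, which is why the benign favicon client never appears. The cgi-bin column separates the two scanner types: the first post's attack needed a reachable php handler under cgi-bin, so clients with a non-zero count there are the ones to watch once PHP has been removed from it. For automated banning, fail2ban's stock apache-noscript filter matches the "script not found or unable to stat" message from this same log.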
5 REPLIES
Gabe
Community Veteran
Posts: 767
Registered: 29-10-2008

Re: Warning for those running older Apache servers .....

Plus ça change.  Sad
/dev/shm is another place they exploit. Clamscan's another line of defence.
Good luck.
Gabe
picbits
Community Veteran
Posts: 3,428
Thanks: 22
Registered: 18-01-2013

Re: Warning for those running older Apache servers .....

I've been running Clamscan and rkhunter and they are up to date.
I also run fail2ban so have been playing with that and hardening my defences there.  Time I could really have used for other work but I'll fight these scriptkiddies all the way  Grin
Anteaus
Grafter
Posts: 64
Thanks: 1
Registered: 02-08-2007

Re: Warning for those running older Apache servers .....

Seems to me there is something fundamentally wrong with a system which permits webserver scripts to be run from a temp folder. That surely ought not to be allowed, especially as it is outside the webroot.
Gabe
Community Veteran
Posts: 767
Registered: 29-10-2008

Re: Warning for those running older Apache servers .....

Irrespective of webroot, the webserver needs full access to /tmp, etc. The usual fix is to mount it as a noexec, nosuid partition, but I assume Dom's just done that.
Gabe
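The first post's advice to check /tmp, /var/tmp and the www-data cron jobs, Gabe's point about /dev/shm, and the noexec/nosuid mount fix all reduce to three host-side checks. The script below is an added example, not code from anyone in the thread: it lists executable files in the temp directories a web server can write to, dumps the scheduled jobs of the web server account, and reports which of those directories are mounted without noexec, nosuid and nodev. The www-data user and the /var/spool/cron/crontabs path are Debian/Ubuntu defaults and are assumptions for other distributions; the mounts table the demo feeds in is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): post-incident / hardening checks for the
# persistence described in the first post. Assumes Debian/Ubuntu conventions
# (www-data, /var/spool/cron/crontabs); adjust for other distributions.

# 1. Files with any execute bit set under the given temp directories.
#    The droppers described in the thread lived in /tmp and /var/tmp; /dev/shm
#    is the other writable tmpfs. Prints one path per line.
suspicious_execs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) -print 2>/dev/null
    done
    return 0
}

# 2. Scheduled jobs owned by, or referencing, the web server account. A cron
#    entry that re-downloads a payload when its process is missing shows up here.
service_account_cron() {
    user="${1:-www-data}"
    crontab -u "$user" -l 2>/dev/null
    [ -r "/var/spool/cron/crontabs/$user" ] && cat "/var/spool/cron/crontabs/$user"
    grep -lw "$user" /etc/cron.d/* 2>/dev/null
    return 0
}

# 3. Mount options of the temp filesystems, read from a table in /proc/mounts
#    format (pass a file to run offline). Prints one line per directory:
#    "<dir> ok", "<dir> missing: noexec,nosuid" or "<dir> not a separate mount".
#    A directory that is not its own mount inherits the root filesystem's
#    options, so files placed there can be executed.
tmp_mount_check() {
    mounts="${1:-/proc/mounts}"
    for dir in /tmp /var/tmp /dev/shm; do
        opts=$(awk -v d="$dir" '$2 == d { o = $4 } END { print o }' "$mounts")
        if [ -z "$opts" ]; then
            echo "$dir not a separate mount"
            continue
        fi
        missing=""
        for want in noexec nosuid nodev; do
            case ",$opts," in
                *,"$want",*) ;;
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        if [ -n "$missing" ]; then echo "$dir missing: $missing"; else echo "$dir ok"; fi
    done
}

# The corresponding /etc/fstab entry for a hardened /tmp (constructed example):
#   tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,nodev  0  0

# Demo on a constructed mounts table: /tmp lacks noexec, /dev/shm is fully
# hardened and /var/tmp is not mounted separately at all.
demo_mounts=$(mktemp)
printf '%s\n' \
    'tmpfs /tmp tmpfs rw,nosuid,nodev 0 0' \
    'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0' > "$demo_mounts"
tmp_mount_check "$demo_mounts"
rm -f "$demo_mounts"
```

On a live box run `suspicious_execs /tmp /var/tmp /dev/shm`, `service_account_cron www-data` and `tmp_mount_check` as root. One caveat on the noexec fix: some package post-install scripts and build tools expect to execute from /tmp, so test package upgrades after remounting. Also note that noexec stops the dropper from being executed directly but not from being fed to an interpreter that is itself on an executable filesystem, so it is one layer alongside removing the unneeded PHP handler and keeping the packages patched, not a replacement for them.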
picbits
Community Veteran
Posts: 3,428
Thanks: 22
Registered: 18-01-2013

Re: Warning for those running older Apache servers .....

I just killed the PHP under cgi-bin altogether. It isn't needed by this server and I'll be doing an upgrade soon anyway so the immediate danger has been stopped.
I can still see the hackers trying to get in but they get 404'd every time now and banned.