4

My provider informed me that there is an outbound attack from my web server. On further inspection I saw this in my Apache error.log file:

--2012-02-04 04:40:59--  http://www.luxelivingforum.com/wp-content/themes/lifestyle/run
Resolving www.luxelivingforum.com... 184.168.113.199
Connecting to www.luxelivingforum.com|184.168.113.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68338 (67K) [text/plain]
Saving to: `./run'

     0K .......... .......... .......... .......... .......... 74% 61.8K 0s
    50K .......... ......                                     100% 11.1M=0.8s

2012-02-04 04:41:01 (82.4 KB/s) - `./run' saved [68338/68338]
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 174.
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 211.
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 244.
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 251.

What could the above mean?

Ladadadada
  • 27,207
Proy
  • 43

2 Answers

7

Your server must have been compromised and is now being remotely commanded to launch attacks. You should recover your last uncompromised backup and immediately patch your WordPress installation. You must monitor the security advisories for WordPress (and WordPress plugins) on a daily basis.

drcelus
  • 1,254
0

That doesn't look like the sort of thing that should be in an Apache error log. Are you (or is your hosting provider) sending your logs through syslog?

In any case, you have a clear indication of a compromise here. The file in question is a bot of some sort (I haven't had time to analyse it myself yet) and is probably running on your system right now and attacking other people's systems.

Two things you should do straight away, even before the standard advice of "wipe everything, reinstall from backups", are to find the pid of the bot using ps -ef | grep bot.pl and then kill it using kill -9 <the pid you found>. You may also want to delete the bot code, which will be called "bot.pl". You can probably find it with locate bot.pl.

The bot doesn't look particularly clever or sophisticated and doesn't seem to have done anything to hide its tracks. After killing it and deleting the bot code, you are probably clean. But you can never be sure once you have been compromised until you do the wipe-and-reinstall procedure.

The last thing you should do is to try and figure out how they got in so you can close the hole. If you do the wipe-and-install, make sure to keep a copy of all your logs for analysis later. The Apache access logs for the same time period should give you a hint as to what they did.

Ladadadada
  • 27,207
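A small triage script added here to illustrate the steps in the answer above (it is not code from the question or from either answerer): it pulls the indicators out of the error log excerpt, lists processes running the dropped script the way the ps | grep step does, and keeps a hashed copy of the file before it is killed or deleted. It assumes wget-style transfer lines and Perl warnings of the shape shown in the question; the sample log is a constructed, shortened copy of that excerpt.

```shell
#!/bin/sh
# Triage helper added for this thread (not code from the question or answers).
# It follows the second answer: extract the indicators from the Apache error
# log, list processes running the dropped script, and keep a hashed copy of
# the evidence before anything is killed or deleted. Assumes wget-style
# transfer lines and Perl warnings, as in the excerpt above.

# Constructed sample: a shortened copy of the error.log excerpt in the question.
SAMPLE_LOG="${TMPDIR:-/tmp}/sample_error.log"
cat > "$SAMPLE_LOG" <<'EOF'
--2012-02-04 04:40:59--  http://www.luxelivingforum.com/wp-content/themes/lifestyle/run
Saving to: `./run'
2012-02-04 04:41:01 (82.4 KB/s) - `./run' saved [68338/68338]
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 174.
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 211.
EOF

# Print "kind value" lines: the URL fetched, the file it was saved as, and the
# script path(s) named in interpreter warnings (deduplicated).
log_indicators() {
    sed -n 's/^--[0-9-]* [0-9:]*--  \(.*\)$/download-url \1/p' "$1"
    sed -n "s/^Saving to: \`\(.*\)'/dropped-file \1/p" "$1"
    sed -n 's/.* at \(.*\) line [0-9]*\.$/script-path \1/p' "$1" | sort -u
}

# Same idea as "ps -ef | grep bot.pl", but pgrep -f excludes itself, so no
# grep line shows up; prints "pid args" per match and nothing when none.
bot_processes() {
    for pid in $(pgrep -f "$1" 2>/dev/null || true); do
        ps -o pid=,args= -p "$pid" || true
    done
}

# Keep a copy (timestamps preserved), a SHA-256 and the directory listing, so
# the file is still available for the "figure out how they got in" step.
preserve_evidence() {
    mkdir -p "$2"
    cp -p "$1" "$2/"
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } >> "$2/hashes.txt"
    ls -l "$1" >> "$2/listing.txt"
}

# Typical use on a live box (commented out here because it acts on /var/log):
#   log_indicators /var/log/apache2/error.log
#   bot_processes bot.pl          # note the PIDs before "kill -9"
#   preserve_evidence ./bot.pl ./evidence-$(date +%Y%m%d)
log_indicators "$SAMPLE_LOG"
```

Run preserve_evidence before the kill and delete steps, and keep the evidence directory alongside the Apache access logs for the same time window.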