Well, continuing from yesterday's post, I spent more time hunting for what the hell was going on in my server. I didn't think that anyone had managed to actually compromise my server, yet — but something was still going on. I looked in the Apache logs and found that /cbs.pl was requested from my server by 127.0.0.1 — which is exactly as I expected (since I aliased that host name to 127.0.0.1). I found the same requests on a second site of mine also, but… there was no explanation of what was trying to wget. Anyway, I looked through the logs of other sites running fancy software — and I found my culprit. Drupal had been exploited (see log below). And the last "request" time coincides with the GET requests.
217.160.141.45 - - [06/Feb/2006:02:37:09 -0800] "GET /comment/reply/1 HTTP/1.1" 200 19034 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
217.160.141.45 - - [06/Feb/2006:02:37:10 -0800] "POST /comment/reply/1 HTTP/1.1" 200 19041 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
217.160.141.45 - - [06/Feb/2006:02:37:11 -0800] "POST /comment/reply/1 HTTP/1.1" 200 17249 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
217.160.141.45 - - [06/Feb/2006:02:37:32 -0800] "GET /comment/reply/1 HTTP/1.1" 200 19034 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
217.160.141.45 - - [06/Feb/2006:02:37:32 -0800] "POST /comment/reply/1 HTTP/1.1" 200 19031 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
217.160.141.45 - - [06/Feb/2006:02:37:33 -0800] "POST /comment/reply/1 HTTP/1.1" 200 17255 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
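The way the culprit was found above (spot the odd user-agent, notice the burst of POSTs to /comment/reply, line the timestamps up with the localhost fetch of /cbs.pl) can be scripted, so the same check can be run over the other sites' logs instead of eyeballing them. The script below is an added example, not code from the original post; it parses Apache combined-format lines and applies those three checks. The first six sample lines are the ones quoted in the post; the remaining three lines (two benign hits from 192.0.2.x and a Wget fetch of /cbs.pl from 127.0.0.1) are constructed here so that the time correlation has something to match, and the "Morzilla"/"EXPLOIT" markers, the 60-second burst window and the 120-second follow-up window are assumptions chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format. The two \S+ after the client IP are ident and authuser ("-" here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample input: lines 1-6 are the ones quoted in the post; lines 7-9 are made up
# (two ordinary visitors and the localhost wget of /cbs.pl the post describes) for the example.
SAMPLE_LOG = """\
217.160.141.45 - - [06/Feb/2006:02:37:09 -0800] "GET /comment/reply/1 HTTP/1.1" 200 19034 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
217.160.141.45 - - [06/Feb/2006:02:37:10 -0800] "POST /comment/reply/1 HTTP/1.1" 200 19041 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
217.160.141.45 - - [06/Feb/2006:02:37:11 -0800] "POST /comment/reply/1 HTTP/1.1" 200 17249 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
217.160.141.45 - - [06/Feb/2006:02:37:32 -0800] "GET /comment/reply/1 HTTP/1.1" 200 19034 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
217.160.141.45 - - [06/Feb/2006:02:37:32 -0800] "POST /comment/reply/1 HTTP/1.1" 200 19031 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
217.160.141.45 - - [06/Feb/2006:02:37:33 -0800] "POST /comment/reply/1 HTTP/1.1" 200 17255 "-" "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"
192.0.2.10 - - [06/Feb/2006:02:37:40 -0800] "GET /node/5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.5"
127.0.0.1 - - [06/Feb/2006:02:37:41 -0800] "GET /cbs.pl HTTP/1.0" 404 301 "-" "Wget/1.10.2"
192.0.2.11 - - [06/Feb/2006:03:10:02 -0800] "POST /comment/reply/1 HTTP/1.1" 200 19040 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
"""

# Assumed markers: the taunt string and the misspelled "Mozilla" seen in the post's log.
UA_MARKERS = ("EXPLOIT", "Morzilla")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every line of a log, silently skipping lines that are not combined-format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def bad_user_agent(rec):
    """True if the user-agent carries one of the known-bad markers."""
    return any(marker in rec["ua"] for marker in UA_MARKERS)


def post_bursts(records, path_prefix="/comment/reply/", window=timedelta(seconds=60), threshold=3):
    """IPs that POSTed to path_prefix at least `threshold` times inside `window`.
    Returns {ip: timestamp of that IP's last such POST}, which is the anchor for the next check."""
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"].startswith(path_prefix):
            by_ip[r["ip"]].append(r["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = times[-1]
                break
    return hits


def local_fetches_after(records, since, window=timedelta(seconds=120)):
    """Requests the server made to itself (client 127.0.0.1) shortly after `since`.
    That is how the post's wget of /cbs.pl showed up: the compromised app fetching a second stage."""
    return [r for r in records if r["ip"] == "127.0.0.1" and since <= r["ts"] <= since + window]


def analyze(text):
    """Run all three checks and return the offending IPs plus any localhost follow-up fetches."""
    records = parse_log(text)
    bad_ua = sorted({r["ip"] for r in records if bad_user_agent(r)})
    bursts = post_bursts(records)
    follow = {ip: [r["path"] for r in local_fetches_after(records, last)] for ip, last in bursts.items()}
    return {"bad_ua_ips": bad_ua, "burst_ips": sorted(bursts), "local_fetch_after": follow}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above all three checks point at 217.160.141.45, and the localhost fetch of /cbs.pl lands eight seconds after that IP's last POST, which is the timing correlation the post relies on. The user-agent check is the weakest of the three (an attacker who does not announce himself sails past it), so on a real log the burst and the localhost follow-up are the checks worth keeping.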
I've banned my favorite block of IPs (Class A 200-222) and contacted the site admin — hopefully we can get this dealt with and fixed (aka upgraded, as this is Drupal 4.6.0). Sigh, that's the one problem with fancy software — always exploited.