Portal Home > Knowledgebase > Articles Database > Server sending bad requests

Server sending bad requests

Posted by mifbody, 07-25-2008, 06:21 PM
Well, guess my server is still effed up from the MPack attack that I received. I just received the following email, does anyone know what this means or how it could be done? The client IP is mine, so some how my server is sending that request? (malwarebytes.org) Server Log: [Thu Jul 24 13:05:07 2008] [error] [client] mod_security: Access denied with code 403. Pattern match "\\\\.\\\\.\\\\./" at THE_REQUEST [id "300006"] [rev "1"] [msg "Bogus Path denied"] [severity "CRITICAL"] [hostname "www.malwarebytes.org"] [uri "/errors.php?error=http://www.metal-headz.co.uk//modules/coppermine/include/ .../.../.../.../.../.../check.txt??"] [unique_id "tNAGeH8AAAEAAEsfD7wAAAAO"] [Thu Jul 24 13:05:07 2008] [error] [client] mod_security: Access denied with code 403. Pattern match "\\\\.\\\\.\\\\./" at THE_REQUEST [id "300006"] [rev "1"] [msg "Bogus Path denied"] [severity "CRITICAL"] [hostname "www.malwarebytes.org"] [uri "/forums/errors.php?error=http://www.metal-headz.co.uk//modules/coppermine/i nclude/.../.../.../.../.../.../check.txt??"] [unique_id "tNAPAn8AAAEAAD7mqWQAAAAl"] http://www.mediafire.com/?gmvjl7zbkzx is the RKHunter scan log http://www.mediafire.com/?gq1pmdi4sil is the ChkRootKit scan log. I'm going through this thread right now: http://www.webhostingtalk.com/showthread.php?t=607247 ("How-to detect a possible intruder?") and I've come across a handful of hidden directories: I was able to successfully delete all the files, but how do I now get rid of the directories themselves? When I do: rm -fr "/arcade/images/. /" and then locate ". " I still get: Last edited by P-nut; 07-27-2008 at 09:01 AM. Reason: Condense information

Posted by mifbody, 07-25-2008, 07:38 PM
I just used rpm -VA | less and got the following, does anyone know what this means? Last edited by P-nut; 07-27-2008 at 09:04 AM. Reason: Added [code] tags

Posted by chaosuk, 07-27-2008, 06:53 PM
unfortunately for you, the fact that you have most liekly been infected with a rootkit or trojan of some sort, means that the damage has already been done. Securing your system from the begining is so critical because once this happens, you are left with few options to give you peace of mind. The way i see it you hazve two options to ensure your server is clean and secured from this happening again. 1.) This is the fastest and most reliable way to ensure the server is cleaned properly. Reinstall it! 2.) Take all your services offline to do this. Install a rootkit checker, run it and see what it finds. Examine every find it makes and investigate/repair every oddity it comes up with. Then search your entire parition, including all hidden files, check each one and check the permissions of everything. Make sure all users and groups in /etc/passwd and shadow are correct and match accordingly. Clean up all log files, secure all daemon configuration files and turn on logging for all your web based services. Since this is rpm based im assuming you have selinux installed. Get it up and running and a nice configuration. Get iptables up and running and make sure in/out is fully authorised and only related to what you want to run. Check your /boot partition and do the same abov on there. Update your system packages to all the latest versions. Clear all and any temp areas of the machine up. Reboot it. Let all your services come back online. Monitor your log files like hell for the next week and investigate ANYTHING that appears unrelated to your normal operations. Personally I would go with option 1 only this time secure the box before you make it public. If you dont know how to do this effectively then you hire pople from here (like myself) for a one off fee to do it for you. Good luck.

Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
apache log (Views: 297)