MD5 Issue and history stats messed up

SicKk
Posts: 1
Joined: Thu Aug 20, 2009 8:06 pm

Post by SicKk »

hi support,

after countless attempts, of a friend, to get the support on icq i'm giving it a shot to ask for help here in this forum.
here we go:

all the copies are on 2x Ubuntu 8.04 LTS (Linux kernel 2.6.x - 64 bit) servers, 1x FreeBSD 6 and 1x Debian 5

the first issue is the MD5 file integrity check.

I (we) get on some TE v2 copies this message :

- admin.cgi md5 cheksum failed! Correct md5 for this file is '588a612542eda9409580ac4689fc923c'! Please update your system!

the problem is that the script is showing me this list of the checked files that passed the md5 check :

accept.cgi Passed 63b646a35c39da757cda1ef457a18484
admin.cgi Passed 61e69edc4cc0ceb8a0a26e40a999a919
image.cgi Passed c551a53cce2f15aacafdce5e88778624
in.cgi Passed cceed4e1145ae64bd3415a2032d2e35d
login.cgi Passed 8ae524f856f4e50b75802f66808bdf47
o.cgi Passed 4b99e95ebc9c3c55660c0cc2cc1fc409
plogin.cgi Passed 8c76e004b444d248444ea987fa81697f
rlogin.cgi Passed 09929208f37217672f99cce421a69e9e
webmaster.cgi Passed 5813714c0f9755cb8fd80a569849e947
woverview.cgi Passed 0b8f32f81a981d0dd5a0af32a20f55e1
wlogin.cgi Passed 80186ec427d7b5e08d8d9e03fdd45331
cstat_in Passed 7375582af9e4f25828acc6a637ed3d11
cping_in Passed 71253f40eb5e10c9b005f21e27847f06
rlookup Passed a58ac3427df728132662f510248e0aa3

and exactly the same MD5 hash on the failed :

accept.cgi Failed 63b646a35c39da757cda1ef457a18484
admin.cgi Failed 61e69edc4cc0ceb8a0a26e40a999a919
image.cgi Failed c551a53cce2f15aacafdce5e88778624
in.cgi Failed cceed4e1145ae64bd3415a2032d2e35d
login.cgi Failed 8ae524f856f4e50b75802f66808bdf47
o.cgi Failed 4b99e95ebc9c3c55660c0cc2cc1fc409
plogin.cgi Failed 8c76e004b444d248444ea987fa81697f
rlogin.cgi Failed 09929208f37217672f99cce421a69e9e
webmaster.cgi Failed 5813714c0f9755cb8fd80a569849e947
woverview.cgi Failed 0b8f32f81a981d0dd5a0af32a20f55e1
wlogin.cgi Failed 80186ec427d7b5e08d8d9e03fdd45331
cstat_in Failed 7375582af9e4f25828acc6a637ed3d11
cping_in Failed 71253f40eb5e10c9b005f21e27847f06
rlookup Failed a58ac3427df728132662f510248e0aa3

the second issue is the history stats :

i've done some research and i've seen this thread http://forum.tradeexpert.net/viewtopic.php?f=2&t=196
done that and it worked a bit. which means, the main history stats are on the same date 1st oct 2010, but i can see the history stats of every trader separately.

and the last issue is that i think that someone got in through the TE script on one of my ubuntu servers !
you may say :"prove it" and i say:"o.k. here it is !"

- there is only one sitebuilding script on the server and it's a custom made script. so no one knows where to attack. the files are only on the server when there is a site update.
- the only trade script that is running on the server is Trade Expert V2.2
- the index listing is disabled on the server, and the server is updated+upgraded on a daily basis.
- done some research and only the owner of the cgi-bin/te folder was changed to 2775, that reminds me of a chmod and not of an owner that exist.
- i've seen a user account "`Zk" in files and folders that has never been created by me nor by my friend.

cgi-bin/te/tdata/udata/`Zk
cgi-bin/te/tedata/idata/userdb -> one user data was duplicated from one of the accounts
cgi-bin/te/tedata/cust/cgraph/`Zk.dat
cgi-bin/te/tedata/cust/chist/`Zk.dat
cgi-bin/te/tedata/cust/chist_det/`Zk.dat
cgi-bin/te/tedata/cust/cstat/`Zk.dat

all accounts have very strong passwords, none of the computers has viruses, trojans etc.

the next thing is, there was a file in my /tmp/ folder, and here is the source code :

Code:

#! /bin/sh
case /var/log/wtmp.1 in */log/*|*/logs/*) cat wtmp.1 ;; *) nroff  -man wtmp.1 ;; esac | sensible-pager
/bin/rm -f /tmp/mc-root/mcextfk8509

i know that the script is supposed to delete log files.

and now it's your turn to explain to me why only a few copies on the same server are "corrupted", with the same rights, and some are not. but, what is maybe the most important fact is that on different servers the story continues.

regards
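
Added example, not part of the original post and not Trade Expert code: when a script's built-in MD5 report contradicts itself, the files can be checked from outside the application against a manifest taken from a known-good copy, which also surfaces files that were never part of the install. The function names, manifest file and demo tree are assumptions constructed for illustration; GNU md5sum is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU md5sum and a manifest in
# md5sum format ("<md5>  <relative path>") built from a known-good copy.

# Print one finding per line where DIR disagrees with MANIFEST.
findings() {
    manifest=$1; dir=$2
    # 1) every listed file must exist and hash to the recorded value
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; continue
        fi
        got=$(md5sum < "$dir/$path" | cut -d' ' -f1)
        [ "$got" = "$want" ] || echo "MISMATCH $path expected=$want actual=$got"
    done < "$manifest"
    # 2) every file on disk must be listed; extras are reported
    (cd "$dir" && find . -type f | sed 's|^\./||' | sort) |
    while IFS= read -r f; do
        sed 's/^[0-9a-f]*  *//' "$manifest" | grep -qxF -- "$f" ||
            echo "UNEXPECTED $f"
    done
}

# Exit status 0 only when the tree matches the manifest exactly.
verify_tree() {
    out=$(findings "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demo: reference tree, then a copy with one edit and one extra file.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/good/cust" "$t/live"
    printf 'print "admin";\n' > "$t/good/admin.cgi"
    printf 'print "in";\n' > "$t/good/in.cgi"
    printf 'stats\n' > "$t/good/cust/a.dat"
    (cd "$t/good" && find . -type f | sed 's|^\./||' | sort | xargs md5sum) > "$t/manifest"
    cp -R "$t/good/." "$t/live/"
    printf '# changed\n' >> "$t/live/admin.cgi"
    printf 'x\n' > "$t/live/cust/"'`Zk.dat'
    verify_tree "$t/manifest" "$t/live" && rc=0 || rc=$?
    rm -rf "$t"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The manifest should be generated on a machine other than the server being checked, and the comparison run with tools from the operating system rather than from the application directory.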
texpert
Site Admin
Posts: 719
Joined: Sat Mar 14, 2009 5:54 pm

Re: MD5 Issue and history stats messed up

Post by texpert »

Hello,

i've never received any ICQ messages from you! I have all ICQ messages answered on a daily basis (actually several times a day).
Your messages never got through. Give me your ICQ number and i'll try to contact you.

regards,
Jim