Copy & Paste: ZmEu attack

FOR MEMO...

To check some service abnormal, and found lots of zmeu processes there ...

$ ps aux
:

:

root 3413 0.0 0.7 9024 7556 ? S Jul09 0:01 /bin/sh ./goa 70
root 6402 0.0 0.0 768 560 ? S Jul09 1:35 ./zmeu ip.80 vuln.txt 100 cgi
root 8742 0.0 0.0 772 580 ? S 13:23 0:00 ./zmeu ip.80 vuln.txt 100 cgi
root 9011 0.0 0.0 772 580 ? S 13:23 0:00 ./zmeu ip.80 vuln.txt 100 cgi
root 9649 0.0 0.0 772 580 ? S 13:27 0:00 ./zmeu ip.80 vuln.txt 100 cgi
root 9700 89.5 0.0 772 576 ? R Jul08 6504:52 ./zmeu ip.80 vuln.txt 100 cgi
:
:
root 9930 0.0 0.0 772 580 ? S 13:28 0:00 ./zmeu ip.80 vuln.txt 100 cgi
root 9932 0.0 0.0 772 580 ? S 13:28 0:00 ./zmeu ip.80 vuln.txt 100 cgi

$ find . | grep zmeu
./var/cache/man/. /pma/zmeu

$ cd ./var/cache/man/.\ /pma/zmeu

$ pwd
/var/cache/man/. /pma

$ tree
.
|-- PRIVATE
| |-- L
| |-- x
| `-- x.php
|-- cgi
|-- global
|-- goa
|-- gob
|-- ip.txt
|-- nohup.out
|-- rand
|-- ss
|-- x
`-- zmeu

$ cd ..

$ mv .\ / Zmmm

$ killall -9 zmeu

$ ps aux

root 11876 0.0 0.4 16964 4384 ? R 13:36 0:00 php PRIVATE/exploitx.php -a http://70.84.8.139/phpMyAdmin/

$ kill -9 11876

$ rm -rf Zmmm

====================================

$ vi .htaccess

RewriteEngine On

### ZmEu attack

RewriteCond %{HTTP_USER_AGENT} ^ZmEu

RewriteRule .* - [F]

Copy & Paste

2012/07/13

ZmEu attack

沒有留言: