Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
F
F
FacedSID2014-03-25 23:34:04
Apache HTTP Server
FacedSID, 2014-03-25 23:34:04

Why is apache downloading some files from a remote server?

Guys, the trouble is that apache is downloading some obscure files. Here is an excerpt from the error-log

--2014-03-23 06:31:41--  http://78.70.29.192:58455/armeabi
Connecting to 78.70.29.192:58455...
connected.
HTTP request sent, awaiting response...
200 OK
Length: 131812 (129K)
Saving to: `/tmp/armeabi'

      0K .

This is not the first time. When I first encountered this, I forbade php to call the functions: exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, show_source
But after that, such entries still appear. And in / tmp there is nothing of the kind. The file itself is a binary. Moreover, the process of downloading files begins immediately after starting apache.
Who knows where to dig? Maybe someone came across?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
F
FacedSID, 2014-03-26
@FacedSID

Guys, I got advice from a specialist who suggested that I need to dig towards CGI scripts. In the virtual domain settings, the launch of CGI scripts was allowed. The POST request passed such data that forced apache to process this request and execute it as a cgi script. It is enough to disable cgi execution and the problem is solved.

Report
S
Stepan, 2014-03-26
@L3n1n

It is not Apache that downloads, but a php script .. The
log seems to be from wget. So apparently not all exec in php you banned.

Report
R
Roman Sivakov, 2014-03-30
@rsivakov

the backdoor can be updated, maybe he wanted)))
armeabi.so he might want to.
some isp manager updates, or someone else.
There you can see from the link what exactly he is downloading.
xs what it does, and at the end
information'№u'ЖРЖШД(=A'aeabi4T .shstrtab.init.text.fini.rodata.ARM.exidx.eh_frame.init_array.fini_array.jcr.data.bss.ARM.attributesіАі»A »ћЎФYФў®Y®ўl#%pВ}e0}e:AFARAW

Report
S
Sergey Brovko, 2014-04-11
@cyber01

I tried to download this file - the antivirus started swearing that it was a Linux/Darlloz.B worm Linux.Darlloz
- a network worm for Linux devices
Apache.
I also read here that he uses the Parallels Plesk Panel vulnerability and the PHP vulnerability, then rebuild / reinstall PHP as well.
PS also found information that this worm is used to mine *coin on the affected machine

Similar questions
M
mr_drinkens892015-04-11 23:57:39
How to make a newsletter from the site? 2Reply
A
Alexosplain2015-06-19 16:33:47
How to trigger Print Preview in Internet Explorer 10+ for an iframe in a document? 1Reply
O
OKNOZA2015-06-21 23:31:05
Can I not use NodeJS templating engine? 7Reply
B
Bagumices2014-06-17 06:15:06
How to give permission to execute a PHP script? 1Reply
M
muhasa2018-12-15 16:25:06
Why can't I block access to a specific file? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question