Files deleted. What could have happened?

Posted by jjfine on Server Fault See other posts from Server Fault or by jjfine
Published on 2010-04-08T13:06:07Z Indexed on 2010/04/08 13:13 UTC
Read the original article Hit count: 287

Filed under:
|
|
|
|

I'm having a weird issue today. I was writing and testing out some simple cgi scripts this morning when I realized that I couldn't run them from one of the other computers on the (windows) network. So I had my network admin come in and take a look at what was going on. A few minutes later a co-worker came in and told me that a bunch of files he was working with as well as a bunch of others (all *.c files) on the network drive got deleted. He also noticed some strange apache_dump_500.log.txt files in the same directories where the files got deleted.

The apache_dump_500.log.txt files all look like this:

REDIRECT_HTTP_ACCEPT=*/*, image/gif, image/x-xbitmap, image/jpeg
REDIRECT_HTTP_USER_AGENT=Mozilla/1.1b2 (X11; I; HP-UX A.09.05 9000/712)
REDIRECT_PATH=.:/bin:/usr/local/bin:/etc
REDIRECT_QUERY_STRING=
REDIRECT_REMOTE_ADDR=<my computer's local ip>
REDIRECT_REMOTE_HOST=
REDIRECT_SERVER_NAME=<my computer's domain url>
REDIRECT_SERVER_PORT=
REDIRECT_SERVER_SOFTWARE=
REDIRECT_URL=/cgi-bin/trojan.py

I looked and I don't have any trojan.py in my cgi-bin folder. And all my apache logs are clean. Windows event logger seems to not have any traces of what happened either.

My httpd.conf: http://pastebin.com/Yny2Yh8v

I think we've got some kind of virus that added this trojan.py file to my cgi-bin, ran the script, and deleted the script and any traces from the logs. Is this a thing that happens?

Any ideas whatsoever would be much appreciated!

© Server Fault or respective owner

Related posts about apache

Related posts about virus