Files deleted. What could have happened?
Posted
by jjfine
on Server Fault
See other posts from Server Fault
or by jjfine
Published on 2010-04-08T13:06:07Z
Indexed on
2010/04/08
13:13 UTC
Read the original article
Hit count: 287
I'm having a weird issue today. I was writing and testing out some simple cgi scripts this morning when I realized that I couldn't run them from one of the other computers on the (windows) network. So I had my network admin come in and take a look at what was going on. A few minutes later a co-worker came in and told me that a bunch of files he was working with as well as a bunch of others (all *.c files) on the network drive got deleted. He also noticed some strange apache_dump_500.log.txt files in the same directories where the files got deleted.
The apache_dump_500.log.txt files all look like this:
REDIRECT_HTTP_ACCEPT=*/*, image/gif, image/x-xbitmap, image/jpeg
REDIRECT_HTTP_USER_AGENT=Mozilla/1.1b2 (X11; I; HP-UX A.09.05 9000/712)
REDIRECT_PATH=.:/bin:/usr/local/bin:/etc
REDIRECT_QUERY_STRING=
REDIRECT_REMOTE_ADDR=<my computer's local ip>
REDIRECT_REMOTE_HOST=
REDIRECT_SERVER_NAME=<my computer's domain url>
REDIRECT_SERVER_PORT=
REDIRECT_SERVER_SOFTWARE=
REDIRECT_URL=/cgi-bin/trojan.py
I looked and I don't have any trojan.py in my cgi-bin folder. And all my apache logs are clean. Windows event logger seems to not have any traces of what happened either.
My httpd.conf: http://pastebin.com/Yny2Yh8v
I think we've got some kind of virus that added this trojan.py file to my cgi-bin, ran the script, and deleted the script and any traces from the logs. Is this a thing that happens?
Any ideas whatsoever would be much appreciated!
© Server Fault or respective owner