Posted to users@httpd.apache.org by "Peter B. West" <pb...@powerup.com.au> on 2002/12/16 05:33:24 UTC
[users@httpd] .cinik
Hello all.
Does anyone have any idea where .cinik comes from or what it is supposed
to be doing? I run an httpd on my linux system (Redhat 7.3, apache
1.3.23) at home, purely as a training exercise. I sometimes notice
unusual network activity while connected (dialup ppp), and on a couple
of occasions recently, the culprit has been .cinik, owned and run by
apache.apache. What's curious about .cinik is that it turns up in the
strangest places: /tmp/.font-unix/.cinik/.cinik,
/var/cache/httpd/.cinik, /var/lib/dav/.cinik. Does anyone know where
this thing comes from, or what it is doing?
Peter
--
Peter B. West pbwest@powerup.com.au http://www.powerup.com.au/~pbwest/
"Lord, to whom shall we go?"
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] .cinik
Posted by JDeSalle <jd...@earthlink.net>.
Peter,
This is a "Worm" and it doesn't come with redhat 7.3 as was explained
by another person.
The first thing you need to do is yank the server from having access to
the internet.
This is an openssl exploit. You need to upgrade to openssl 9.6g and
recompile your apps to use the new version of openssl.
This is exploited through the web server but isn't a hole in apache
itself. It uses apache to look for port 443 or port 80 and checks the
version of openssl. If it's a version lower than 9.6e you are vulnerable.
If it finds the correct conditions it is able to deposit source files to
your /tmp and /var directories and compile itself. Look for .socket
directories also. Once compiled it is able to open all the ports on your
box, and if you have iptables set up for your firewall it sets itself up
there too. So you will have to find all the worm files or it will keep
opening up all those ports in your firewall.
Your best bet, if you aren't sure whether any of the files are still
present, is to blow away the box and reinstall. And make sure you use
openssl 9.6g or better.
jd
Peter B. West wrote:
> Hello all.
>
> Does anyone have any idea where .cinik comes from or what it is
> supposed to be doing? I run an httpd on my linux system (Redhat 7.3,
> apache 1.3.23) at home, purely as a training exercise. I sometimes
> notice unusual network activity while connected (dialup ppp), and on a
> couple of occasions recently, the culprit has been .cinik, owned and
> run by apache.apache. What's curious about .cinik is that it turns up
> in the strangest places: /tmp/.font-unix/.cinik/.cinik,
> /var/cache/httpd/.cinik, /var/lib/dav/.cinik. Does anyone know where
> this thing comes from, or what it is doing?
>
> Peter
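A small triage script covering what the two posts above describe: the drop locations Peter lists (.cinik under /tmp and /var, running as the apache user), the .socket directories JD mentions, and JD's OpenSSL version check. This is an added example, not code from either poster or from the Apache project. The file names, directories and the apache user come from the posts; the threshold 0.9.6e is my reading of the post's "9.6e"; the function names and the sample directory tree are my own.

```shell
#!/bin/sh
# Triage helper for the ".cinik" dropper described in the thread (added example).
# The scan root is a parameter so the same checks can be run against a copied
# filesystem image rather than the live box that JD recommends reinstalling.

# List files or directories named .cinik or .socket below ROOT. The posts name
# /tmp/.font-unix, /var/cache/httpd and /var/lib/dav as drop locations, but the
# worm is said to compile itself anywhere under /tmp and /var, so search by name.
find_suspect_paths() {
    root="${1:-/}"
    find "$root" \( -name '.cinik' -o -name '.socket' \) 2>/dev/null | sort
}

# Extract the bare version token ("0.9.6c") from an `openssl version` banner.
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Return 0 (true) when version A sorts before version B. The three numeric
# components are compared first, then the single-letter patch suffix on the
# last component, so 0.9.6c < 0.9.6e < 0.9.6g < 0.9.7.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, A, "."); split(b, B, ".")
        for (i = 1; i <= 3; i++) {
            x = A[i] + 0; y = B[i] + 0        # numeric prefix of each component
            if (x != y) exit !(x < y)
        }
        sa = A[3]; gsub(/^[0-9]+/, "", sa)    # letter suffix, e.g. "c"
        sb = B[3]; gsub(/^[0-9]+/, "", sb)
        exit !(sa < sb)
    }'
}

# Exit 0 when the OpenSSL reported by BANNER is older than THRESHOLD.
# THRESHOLD defaults to 0.9.6e, my reading of the post's "lower than 9.6e".
openssl_vulnerable() {
    banner="$1"; threshold="${2:-0.9.6e}"
    version_lt "$(openssl_version_token "$banner")" "$threshold"
}

# Processes owned by the web server user whose command line mentions the
# dropped names; the first post reports .cinik running as apache.apache.
suspect_processes() {
    user="${1:-apache}"
    ps -u "$user" -o pid=,user=,args= 2>/dev/null | grep -E '\.(cinik|socket)' || true
}

main() {
    root="${1:-/}"
    echo "== suspect paths under $root"
    find_suspect_paths "$root"
    echo "== suspect processes"
    suspect_processes apache
    banner="$(openssl version 2>/dev/null)"
    echo "== openssl: ${banner:-not found}"
    if [ -n "$banner" ] && openssl_vulnerable "$banner"; then
        echo "openssl is older than 0.9.6e: upgrade and rebuild dependants"
    fi
    # JD notes the worm also edits iptables, so the rule set is worth a look.
    command -v iptables >/dev/null 2>&1 && echo "== iptables" && iptables -L -n 2>/dev/null
}

# Run the checks only when a root is given, e.g. `sh triage.sh /` or a copied image.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The version comparison is deliberately limited to the 0.9.6x naming scheme of the time; a hit from the file search is a stronger signal than the version check alone, since a patched library that was never rebuilt into httpd would still report the new version.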
Re: [users@httpd] .cinik
Posted by Wasiuddin Rajesh <ra...@ThePerfectIsp.Net>.
hi
the "cinik" comes with the redhat 7.3 distribution. I suffered a lot for
this. It comes with 7.3 redhat's apache patch. It starts transmitting to a
hell of a lot of servers, causing heavy network traffic to both the local
& remote server.
Thanks & Best Regards,
Mohammad Wasiuddin Rajesh
System Administrator.
Net Access Bangladesh
http://www.netaccessbd.com
ThePerfectIsp.Net
_________________________
On Mon, 16 Dec 2002, Peter B. West wrote:
> Hello all.
>
> Does anyone have any idea where .cinik comes from or what it is supposed
> to be doing? I run an httpd on my linux system (Redhat 7.3, apache
> 1.3.23) at home, purely as a training exercise. I sometimes notice
> unusual network activity while connected (dialup ppp), and on a couple
> of occasions recently, the culprit has been .cinik, owned and run by
> apache.apache. What's curious about .cinik is that it turns up in the
> strangest places: /tmp/.font-unix/.cinik/.cinik,
> /var/cache/httpd/.cinik, /var/lib/dav/.cinik. Does anyone know where
> this thing comes from, or what it is doing?
>
> Peter
> --
> Peter B. West pbwest@powerup.com.au http://www.powerup.com.au/~pbwest/
> "Lord, to whom shall we go?"