Posted to users@httpd.apache.org by "Peter B. West" <pb...@powerup.com.au> on 2002/12/16 05:33:24 UTC

[users@httpd] .cinik

Hello all.

Does anyone have any idea where .cinik comes from or what it is supposed 
to be doing?  I run an httpd on my linux system (Redhat 7.3, apache 
1.3.23) at home, purely as a training exercise.  I sometimes notice 
unusual network activity while connected (dialup ppp), and on a couple 
of occasions recently, the culprit has been .cinik, owned and run by 
apache.apache.  What's curious about .cinik is that it turns up in the 
strangest places: /tmp/.font-unix/.cinik/.cinik, 
/var/cache/httpd/.cinik, /var/lib/dav/.cinik.  Does anyone know where 
this thing comes from, or what it is doing?

Peter
-- 
Peter B. West  pbwest@powerup.com.au  http://www.powerup.com.au/~pbwest/
"Lord, to whom shall we go?"


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] .cinik

Posted by JDeSalle <jd...@earthlink.net>.
Peter,
This is a "Worm" and it doesn't come with redhat 7.3, contrary to what 
was explained by another person.
The first thing you need to do is yank the server from having access to 
the internet.
This is an openssl exploit. You need to upgrade to openssl 9.6g and 
recompile your apps to use the new version of openssl.

This is exploited through the web server but isn't a hole in apache 
itself. It uses apache to look for port 443 or port 80 and checks the 
version of openssl. If it's a version lower than 9.6e you are 
vulnerable. If it finds the correct conditions it is able to deposit 
source files to your /tmp and /var directories and compile itself. Look 
for .socket directories also. Once compiled it is able to open all the 
ports on your box, and if you have iptables set up for your firewall it 
sets itself up there too. So you will have to find all the worm files 
or it will keep opening up all those ports in your firewall. Your best 
bet, if you aren't sure whether any of the files are still present, is 
to blow away the box and reinstall. And make sure you use openssl 9.6g 
or better.

jd

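The two checks jd's reply describes, hunting for hidden .cinik / .socket entries under /tmp and /var and comparing the installed OpenSSL against the cut-off he gives (written there as 9.6e / 9.6g, i.e. OpenSSL 0.9.6e / 0.9.6g), as an added shell triage helper. This is example code written for this page, not code from the thread, from Red Hat or from the Apache project. The sample directory tree inside it is constructed for the demonstration from the paths Peter listed; the search roots and the "apache" user name are taken from the posts and are assumptions for any other host.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. It checks for the two
# things the reply above says to check: hidden ".cinik" / ".socket"
# entries under /tmp and /var, and an OpenSSL version older than 0.9.6e
# (the cut-off the reply gives). The sample tree below is constructed for
# the demonstration; the search roots and the "apache" user are taken
# from the posts and are assumptions for your own host.

# Print every ".cinik" or ".socket" file or directory under the given
# roots, one path per line. Roots that do not exist are skipped.
find_worm_artifacts() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" \( -name '.cinik' -o -name '.socket' \) -print 2>/dev/null || :
    done
}

# Number of matches across the given roots (0 when the tree is clean).
count_worm_artifacts() {
    find_worm_artifacts "$@" | wc -l | tr -d ' '
}

# Take the output of `openssl version` (e.g. "OpenSSL 0.9.6b 9 Jul 2001")
# and return 0 when it is older than 0.9.6e, 1 when it is 0.9.6e or newer,
# 2 when the string cannot be parsed. Only the 0.9.6x / 0.9.7x scheme of
# the period is handled: three numeric parts plus an optional letter.
openssl_below_cutoff() {
    printf '%s\n' "$1" | awk '
    {
        n = split($2, p, ".")
        if (n < 3) exit 2
        patch = p[3]; letter = "0"          # "0" sorts before "a"
        if (match(patch, /[a-z]+$/)) {
            letter = substr(patch, RSTART)
            patch  = substr(patch, 1, RSTART - 1)
        }
        key = sprintf("%03d%03d%03d%s", p[1], p[2], patch, letter)
        if (key < "000009006e") exit 0
        exit 1
    }'
}

# Build a constructed directory tree that mirrors the paths Peter listed,
# plus one benign X font-server socket name and one .socket hit. Prints
# the root so the caller can scan and then remove it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp/.font-unix/.cinik" \
             "$root/var/cache/httpd" "$root/var/lib/dav" "$root/var/tmp/.socket"
    : > "$root/tmp/.font-unix/.cinik/.cinik"
    : > "$root/tmp/.font-unix/fs7100"        # legitimate xfs socket name, must not match
    : > "$root/var/cache/httpd/.cinik"
    : > "$root/var/lib/dav/.cinik"
    printf '%s\n' "$root"
}

# Live scan of the current host: disk artifacts, processes of the web
# server user, and the firewall rule set (the reply says the worm edits it).
scan_live_host() {
    echo "== hidden .cinik/.socket entries under /tmp and /var =="
    find_worm_artifacts /tmp /var
    echo "== processes running as the apache user =="
    ps -U apache -o pid,ppid,etime,args 2>/dev/null || echo "(no apache user or ps -U unsupported)"
    if command -v iptables >/dev/null 2>&1; then
        echo "== current iptables rules =="
        iptables -L -n 2>/dev/null || echo "(need root to list iptables)"
    fi
}

if [ "${1:-}" = "--scan" ]; then
    scan_live_host
fi
```

Run it as `sh cinik_triage.sh --scan` on the suspect box after pulling its network cable, as the reply advises, or against a mounted copy of its disks. A clean result only means these particular names were not found; it does not prove the host is clean, which is why the reply recommends a rebuild when in doubt.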


Re: [users@httpd] .cinik

Posted by Wasiuddin Rajesh <ra...@ThePerfectIsp.Net>.
hi 

The "cinik" comes with the redhat 7.3 distribution. I suffered a lot from
this. It comes with redhat 7.3's apache patch. It starts transmitting to a
hell of a lot of servers, causing heavy network traffic on both the local
& remote servers.

Thanks & Best Regards,

Mohammad Wasiuddin Rajesh 
System Administrator.

Net Access Bangladesh 
http://www.netaccessbd.com 
ThePerfectIsp.Net
_________________________
