Download of ImageMagick 6.6.0-8 hacked?
Posted: 2010-03-21T13:40:08-07:00
Dear ImageMagick (users),
Today I downloaded the latest ImageMagick version from the mirror in The Netherlands that I found on http://www.imagemagick.org/script/download.php
ftp://ftp.nluug.nl/pub/ImageMagick/Imag ... 0-8.tar.gz
I followed the instructions on http://andrewduck.name/2009/01/imagemag ... -centos-5/
Then during the command make install I got disconnected from the internet.
After my connection was restored I could not log in to SSH anymore using the root login. Also WinSCP (sFTP) did not accept my root password anymore.
The host has restored an old password so that I was able to log in again, and then I discovered the following commands in the command log, as if someone has tried to hack the server.
The first questionable command I noticed was:
The second shows someone trying to delete the history and access logs:
rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ; touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ; rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r
The most important thing is: this is a brand new server. ImageMagick is the only and first thing that needed to be installed for a custom made script to get working on it. So there isn't any other possible cause, other than yum update (CentOS) which probably should not be considered as a possible cause.
Can anyone confirm this hack could be caused by the ImageMagick installation? If more information is required, please let me know!
Best Regards,
Jan Jaap
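
Added example, not part of the original post: the rm/touch sequence quoted above leaves the named log files empty with near-identical modification times, and this check looks for that state. The function names, the ROOT parameter (to point at a mounted disk image instead of the live system), and the thresholds of 3 files and 60 seconds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: detect the state left behind by the rm/touch sequence in the post.
# The paths are the ones named in that command, written relative to ROOT.
LOG_PATHS="var/log/wtmp var/log/lastlog var/log/secure var/log/xferlog
var/log/messages var/log/maillog var/run/utmp root/.bash_history"

# Modification time in epoch seconds (GNU stat, with BSD stat as fallback).
mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

# Print "<verdict> <count>", where count is the number of listed files that
# exist and are empty:
#   ok      - fewer than 3 empty files (an idle or freshly rotated log is normal)
#   wiped   - 3 or more empty files, all recreated within WINDOW seconds
#   suspect - 3 or more empty files, recreated at different times
log_wipe_verdict() {
    root=${1:-/}; window=${2:-60}   # assumed defaults
    count=0; min=""; max=""
    for p in $LOG_PATHS; do
        f="${root%/}/$p"
        if [ -f "$f" ] && [ ! -s "$f" ]; then
            t=$(mtime "$f")
            count=$((count + 1))
            if [ -z "$min" ] || [ "$t" -lt "$min" ]; then min=$t; fi
            if [ -z "$max" ] || [ "$t" -gt "$max" ]; then max=$t; fi
        fi
    done
    if [ "$count" -lt 3 ]; then
        echo "ok $count"
    elif [ $((max - min)) -le "$window" ]; then
        echo "wiped $count"
    else
        echo "suspect $count"
    fi
}
```

Source the file and call `log_wipe_verdict /` on the host, or pass the mount point of a disk image. A "wiped" result is a triage signal rather than proof, since a newly installed system can also have several empty logs.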