#1  30th November 2010, 22:35  isn (Member)
Possible httpd server attack, may need to harden ISPCONFIG or apache

I have been experiencing an issue with my httpd server configured to use ISPCONFIG 3

ISPConfig Version: 3.0.2.2

What happens is one of two things.

Either a Joomla site 1.5.15 is being abused or apache is being abused directly.

The result is:

A large number of processes are being opened up, transferring gigabytes of data to IP addresses in China.

I shut the attack down cold by dropping all outbound FTP traffic but still seem to be getting abused. Just now the nasty people are not achieving their goal. Can't leave outbound FTP shut down forever; WordPress uses it to take care of automatic updates.

syslog shows:

Nov 27 14:20:21 mercury pure-ftpd: (?@127.125.46.121) [INFO] New connection from 127.125.46.121
Nov 27 14:20:22 mercury pure-ftpd: (?@127.144.46.72) [INFO] New connection from 127.144.46.72
Nov 27 14:20:23 mercury pure-ftpd: (?@127.116.51.101) [INFO] New connection from 127.116.51.101
Nov 27 14:20:25 mercury pure-ftpd: (?@127.146.54.81) [INFO] New connection from 127.146.54.81
Nov 27 14:20:30 mercury pure-ftpd: (?@127.103.51.246) [INFO] New connection from 127.103.51.246
Nov 27 14:20:31 mercury pure-ftpd: (?@127.147.37.9) [INFO] New connection from 127.147.37.9
Nov 27 14:20:33 mercury pure-ftpd: (?@127.104.62.129) [INFO] New connection from 127.104.62.129
Nov 27 14:20:38 mercury pure-ftpd: (?@127.126.47.102) [INFO] New connection from 127.126.47.102
Nov 27 14:20:39 mercury pure-ftpd: (?@127.118.48.76) [INFO] New connection from 127.118.48.76
Nov 27 14:20:42 mercury pure-ftpd: (?@127.116.52.194) [INFO] New connection from 127.116.52.194
Nov 27 14:21:34 mercury pure-ftpd: (?@127.141.84.84) [INFO] New connection from 127.141.84.84

Very interesting is a list of the open apache processes.


apache 1133 1 0 Nov28 ? 00:00:11 ./nt -h 114.113.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1138 1 0 Nov28 ? 00:00:00 ./nt -h 114.118.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1300 1 0 Nov28 ? 00:00:00 ./nt -h 114.128.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1301 1 0 Nov28 ? 00:00:13 ./nt -h 114.129.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C

That is a sample, but clearly apache is being hammered.

What I'm looking for is some peer to peer detail on the attack, and some recommendations for how to plug the hole.

Joomla is a client application and they are planning an upgrade. Their current login field permits unlimited characters and may be vulnerable to SQL injection.

I saw some evidence of this in the apache server logs.

173.201.187.118 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 302 - "-" "libwww-perl/5.837"


This is a cut and paste from a site that explains how to SQL-inject Joomla.

I've actually used this code to block firewall access for the offending users.

Any ideas or help?

Plans:
1) Force the customer to upgrade Joomla to 1.5.22. Will this help?
2) Upgrade ISPConfig 3 to the most current version (help, link please).
3) Find a way to harden Apache to prevent this abuse.
__________________
isn aka SEP from ITRC forums
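The access-log line quoted in the post is the classic Joomla component local-file-inclusion pattern: a controller parameter walked up with ../ to /proc/self/environ, with %00 appended so that PHP (before 5.3.4) truncates whatever suffix the script adds to the path; because the environment of the serving process contains HTTP_USER_AGENT, an attacker who can include that file executes PHP code placed in their own User-Agent header. The following is an added example, not code from this thread, from Joomla or from ISPConfig: a small Python scanner that parses Apache combined-format access log lines, percent-decodes the request target (twice, to catch double encoding), and flags traversal, /proc/self/environ, /etc/passwd and embedded null bytes, recording a scripted User-Agent such as libwww-perl only as a secondary indicator. The log lines embedded in it are constructed with RFC 5737 documentation addresses and merely mirror the shape of the request shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Apache "combined" log format:
# host ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Strong indicators, matched against the percent-decoded request target.
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "proc_self_environ": re.compile(r"/proc/self/environ", re.I),
    "etc_passwd": re.compile(r"/etc/passwd", re.I),
    "null_byte": re.compile("\x00"),
}
# Weak on its own (plenty of legitimate scripts use these clients), so it is
# only recorded once a strong indicator has already fired.
SCRIPTED_UA = re.compile(r"libwww-perl|python-urllib|python-requests", re.I)

# Constructed sample lines (documentation addresses, not the server's logs):
# the traversal request shaped like the one in the post, a normal page view,
# a double-URL-encoded variant of the same trick, and a crawler.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 302 - "-" "libwww-perl/5.837"
198.51.100.7 - - [30/Nov/2010:12:16:01 -0600] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
203.0.113.9 - - [30/Nov/2010:12:17:45 -0600] "GET /index.php?option=com_foo&controller=..%252F..%252F..%252Fetc%252Fpasswd%00 HTTP/1.1" 200 512 "-" "libwww-perl/5.834"
192.0.2.44 - - [30/Nov/2010:14:39:15 -0600] "GET /bsm/index.php HTTP/1.0" 200 49124 "-" "Sosospider+(+http://help.soso.com/webspider.htm)"
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    target: str
    decoded_target: str
    user_agent: str
    indicators: List[str]


def normalize_target(target: str) -> str:
    """Percent-decode up to twice so double-encoded traversal (..%252F) is caught too."""
    decoded = target
    for _ in range(2):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded


def classify(ip: str, ts: str, target: str, ua: str) -> Optional[Finding]:
    """Return a Finding when the decoded target carries a strong indicator."""
    decoded = normalize_target(target)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not hits:
        return None
    if SCRIPTED_UA.search(ua):
        hits.append("scripted_user_agent")
    return Finding(ip, ts, target, decoded, ua, hits)


def scan_access_log(text: str) -> List[Finding]:
    """Parse combined-format lines and collect the suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would count these
        f = classify(m["ip"], m["ts"], m["target"], m["ua"])
        if f:
            findings.append(f)
    return findings


def offending_ips(text: str) -> List[str]:
    """Distinct client addresses with at least one strong indicator, sorted."""
    return sorted({f.ip for f in scan_access_log(text)})


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f.ip, f.timestamp, ",".join(f.indicators))
        print("    ", f.decoded_target.replace("\x00", "\\x00"))
```

Feed `offending_ips()` the real access log to get the list for the firewall rules mentioned in the post. A hit only means the request was attempted: the 302 on the quoted line says nothing about success, so the next question is whether the included path was actually readable by the web user and whether the same client's User-Agent values carried PHP code.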
#2  30th November 2010, 22:43  isn (Member)

Is this also an abuse attempt?


114.80.93.55 - - [30/Nov/2010:14:39:15 -0600] "GET /bsm/index.php HTTP/1.0" 200 49124 "-" "Sosospider+(+http://help.soso.com/webspider.htm)"


This is an access attempt on http://bsg21.org

Regards,
#3  1st December 2010, 14:33  falko (Super Moderator, Lüneburg, Germany)

Quote:
Originally Posted by isn
Is this also an abuse attempt?

114.80.93.55 - - [30/Nov/2010:14:39:15 -0600] "GET /bsm/index.php HTTP/1.0" 200 49124 "-" "Sosospider+(+http://help.soso.com/webspider.htm)"

This is an access attempt on http://bsg21.org

I think this is just a search engine spider.

I'd upgrade Joomla to the latest version.

This link might help: http://www.howtoforge.com/forums/sho...t=route+reject
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#4  2nd December 2010, 23:45  isn (Member)

What about the ftp transfers?

Is there an injection problem with older versions of Joomla?
#5  3rd December 2010, 00:52  isn (Member)

[Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <inode@wayreth.eu.org>), referer: http://www.bsg21.org/bsm/////?option...p/x-treme%0000
[Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <inode@wayreth.eu.org>), referer: http://www.bsg21.org/bsm/////?option...p/x-treme%0000
[Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <inode@wayreth.eu.org>), referer: http://www.bsg21.org/bsm/////?option...p/x-treme%0000
208.65.90.7 - - [13/Jan/2010:01:53:52 -0600] "GET /bsm/administrator/components/com_joomgallery/assets/images/joom_ftpupload.png HTTP/1.1" 304 0 "http://www.bsg21.org/bsm/administrator/index.php?option=com_content&sectionid=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"


What is this, a smoking gun? Looks like Joomla had an FTP upload flaw which was abused. More evidence for doing the upgrade.
#6  3rd December 2010, 18:13  falko (Super Moderator)

Quote:
Originally Posted by isn
What about the ftp transfers?

These can be blocked with the route command as well. The route command blocks all traffic for an IP.
#7  7th December 2010, 12:56  isn (Member)

Via httpd abuse, probably a SQL injection, a folder /tmp/.nt was installed on the server. There was a zip file and several others owned by apache. That is how processes were started on the server.

I've added mod_security and mod_evasive, hardened PHP and am hoping the Joomla upgrade proceeds.

The problem is solved. I'm looking for more agile intrusion detection to prevent this from happening again.
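Post #7 names the foothold: files owned by the apache user under /tmp/.nt, and scanner processes running as apache that had detached from httpd (the listing in post #1 shows them with PPID 1 and a relative ./nt path). The following is an added example, not code from this thread or from ISPConfig: a Python triage script that reads `ps -ef` output and flags web-user processes that were launched from a relative path, live in /tmp, /var/tmp or /dev/shm, or have been reparented to init without being a known web binary, and that walks those scratch directories for hidden or executable files owned by the web user. The web-user account names and the set of expected binaries are assumptions to adjust per install; the ps listing embedded for demonstration is constructed (documentation addresses, made-up PIDs) and only echoes the shape of the one in post #1. One caveat a responder will want: if the web user managed to escalate, `ps` and the filesystem on the box can lie, so a hit here is a trigger for offline disk analysis, not the full inventory.

```python
import os
import pwd
import stat
import subprocess
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Accounts the web server runs as (assumption: apache on RHEL/CentOS,
# www-data on Debian/Ubuntu; adjust to the install).
WEB_USERS = {"apache", "www-data"}
# Binaries the web user is expected to execute (assumption; extend for your stack).
EXPECTED_BINARIES = {"httpd", "apache2", "php-cgi", "php5-cgi", "php-fpm"}
# Directories a web process should never be executing from.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed `ps -ef` output for demonstration; not the listing from the
# thread, only shaped like it (documentation addresses, made-up PIDs).
SAMPLE_PS_EF = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Nov27 ?        00:00:02 /sbin/init
root      2210     1  0 Nov27 ?        00:00:00 /usr/sbin/apache2 -k start
apache    2214  2210  0 Nov27 ?        00:00:03 /usr/sbin/apache2 -k start
apache    1133     1  0 Nov28 ?        00:00:11 ./nt -h 203.0.113.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache    1300     1  0 Nov28 ?        00:00:00 /tmp/.nt/nt -h 198.51.100.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
root      2990     1  0 Nov27 ?        00:00:00 pure-ftpd (SERVER)
"""


@dataclass
class Suspect:
    user: str
    pid: int
    ppid: int
    cmd: str
    reasons: List[str] = field(default_factory=list)


def parse_ps_ef(text: str) -> Iterator[Tuple[str, int, int, str]]:
    """Yield (user, pid, ppid, cmd) from `ps -ef` output, skipping the header."""
    for line in text.splitlines():
        parts = line.split(None, 7)  # CMD keeps its own spaces
        if len(parts) < 8 or parts[0] == "UID":
            continue
        user, pid, ppid, _c, _stime, _tty, _time, cmd = parts
        yield user, int(pid), int(ppid), cmd


def judge(user: str, pid: int, ppid: int, cmd: str) -> Optional[Suspect]:
    """Apply the web-user heuristics to one process; None when nothing stands out."""
    if user not in WEB_USERS:
        return None
    exe = cmd.split(None, 1)[0]
    name = os.path.basename(exe)
    reasons = []
    if exe.startswith(("./", "../")):
        reasons.append("relative executable path: launched from its own directory")
    if any(exe == d or exe.startswith(d + "/") for d in SCRATCH_DIRS):
        reasons.append("executable lives in a scratch directory")
    if ppid == 1 and name not in EXPECTED_BINARIES:
        reasons.append("reparented to init: detached from httpd, survives an Apache restart")
    elif name not in EXPECTED_BINARIES:
        reasons.append("binary not in the expected set for the web user")
    return Suspect(user, pid, ppid, cmd, reasons) if reasons else None


def find_suspects(ps_text: str) -> List[Suspect]:
    """Triage a whole `ps -ef` listing."""
    return [s for s in (judge(*row) for row in parse_ps_ef(ps_text)) if s]


def live_suspects() -> List[Suspect]:
    """Run ps on this host and triage it (read-only; needs procps)."""
    out = subprocess.run(["ps", "-ef"], capture_output=True, text=True, check=True).stdout
    return find_suspects(out)


def hunt_scratch_files(web_users=WEB_USERS, roots=SCRATCH_DIRS) -> List[str]:
    """Hidden or executable paths under the scratch dirs that a web user owns."""
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    owner = pwd.getpwuid(st.st_uid).pw_name
                except (OSError, KeyError):
                    continue  # vanished, unreadable, or uid without a passwd entry
                hidden = name.startswith(".")
                executable = stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)
                if owner in web_users and (hidden or executable):
                    hits.append(path)
    return hits


if __name__ == "__main__":
    for s in find_suspects(SAMPLE_PS_EF):
        print(f"{s.user} pid={s.pid} ppid={s.ppid} {s.cmd}")
        for r in s.reasons:
            print("   -", r)
```

Run `live_suspects()` and `hunt_scratch_files()` as root from cron or from a shell on the affected host; either returning anything is the "agile intrusion detection" trigger the post asks for. Killing the flagged PIDs only stops the current sweep; the dropper that wrote /tmp/.nt came in through the web application, so the upgrade and the request filtering are what close the door.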