Hack attempt

Discussion in 'General' started by alicumircea, Feb 2, 2014.

  1. alicumircea

    alicumircea New Member

    Hi all,
    I noticed that the past 4 hours the processor usage on one of my servers running wheezy up to date and latest ispconfig is spiking to about 60% while usually it stays at 10. The relevant info I could gather:

    Top:
    Code:
    20886 web2      20   0 96240  18m  12m S  23.8  0.9   0:04.57 php-cgi                                                                                                 
    20889 web2      20   0 96752  19m  12m S  23.0  1.0   0:05.10 php-cgi
    
    ls -l /proc/20886/exe
    Code:
    lrwxrwxrwx 1 web2 client3 0 Feb  2 18:26 /proc/20886/exe -> /usr/bin/php5-cgi
    Some of the Apache access log:
    Code:
    212.92.204.2 - - [02/Feb/2014:15:24:16 +0200] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%
    64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6
    F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%6
    6%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 495 "-" "Mozill
    a/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
    
    
    190.9.33.76 - - [02/Feb/2014:16:39:04 +0200] "POST //%63%67%69%2D%62%69%6E/%70%68%70/%70%68%70%35?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+
    %2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%6
    9%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%7
    0%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+
    %61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 500 822 "-" "-"
    The web2 client3 runs a Joomla website which is also up to date and it's configured in panel to run fast-cgi with suexec enabled
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. alicumircea

    alicumircea New Member

    Hi Till,

    I'm running php 5.4.4-14
    Is there a tutorial to upgrade to the latest version without affecting the ispconfig?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Which Linux distribution do you use?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, just seen that you use wheezy. the php version is ok and not vulnerable to that php cgi exploit.

    Have you checked the access.log of that site, maybe ther is just a lot of traffic. And have you checked the mailqueue, if there is a unusual amount of email in the queue.
     
  6. alicumircea

    alicumircea New Member

    mailqueue is empty, but there are indeed a lot of admin login attempts like:
    Code:
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:28 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:28 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:29 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:29 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:30 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:30 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:31 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:31 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:32 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:32 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:32 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:32 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:32 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:32 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:33 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:33 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:33 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:33 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:33 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:34 +0200] "GET /administrator/index.php HTTP/1.0" 200 4800 "-" "-"
    website.com:80 69.65.42.19 - - [02/Feb/2014:19:09:34 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    website.com:80 144.76.3.149 - - [02/Feb/2014:19:09:34 +0200] "POST /administrator/index.php HTTP/1.0" 200 4941 "-" "-"
    
    Majority comes from the same IP address which I will block for now
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, this looks like a brute foce attempt to get the admin password of that site. If thats the case, then your server is not hacked. The best you can do it to ban the ip address. There are also tools to do that automatically, do a search for apache mod_evasive module, it might help you to protect the site.
     
  8. alicumircea

    alicumircea New Member

    I blocked it from the router for now and the spikes went off.
    I will try also the apache module.
    Thanks for your help!
     
  9. sjau

    sjau Local Meanie Moderator

    shouldn't fail2ban be of help here?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Fail2ban can only help here if the cms is able to write a log file for failed login attempts that includes the IP of the attacker.
     
  11. lswebs

    lswebs New Member

    blocked by gmail

    Hello,
    I was checking the server logs untill I found this:

    Code:
    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    BD88A401CA0 6815 Mon Feb 3 13:42:08 [email protected]
    (host alt1.gmail-smtp-in.l.google.com[74.125.143.26] said: 421-4.7.0 [149.210.159.9 15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. ap10si13631220lac.35 - gsmtp (in reply to end of DATA command))
    [email protected]
    
    A809C401CDE 17007 Tue Feb 4 19:24:15 [email protected]
    (host alt1.gmail-smtp-in.l.google.com[173.194.71.26] said: 421-4.7.0 [149.210.159.9 15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. oq4si13536098lbb.162 - gsmtp (in reply to end of DATA command))
    [email protected]
    
    -- 24 Kbytes in 2 Requests.
    How can I check where those emails come from? I do not want to be marked as a spammer!

    Any suggestions would be very much appreciated!
     
  12. anhlqn

    anhlqn New Member

    Do you provide SMTP service on your server. It appears that someone use your SMTP server to sent spam mail to google. You may also contact Google supports to request them to unblock your IP.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

  14. concept21

    concept21 Member

Share This Page