One site contaminated by r57shell

Discussion in 'Installation/Configuration' started by aceyzeriat, Dec 21, 2007.

  1. aceyzeriat

    aceyzeriat New Member

    I found that shit script on one of the joomla web sites, now I am trying to find if damages have been done to the config, any suggesitons ?
     
  2. falko

    falko Super Moderator

    You can install chkrootkit and rkhunter to find out if malware has been installed on your Linux system.
     
  3. aceyzeriat

    aceyzeriat New Member

    Thanks for the tip

    here is the result :

    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not found
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `crontab'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not found
    Checking `gpm'... not infected
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not found
    Checking `inetdconf'... not found
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... not infected
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not infected
    Checking `mingetty'... not infected
    Checking `netstat'... not infected
    Checking `named'... not infected
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not found
    Checking `timed'... not found
    Checking `traceroute'... not infected
    Checking `vdir'... not infected
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/firefox-1.5.0.10/.autoreg /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/10/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/9/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/5/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/.state.1 /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTableLock /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.4 /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.5 /usr/lib/eclipse/configuration/org.eclipse.osgi/.bundledata.1 /usr/lib/eclipse/configuration/org.eclipse.osgi/.lazy.1 /usr/lib/eclipse/plugins/org.eclipse.help.webapp_3.2.2.R322_v20061114/.options /usr/lib/eclipse/.eclipseextension /usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock /usr/lib/qt-3.3/etc/settings/.kstylerc.lock /usr/lib/qt-3.3/etc/settings/.qtrc.lock /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/DCOP/.packlist /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
    /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/10/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/9/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/5/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ShitC Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for LOC rootkit... nothing found
    Searching for Romanian rootkit... nothing found
    Searching for HKRK rootkit... nothing found
    Searching for Suckit rootkit... nothing found
    Searching for Volc rootkit... nothing found
    Searching for Gold2 rootkit... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... nothing found
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for Madalin rootkit default files... nothing found
    Searching for Fu rootkit default files... nothing found
    Searching for ESRK rootkit default files... nothing found
    Searching for rootedoor... nothing found
    Searching for ENYELKM rootkit default files... nothing found
    Searching for anomalies in shell history files... Warning: `' is linked to another file
    Checking `asp'... not infected
    Checking `bindshell'... not infected
    Checking `lkm'... chkproc: nothing detected
    Checking `rexedcs'... not found
    Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
    eth0:0: PF_PACKET(/sbin/dhclient)
    Checking `w55808'... not infected
    Checking `wted'... chkwtmp: nothing deleted
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... chklastlog: nothing deleted
    Checking `chkutmp'... The tty of the following user process(es) were not found
    in /var/run/utmp !
    ! RUID PID TTY CMD
    ! root 3816 tty7 /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
    chkutmp: nothing deleted
    Press ENTER to exit
     
  4. falko

    falko Super Moderator

    Did you try rkhunter as well? What's the output?
     
  5. aceyzeriat

    aceyzeriat New Member

    Hello Falko

    I have tried rkhunter and found some troubles ...
    where may I send you the output results for your advice ?


    regards,
     
  6. falko

    falko Super Moderator

    Can you post the output here?
     
  7. aceyzeriat

    aceyzeriat New Member

    Hello,

    Here is the output of rkhunter
    As you can see some commands seem to have been tampered, I need to find the original version for my FC6 and replace them, is there a "state of the art" way to do that or do I just go to RH mirror, download and copy ?

    I had to cut the log file to stay under 10,000 characters, I left the most interresting part.

    regards,
    Arnaud

    [10:10:18] Running Rootkit Hunter version 1.3.0 on server
    [10:10:18]
    [10:10:18] Info: Start date is Mon Dec 31 10:10:18 CET 2007
    [10:10:18]
    [10:10:18] Checking configuration file and command-line options...
    [10:10:18] Info: Detected operating system is 'Linux'
    [10:10:18] Info: Found O/S name: Fedora Core release 6 (Zod)
    [10:10:18] Info: Command line is /usr/local/bin/rkhunter --check
    [10:10:18] Info: Environment shell is /bin/bash; rkhunter is using bash
    [10:10:18] Info: Using configuration file '/etc/rkhunter.conf'
    [10:10:18] Info: Installation directory is '/usr/local'
    [10:10:18] Info: Using language 'en'
    [10:10:19] Info: Using '/var/lib/rkhunter/db' as the database directory
    [10:10:19] Info: Using '/usr/local/lib/rkhunter/scripts' as the support script directory
    [10:10:19] Info: Using '/usr/lib/qt-3.3/bin /usr/kerberos/sbin /usr/kerberos/bin /usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin /usr/X11R6/bin /root/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
    [10:10:19] Info: Using '/' as the root directory
    [10:10:19] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
    [10:10:19] Info: No mail-on-warning address configured
    [10:10:19] Info: X will automatically be detected
    [10:10:19] Info: Using second color set
    [10:10:19] Info: Found the 'diff' command: /usr/bin/diff
    [10:10:19] Info: Found the 'file' command: /usr/bin/file
    [10:10:19] Info: Found the 'find' command: /usr/bin/find
    [10:10:19] Info: Found the 'ifconfig' command: /sbin/ifconfig
    [10:10:19] Info: Found the 'ip' command: /sbin/ip
    [10:10:19] Info: Found the 'ldd' command: /usr/bin/ldd
    [10:10:19] Info: Found the 'lsattr' command: /usr/bin/lsattr
    [10:10:19] Info: Found the 'lsmod' command: /sbin/lsmod
    [10:10:19] Info: Found the 'lsof' command: /usr/sbin/lsof
    [10:10:19] Info: Found the 'mktemp' command: /bin/mktemp
    [10:10:19] Info: Found the 'netstat' command: /bin/netstat
    [10:10:19] Info: Found the 'perl' command: /usr/bin/perl
    [10:10:19] Info: Found the 'ps' command: /bin/ps
    [10:10:19] Info: Found the 'pwd' command: /bin/pwd
    [10:10:19] Info: Found the 'readlink' command: /usr/bin/readlink
    [10:10:19] Info: Found the 'sort' command: /bin/sort
    [10:10:19] Info: Found the 'stat' command: /usr/bin/stat
    [10:10:19] Info: Found the 'strings' command: /usr/bin/strings
    [10:10:19] Info: Found the 'uniq' command: /usr/bin/uniq
    [10:10:19] Info: System is using prelinking
    [10:10:19] Info: Found the 'prelink' command: /usr/sbin/prelink
    [10:10:19] Info: Found the 'sestatus' command: /usr/sbin/sestatus

    .....

    ....

    [10:10:33] /usr/bin/file [ OK ]
    [10:10:33] /usr/bin/find [ OK ]
    [10:10:33] /usr/bin/GET [ Warning ]
    [10:10:33] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
    [10:10:33] /usr/bin/groups [ Warning ]
    [10:10:33] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    [10:10:33] /usr/bin/head [ OK ]
    [10:10:33] /usr/bin/id [ OK ]
    [10:10:34] /usr/bin/kill [ OK ]
    [10:10:34] /usr/bin/killall [ OK ]
    [10:10:34] /usr/bin/last [ OK ]
    [10:10:34] /usr/bin/lastlog [ OK ]
    [10:10:34] /usr/bin/ldd [ Warning ]
    [10:10:34] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    [10:10:34] /usr/bin/less [ OK ]
    [10:10:34] /usr/bin/links [ OK ]
    [10:10:35] /usr/bin/locate [ OK ]
    [10:10:35] /usr/bin/logger [ OK ]
    [10:10:35] /usr/bin/lsattr [ OK ]
    [10:10:35] /usr/bin/lynx [ OK ]
    [10:10:35] /usr/bin/md5sum [ OK ]
    [10:10:36] /usr/bin/newgrp [ OK ]
    [10:10:36] /usr/bin/passwd [ OK ]
    [10:10:36] /usr/bin/perl [ OK ]
    [10:10:36] /usr/bin/pstree [ OK ]
    [10:10:36] /usr/bin/readlink [ OK ]
    [10:10:36] /usr/bin/runcon [ OK ]
    [10:10:37] /usr/bin/sha1sum [ OK ]
    [10:10:37] /usr/bin/size [ OK ]
    [10:10:37] /usr/bin/stat [ OK ]
    [10:10:37] /usr/bin/strace [ OK ]
    [10:10:37] /usr/bin/strings [ OK ]
    [10:10:37] /usr/bin/sudo [ OK ]
    [10:10:38] /usr/bin/tail [ OK ]
    [10:10:38] /usr/bin/test [ OK ]
    [10:10:38] /usr/bin/top [ OK ]
    [10:10:38] /usr/bin/tr [ OK ]
    [10:10:38] /usr/bin/uniq [ OK ]
    [10:10:38] /usr/bin/users [ OK ]
    [10:10:39] /usr/bin/vmstat [ OK ]
    [10:10:39] /usr/bin/w [ OK ]
    [10:10:39] /usr/bin/watch [ OK ]
    [10:10:39] /usr/bin/wc [ OK ]
    [10:10:39] /usr/bin/wget [ OK ]
    [10:10:39] /usr/bin/whatis [ Warning ]
    [10:10:39] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    [10:10:39] /usr/bin/whereis [ OK ]
    [10:10:40] /usr/bin/which [ OK ]
    [10:10:40] /usr/bin/who [ OK ]
    [10:10:40] /usr/bin/whoami [ OK ]
    [10:10:40] /usr/bin/gawk [ OK ]
    [10:10:40] /sbin/chkconfig [ OK ]
    [10:10:40] /sbin/depmod [ OK ]
    [10:10:41] /sbin/ifconfig [ OK ]
    [10:10:41] /sbin/ifdown [ Warning ]
    [10:10:41] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    [10:10:41] /sbin/ifup [ Warning ]
    [10:10:41] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
    [10:10:41] /sbin/init [ OK ]
    [10:10:41] /sbin/insmod [ OK ]
    [10:10:41] /sbin/ip [ OK ]
    [10:10:42] /sbin/kudzu [ OK ]
    [10:10:42] /sbin/lsmod [ OK ]
    [10:10:42] /sbin/modinfo [ OK ]
    [10:10:42] /sbin/modprobe [ OK ]
    [10:10:42] /sbin/nologin [ OK ]
    [10:10:42] /sbin/rmmod [ OK ]
    [10:10:43] /sbin/runlevel [ OK ]
    [10:10:43] /sbin/sulogin [ OK ]
    [10:10:43] /sbin/sysctl [ OK ]
    [10:10:43] /sbin/syslogd [ OK ]
    [10:10:43] /usr/sbin/adduser [ OK ]
    [10:10:44] /usr/sbin/chroot [ OK ]
    [10:10:44] /usr/sbin/groupadd [ OK ]
    [10:10:44] /usr/sbin/groupdel [ OK ]
    [10:10:44] /usr/sbin/groupmod [ OK ]
    [10:10:44] /usr/sbin/grpck [ OK ]
    [10:10:45] /usr/sbin/kudzu [ OK ]
    [10:10:45] /usr/sbin/lsof [ OK ]
    [10:10:45] /usr/sbin/prelink [ OK ]
    [10:10:45] /usr/sbin/pwck [ OK ]
    [10:10:46] /usr/sbin/sestatus [ OK ]
    [10:10:46] /usr/sbin/tcpd [ OK ]
    [10:10:46] /usr/sbin/useradd [ OK ]
    [10:10:46] /usr/sbin/userdel [ OK ]
    [10:10:46] /usr/sbin/usermod [ OK ]
    [10:10:46] /usr/sbin/vipw [ OK ]
    [10:10:47] /usr/local/bin/rkhunter [ OK ]
    [10:11:31]

    ....
     
  8. till

    till Super Moderator

    If possible, I recommend that you reinstall your server, otherwise you will never be sure that you did not miss a part of the rootkit.

    If thats not possible, you can only try to reinstall all core packages from a trusted mirror.
     
  9. aceyzeriat

    aceyzeriat New Member

    Hello Till,

    I have to admit I am very disappointed by FC6, before that I had an FC4 and it also was corrupted. Do you know a safer distribution ?

    regards,
     
  10. falko

    falko Super Moderator

    There's no "safe" distribution out there. It all depends on how you set up the server. I recommend to install fail2ban/Bockhosts/Denyhosts to stop brute-force attacks.
     
  11. aceyzeriat

    aceyzeriat New Member

    Hello Falko,

    I also found some exploits installed in the backups of the web sites but not in the main web sites !
    Seems that my exclusion rules are not properly set up :confused:

    When I make a safe copy of the web sites I host I usually just make a brutal "cp" in a "backup" directory, seems that apache has access to that sub directory (I thought only document root was accessible).

    ideas ?
    regards,
    Arnaud
     
  12. falko

    falko Super Moderator

    Do you use vulnerable web applications? Do you use PHP Safe Mode?
     
  13. aceyzeriat

    aceyzeriat New Member

    I host a lot of joomla web sites which don't support PHP_SafeMode. The difficulty for a joomla web site is to find an hosting server with the SafeMode turned off.

    Now I believe I will reconsider those web sites and encourage the use of Drupal as CMS instead.


    regards,
    Arnaud
     
  14. till

    till Super Moderator

    I know this problem, its common with joomla. I had a joomla site on one of the servers that I maintained, the owner of the site did not install all joomla patches immediately when they get released. The website got hacked serveral times and only a strict php setup with safemode on prevented that the hackers were able to break out of the website directory. The last time it was a r57shell too if I remember correctly.
     
  15. aceyzeriat

    aceyzeriat New Member

    Hello Till,

    Do you mean he actually succeeded to make his joomla site operate with phpsafemode turned on ?

    I have a question concerning perl scripts ...

    The server has been used to run perl scripts sending phishing mail
    Since none of my sites actually use perl script I brutaly uninstalled mode_perl ... and still attacks have restarted using perl scripts !!

    I looked at http://perl.apache.org/docs/2.0/user/config/config.html

    To enable mod_perl built as DSO add to httpd.conf:
    LoadModule perl_module modules/mod_perl.so
    This setting specifies the location of the mod_perl module relative to the ServerRoot setting, therefore you should put it somewhere after ServerRoot is specified.
    If mod_perl has been statically linked it's automatically enabled.

    How do I know if it has been statically linked ?
    Anyway, removing mod_perl from the machine should have prevented the use of perl scripts, no ?

    regards,
    Arnaud
     
  16. till

    till Super Moderator

    Partially. But this guy did use joomla only for edit the text on some pages.

    I dont think that its statically linked in one of the common linux distributions.

    Do you have cgi support enabled for the website? Additionally, if php is run without safemode, it can be used to start a perl script even if mod_perl is not loaded.
     
  17. Ovidiu

    Ovidiu Active Member

    I just had a similar rkhunter report:

    this hapened while I was still setting up the serevr, I remember, I couldn't find chkconfig, had to look for the package containing it and install it. would rkhunter --propupd remove this warning? I am sure that was me who caused that warning...
     
  18. falko

    falko Super Moderator

    Which distribution are you using? How did you install rkhunter?
     
  19. Ovidiu

    Ovidiu Active Member

    its the perfect debian lenny setup for ispcfg3, didn't want to open a new thread as this topic seemed pretty close.
     
  20. falko

    falko Super Moderator

    Debian doesn't use /sbin/chkconfig (that's for RedHat-based distros only).
    How did you install rkhunter?
     

Share This Page