Possible httpd server attack, may need to harden ISPCONFIG or apache

Discussion in 'Server Operation' started by isn, Nov 30, 2010.

  1. isn

    isn New Member

    I have been experiencing an issue with my httpd server configured to use ISPCONFIG 3.

    ISPConfig Version: 3.0.2.2

    What happens is one of two things.

    Either a Joomla site 1.5.15 is being abused or apache is being abused directly.

    The result is:

    A large number of processes is being opened up transferring Gigabytes of data to IP addresses in China.

    I shut the attack down cold by dropping all outbound FTP traffic but still seem to be getting abused. Just now the nasty people are not achieving their goal. Can't leave outbound FTP shut down forever; WordPress uses it to take care of automatic updates.

    syslog shows:

    Nov 27 14:20:21 mercury pure-ftpd: (?@127.125.46.121) [INFO] New connection from 127.125.46.121
    Nov 27 14:20:22 mercury pure-ftpd: (?@127.144.46.72) [INFO] New connection from 127.144.46.72
    Nov 27 14:20:23 mercury pure-ftpd: (?@127.116.51.101) [INFO] New connection from 127.116.51.101
    Nov 27 14:20:25 mercury pure-ftpd: (?@127.146.54.81) [INFO] New connection from 127.146.54.81
    Nov 27 14:20:30 mercury pure-ftpd: (?@127.103.51.246) [INFO] New connection from 127.103.51.246
    Nov 27 14:20:31 mercury pure-ftpd: (?@127.147.37.9) [INFO] New connection from 127.147.37.9
    Nov 27 14:20:33 mercury pure-ftpd: (?@127.104.62.129) [INFO] New connection from 127.104.62.129
    Nov 27 14:20:38 mercury pure-ftpd: (?@127.126.47.102) [INFO] New connection from 127.126.47.102
    Nov 27 14:20:39 mercury pure-ftpd: (?@127.118.48.76) [INFO] New connection from 127.118.48.76
    Nov 27 14:20:42 mercury pure-ftpd: (?@127.116.52.194) [INFO] New connection from 127.116.52.194
    Nov 27 14:21:34 mercury pure-ftpd: (?@127.141.84.84) [INFO] New connection from 127.141.84.84

    Very interesting is a list of the open apache processes.

    apache 1133 1 0 Nov28 ? 00:00:11 ./nt -h 114.113.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
    apache 1138 1 0 Nov28 ? 00:00:00 ./nt -h 114.118.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
    apache 1300 1 0 Nov28 ? 00:00:00 ./nt -h 114.128.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
    apache 1301 1 0 Nov28 ? 00:00:13 ./nt -h 114.129.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C

    That is a sample, but clearly apache is being hammered.

    What I'm looking for is some peer-to-peer detail on the attack, and some recommendations for how to plug the hole.

    Joomla is a client application and they are planning an upgrade. Their current login field permits unlimited characters and may be vulnerable to SQL injection.

    I saw some evidence of this in the apache server logs.

    173.201.187.118 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 302 - "-" "libwww-perl/5.837"


    This is a cut-and-paste from a site that explains how to SQL-inject Joomla.

    I've actually used this code to block firewall access for the offending users.

    Any ideas help?

    Plans:
    1) Force the customer to upgrade Joomla to 1.5.22. Will this help?
    2) Upgrade ISPCONFIG 3 to the most current version (help, link please).
    3) Find a way to harden apache to prevent this abuse.
     
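One way to pick requests like the com_ckforms probe quoted above out of an Apache access log, added here as an example that is not from the thread or from ISPConfig; the regexes are assumptions and every sample line except the quoted one is constructed:

```python
import re
from collections import Counter

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Indicators seen in the thread: repeated ../ traversal, a %00 null byte that cuts off any
# appended extension, /proc/self/environ or /tmp as the target, and the libwww-perl user agent
TRAVERSAL_RE = re.compile(r'(\.\./){3,}|(%2e%2e%2f){3,}', re.IGNORECASE)
SENSITIVE_RE = re.compile(r'/proc/self/environ|/etc/passwd|/tmp/', re.IGNORECASE)
NULL_BYTE_RE = re.compile(r'%00', re.IGNORECASE)

# Constructed sample log: the first line is the request quoted in the thread, the rest are made up
SAMPLE_LOG = [
    '173.201.187.118 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms&controller='
    '../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 302 - "-" "libwww-perl/5.837"',
    '198.51.100.7 - - [30/Nov/2010:12:16:01 -0600] "GET /bsm/index.php HTTP/1.1" 200 49124 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Nov/2010:12:17:40 -0600] "GET /bsm/ HTTP/1.1" 200 1234 '
    '"http://example.invalid/?x=../../../../../../tmp/foo" "Mozilla/4.0"',
]

def classify(line):
    """Return the indicators a log line triggers; request path and Referer are both checked."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = m.group('path') + ' ' + m.group('referer')
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append('traversal')
    if SENSITIVE_RE.search(target):
        reasons.append('sensitive-path')
    if NULL_BYTE_RE.search(target):
        reasons.append('null-byte')
    if m.group('agent').startswith('libwww-perl'):
        reasons.append('libwww-perl')
    return reasons

def offending_ips(lines, min_reasons=2):
    """Count, per client IP, the requests that trigger at least min_reasons indicators.
    Two are required so a lone '../' or an ordinary libwww-perl crawler is not flagged."""
    hits = Counter()
    for line in lines:
        if len(classify(line)) >= min_reasons:
            hits[LOG_RE.match(line).group('ip')] += 1
    return hits

if __name__ == '__main__':
    for ip, n in offending_ips(SAMPLE_LOG).items():
        print(f'{ip}: {n} suspicious request(s)')
```

Feed it the real access log with `offending_ips(open('/var/log/apache2/access.log'))` and the returned counts are what a firewall block list or fail2ban-style rule would act on.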
  2. isn

    isn New Member

    Is this also an abuse attempt?


    114.80.93.55 - - [30/Nov/2010:14:39:15 -0600] "GET /bsm/index.php HTTP/1.0" 200 49124 "-" "Sosospider+(+http://help.soso.com/webspider.htm)"


    This is an access attempt on http://bsg21.org

    Regards,
     
  3. falko

    falko Super Moderator

  4. isn

    isn New Member

    What about the ftp transfers?

    Is there an injection problem with older versions of Joomla?
     
  5. isn

    isn New Member

    [Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <inode@wayreth.eu.org>), referer: http://www.bsg21.org/bsm/////?optio...../../../../../../../../../..//tmp/x-treme00
    [Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <inode@wayreth.eu.org>), referer: http://www.bsg21.org/bsm/////?optio...../../../../../../../../../..//tmp/x-treme00
    [Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <inode@wayreth.eu.org>), referer: http://www.bsg21.org/bsm/////?optio...../../../../../../../../../..//tmp/x-treme00
    208.65.90.7 - - [13/Jan/2010:01:53:52 -0600] "GET /bsm/administrator/components/com_joomgallery/assets/images/joom_ftpupload.png HTTP/1.1" 304 0 "http://www.bsg21.org/bsm/administrator/index.php?option=com_content&sectionid=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"


    What is this, a smoking gun? Looks like Joomla had an FTP upload flaw which was abused. More evidence for doing the upgrade.
     
  6. falko

    falko Super Moderator

    These can be blocked with the route command as well. The route command blocks all traffic for an IP.
     
  7. isn

    isn New Member

    Via httpd abuse, probably an SQL injection, a folder /tmp/.nt was installed on the server. There was a zip file and several others owned by apache. That is how processes were started on the server.

    I've added mod_security and mod_evasive, hardened php and am hoping the Joomla upgrade proceeds.

    The problem is solved. I'm looking for more agile intrusion detection to prevent this from happening again.
     
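A small procfs sweep for the condition the poster describes (processes owned by the web-server user running out of /tmp/.nt), added here as an example that is not from the thread or from ISPConfig; WEB_USERS and WRITABLE_DIRS are assumptions to adjust for your host:

```python
import os
import pwd
from pathlib import Path

# Assumptions for this example: the account httpd runs as, and the writable dirs worth watching
WEB_USERS = {'apache', 'www-data', 'httpd'}
WRITABLE_DIRS = ('/tmp', '/var/tmp', '/dev/shm')

def under_writable_dir(path):
    """True if path sits inside a watched directory; /proc/<pid>/exe may carry a ' (deleted)' suffix."""
    path = path.replace(' (deleted)', '')
    return any(path == d or path.startswith(d + '/') for d in WRITABLE_DIRS)

def is_suspicious(proc):
    """proc is a dict with user, exe, cwd and the NUL-separated cmdline, as scan_procfs() builds it.
    Flags a web-server-user process whose binary, working directory or any absolute argv entry
    lives in a writable directory, which is what the ./nt scanner started from /tmp/.nt looked like."""
    if proc['user'] not in WEB_USERS:
        return False
    argv_paths = [a for a in proc['cmdline'].split('\0') if a.startswith('/')]
    return any(under_writable_dir(p) for p in [proc['exe'], proc['cwd'], *argv_paths])

def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:          # permission denied, or the process is already gone
        return ''

def scan_procfs(root='/proc'):
    """Walk /proc (run as root to see every process) and return the records is_suspicious() flags."""
    flagged = []
    for entry in Path(root).glob('[0-9]*'):
        try:
            status = (entry / 'status').read_text().splitlines()
            uid = int(next(l for l in status if l.startswith('Uid:')).split()[1])  # real uid
            proc = {
                'pid': int(entry.name),
                'user': pwd.getpwuid(uid).pw_name,
                'exe': _readlink(entry / 'exe'),
                'cwd': _readlink(entry / 'cwd'),
                'cmdline': (entry / 'cmdline').read_bytes().decode(errors='replace'),
            }
        except (OSError, KeyError, StopIteration, ValueError):
            continue                  # unreadable, or exited between listing and read
        if is_suspicious(proc):
            flagged.append(proc)
    return flagged

if __name__ == '__main__':
    for p in scan_procfs():
        print(p['pid'], p['user'], p['exe'] or p['cwd'], p['cmdline'].replace('\0', ' ').strip())
```

Run it from cron or a monitoring agent; a non-empty result is the earliest sign that a web-user upload has turned into a running process, well before outbound FTP traffic shows up.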
