I have been experiencing an issue with my httpd server configured to use ISPCONFIG 3 (ISPConfig Version: 3.0.2.2). What happens is one of two things. Either a Joomla site (1.5.15) is being abused or apache is being abused directly. The result is: a large number of processes is being opened up transferring Gigabytes of data to IP addresses in China. I shut the attack down cold by dropping all outbound FTP traffic but still seem to be getting abused. Just now the nasty people are not achieving their goal. Can't leave outbound ftp shut down forever, Wordpress uses it to take care of automatic updates.

syslog shows:

Nov 27 14:20:21 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.125.46.121
Nov 27 14:20:22 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.144.46.72
Nov 27 14:20:23 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.116.51.101
Nov 27 14:20:25 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.146.54.81
Nov 27 14:20:30 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.103.51.246
Nov 27 14:20:31 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.147.37.9
Nov 27 14:20:33 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.104.62.129
Nov 27 14:20:38 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.126.47.102
Nov 27 14:20:39 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.118.48.76
Nov 27 14:20:42 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.116.52.194
Nov 27 14:21:34 mercury pure-ftpd: ([email protected]) [INFO] New connection from 127.141.84.84

Very interesting is a list of the open apache processes.

apache 1133 1 0 Nov28 ? 00:00:11 ./nt -h 114.113.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1138 1 0 Nov28 ? 00:00:00 ./nt -h 114.118.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1300 1 0 Nov28 ? 00:00:00 ./nt -h 114.128.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1301 1 0 Nov28 ? 00:00:13 ./nt -h 114.129.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C

That is a sample, but clearly apache is being hammered. What I'm looking for is some peer to peer detail on the attack, and some recommendations for how to plug the hole. Joomla is a client application and they are planning an upgrade. Their current login field permits unlimited characters and may be vulnerable to sql injection. I saw some evidence of this in the apache server logs.

173.201.187.118 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 302 - "-" "libwww-perl/5.837"

This is a cut and paste from a site that explains how to sql inject Joomla. I've actually used this code to block firewall access for the offending users. Any ideas help?

Plans:
1) Force the customer to upgrade Joomla to 1.5.22. Will this help?
2) Upgrade ISPCONFIG 3 to the most current version. (help, link please)
3) Find a way to harden apache to prevent this abuse.
Is this also an abuse attempt?

114.80.93.55 - - [30/Nov/2010:14:39:15 -0600] "GET /bsm/index.php HTTP/1.0" 200 49124 "-" "Sosospider+(+http://help.soso.com/webspider.htm)"

This is an access attempt on http://bsg21.org

Regards,
I think this is just a search engine spider. I'd upgrade Joomla to the latest version. This link might help: http://www.howtoforge.com/forums/showthread.php?t=13487&highlight=route+reject
[Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <[email protected]>), referer: http://www.bsg21.org/bsm/////?optio...../../../../../../../../../..//tmp/x-treme00
[Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <[email protected]>), referer: http://www.bsg21.org/bsm/////?optio...../../../../../../../../../..//tmp/x-treme00
[Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <[email protected]>), referer: http://www.bsg21.org/bsm/////?optio...../../../../../../../../../..//tmp/x-treme00

208.65.90.7 - - [13/Jan/2010:01:53:52 -0600] "GET /bsm/administrator/components/com_joomgallery/assets/images/joom_ftpupload.png HTTP/1.1" 304 0 "http://www.bsg21.org/bsm/administrator/index.php?option=com_content&sectionid=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"

What is this, smoking gun? Looks like Joomla had an ftp upload flaw which was abused. More evidence for doing the upgrade.
Via httpd abuse, probably an sql injection, a folder /tmp/.nt was installed on the server. There was a zip file and several others owned by apache. That is how processes were started on the server. I've added mod_security and mod_evasive, hardened php and am hoping the Joomla upgrade proceeds. The problem is solved. I'm looking for more agile intrusion detection to prevent this from happening again.
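As an added example (not code from this thread or from ISPConfig), here is a small Python scan of Apache combined-format access-log lines for the pattern quoted above: repeated "../" traversal, inclusion of /proc/self/environ, and the %00 null-byte truncation, plus a scripted user agent. The scripted-agent list and the third sample line are assumptions; the first two sample lines are the ones quoted in the thread.

```python
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Request indicators drawn from the com_ckforms request quoted in the thread: repeated
# "../" traversal, inclusion of /proc/self/environ, and the %00 null-byte truncation.
REQUEST_INDICATORS = [
    ("traversal", re.compile(r"(\.\./){3,}")),
    ("proc_environ", re.compile(r"/proc/self/environ")),
    ("null_byte", re.compile(r"\x00")),
]
# User-agent indicator; this list of scripted clients is an assumption, not from the thread.
AGENT_INDICATOR = ("scanner_agent", re.compile(r"libwww-perl|python-urllib|curl/", re.I))

def scan_entry(entry):
    """Return the indicator names that fire on one parsed log entry (a LOG_RE groupdict)."""
    # Percent-decode once so that %2e%2e%2f and %00 are inspected as PHP would see them.
    target = unquote(entry["request"]) + " " + unquote(entry["referer"])
    hits = [name for name, rx in REQUEST_INDICATORS if rx.search(target)]
    if AGENT_INDICATOR[1].search(entry["agent"]):
        hits.append(AGENT_INDICATOR[0])
    return hits

def scan_log(lines):
    """Return (client_ip, request, hits) for every line that trips at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)  # lines that are not combined-format entries are skipped
        if m:
            entry = m.groupdict()
            hits = scan_entry(entry)
            if hits:
                findings.append((entry["ip"], entry["request"], hits))
    return findings

# Constructed sample: the two requests quoted in the thread plus an ordinary page view.
SAMPLE_LOG = [
    '173.201.187.118 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms'
    '&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1"'
    ' 302 - "-" "libwww-perl/5.837"',
    '114.80.93.55 - - [30/Nov/2010:14:39:15 -0600] "GET /bsm/index.php HTTP/1.0" 200 49124'
    ' "-" "Sosospider+(+http://help.soso.com/webspider.htm)"',
    '192.0.2.10 - - [30/Nov/2010:15:01:02 -0600] "GET /bsm/index.php?option=com_content'
    ' HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]
```

Run `scan_log` over a real access_log with `open(path)` in place of `SAMPLE_LOG`; the Sosospider request is not flagged, which matches the reply that it is just a search engine spider.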