Possible httpd server attack, may need to harden ISPCONFIG or apache

I have been experiencing an issue with my httpd server configured to use ISPCONFIG 3

ISPConfig Version: 3.0.2.2

What happens is one of two things.

Either a Joomla site 1.5.15 is being abused or apache is being abused directly.

The result is:

A large number of processes is being opened up transferring Gigabytes of data to IP addresses in China.

I shut the attack down cold by dropping all outbound FTP traffic but still seem to be getting abused. Just now the nasty people are are not achieving their goal. Can't leave outbound ftp shut down forever, Wordpress uses it to take care of automatic updates.

syslog shows:

Nov 27 14:20:21 mercury pure-ftpd: (?@127.125.46.121) [INFO] New connection from 127.125.46.121
Nov 27 14:20:22 mercury pure-ftpd: (?@127.144.46.72) [INFO] New connection from 127.144.46.72
Nov 27 14:20:23 mercury pure-ftpd: (?@127.116.51.101) [INFO] New connection from 127.116.51.101
Nov 27 14:20:25 mercury pure-ftpd: (?@127.146.54.81) [INFO] New connection from 127.146.54.81
Nov 27 14:20:30 mercury pure-ftpd: (?@127.103.51.246) [INFO] New connection from 127.103.51.246
Nov 27 14:20:31 mercury pure-ftpd: (?@127.147.37.9) [INFO] New connection from 127.147.37.9
Nov 27 14:20:33 mercury pure-ftpd: (?@127.104.62.129) [INFO] New connection from 127.104.62.129
Nov 27 14:20:38 mercury pure-ftpd: (?@127.126.47.102) [INFO] New connection from 127.126.47.102
Nov 27 14:20:39 mercury pure-ftpd: (?@127.118.48.76) [INFO] New connection from 127.118.48.76
Nov 27 14:20:42 mercury pure-ftpd: (?@127.116.52.194) [INFO] New connection from 127.116.52.194
Nov 27 14:21:34 mercury pure-ftpd: (?@127.141.84.84) [INFO] New connection from 127.141.84.84

Very interesting is a list of the open apache processes.


apache 1133 1 0 Nov28 ? 00:00:11 ./nt -h 114.113.0.0 16 -u users
-p pass -t 6 -c 20 -o log -d -k -C
apache 1138 1 0 Nov28 ? 00:00:00 ./nt -h 114.118.0.0 16 -u users
-p pass -t 6 -c 20 -o log -d -k -C
apache 1300 1 0 Nov28 ? 00:00:00 ./nt -h 114.128.0.0 16 -u users
-p pass -t 6 -c 20 -o log -d -k -C
apache 1301 1 0 Nov28 ? 00:00:13 ./nt -h 114.129.0.0 16 -u users
-p pass -t 6 -c 20 -o log -d -k -C

That is a sample, but clearly apache is being hammered.

What I'm looking for is some peer to peer detail on the attack, and some recommendations for how to plug the hole.

Joomla is a client application and they are planning an upgrade. Their current login field permits unlimited character and may be vulnerable to sql injection.

I saw some evidence of this in the apache server logs.

173.201.187.118 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 302 - "-" "libwww-perl/5.837"


This is a cut and paste from a site that explains how to sql inject Joomla.

I've actually used this code to block firewall access for the offending users.

Any ideas help?

Plans:
1) Force the customer to upgrade Joomla to 1.5.22. Will this help?
2) Upgrade ISPCONFIG three to most current version. (help, link please).
3) Find a way to harden apache to prevent this abuse.

 

Is this also an abuse attempt?


114.80.93.55 - - [30/Nov/2010:14:39:15 -0600] "GET /bsm/index.php HTTP/1.0" 200 49124 "-" "Sosospider+(+http://help.soso.com/webspider.htm)"


This is an access attempt on http://bsg21.org

Regards,

 

I think this is just a search engine spider.

I'd upgrade Joomla to the latest version.

This link might help: http://www.howtoforge.com/forums/showthread.php?t=13487&highlight=route reject

 

What about the ftp transfers?

Is there an injection problem with older versions of Joomla?

 

[Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <inode@wayreth.eu.org>), referer: http://www.bsg21.org/bsm/////?optio...../../../../../../../../../..//tmp/x-treme00
[Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <inode@wayreth.eu.org>), referer: http://www.bsg21.org/bsm/////?optio...../../../../../../../../../..//tmp/x-treme00
[Sun Nov 28 18:23:14 2010] [error] [client 41.202.18.136] FTP & NT scanner by Lomax (credits Inode <inode@wayreth.eu.org>), referer: http://www.bsg21.org/bsm/////?optio...../../../../../../../../../..//tmp/x-treme00
208.65.90.7 - - [13/Jan/2010:01:53:52 -0600] "GET /bsm/administrator/components/com_joomgallery/assets/images/joom_ftpupload.png HTTP/1.1" 304 0 "http://www.bsg21.org/bsm/administrator/index.php?option=com_content&sectionid=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"


What is this, smoking gun? Looks like Joomla had an ftp upload flaw which was abused. More evidence for doing the upgrade

 

These can be blocked with the route command as well. The route command blocks all traffic for an IP.

 

Via httpd abuse, probably a sql inject a folder /tmp/.nt was installed on the server. There was a zip file and several others owned by apache. That is how processes were started on the server.

I've added mod_security and mod_evasive, hardened php and am hoping the Joomla upgrade proceeds.

The problem is solved. I'm looking for more agile intrusion detection to prevent this from happening again.