Shellbot on ISPConfig website

Discussion in 'Installation/Configuration' started by timontomi, May 11, 2016.

  1. timontomi

    timontomi New Member

    Hi,
I have a problem with a shellbot on ISPConfig for one website. As far as I know this can be Backdoor.Perl.Shellbot.a.
    In the logs for this website I see this info. How can I block it, or is there some solution for it?

    Code:
    [Tue May 10 13:53:25 2016] [error] [client 91.121.254.1] --2016-05-10 13:53:25--  http://themilliononline.com/ecommerce/catalog/ext/config
    [Tue May 10 13:53:25 2016] [error] [client 91.121.254.1] Resolving themilliononline.com (themilliononline.com)...
    [Tue May 10 13:53:25 2016] [error] [client 91.121.254.1] 65.99.251.73
    [Tue May 10 13:53:25 2016] [error] [client 91.121.254.1] Connecting to themilliononline.com (themilliononline.com)|65.99.251.73|:80...
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] connected.
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] HTTP request sent, awaiting response...
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] 200 OK
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] Length: 33377 (33K) [text/plain]
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] Saving to: `config'
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1]
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1]      0K ...
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] ...
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] ...
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] . .
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] ..
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] .
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] .
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] ..
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] .
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] .. .
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] ...
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] ..
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] ...
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] . ..
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1]                    100%  155K=0.2s
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1]
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] 2016-05-10 13:53:26 (155 KB/s) - `config' saved [33377/33377]
    [Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] 
     
  2. Jesse Norell

    Jesse Norell Active Member

A quick do-it-yourself cleanup: start recording your login session (in your terminal program, or just run "script site-cleanup.out" or similar). Take a backup of the entire site real quick for reference later.

It looks like it saved that as filename 'config'; a 30 second glance at that script looks like it's an IRC client that disguises its process name ... Start by finding that and see what timestamp it has. Use lsof to see if any running processes have that file open (lsof ./config), and examine those (e.g. run lsof -p ### on their pid) - see if they have any open filehandles for further stuff to dig into, and also see what network sockets are open (probably they will be connected to an IRC server). Look for child processes started by those, and repeat (i.e. see if they have open filehandles, network sockets and/or child processes). Once you're done digging into any processes you just found, kill them and clean up any suspect files you may have identified. Firewall off any IP addrs those processes would be connected to (and check the config script too, e.g. right now it has $servidor='marijuana.school.cl', but that could surely change on the next download).

Check your webserver logs for what happened just prior to the timestamp you identified above, to try to identify what was exploited to download that 'config' script, and what IP address(es) were involved. Then look through the logs again for those IP addrs, and see what else you find. You might block these IP addrs real quick (in iptables or the network firewall), too.

    If you have a recent backup of your site that you suspect is clean, you could start with restoring that, then dig into the vulnerabilities used (all found above), to fix the problem. You might simply need to update website software if it's pretty clearly a known vulnerability.

    Whether you were able to restore a backup or not, you probably want to run some scans on your site to see if you find further indicators of compromise. You may need to reinstall software from clean sources, or attempt manual cleanup of files, depending on what you find. There are tools you can run on the server back-end (https://www.howtoforge.com/tutorial/how-to-scan-linux-for-malware-and-rootkits/), and tools/services which will scan from the internet side, use both types. Definitely check out ispprotect (support some of the ispconfig developers). If this happens to be a wordpress site, wordfence has a good scanner and makes some of the cleanup pretty easy (click to fix wp core and public plugins/themes).

Also make sure your server software is up to date. E.g. the recent "ImageTragick" vulnerability could do this if the website processes image files with ImageMagick.
     
    Last edited: May 12, 2016
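A defender-side helper for the log part of the steps in this reply, added here as an example; it is not part of the thread, of ISPConfig or of any scanner mentioned above. It parses Apache error-log lines like the ones posted in the question, picks out the wget output that the web process wrote to stderr, recovers the triggering client IP, the download host and its resolved address, the saved filename and the timestamps, and from those derives the access-log window to search and the iptables rules to review before applying. The sample lines are constructed from the excerpt plus one unrelated line; the docroot path and the use of iptables as the host firewall are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: Apache 2.2-style error-log lines modelled on the excerpt in
# the question (wget progress output from the web process), plus one ordinary
# error line to show that unrelated entries are ignored.
SAMPLE_LOG = """\
[Tue May 10 13:53:25 2016] [error] [client 91.121.254.1] --2016-05-10 13:53:25--  http://themilliononline.com/ecommerce/catalog/ext/config
[Tue May 10 13:53:25 2016] [error] [client 91.121.254.1] Resolving themilliononline.com (themilliononline.com)...
[Tue May 10 13:53:25 2016] [error] [client 91.121.254.1] 65.99.251.73
[Tue May 10 13:53:25 2016] [error] [client 91.121.254.1] Connecting to themilliononline.com (themilliononline.com)|65.99.251.73|:80...
[Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] Saving to: `config'
[Tue May 10 13:53:26 2016] [error] [client 91.121.254.1] 2016-05-10 13:53:26 (155 KB/s) - `config' saved [33377/33377]
[Tue May 10 14:02:11 2016] [error] [client 203.0.113.7] File does not exist: /var/www/example/favicon.ico
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] \[client (?P<ip>[^\]\s]+)\] ?(?P<msg>.*)$")
FETCH_RE = re.compile(r"^--\d{4}-\d\d-\d\d \d\d:\d\d:\d\d--\s+(?P<url>\S+)$")  # wget banner line
SAVED_RE = re.compile(r"`(?P<name>[^']+)' saved \[(?P<got>\d+)/(?P<total>\d+)\]")  # wget completion line
IP_ONLY_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # the resolved address wget prints after "Resolving"
TS_FORMATS = ("%a %b %d %H:%M:%S %Y", "%a %b %d %H:%M:%S.%f %Y")  # Apache 2.2, then 2.4 (microseconds)


def _parse_ts(text):
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: " + text)


def _strip_port(addr):
    # Apache 2.4 logs "client 1.2.3.4:54321"; 2.2 logs only the address.
    m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$", addr)
    return m.group(1) if m else addr


def parse_error_log(text):
    """Turn error-log lines into dicts; lines that do not fit the format are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append({"ts": _parse_ts(m.group("ts")), "level": m.group("level"),
                            "ip": _strip_port(m.group("ip")), "msg": m.group("msg").strip()})
    return records


def find_downloads(records):
    """Group wget output per client IP into download events: who triggered it,
    what was fetched, where the host resolved to, and what the payload was saved as."""
    events, open_by_ip = [], {}
    for rec in records:
        msg = rec["msg"]
        fetch = FETCH_RE.match(msg)
        if fetch:
            ev = {"client": rec["ip"], "started": rec["ts"], "url": fetch.group("url"),
                  "host": urlsplit(fetch.group("url")).hostname, "host_ip": None,
                  "saved_as": None, "bytes": None, "finished": None}
            open_by_ip[rec["ip"]] = ev
            events.append(ev)
            continue
        ev = open_by_ip.get(rec["ip"])
        if ev is None:
            continue  # not part of a download we are tracking
        if IP_ONLY_RE.match(msg) and ev["host_ip"] is None:
            ev["host_ip"] = msg
            continue
        saved = SAVED_RE.search(msg)
        if saved:
            ev["saved_as"], ev["bytes"] = saved.group("name"), int(saved.group("got"))
            ev["finished"] = rec["ts"]
            del open_by_ip[rec["ip"]]
    return events


def correlation_window(event, before=timedelta(minutes=10), after=timedelta(minutes=1)):
    """Access-log time span to search for the request that launched the download."""
    end = event["finished"] or event["started"]
    return event["started"] - before, end + after


def triage_commands(event, docroot="/var/www"):
    """The manual steps from the reply as shell commands (docroot is an assumed path)."""
    name = event["saved_as"] or "config"
    return [f"find {docroot} -name '{name}' -newermt '{event['started']:%Y-%m-%d}' -ls",
            f"lsof /path/to/{name}        # once located: which processes hold it open",
            "lsof -p <PID>               # for each such process: files and sockets"]


def firewall_rules(events):
    """iptables rules blocking triggering clients inbound and payload hosts outbound,
    returned as strings for review (assumption: iptables is the host firewall)."""
    rules, seen = [], set()
    for ev in events:
        for addr, rule in ((ev["client"], "-I INPUT -s"), (ev["host_ip"], "-I OUTPUT -d")):
            if addr and addr not in seen:
                seen.add(addr)
                rules.append(f"iptables {rule} {addr} -j DROP")
    return rules


if __name__ == "__main__":
    for ev in find_downloads(parse_error_log(SAMPLE_LOG)):
        print(ev, correlation_window(ev), triage_commands(ev), sep="\n")
    print("\n".join(firewall_rules(find_downloads(parse_error_log(SAMPLE_LOG)))))
```

Run it against the real file with `parse_error_log(open("/var/log/apache2/error.log").read())` (path assumed) and use the window it returns to grep the matching access log for the request that preceded the wget, which is the step the reply describes for finding what was exploited.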
