server hacked using www-data exploit

Discussion in 'Server Operation' started by PermaNoob, Nov 2, 2013.

  1. PermaNoob

    PermaNoob Member

    server hacked using PHP 5.x Remote Code Execution Exploit

    Haven't been able to find much information on cleaning out this exploit.

    I believe it was a hack that allowed the server to be used in a botnet.

    There were several pids with www-data as the user using a lot of cpu.

    Here is what I got:

    netstat -tenp | grep 29148
    tcp 0 0 x.x.x.x:40088 42.121.128.166:5190 ESTABLISHED 33 909978212 29148/mingetty tty7

    netstat -tenp | grep 19611
    tcp 0 0 x.x.x.x:52626 209.124.41.251:80 ESTABLISHED 33 909251230 19611/sshd

    netstat -tenp | grep 10853
    tcp 0 0 x.x.x.x:60819 5.79.78.230:6667 ESTABLISHED 33 909453237 10853/xauditd

    I blocked those IPs and rebooted the server. I also added a password for user www-data just in case. Then an hour later another one showed up. I blocked that IP and killed the PID. Some hours later there was one more.

    Also, those ports, 60819, 52626, and 40088, are not open in the ISPConfig firewall (x.x.x.x is the server IP, edited out).

    The hacker, logged in as www-data, tried to su to root but was unsuccessful.

    Nov 2 10:08:07 server su[25685]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/5 ruser=www-data rhost= user=root
    Nov 2 10:08:09 server su[25685]: pam_authenticate: Authentication failure
    Nov 2 10:08:09 server su[25685]: FAILED su for root by www-data
    Nov 2 10:08:09 server su[25685]: - pts/5 www-data:root

    I'm setting up a new server, but I'd like to identify where this is coming from before I copy any sites over.

    Any ideas?
     
    Last edited: Nov 4, 2013
  2. Quaxth

    Quaxth Member

    Where is your server located? At your office/home or in a data center?

    If at your home, I would suggest you set up an extra computer to be used as a hardware firewall between your WAN and your LAN. That would give you the ability to control in- and outgoing traffic in depth and prevent what you don't like.

    As software you could use Smoothwall Express (http://smoothwall.org), which is freeware and needs only a low-grade computer. Monitor, keyboard and mouse are needed for installation only and can be removed after that. Access for configuration etc. is done over a web browser, like ISPConfig. Multiple WANs are also possible, to use more than one Internet account; you just need to add additional NICs.

    I use an old Intel 775 machine with just 2 GB memory and a 40 GB HDD for it, and even lower would be no problem.

    If your server is located at a data center, then you'll have to contact the support people there and also provide them the required info to block those sources.
     
  3. PermaNoob

    PermaNoob Member

    It's at a datacenter.

    I blocked the whole range of IPs in China and it hasn't happened again.

    What I need to do is find out which files might be affected before I copy the sites to a new server, so if anyone has any advice on that, I would appreciate it.

    I figured it was a known exploit but maybe not.
     
  4. Quaxth

    Quaxth Member

    I can only think of using different scanners to check the whole server content. That's something which really needs a lot of time and isn't done quickly!

    To do that, you may need another Linux-driven computer to run the check, especially if you don't have direct access to your server in the data center.
     
  5. PermaNoob

    PermaNoob Member

    You should be careful telling people to tell the data center: data centers will usually just disconnect the box right away, and the person won't have access to their files or server; also they won't be able to investigate to find out what happened.
     
    Last edited: Nov 3, 2013
  6. Quaxth

    Quaxth Member

    Yes, in case you're using shared hosting, that could be the outcome. It's all about what kind of contract you have with the service provider. If the server is your own property, just located at a data center, they couldn't just disconnect your server. That would be possible only in case you abuse and breach existing law, like copyright violations etc., and even then there must be a warrant or court order.
     
  7. PermaNoob

    PermaNoob Member

    very few people here use co-location
     
  8. PermaNoob

    PermaNoob Member

    I found the exploit, now I'm just trying to figure out the right way to prevent it.

    in the access log:

    176.9.28.244 - - [02/Nov/2013:16:04:00 +0100] "POST //%63%67%69%2D%62%69%6E/%70%68%70%2D%63%67%69?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 213 "-" "Opera"

    which translates to

    cgi-bin/php-cgi?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-d+auto_prepend_file=php://input+-n
     
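    The decoded request above shows what the attacker is doing: php-cgi accepts command-line switches from the query string when the web server builds an argv out of it (the php-cgi argument-injection bug fixed in 2012, CVE-2012-1823), and `-d auto_prepend_file=php://input` makes the POST body run as PHP. The script below is an added example, not part of this thread: it scans Apache combined-format access-log lines for that pattern and reports which php-cgi switches and ini directives were injected. The sample log lines are constructed with documentation addresses (192.0.2.0/24) around the encoded payload from the post; the function and variable names are mine.

```python
"""Flag php-cgi argument-injection attempts (the pattern in the log line above,
matching CVE-2012-1823) in Apache access logs.  Added example, not code from
the thread; log lines are constructed with documentation IPs (192.0.2.0/24)."""
import re
from urllib.parse import unquote, unquote_plus

# Apache combined log format: only the client IP, timestamp, request line and
# status are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# ini directives the payload rewrites so that the POST body is executed as PHP.
DANGEROUS_DIRECTIVES = frozenset({
    "auto_prepend_file", "allow_url_include", "disable_functions",
    "open_basedir", "safe_mode", "cgi.force_redirect", "suhosin.simulation",
})


def cgi_argv(raw_query):
    """What an RFC 3875 server hands php-cgi as argv: when the query string
    holds no literal '=', it is split on '+' and each piece percent-decoded.
    That is why the payload encodes every '=' as %3D.  Returns None when the
    server would build no argv at all."""
    if "=" in raw_query:
        return None
    return [unquote(p) for p in raw_query.split("+")]


def decode_target(target):
    """Human-readable form of the request target (the post's 'translation')."""
    path, sep, query = target.partition("?")
    return unquote(path) + (sep + unquote_plus(query) if sep else "")


def analyse_target(target):
    """Return a finding dict for a php-cgi argv injection, else None."""
    path, sep, raw_query = target.partition("?")
    if not sep:
        return None
    argv = cgi_argv(raw_query)
    # Fall back to a plain decode for logs that were already URL-decoded.
    tokens = argv if argv is not None else unquote_plus(raw_query).split()
    if not tokens or not tokens[0].startswith("-"):
        return None  # ordinary query string, not php-cgi switches
    switches = [t for t in tokens if t.startswith("-")]
    directives = sorted(
        t.split("=", 1)[0] for t in tokens
        if "=" in t and t.split("=", 1)[0] in DANGEROUS_DIRECTIVES
    )
    return {
        "path": unquote(path),
        "argv_built": argv is not None,  # True: the server really passed argv
        "switches": switches,
        "directives": directives,
    }


def scan_log(text):
    """Return (ip, timestamp, status, finding) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyse_target(m["target"])
        if finding:
            hits.append((m["ip"], m["ts"], int(m["status"]), finding))
    return hits


# Constructed sample: the encoded payload from the post plus two benign requests.
PAYLOAD = ("//%63%67%69%2D%62%69%6E/%70%68%70%2D%63%67%69?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C"
           "%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
           "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F"
           "%69%6E%70%75%74+%2D%6E")
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [02/Nov/2013:16:03:58 +0100] "GET /index.php?id=5 HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    f'192.0.2.20 - - [02/Nov/2013:16:04:00 +0100] "POST {PAYLOAD} HTTP/1.1" 404 213 "-" "Opera"',
    '192.0.2.30 - - [02/Nov/2013:16:04:07 +0100] "GET /cgi-bin/php-cgi?foo=bar HTTP/1.1" 404 213 "-" "curl/7.26"',
])

if __name__ == "__main__":
    for ip, ts, status, finding in scan_log(SAMPLE_LOG):
        print(ip, ts, status, decode_target(PAYLOAD))
        print("   ", finding)
```

    The `argv_built` flag is the important part of a finding: per RFC 3875 the server only passes the query string to the CGI program as arguments when it contains no unencoded `=`, which is exactly why the attacker percent-encodes every `=`. A 404 on such a request, as in the log line above, means that particular path did not reach php-cgi at all; run the same scan for responses with status 200 and for the interpreter under its other alias (`/cgi-bin/php`, as in the later post in this thread) before concluding which request got in.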
  9. PermaNoob

    PermaNoob Member

    It appears to be a PHP 5.x Remote Code Execution Exploit

    I made these changes to the php.ini after using http://phpsec.org/projects/phpsecinfo/index.html--if any will cause a problem for ispconfig, please let me know:

    cgi.force_redirect = 1

    display_errors = Off

    expose_php = Off

    file_uploads = Off

    memory_limit = 128M changed to memory_limit = 8M

    post_max_size = 8M changed to 1m
     
    Last edited: Nov 4, 2013
  10. Steffen

    Steffen New Member

    Hi PermaNoob,

    During the last two days I've experienced this as well on a few hosts I'm controlling: Debian 5 and 6 with ISPConfig 3.

    I've spotted similar POSTs in the Apache access logs, like you:

    /cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

    Also I've found some suspicious identical Perl scripts in the servers' /tmp folder that might have been used to create the sshd process.

    Can you confirm if your php.ini modifications have prevented the intruders?
     
  11. PermaNoob

    PermaNoob Member

    Those changes didn't help: had another high-CPU-use www-data process this morning. I killed the PID and blocked the IP.

    Still searching for a good solution. I'm stuck with lenny and php 5.3 right now, but my new server will be ready soon.

    The exploit was discussed on reddit and all the script kiddies have jumped on it.
     
    Last edited: Nov 4, 2013
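    Two details of the decoded request explain why php.ini changes cannot stop it: `-n` tells php-cgi to skip php.ini altogether, and each `-d` sets a directive on the command line, so nothing in php.ini is consulted, `cgi.force_redirect = 1` included. The fix therefore has to be a patched php-cgi (PHP 5.3.13 / 5.4.3 and later close CVE-2012-1823 and its incomplete-fix follow-up) or a rule in front of the interpreter; Debian lenny was already out of security support when the bug was published, so on such a box the web-server rule is the realistic stopgap. The block below is an added example, not from this thread: it is the mod_rewrite workaround the PHP project published with the fix, which refuses any request whose query string contains no unencoded `=` (the case in which the server builds argv) and carries a dash, literal or percent-encoded. It assumes mod_rewrite is enabled and belongs in the server or vhost context.

```apache
# Workaround for php-cgi argument injection (CVE-2012-1823), as published by the
# PHP project: refuse requests whose query string would be handed to php-cgi
# as argv.  Needs mod_rewrite; put it in the server or vhost context.  It is
# not a php.ini setting, because the payload bypasses php.ini with -n and -d.
RewriteEngine On

# Condition 1: no unencoded "=" anywhere in the query string (RFC 3875 4.4:
# this is when the server passes the query to the CGI program as arguments).
RewriteCond %{QUERY_STRING} ^[^=]*$
# Condition 2: a dash, literal or percent-encoded, i.e. a php-cgi switch
# such as -d, -n or -s.  [NC] also matches %2D.
RewriteCond %{QUERY_STRING} %2d|\- [NC]
# Both conditions true: answer 403 Forbidden and stop rewriting.
RewriteRule .? - [F,L]
```

    Check it after `apache2ctl configtest` and a reload: a request such as `curl -s -o /dev/null -w '%{http_code}' 'http://your-host/cgi-bin/php-cgi?%2Dd+allow_url_include%3Don'` must return 403, while an ordinary `?id=5` still reaches the application. The trade-off is that any legitimate query string without an `=` that happens to contain a hyphen (some applications use `?some-keyword` style URLs) is blocked too; if a site relies on those, scope the rule to the CGI paths with a `<Location>` or `<Directory>` block rather than the whole vhost.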
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have Apache mod_security installed? If not, I can highly recommend installing it to block such attacks.
     
  13. sergio.morales

    sergio.morales New Member

    Please verify

    Hello folks. Could you PLEASE verify that these changes have indeed stopped all the intrusions?

    Thanks in advance!
     
  14. sergio.morales

    sergio.morales New Member

    How do I get that?

    Hey Till. How do I check if I already have it installed, and if not, how can I get it?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    The changes will stop lots of normal server applications:

    cgi.force_redirect = 1

    That's ok. It should be like this by default, and it might be the most important part of the changes.

    display_errors = Off
    expose_php = Off

    That is a good general security measure, not giving an attacker more details about your server, so that's uncritical as well.

    file_uploads = Off
    memory_limit = 128M changed to memory_limit = 8M
    post_max_size = 8M changed to 1m

    These settings are more critical: if you run any CMS system, blogs or shops or even a webmail application, they will stop working if you reduce the memory of the PHP processes like this, and no uploads of images, email attachments etc. will be possible anymore when you deny uploads in PHP.
     
  16. toto64

    toto64 New Member

    Hello,

    I have just registered on the forum to tell you that I had the same attack over the weekend (user www-data).

    I am using a dedicated server from OVH with ISPConfig 3 and Joomla 2.5

    Could you please tell me if this attack results from a weakness in ISPConfig, or is it more something that has to do with general server security and needs to be improved?

    I will have a look at mod_security as advised below.

    Thanks
    Cheers
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig runs under the user "ispconfig" and not www-data; the issue is a general Apache/PHP server issue and not ISPConfig specific.
     
  18. toto64

    toto64 New Member

    Thanks for your answer.
    If I install mod_security, will this prevent this particular attack in the future?

    Thanks again
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    You will see it when it is installed. mod_security is a generic filter for various attacks.
     
  20. toto64

    toto64 New Member

    I have used your tutorial from this page to install mod_security (thanks for this!).
    http://www.faqforge.com/linux/apache-mod-security-installation-on-debian-6-0-squeeze/

    I have one question, when you say:
    Configure apache to load the activated mod-security rules
    vi /etc/apache2/conf.d/mod-security.conf
    Include /etc/apache2/mod-security/*.conf

    It means that I need to create this file "mod-security.conf" and add this line inside it: "Include /etc/apache2/mod-security/*.conf"?

    Also, is there a command to check if the module is working correctly?

    Thanks and sorry for hacking the thread, I will stop after this question.
     
