server hacked using PHP 5.x Remote Code Execution Exploit

Haven't been able to find much information on cleaning out this exploit. I believe it was a hack that allowed the server to be used in a botnet. There were several pids with www-data as the user using a lot of cpu. Here is what I got:

netstat -tenp| grep $29148
tcp 0 0 x.x.x.x:40088 42.121.128.166:5190 ESTABLISHED 33 909978212 29148/mingetty tty7
netstat -tenp| grep $19611
tcp 0 0 x.x.x.x:52626 209.124.41.251:80 ESTABLISHED 33 909251230 19611/sshd
netstat -tenp| grep $10853
tcp 0 0 x.x.x.x:60819 5.79.78.230:6667 ESTABLISHED 33 909453237 10853/xauditd

I blocked those IPs and rebooted the server. I also added a password for user www-data just in case. Then an hour later another one showed up. I blocked that IP and killed the pid. Some hours later there was one more. Also, those ports, 60819, 52626, and 40088 are not open in the ispconfig firewall (the x.x.x.x are the server IP edited out). The hacker, logged in as www-data, tried to su to root but was unsuccessful.

Nov 2 10:08:07 server su[25685]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/5 ruser=www-data rhost= user=root
Nov 2 10:08:09 server su[25685]: pam_authenticate: Authentication failure
Nov 2 10:08:09 server su[25685]: FAILED su for root by www-data
Nov 2 10:08:09 server su[25685]: - pts/5 www-data:root

I'm setting up a new server, but I'd like to identify where this is coming from before I copy any sites over. Any ideas?
Where is your server located? At your office/home or at a data center? If at your home, I would suggest you set up an extra computer to be used as a hardware firewall between your WAN and your LAN. That would give you the ability to control in- and outgoing traffic deeply and prevent what you don't like. As software you could use Smoothwall Express (http://smoothwall.org), which is freeware and needs only a low-grade computer. Monitor, keyboard and mouse are needed for installation only and can be removed after that. The access for config etc. is done over a web browser, like ISPConfig etc. Also multiple WANs are possible, to use more than 1 Internet account; you just need to add additional NICs. I use an old Intel 775 machine with just 2 GB memory and a 40GB HDD for it, and even lower would be no problem. If your server is located at a data center, then you'll have to contact the support people there and also provide them the required info to block those sources.
It's at a datacenter. I blocked the whole range of IPs in China and it hasn't happened again. What I need to do is find out which files might be affected before I copy the sites to a new server, so if anyone has any advice on that, I would appreciate it. I figured it was a known exploit but maybe not.
I can only think of using different scanners to check the whole server content. That's something which really needs a lot of time and isn't done quickly! To do that, you may need another Linux-driven computer to run the check, especially if you don't have direct access to your server in the datacenter.
You should be careful telling people to tell the data center--data centers will usually just disconnect the box right away and the person won't have access to their files or server, also they won't be able to investigate to find out what happened.
Yes, in case you're using shared hosting, that could be the outcome. It's all about what kind of contract you have with the service provider. If the server is your own property, just located at a data center, they couldn't just disconnect your server. That would be possible only in case you abuse and breach existing law, like copyright violations etc., and even then, there must be a warrant or court order.
I found the exploit, now I'm just trying to figure out the right way to prevent it. In the access log:

176.9.28.244 - - [02/Nov/2013:16:04:00 +0100] "POST //%63%67%69%2D%62%69%6E/%70%68%70%2D%63%67%69?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 213 "-" "Opera"

which translates to

cgi-bin/php-cgi?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-d+auto_prepend_file=php://input+-n
It appears to be a PHP 5.x Remote Code Execution Exploit. I made these changes to the php.ini after using http://phpsec.org/projects/phpsecinfo/index.html -- if any will cause a problem for ispconfig, please let me know:

cgi.force_redirect = 1
display_errors = Off
expose_php = Off
file_uploads = Off
memory_limit = 128M changed to memory_limit = 8M
post_max_size = 8M changed to 1m
Hi PermaNoob,

During the last two days I've experienced this as well on a few hosts I'm controlling - Debian 5 and 6 with Ispconfig 3. I've spotted similar POSTs in apache access logs like you:

/cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

Also I've found some suspicious identical perl scripts in the server's /tmp folder that might have been used to create the sshd process. Can you confirm if your php.ini modifications have prevented the intruders?
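As an added example (not code from the thread, from ISPConfig or from any poster), a small Python scanner that percent-decodes the request target of each Apache access-log line and flags the php-cgi option injection shown in the two posts above, so a server owner can find every such request and its source address in their own logs. The sample log is constructed from those two posts: the first line is the request quoted in the thread, the second is the later post's variant with a placeholder client 192.0.2.10 and an assumed timestamp, the third is ordinary traffic that must not be flagged.

```python
import re
from urllib.parse import unquote, unquote_plus

# Apache combined-log prefix: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')
PHP_CGI_PATH = re.compile(r"/cgi-bin/php[^/]*$")  # php-cgi, php5, php ... under cgi-bin
# php.ini directives the thread's POST overrides with "-d"; no browser ever sends these
SUSPECT_DIRECTIVES = {
    "allow_url_include", "safe_mode", "suhosin.simulation", "disable_functions",
    "open_basedir", "auto_prepend_file", "cgi.force_redirect", "cgi.redirect_status_env",
}

def decode_target(target):
    """Split a request target and percent-decode it ('+' is a space in the query)."""
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(path))  # "//cgi-bin" and "/cgi-bin" name the same file
    return path, unquote_plus(query)

def injected_options(query):
    """Return php-cgi command-line options smuggled into a decoded query string."""
    tokens, found = query.split(), []
    for tok, nxt in zip(tokens, tokens[1:] + [""]):
        if tok == "-d" and nxt.split("=", 1)[0] in SUSPECT_DIRECTIVES:  # "-d name=value"
            found.append("-d " + nxt)
        elif tok.startswith("-d") and tok[2:].split("=", 1)[0] in SUSPECT_DIRECTIVES:
            found.append("-d " + tok[2:])                               # "-dname=value"
        elif tok in ("-n", "-s"):  # "ignore php.ini" / "show source": interpreter flags
            found.append(tok)
    return found

def scan_log(lines):
    """Return one finding per request whose query carries php-cgi option injection."""
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):  # skip lines that do not parse
        client, when, method, target, status = m.groups()
        path, query = decode_target(target)
        opts = injected_options(query)
        if opts:
            findings.append({"client": client, "time": when, "method": method,
                             "status": int(status), "path": path, "options": opts,
                             "php_cgi": bool(PHP_CGI_PATH.search(path))})
    return findings

# Constructed sample log: line 1 is the request quoted in the thread, line 2 the variant
# from the later post (client 192.0.2.10 is a placeholder), line 3 is ordinary traffic.
SAMPLE_LOG = [
    '176.9.28.244 - - [02/Nov/2013:16:04:00 +0100] "POST //%63%67%69%2D%62%69%6E/%70%68%70%2D%63%67%69?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 213 "-" "Opera"',
    '192.0.2.10 - - [03/Nov/2013:09:12:41 +0100] "POST /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Nov/2013:09:13:02 +0100] "GET /index.php?option=com_content&view=article&id=-d HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Run it over a real access log with `scan_log(open("/var/log/apache2/access.log"))`; a finding with `"php_cgi": True` and `auto_prepend_file=php://input` among its options is a request that tried to make php-cgi execute the POST body, whatever status code it got back.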
Those changes didn't help--had another high-cpu use www-data process this morning--I killed the pid and blocked the ip. Still searching for a good solution. I'm stuck with lenny and php 5.3 right now, but my new server will be ready soon. The exploit was discussed in reddit and all the script kiddies have jumped on it.
Do you have apache mod_security installed? If not, I can highly recommend installing it to block such attacks.
Please verify

Hello folks. Could you PLEASE verify that these changes have indeed stopped all the intrusions? Thanks in advance!
How do I get that?

Hey Till. How do I check if I already have it installed, and if not, how can I get it?
The changes will stop lots of normal server applications:

cgi.force_redirect = 1

That's ok. It should be like this by default and it might be the most important part of the changes.

display_errors = Off
expose_php = Off

Is a good general security measure to not give an attacker more details about your server. So that's uncritical as well.

file_uploads = Off
memory_limit = 128M changed to memory_limit = 8M
post_max_size = 8M changed to 1m

These settings are more critical. If you run any cms system, blogs or shops or even a webmail application, they will stop working if you reduce the memory of the php processes like this, and no uploads of images, email attachments etc. will be possible anymore when you deny uploads in php.
Hello, I have just registered to the forum to tell you that I have had the same attack over the weekend (user www-data). I am using a dedicated server from OVH with ISPConfig 3 and Joomla 2.5. Could you please tell me if this attack results from a weakness in ISPConfig or is it more something that has to do with the general server security and needs to be improved? I will have a look at mod_security as advised below. Thanks, Cheers
ISPConfig runs under the user "ispconfig" and not www-data; the issue is a general apache / php server issue and not ispconfig specific.
Thanks for your answer. If I install mod_security, will this prevent this particular attack in the future? Thanks again
I have used your tutorial from this page to install mod-security (thanks for this!): http://www.faqforge.com/linux/apache-mod-security-installation-on-debian-6-0-squeeze/

I have one question, when you say:

Configure apache to load the activated mod-security rules
vi /etc/apache2/conf.d/mod-security.conf
Include /etc/apache2/mod-security/*.conf

It means that I need to create this file "mod-security.conf" and add this command line inside: "Include /etc/apache2/mod-security/*.conf"

Also, is there a command to check if the module is working correctly? Thanks and sorry for hijacking the thread, I will stop after this question.