[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Sun Jun 14 05:37:08 UTC 2009
Linux Advocate <linuxhousedn at yahoo.com>

replies below...



----- Original Message ----
> From: Filipe Brandenburger <filbranden at gmail.com>
> To: CentOS mailing list <centos at centos.org>
> Sent: Saturday, June 13, 2009 9:58:51 PM
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

> 
> I suggest you start by looking at Apache's logs, 

Filipe, good idea. will do.

>look for very strange
> URLs hat have nothing to do with the applications you have there, like
> .exe files (IIS attacks) or other .cgi or .php files that will give
> you 404 errors. Also look for things in the error_log file. And then
> look for other accesses from the same IP (assuming it's always from
> the same IP) to files that do exist, this will probably lead you to
> what was used to break in. Continue the investigation from there.

A. I have found a suspicious IP around the dates (based on the dates of files in the atack folder) when I think this break-in could have happened:

86.126.71.74 <--- from Romania (I am in Singapore)

This IP seemed to have generated the most error messages. There are other not-from-my-country IPs, but way, way fewer errors from them.

There are many error messages (generated by 86.126.71.74) in the Apache error log, as below:

[Mon May 18 05:39:39 2009] [error] [client 86.126.71.74] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer:
 http://ip.of.machine.i.removed.for.this.post/horde/admin/cmdshell.php
./x: line 19: log: No such file or directory

[Tue May 19 02:27:32 2009] [error] [client 86.126.71.74] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer:
 http://60.54.174.146/horde/admin/cmdshell.php?Horde=e20jlll1ds0eudvsdqrsrbb7c2

[Thu May 21 19:29:52 2009] [error] [client 80.179.16.201] script '/var/www/html/sys_to_server.php' not found or unable to stat

 http://60.54.174.146/horde/admin/cmdshell.php?Horde=f49bd7r2sb0ut885k3t5vq0ns0
cat: vuln.txt: No such file or directory  

  <--- this vuln.txt is in the /dev/shm/unix/atack folder and also in the /var/tmp/unix/atack folder. Was the attacker looking for this file and then planted it later? Or something like that?


[Wed May 27 12:20:28 2009] [error] [client 86.126.71.74] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer:
 http://60.54.174.146/horde/admin/cmdshell.php
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256


What does Len 255 < 256 indicate? Some kind of buffer overflow?

B. Can I conclude that the attacker came through the Horde framework (cmdshell.php)? The Horde framework was installed from the CentOS repo.....!!!

[root at fwg]# yum info horde

Name       : horde
Arch       : noarch
Version    : 3.1.7
Release    : 1.el5.centos
Size       : 18 M
Repo       : installed
Summary    : The common Horde Framework for all Horde modules.
URL        : http://www.horde.org/

There are some Google hits on cmdshell.php being used to execute arbitrary commands?
There is some exploit called "CmdShell.Horde.ExploitCheck.Decoy".
I haven't found more info yet. Any tips on this would be most welcome.


There is also this line in the error log:

[Fri May 22 18:26:56 2009] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t


Is the line above normal?


C. BUT THE WORST THING OF ALL IS THESE LINES BELOW....

[Mon May 25 14:46:50 2009] [error] [client 86.126.71.74] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer:
 http://my.machine.ip.again/horde/admin/cmdshell.php?Horde=7blkurngfdeqsgorrkqobldem7
--14:47:00--  http://mv.do.am/unix.tgz
Resolving mv.do.am... 208.100.61.101
Connecting to mv.do.am|208.100.61.101|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1614224 (1,5M) [application/octet-stream]
Saving to: `unix.tgz'

     0K .......... .......... .......... .......... ..........  3% 17,6K 87s
    50K .......... .......... .......... .......... ..........  6% 33,7K 64s
   100K .......... .......... .......... .......... ..........  9% 33,5K 55s
   150K .......... .......... .......... .......... .......... 12% 45,6K 48s
   200K .......... .......... .......... .......... .......... 15% 52,8K 42s
   250K .......... .......... .......... .......... .......... 19% 50,3K 38s
   300K .......... .......... .......... .......... .......... 22% 47,9K 35s
   350K .......... .......... .......... .......... .......... 25% 54,8K 32s
   400K .......... .......... .......... .......... .......... 28% 48,7K 30s
   450K .......... .......... .......... .......... .......... 31% 36,9K 28s
   500K .......... .......... .......... .......... .......... 34% 34,6K 27s
   550K .......... .......... .......... .......... .......... 38% 32,9K 26s
   600K .......... .......... .......... .......... .......... 41% 28,4K 26s
   650K .......... .......... .......... .......... .......... 44% 36,7K 24s
   700K .......... .......... .......... .......... .......... 47% 34,3K 23s
   750K .......... .......... .......... .......... .......... 50% 34,0K 22s
   800K .......... .......... .......... .......... .......... 53% 33,1K 20s
   850K .......... .......... .......... .......... .......... 57% 47,7K 19s
   900K .......... .......... .......... .......... .......... 60% 27,4K 18s
   950K .......... .......... .......... .......... .......... 63% 13,0K 18s
  1000K .......... .......... .......... .......... .......... 66% 28,3K 16s
 1050K .......... .......... .......... .......... .......... 69% 38,1K 15s
  1100K .......... .......... .......... .......... .......... 72% 29,3K 13s
  1150K .......... .......... .......... .......... .......... 76% 44,1K 11s
  1200K .......... .......... .......... .......... .......... 79% 56,6K 10s
  1250K .......... .......... .......... .......... .......... 82% 44,7K 8s
  1300K .......... .......... .......... .......... .......... 85% 39,8K 7s
  1350K .......... .......... .......... .......... .......... 88% 50,8K 5s
  1400K .......... .......... .......... .......... .......... 91% 40,2K 4s
  1450K .......... .......... .......... .......... .......... 95% 37,3K 2s
  1500K .......... .......... .......... .......... .......... 98% 43,1K 1s
  1550K .......... .......... ......                          100% 44,5K=45s

14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]


DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK??? 
AAAAAAHHHHHHHHHHHHHHHHHHHH???????????????

Was this why rkhunter popped out with this warning?

* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning! ]
---------------
/etc/.pwd.lock /usr/share/man/man1/..1.gz /dev/.udev
---------------
Please inspect:  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)  /dev/.udev (directory)

Should I delete these files? Are the man files normally .gz or .bz2?

There is also a similar entry, where another file called unix2.tgz was downloaded....

But I can't find these files on the hard disk?
Guys, I am out of my league here. All assistance is deeply appreciated.


> 
> HTH,
> Filipe
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
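The triage Filipe describes (count errors per client IP, look for odd URLs and 404 probes, then pivot on the IPs that stand out) can be scripted. What follows is an added example, not code from this thread or from the CentOS or Horde projects. The sample error_log lines are constructed to resemble the excerpts above, and the regular expressions assume the Apache 2.2 error_log format `[date] [level] [client ip] message`. Lines that do not match that format (`./x: line 19: ...`, the wget progress lines) are treated as output of a process spawned by httpd, which inherits the server's stderr and so writes into error_log, and are attributed to the client of the nearest preceding entry; that attribution is a heuristic, not something the log itself guarantees.

```python
import re
from collections import Counter

# Constructed sample, modelled on the error_log excerpts in the thread (not a verbatim copy).
SAMPLE_ERROR_LOG = """\
[Mon May 18 05:39:39 2009] [error] [client 86.126.71.74] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer: http://60.54.174.146/horde/admin/cmdshell.php
./x: line 19: log: No such file or directory
[Thu May 21 19:29:52 2009] [error] [client 80.179.16.201] script '/var/www/html/sys_to_server.php' not found or unable to stat
[Fri May 22 18:26:56 2009] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t
[Mon May 25 14:46:50 2009] [error] [client 86.126.71.74] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer: http://60.54.174.146/horde/admin/cmdshell.php?Horde=7blkurngfdeqsgorrkqobldem7
--14:47:00--  http://mv.do.am/unix.tgz
Saving to: `unix.tgz'
14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]
[Tue May 26 10:00:00 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
"""

# Apache 2.2 error_log entry: "[date] [level] [client a.b.c.d] message" (client part is optional).
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
REFERER_RE = re.compile(r"referer: (?P<url>\S+)")
# wget's transfer header: "--HH:MM:SS--  http://host/file"
WGET_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(?P<url>\S+)")


def parse_error_log(text):
    """Parse error_log text into a list of dicts.

    Lines that do not match the Apache format are marked stray (assumed to be
    stdout/stderr of a process spawned by httpd, which inherits its file
    descriptors) and attributed to the client of the nearest preceding entry.
    """
    entries = []
    last_client = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            client = m.group("client")
            if client:
                last_client = client
            entries.append({"ts": m.group("ts"), "level": m.group("level"),
                            "client": client, "msg": m.group("msg"), "stray": False})
        else:
            entries.append({"ts": None, "level": None, "client": last_client,
                            "msg": line, "stray": True})
    return entries


def errors_per_client(entries):
    """Count [error]-level entries per client IP: the 'who generated the most errors' view."""
    return Counter(e["client"] for e in entries if e["level"] == "error" and e["client"])


def find_indicators(entries, shell_paths=("cmdshell.php",)):
    """Return (client, kind, detail) tuples worth pivoting on.

    shell_paths holds referer fragments to treat as web-shell use; the default is
    the path seen in this thread, extend it for other known shell names.
    """
    hits = []
    for e in entries:
        msg = e["msg"]
        if not e["stray"]:
            ref = REFERER_RE.search(msg)
            if ref and any(p in ref.group("url") for p in shell_paths):
                hits.append((e["client"], "webshell-referer", ref.group("url")))
            elif "not found or unable to stat" in msg or "File does not exist" in msg:
                hits.append((e["client"], "probe-404", msg))
        else:
            w = WGET_RE.match(msg)
            if w:
                hits.append((e["client"], "download", w.group("url")))
            elif "saved [" in msg:
                hits.append((e["client"], "download-complete", msg))
            else:
                hits.append((e["client"], "stray-output", msg))
    return hits


def clients_to_pivot(entries):
    """IPs that both hit the web shell and have command output attributed to them."""
    hits = find_indicators(entries)
    shell = {c for c, k, _ in hits if k == "webshell-referer"}
    stray = {c for c, k, _ in hits if k in ("download", "download-complete", "stray-output")}
    return sorted(shell & stray)


if __name__ == "__main__":
    ents = parse_error_log(SAMPLE_ERROR_LOG)
    for ip, n in errors_per_client(ents).most_common():
        print(f"{n:4d} errors  {ip}")
    for client, kind, detail in find_indicators(ents):
        print(f"{client:15s} {kind:18s} {detail[:70]}")
    print("pivot on:", clients_to_pivot(ents))
```

Run as a script it prints the per-IP error counts, the indicator list and the IPs to pivot on; on a real box, read `/var/log/httpd/error_log` into `parse_error_log` instead of the constructed sample, then take the pivot IPs to access_log to see which existing files they requested before the first shell hit.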