On Wed, Mar 15, 2006 at 12:31:06PM +0000, Gaby vanhegan wrote:
> Hi,
>
> I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by
> some hackers that are using a bug I can't track down to download perl
> scripts into /tmp:
>
> [EMAIL PROTECTED] 11:26]# cd /tmp/
> [EMAIL PROTECTED] 11:26]# ls -lFa
> total 76
> drwxrwxrwt   2 root  wheel    512 Mar 15 12:21 ./
> drwxr-xr-x  22 root  wheel    512 Jun 29  2005 ../
> -rw-r--r--   1 www   wheel      0 Mar 14 22:14 .alekspwned2
> -rw-r--r--   1 www   wheel      0 Mar 14 20:41 .balum
> -rw-r--r--   1 www   wheel      0 Mar 13 22:36 .mladen3
> -rw-r--r--   1 www   wheel    321 Mar 14 20:41 alekshah
> -rw-r--r--   1 www   wheel    320 Mar 14 20:41 alekshah2
> -rw-r--r--   1 www   wheel   3589 Mar 14 22:14 alekspwned
> -rw-r--r--   1 www   wheel  19309 Mar 14 22:14 alekspwned2
>
> I have lots of suspicious activity in /var/www/log/error_log:
>
>   0 19309    0  1222    0     0   1222      0  0:00:15 --:--:--  0:00:15  1222
>   0 19309    0  4142    0     0   4142      0  0:00:04  0:00:01  0:00:03  8414
> 100 19309  100 19309    0     0  19309      0  0:00:01  0:00:01 --:--:-- 17258
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0  3589    0  1224    0     0   1224      0  0:00:02 --:--:--  0:00:02  1224
> 100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01 2309k
> Can't open perl script "/tmp/.alekspwned": No such file or directory.Use -S to search $PATH for it.
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0  3589    0  1224    0     0   1224      0  0:00:02 --:--:--  0:00:02  1224
> 100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01  384k
> Can't open perl script "/tmp/.alekspwned": No such file or directory.Use -S to search $PATH for it.
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0  3589    0  1224    0     0   1224      0  0:00:02 --:--:--  0:00:02  1224
> 100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01  461k
>
> Amongst other things, quite a few:
>
> Can't open perl script "/tmp/.mladen": No such file or directory.Use -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen": No such file or directory.Use -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen": No such file or directory.Use -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen": No such file or directory.Use -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen2": No such file or directory.Use -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen2": No such file or directory.Use -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen2": No such file or directory.Use -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen2": No such file or directory.Use -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen2": No such file or directory.Use -S to search $PATH for it.
>
> I believe they're exploiting a bug in apache to do remote execution
> of their code, which downloads something to /tmp (usually a script of
> some sort). They were previously using wget, so I modified that to
> log as much information as it could to a file, but this didn't yield
> anything useful. Now I see from the logs that they're using ftp and
> curl to download the files.
>
> As an intermediate fix, I have mounted /tmp noexec, but this is not
> an ideal solution, and I don't want to remove ftp and curl. I have
> installed snort (from ports) with the latest rules but this has not
> yielded much useful information. The latest attack did come up in
> the snort logs, as a double decoding attack. I found some data in
> the downloaded files that corresponded to a payload around the time
> of the attack.
>
> My questions are:
>
> 1. How do I find out their attack vector? I have had a nessus scan
> performed on the machine, but it did not present any security (I can
> supply on request). I've checked the security releases in
> security.html and there are no pertinent ones for httpd. Snort has
> provided little useful information (I can provide access to the snort
> logs if required).
>
> 2. If I can't stop them getting in, is there any way to observe what
> they're doing, or how they're doing it, so I can get a pointer to
> the hole?
>
> An upgrade is in the works, and right soon too, but I'd really like
> to know what's going on here. Some useful links:
>
> Nessus scan: http://vanhegan.net/openbsd/nessus.txt
> dmesg: http://vanhegan.net/openbsd/dmesg.txt
> httpd error_log: http://vanhegan.net/openbsd/error_log
> httpd access_log: http://vanhegan.net/openbsd/access_log
> pkg_info: http://vanhegan.net/openbsd/pkg.list
>
> I've run out of ideas here. Can you help?
PHP is old, and best avoided as a matter of general principle. There have
been several security bugs found and fixed since 4.3.8. The same is true
for several other installed packages.

Generally, httpd is not the attack vector - the most likely is some
badly-written script, or a bug in a popular language like PHP. As has
already been noted, your apache should be running chroot if at all
possible.

Lastly, posting this publicly isn't the smartest move possible. I have
all the knowledge I could want to root the box. Plus who your customers
are (if commercial), who visited your site, ...

There is a lot of interesting stuff in error_log. Looks like several
opportunities for arbitrary code execution in scripts - and what's with
the hundreds of lines of ls complaining, anyway? The same is true for
man.

It looks like an interesting problem, but since we've suffered a disk
crash Monday I'm not capable of spending much time on other than my own
problems. If the files are still up next week sometime, I'll have
another look.

Joachim
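A defender-side sweep for the two fingerprints quoted in the thread (curl progress meters and perl complaining about missing scripts under /tmp), written as an added example for this page and not taken from either poster; it assumes a constructed sample log at /tmp/demo_error_log, which on a real host you would replace with the httpd error_log.

```shell
#!/bin/sh
# Added example, not code from the thread. Sweeps an Apache error_log for
# the fingerprints quoted above: curl progress meters (a web server has no
# business running a downloader) and perl reporting that a script under
# /tmp does not exist. On a real box set LOG to the httpd error_log; the
# sample below is constructed for the demo, modelled on the quoted lines.

LOG="${LOG:-/tmp/demo_error_log}"

cat > "$LOG" <<'EOF'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01  384k
Can't open perl script "/tmp/.alekspwned": No such file or directory.
Can't open perl script "/tmp/.mladen": No such file or directory.
Can't open perl script "/tmp/.mladen": No such file or directory.
[Wed Mar 15 11:20:01 2006] [notice] Apache configured -- resuming normal operations
EOF

# Number of curl progress-meter headers in the log.
count_downloads() {
    grep -c '% Total *% Received *% Xferd' "$LOG"
}

# Distinct paths perl was asked to run, most frequent first, printed as
# "<count> <path>" lines.
dropped_paths() {
    sed -n 's/.*Can'"'"'t open perl script "\([^"]*\)".*/\1/p' "$LOG" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Succeeds if any of those paths lives under /tmp or /var/tmp, the drop
# location the noexec mount discussed in the thread is meant to blunt.
targets_tmp() {
    dropped_paths | awk '$2 ~ /^\/tmp\// || $2 ~ /^\/var\/tmp\// {found=1}
                         END {exit !found}'
}

echo "download progress meters seen: $(count_downloads)"
echo "scripts perl was told to run:"
dropped_paths
if targets_tmp; then
    echo "dropped script(s) under /tmp: check noexec and www-owned files there"
fi
```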