Welcome everyone.
I have got a question. I host a website which is running the latest version of Joomla, 3.4.1. I constantly see this website being hacked in some weird way, and I don't really understand how this is happening. I dumped the network traffic to find out what they are actually trying to post etc., but all POSTs seem to be empty; somehow they still manage to run curl/wget and download a LinuxNet perlbot, connecting to the remote server on port 443 and sending some IRC commands.
So eventually I see this in the processlist:
# ps -u USER -o stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm
STAT EUID RUID TT TPGID SESS PGRP PPID PID %CPU COMMAND
S XX XX ? -1 6349 6349 1 36492 1.9 -
R XX XX ? -1 6349 6349 1 36495 99.0 -
# lsof -n -p 36495
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
- 36495 USER cwd DIR 253,3 4096 8210 /var/tmp
- 36495 USER rtd DIR 253,0 4096 2 /
- 36495 USER txt REG 253,0 11400 789459 /usr/bin/perl
- 36495 USER mem REG 253,0 44520 1051267 /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
- 36495 USER mem REG 253,0 19800 1051434 /usr/lib64/perl5/auto/IO/IO.so
- 36495 USER mem REG 253,0 502040 787899 /usr/lib64/libfreebl3.so
- 36495 USER mem REG 253,0 2107600 787994 /usr/lib64/libc-2.17.so
- 36495 USER mem REG 253,0 141616 788020 /usr/lib64/libpthread-2.17.so
- 36495 USER mem REG 253,0 14608 788028 /usr/lib64/libutil-2.17.so
- 36495 USER mem REG 253,0 40816 787998 /usr/lib64/libcrypt-2.17.so
- 36495 USER mem REG 253,0 1141552 788002 /usr/lib64/libm-2.17.so
- 36495 USER mem REG 253,0 19512 788000 /usr/lib64/libdl-2.17.so
- 36495 USER mem REG 253,0 113320 788004 /usr/lib64/libnsl-2.17.so
- 36495 USER mem REG 253,0 110808 788022 /usr/lib64/libresolv-2.17.so
- 36495 USER mem REG 253,0 1643232 1051189 /usr/lib64/perl5/CORE/libperl.so
- 36495 USER mem REG 253,0 160240 788136 /usr/lib64/ld-2.17.so
- 36495 USER 0u unix 0xffff880516cb6540 0t0 200000086 /run/mod_fcgid/30670.650
- 36495 USER 1w FIFO 0,8 0t0 200007817 pipe
- 36495 USER 2w REG 253,2 176232 526348 /var/log/httpd/error_log
- 36495 USER 3u CHR 1,3 0t0 22 /null
- 36495 USER 4u IPv4 200000094 0t0 TCP SERVER_IP:56476->Y.Y.Y.Y:mysql (ESTABLISHED)
- 36495 USER 5u unix 0xffff8800bf8be540 0t0 200004349 /run/mod_fcgid/30670.650
- 36495 USER 6u sock 0,6 0t0 182741283 protocol: TCP
- 36495 USER 7u sock 0,6 0t0 182896831 protocol: TCP
- 36495 USER 8u sock 0,6 0t0 183100379 protocol: TCP
.....
- 36495 USER 51u IPv4 200006004 0t0 TCP Z.Z.Z.Z:47332->217.23.11.95:https (ESTABLISHED)
- 36495 USER 7698r FIFO 0,8 0t0 199904840 pipe
- 36495 USER 7701w FIFO 0,8 0t0 199904841 pipe
ngrep dump from when they actually tried to inject and execute the code:
# T ATTACKERS_IP:40652 -> SERVERS_IP:80 [AP]
POST / HTTP/1.1.
Accept-Encoding: identity.
Content-Length: 35.
Host: DOMAIN_NAME.
User-Agent: Python-urllib/2.6.
Connection: close.
Referer: http://DOMAIN_NAME.
Content-Type: application/x-www-form-urlencoded.
.
# T SERVERS_IP:80 -> ATTACKERS_IP:40652 [A]
HTTP/1.1 200 OK.
Server: nginx.
Date: Fri, 27 Mar 2015 09:06:06 GMT.
Content-Type: text/html; charset=utf-8.
Transfer-Encoding: chunked.
Connection: close.
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM".
Vary: User-Agent.
Expires: Mon, 1 Jan 2001 00:00:00 GMT.
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0.
Pragma: no-cache.
Set-Cookie: bd59e88f8a5db86aaa219a6cfda2d121=ltl6n0kgp5g5uhj56ojtcamdd3; path=/; HttpOnly.
Set-Cookie: currentURI=http%3A%2F%2FDOMAIN_NAME%2F; expires=Sat, 28-Mar-2015 09:06:06 GMT; path=/.
Last-Modified: Fri, 27 Mar 2015 09:06:06 GMT.
.
45aa.
<DATA>
# T ATTACKERS_IP:40675 -> SERVERS_IP:80 [AP]
POST / HTTP/1.1.
Accept-Encoding: identity.
Content-Length: 521.
Connection: close.
User-Agent: Python-urllib/2.6.
Host: DOMAIN_NAME.
Referer: http://DOMAIN_NAME.
Cookie: bd59e88f8a5db86aaa219a6cfda2d121=ltl6n0kgp5g5uhj56ojtcamdd3; path=/; HttpOnly, currentURI=http%3A%2F%2FDOMAIN_NAME%2F; expires=Sat, 28-Mar-2015 09:06:06 GMT; path=/.
Content-Type: application/x-www-form-urlencoded.
.
apache access log:
ATTACKERS_IP - - [27/Mar/2015:09:06:05 +0000] "POST / HTTP/1.0" 200 17834 "http://DOMAIN_NAME" "Python-urllib/2.6"
ATTACKERS_IP - - [27/Mar/2015:09:06:06 +0000] "POST / HTTP/1.0" 500 534 "http://DOMAIN_NAME" "Python-urllib/2.6"
apache error log:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0^M100 16334 100 16334 0 0 690k 0 --:--:-- --:--:-- --:--:-- 725k
--2015-03-27 09:06:07-- http://ATTACKERS_IP/is
Connecting to ATTACKERS_IP:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16334 (16K) [text/plain]
Saving to: 'is.1'
0K .......... ..... 100% 2.76M=0.006s
2015-03-27 09:06:07 (2.76 MB/s) - 'is.1' saved [16334/16334]
Of course, tmp is empty and is also secured with noexec and nosuid. The system is running on CentOS 7 with SELinux enabled.
I'm just wondering how they managed to run curl/wget and execute this file by just posting nothing to index.php, which is a normal index.php that doesn't have any dodgy code injected.
The only clue I found on the internet is that this hack is related to the Shellshock bash vulnerability, but I have the latest patched bash installed:
# rpm -q bash
bash-4.2.45-5.el7_0.4.x86_64
MD5 sums match, so the file hasn't been changed.
Thank you for help in advance.
Regards,
Thorwald
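A defender-side triage helper, added here as an example and not code from Thorwald's post: it parses `lsof -n -p PID` output of the shape shown above and flags the indicators that listing already contains (a process that has blanked its command name, a script interpreter as the executable, a working directory under a temp path, file descriptors inherited from the web stack such as a mod_fcgid socket or the httpd error_log on stderr, and an ESTABLISHED outbound TCP connection to https/443). The sample listing is constructed from the post's layout; the user name, the mod_fcgid socket path and the IP addresses (documentation ranges) are placeholders.

```python
"""Parse lsof -n -p PID output and flag web-spawned interpreter processes.

Added example; not from the original post. Assumes the standard lsof column
layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) with NAME last.
"""
import re
import sys
from typing import Dict, List

# Constructed sample modelled on the listing in the post. Placeholders:
# user "www", socket path /run/mod_fcgid/30670.650, RFC 5737 addresses.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
- 36495 www cwd DIR 253,3 4096 8210 /var/tmp
- 36495 www rtd DIR 253,0 4096 2 /
- 36495 www txt REG 253,0 11400 789459 /usr/bin/perl
- 36495 www mem REG 253,0 2107600 787994 /usr/lib64/libc-2.17.so
- 36495 www 0u unix 0xffff880516cb6540 0t0 200000086 /run/mod_fcgid/30670.650
- 36495 www 1w FIFO 0,8 0t0 200007817 pipe
- 36495 www 2w REG 253,2 176232 526348 /var/log/httpd/error_log
- 36495 www 4u IPv4 200000094 0t0 TCP 192.0.2.10:56476->192.0.2.20:mysql (ESTABLISHED)
- 36495 www 51u IPv4 200006004 0t0 TCP 192.0.2.10:47332->203.0.113.7:https (ESTABLISHED)
"""

INTERPRETERS = ("perl", "python", "php", "ruby", "bash", "sh")
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Matches the remote side of an established TCP entry, e.g. "->203.0.113.7:https (ESTABLISHED)".
ESTABLISHED_RE = re.compile(r"->(?P<remote>\S+?):(?P<port>\w+) \(ESTABLISHED\)$")


def parse_lsof(text: str) -> List[Dict[str, str]]:
    """Turn lsof output into one dict per row, keyed by the header columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        # NAME is the last column and may contain spaces, so cap the split.
        parts = ln.split(maxsplit=len(header) - 1)
        if len(parts) < len(header):
            continue  # truncated row: skip rather than misalign the columns
        rows.append(dict(zip(header, parts)))
    return rows


def triage(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Collect the indicators and a human-readable reason for each one."""
    findings: Dict[str, object] = {
        "command": rows[0]["COMMAND"] if rows else "",
        "interpreter": None,
        "cwd": None,
        "web_spawned": False,
        "outbound": [],
        "reasons": [],
    }
    for row in rows:
        fd, name = row["FD"], row["NAME"]
        if fd == "txt" and name.rsplit("/", 1)[-1] in INTERPRETERS:
            findings["interpreter"] = name
        elif fd == "cwd":
            findings["cwd"] = name
        # stdin on a mod_fcgid socket or stderr on the httpd error log means
        # the process was started underneath the web server.
        if name.startswith("/run/mod_fcgid/") or (fd == "2w" and name.endswith("/error_log")):
            findings["web_spawned"] = True
        if row["TYPE"] in ("IPv4", "IPv6") and row["NODE"] == "TCP":
            m = ESTABLISHED_RE.search(name)
            if m and m.group("port") in ("https", "443"):
                findings["outbound"].append(f"{m.group('remote')}:{m.group('port')}")

    reasons: List[str] = findings["reasons"]  # type: ignore[assignment]
    if findings["command"] in ("-", ""):
        reasons.append("process has blanked its command name")
    if findings["interpreter"]:
        reasons.append(f"executable is a script interpreter: {findings['interpreter']}")
    cwd = findings["cwd"] or ""
    if any(cwd == d or cwd.startswith(d + "/") for d in TEMP_DIRS):
        reasons.append(f"working directory is a temp path: {cwd}")
    if findings["web_spawned"]:
        reasons.append("descriptors inherited from the web server (mod_fcgid socket / httpd error_log)")
    for remote in findings["outbound"]:
        reasons.append(f"established outbound TLS-port connection to {remote}")
    return findings


if __name__ == "__main__":
    # Usage: lsof -n -p PID | python3 triage_lsof.py   (falls back to the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    for reason in triage(parse_lsof(data))["reasons"]:
        print("FLAG:", reason)
```

The flags are leads for the forensic work that follows (which web process spawned the interpreter, what was fetched into /var/tmp, and what the outbound peer is), not proof on their own; a legitimate FastCGI child can hit the first two checks, so it is the combination with a temp-dir cwd and an unexpected outbound peer that matters.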