LinuxQuestions.org

LinuxQuestions.org > Linux - Security > my server has been compromised, what next? (https://www.linuxquestions.org/questions/linux-security-4/my-server-has-been-compromised-what-next-750090/)

Kropotkin 08-25-2009 07:01 AM

my server has been compromised, what next?
 
Hi all,

I have an old P4 which serves as a home gateway/webserver/WAP.

Yesterday morning, I noticed a perl process using up excessive CPU time. After some investigation, I have determined that it is highly persistent, i.e., it starts up after I kill it, even after rebooting.

This script runs as a webserver process (user www):
Code:

$ ps aux | grep www
www      116 100.0  0.7  5864  3588  ??  R    11:53AM  8:10.33 /usr/bin/web/httpd (perl5.8.9)
www      113  0.0  0.0    0    0  ??  Z    11:53AM  0:00.18 <defunct>

Interestingly enough, this file /usr/bin/web/httpd does not exist on my system.

From this:
Code:

$ sudo lsof | grep perl
[...]
perl5.8.9  4272    www    3u    IPv4 0xc33cf000        0t0    TCP gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)

it would appear to be talking to an IRC server at 94.102.51.57 on port 7000.

I am currently using the following bash command to keep it down while I decide what to do next:
Code:

$ while x=1 ; do sudo killall -9 perl5.8.9  && echo "killed..." ; sleep 15; done

Most likely I need to do a fresh reinstall. But obviously I need to find out where the vulnerability is so that it does not get reinstalled.

I am very much a part-time sysadmin, and I have no experience with any kind of security forensics, hence I'd be most grateful for suggestions to point me in the right direction.

The server runs FreeBSD 7-stable i386, and has been kept fully up-to-date with security patches.

Thanks for any ideas.

repo 08-25-2009 07:04 AM

You should pull the network cable.

unSpawn 08-25-2009 08:28 AM

In short what you should do before doing anything else is do nothing but read. The CERT Intruder Detection Checklist (http://web.archive.org/web/200801092...checklist.html) may be outdated but still provides a good checklist if you have none.

Before you start your investigation it is advisable to
0) save a complete detailed listing of users, network connections, processes, open files and
1) raise the firewall to only allow traffic from and to your (management) IP (range) to mitigate damage and
2) save (copies of) logs and then stop services that are not vital for your investigation including databases, web, mail and other servers: basically all you need is SSH.

Because the process runs as user "www" the first question you want to ask yourself is who has, or rather: what has, allowed this process to run. To come up with an answer you will need to
3) verify the integrity of all directories and files owned (writable to) by user "www" ('find / -user www -ls'), including temporary directories and files in users homes,
4) (visually) inspect files and cronjobs that can not be verified using your distribution's package manager or filesystem integrity checker and then
5) inspect auth databases, system, firewall and application logs.

Please be verbose in your reporting (the more information the better) and please ask questions before you do anything if unsure / unclear.


Quote:

Originally Posted by Kropotkin (Post 3656655)
I have an old P4 which serves as a home gateway/webserver/WAP.

What products+versions exactly does it serve/run over HTTP? Who has access to the machine? Who has an account on the machine?


Quote:

Originally Posted by Kropotkin (Post 3656655)
After some investigation, I have determined that it is highly persistent, ie, it starts up after I kill it, even after rebooting.

Might be piggybacking onto another process or run as cronjob. Investigating all files owned by user "www" ('find / -user www -ls'), files in users homes, temporary directories is in order.

Quote:

Originally Posted by Kropotkin (Post 3656655)
This script runs as a webserver process (user www). Interestingly enough, this file /usr/bin/web/httpd does not exist on my system.

Might be a changed argv[0].


Quote:

Originally Posted by Kropotkin (Post 3656655)
sudo lsof | grep perl

Since you have the process' PID you can 'sudo lsof -p $PID' for details.


Quote:

Originally Posted by Kropotkin (Post 3656655)
it would appear to be talking to an IRC server at 94.102.51.57 on port 7000.

Raise firewall.


Quote:

Originally Posted by Kropotkin (Post 3656655)
Most likely I need to do a fresh reinstall. But obviously I need to find out where the vulnerability is so that it does not get reinstalled.

Since the process runs as user "www" let's see if we can verify integrity of the system before jumping to conclusions.



Quote:

Originally Posted by repo (Post 3656661)
You should pull the network cable.

Nice but that won't work for a remote machine. Please post a response in the way we may expect from senior LQ members with incident response knowledge or please abstain from posting a response. (If you have any questions about this you're invited to take it up with me by email.)

Kropotkin 08-25-2009 08:44 AM

Thanks unSpawn.

I will take the questions a few at a time.

First:

Quote:

3) verify the integrity of all directories and files owned (writable to) by user "www" ('find / -user www -ls'), including temporary directories and files in users homes,

OK, this looks suspicious. $ sudo find / -user www -ls | grep /tmp returns:

Code:

    9      704 -rw-r--r--    1 www              wheel              337548 Feb 11  2009 /tmp/kas.tgz
    35        4 -rw-r--r--    1 www              wheel                968 May  8 02:43 /tmp/nc
 16448        4 drwxr-xr-x    3 www              wheel                512 Feb 12  2009 /tmp/.bash
 16470      12 -rwxr-xr-x    1 www              wheel                4574 Feb 11  2009 /tmp/.bash/inst
 16471        4 -rwxr-xr-x    1 www              wheel                  29 Oct 29  2006 /tmp/.bash/run
 16453        4 drwxr-xr-x    2 www              wheel                512 Feb 12  2009 /tmp/.bash/r
 16472      112 -rw-r--r--    1 www              wheel              55316 Oct 29  2006 /tmp/.bash/r/rtsay.e
 16473        4 -rw-r--r--    1 www              wheel                519 Oct 29  2006 /tmp/.bash/r/rnicks.e
 16474        8 -rw-r--r--    1 www              wheel                3651 Oct 29  2006 /tmp/.bash/r/rsignoff.e
 16475        8 -rw-r--r--    1 www              wheel                2495 Oct 29  2006 /tmp/.bash/r/rpickup.e
 16476        8 -rw-r--r--    1 www              wheel                3982 Oct 29  2006 /tmp/.bash/r/rinsult.e
 16477        4 -rw-r--r--    1 www              wheel                1465 Oct 29  2006 /tmp/.bash/r/rversions.e
 16478      112 -rw-r--r--    1 www              wheel              55316 Oct 29  2006 /tmp/.bash/r/rsay.e
 16479      12 -rw-r--r--    1 www              wheel                5195 Oct 29  2006 /tmp/.bash/r/raway.e
 16480        4 -rw-r--r--    1 www              wheel                830 Oct 29  2006 /tmp/.bash/r/rkicks.e
 16481        4 -rwxr-xr-x    1 www              wheel                317 Oct 29  2006 /tmp/.bash/autorun
 16482    1024 -rwxr-xr-x    1 www              wheel              492135 Oct 29  2006 /tmp/.bash/bash
 16483      48 -rwxr-xr-x    1 www              wheel              22882 Oct 29  2006 /tmp/.bash/m.help
 16484      332 -rwxr-xr-x    1 www              wheel              167964 Jun 27  2007 /tmp/.bash/pico
 16485      56 -rwxr-xr-x    1 www              wheel              28489 Oct 29  2006 /tmp/.bash/xh
 16486        4 -rwxr-xr-x    1 www              wheel                715 Feb 11  2009 /tmp/.bash/start
 16487        4 -rwxr-xr-x    1 www              wheel                178 Feb 11  2009 /tmp/.bash/update
    11        4 -rwxr-xr-x    1 www              wheel                761 Nov  1  2008 /tmp/dc.pl
    33      60 -rw-r--r--    1 www              wheel              29722 May 19 23:25 /tmp/mind.txt
    32      56 -rw-r--r--    1 www              wheel              28625 Feb 27 16:33 /tmp/guestbook.php
 49346        4 drwxr-xr-x    3 www              wheel                512 May 27 23:24 /tmp/.,
 49349    5600 -rw-r--r--    1 www              wheel            2844160 Mar 27 10:00 /tmp/.,/m.tgz
 49352        4 drwxr-xr-x    4 www              wheel                512 Nov 10  2008 /tmp/.,/ml
 49353      20 -rwxr-xr-x    1 www              wheel              10240 Nov 10  2008 /tmp/.,/ml/m.tgz
 49354    1024 -rwxr-xr-x    1 www              wheel              505767 Aug  3  2008 /tmp/.,/ml/LinkEvents
 49355        4 -rwxr-xr-x    1 www              wheel                1320 Mar 27 09:56 /tmp/.,/ml/m.set
 49356        4 -rwxr-xr-x    1 www              wheel                1054 Aug  3  2008 /tmp/.,/ml/m.lev
 49357      48 -rwxr-xr-x    1 www              wheel              22882 May 16  2003 /tmp/.,/ml/m.h
 49358        4 drwxr-xr-x    2 www              wheel                1024 Dec  3  2005 /tmp/.,/ml/src
 49378      100 -rw----r--    1 www              wheel              50540 Dec  3  2005 /tmp/.,/ml/src/main.o
 49379      48 -rwxr-xr-x    1 www              wheel              23025 Mar  2  2005 /tmp/.,/ml/src/main.c
 49380      20 -rwxr-xr-x    1 www              wheel                9824 May 16  2003 /tmp/.,/ml/src/vars.c
 49381      24 -rwxr-xr-x    1 www              wheel              10391 May 16  2003 /tmp/.,/ml/src/structs.h
 49382      20 -rwxr-xr-x    1 www              wheel                8559 Dec  3  2005 /tmp/.,/ml/src/config.h
 49383      32 -rwxr-xr-x    1 www              wheel              15773 May 16  2003 /tmp/.,/ml/src/cfgfile.c
 49384      36 -rwxr-xr-x    1 www              wheel              17837 May 16  2003 /tmp/.,/ml/src/debug.c
 49385      24 -rwxr-xr-x    1 www              wheel              11267 May 16  2003 /tmp/.,/ml/src/global.h
 49386      44 -rwxr-xr-x    1 www              wheel              22036 May 16  2003 /tmp/.,/ml/src/userlist.c
 49387      32 -rwx---r-x    1 www              wheel              14987 Dec  3  2005 /tmp/.,/ml/src/gencmd
 49388        8 -rw----r--    1 www              wheel                3092 Dec  3  2005 /tmp/.,/ml/src/trivia.o
 49389      48 -rw----r--    1 www              wheel              24436 Dec  3  2005 /tmp/.,/ml/src/socket.o
 49390      24 -rw----r--    1 www              wheel              11781 Dec  3  2005 /tmp/.,/ml/src/mcmd.h
 49391      36 -rwxr-xr-x    1 www              wheel              17332 May 16  2003 /tmp/.,/ml/src/h.h
 49392      64 -rwxr-xr-x    1 www              wheel              32063 May 16  2003 /tmp/.,/ml/src/text.h
 49393      52 -rwxr-xr-x    1 www              wheel              24634 May 16  2003 /tmp/.,/ml/src/combot.c
 49394      84 -rw----r--    1 www              wheel              41572 Dec  3  2005 /tmp/.,/ml/src/channel.o
 49395      132 -rw----r--    1 www              wheel              66120 Dec  3  2005 /tmp/.,/ml/src/commands.o
 49396      108 -rw----r--    1 www              wheel              55040 Dec  3  2005 /tmp/.,/ml/src/link.o
 49397      20 -rwxr-xr-x    1 www              wheel                9857 May 16  2003 /tmp/.,/ml/src/gencmd.c
 49398      24 -rwxr-xr-x    1 www              wheel              11324 May 16  2003 /tmp/.,/ml/src/socket.c
 49399      52 -rwxr-xr-x    1 www              wheel              25743 May 16  2003 /tmp/.,/ml/src/channel.c
 49400        8 -rwxr-xr-x    1 www              wheel                3163 May 16  2003 /tmp/.,/ml/src/Makefile.in
 49401      56 -rw----r--    1 www              wheel              28116 Dec  3  2005 /tmp/.,/ml/src/debug.o
 49402      68 -rw----r--    1 www              wheel              33108 Dec  3  2005 /tmp/.,/ml/src/combot.o
 49403      48 -rwxr-xr-x    1 www              wheel              24142 Dec  3  2005 /tmp/.,/ml/src/parse.c
 49404      100 -rw----r--    1 www              wheel              50256 Dec  3  2005 /tmp/.,/ml/src/xmech.o
 49405      108 -rw----r--    1 www              wheel              54940 Dec  3  2005 /tmp/.,/ml/src/com-ons.o
 49406      84 -rw----r--    1 www              wheel              41916 Dec  3  2005 /tmp/.,/ml/src/parse.o
 49407      20 -rwxr-xr-x    1 www              wheel                8432 Mar  4  2005 /tmp/.,/ml/src/config.h.in
 49408      24 -rwxr-xr-x    1 www              wheel              10322 May 16  2003 /tmp/.,/ml/src/dcc.c
 49409      52 -rwxr-xr-x    1 www              wheel              25537 May 16  2003 /tmp/.,/ml/src/xmech.c
 49410      12 -rwxr-xr-x    1 www              wheel                4686 May 16  2003 /tmp/.,/ml/src/defines.h
 49411      52 -rw----r--    1 www              wheel              24620 Dec  3  2005 /tmp/.,/ml/src/dcc.o
 49412      72 -rw----r--    1 www              wheel              36196 Dec  3  2005 /tmp/.,/ml/src/cfgfile.o
 49413      76 -rw----r--    1 www              wheel              38104 Dec  3  2005 /tmp/.,/ml/src/userlist.o
 49414      80 -rwxr-xr-x    1 www              wheel              40092 May 16  2003 /tmp/.,/ml/src/link.c
 49415      84 -rwxr-xr-x    1 www              wheel              42743 May 16  2003 /tmp/.,/ml/src/commands.c
 49416      32 -rwxr-xr-x    1 www              wheel              14756 May 16  2003 /tmp/.,/ml/src/trivia.c
 49417      12 -rwxr-xr-x    1 www              wheel                5893 May 16  2003 /tmp/.,/ml/src/usage.h
 49418      56 -rwxr-xr-x    1 www              wheel              27892 May 16  2003 /tmp/.,/ml/src/com-ons.c
 49419      44 -rwxr-xr-x    1 www              wheel              20607 May 16  2003 /tmp/.,/ml/src/function.c
 49420        8 -rwxr-xr-x    1 www              wheel                3181 Dec  3  2005 /tmp/.,/ml/src/Makefile
 49421      76 -rw----r--    1 www              wheel              37908 Dec  3  2005 /tmp/.,/ml/src/function.o
 49422      44 -rw----r--    1 www              wheel              22464 Dec  3  2005 /tmp/.,/ml/src/vars.o
 49359        4 -rwxr-xr-x    1 www              wheel                941 Dec  3  2005 /tmp/.,/ml/checkmech
 49360      332 -rwxr-xr-x    1 www              wheel              167964 Mar 16  2001 /tmp/.,/ml/pico
 49361        4 -rwx--x--x    1 www              wheel                  6 May 25  2008 /tmp/.,/ml/m.pid
 49362      832 -rwx--x--x    1 www              wheel              397274 Dec  3  2005 /tmp/.,/ml/crond
 49363        4 -rwxr-xr-x    1 www              wheel                411 Mar 27 09:57 /tmp/.,/ml/1.user
 49364        4 -rwxr-xr-x    1 www              wheel                422 Mar 27 09:57 /tmp/.,/ml/2.user
 49365      48 -rwxr-xr-x    1 www              wheel              23237 May 16  2003 /tmp/.,/ml/configure
 49366      864 -rwx--x--x    1 www              wheel              418490 Dec  3  2005 /tmp/.,/ml/bsd
 49367        8 -rwxr-xr-x    1 www              wheel                2154 May 16  2003 /tmp/.,/ml/Makefile
 49368        4 drwxr-xr-x    2 www              wheel                512 Mar  4  2005 /tmp/.,/ml/r
 49369      112 -rwxr-xr-x    1 www              wheel              55316 Mar  4  2005 /tmp/.,/ml/r/rtsay.e
 49370      112 -rwxr-xr-x    1 www              wheel              55316 May 16  2003 /tmp/.,/ml/r/rsay.e
 49371      12 -rwxr-xr-x    1 www              wheel                5195 May 16  2003 /tmp/.,/ml/r/raway.e
 49372        4 -rwxr-xr-x    1 www              wheel                519 May 16  2003 /tmp/.,/ml/r/rnicks.e
 49373        4 -rwxr-xr-x    1 www              wheel                830 May 16  2003 /tmp/.,/ml/r/rkicks.e
 49374        8 -rwxr-xr-x    1 www              wheel                2495 May 16  2003 /tmp/.,/ml/r/rpickup.e
 49375        4 -rwxr-xr-x    1 www              wheel                1465 May 16  2003 /tmp/.,/ml/r/rversions.e
 49376        8 -rwxr-xr-x    1 www              wheel                3982 May 16  2003 /tmp/.,/ml/r/rinsult.e
 49377        8 -rwxr-xr-x    1 www              wheel                3651 May 16  2003 /tmp/.,/ml/r/rsignoff.e
 49423      88 -rw-r--r--    1 www              wheel              43419 May 27 23:22 /tmp/.,/scanxml.txt
    39      36 -rw-r--r--    1 www              wheel              17713 Jun 24 12:22 /tmp/tmpfile
    36    1120 -rwxr-xr-x    1 www              wheel              553666 Aug 20  2008 /tmp/owned
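
The listing above can be triaged mechanically. The following is an added Python example, not code from the thread: it parses the `find -ls` output format and flags entries a web-server account should not own (anything under a temp directory, hidden path components, executables, archives). The `/var/log/lighttpd/access.log` line in the sample is constructed as a benign control; the other lines are taken from the listing posted above.

```python
"""Triage a `find / -user www -ls` listing (added example; not code from the
thread). Flags entries a web-server account should not own: files under temp
directories, hidden path components, executables and archives.
"""
import re

# find -ls fields: inode blocks mode links owner group size month day year|HH:MM path
LS_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([-dlbcps][rwxsStT-]{9})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2}))\s+(.+)$"
)
TEMP_DIRS = ("/tmp/", "/var/tmp/")
ARCHIVE_SUFFIXES = (".tgz", ".tar.gz", ".tar", ".zip", ".gz")

# Excerpt of the listing posted in the thread; the last line is a constructed benign entry.
SAMPLE_LISTING = """\
     9      704 -rw-r--r--    1 www              wheel              337548 Feb 11  2009 /tmp/kas.tgz
 16448        4 drwxr-xr-x    3 www              wheel                 512 Feb 12  2009 /tmp/.bash
 16482    1024 -rwxr-xr-x    1 www              wheel              492135 Oct 29  2006 /tmp/.bash/bash
    39      36 -rw-r--r--    1 www              wheel               17713 Jun 24 12:22 /tmp/tmpfile
    36    1120 -rwxr-xr-x    1 www              wheel              553666 Aug 20  2008 /tmp/owned
 49346        4 drwxr-xr-x    3 www              wheel                 512 May 27 23:24 /tmp/.,
  2001       16 -rw-r--r--    1 www              www                  8192 Aug 24 09:12 /var/log/lighttpd/access.log
"""

def parse_ls_line(line):
    """Return a dict for one -ls line, or None if the line is not in -ls format."""
    m = LS_RE.match(line)
    if not m:
        return None
    _inode, _blocks, mode, _links, owner, group, size, mtime, path = m.groups()
    return {"mode": mode, "owner": owner, "group": group,
            "size": int(size), "mtime": mtime, "path": path}

def flags_for(entry):
    """List the reasons an entry is suspicious; an empty list means clean."""
    path, mode = entry["path"], entry["mode"]
    reasons = []
    if path.startswith(TEMP_DIRS):
        reasons.append("in temp dir")
    # Hidden directory or file anywhere in the path (e.g. /tmp/.bash, /tmp/.,)
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("hidden path component")
    # Regular file with any execute bit set (directories always carry x)
    if mode[0] == "-" and "x" in mode[1:]:
        reasons.append("executable")
    if path.lower().endswith(ARCHIVE_SUFFIXES):
        reasons.append("archive")
    return reasons

def triage(listing):
    """Map each flagged path to its reasons; unparseable lines are skipped."""
    flagged = {}
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry is not None:
            reasons = flags_for(entry)
            if reasons:
                flagged[entry["path"]] = reasons
    return flagged

def by_top_dir(flagged):
    """Count flagged entries per top-level directory (e.g. '/tmp')."""
    counts = {}
    for path in flagged:
        top = "/" + path.split("/")[1]
        counts[top] = counts.get(top, 0) + 1
    return counts

if __name__ == "__main__":
    hits = triage(SAMPLE_LISTING)
    for path, reasons in hits.items():
        print(f"{path}: {', '.join(reasons)}")
    print(by_top_dir(hits))
```

Note that `/tmp/tmpfile`, the cron payload found later in the thread, is flagged only for its location: a script run as `perl /tmp/tmpfile` needs no execute bit, so location matters more than mode.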


Kropotkin 08-25-2009 09:06 AM

Quote:

Originally Posted by unSpawn (Post 3656741)
Before you start your investigation it is advisable to
0) save a complete detailed listing of users, network connections, processes, open files and
1) raise the firewall to only allow traffic from and to your (management) IP (range) to mitigate damage and
2) save (copies of) logs and then stop services that are not vital for your investigation including databases, web, mail and other servers: basically all you need is SSH.

One problem: this box serves as my mailserver and also router. (I am beginning to see there might be a problem with this.)

I use PF as firewall. Essentially I block all incoming traffic unless explicitly allowed. Everything allowed out.

Code:

pass out quick on $ext_if proto 41
pass out quick on gif0 inet6
pass in quick on gif0 inet6 proto icmp6
block in log

Obviously I need to quickly block everything out, except that which I need to be able to access the web. Not sure how to proceed here.

For the time being, I am killing the script every 15 seconds, as I indicated above.

Quote:

What products+versions exactly does it serve/run over HTTP? Who has access to the machine? Who has an account on the machine?

I am running lighttpd-1.4.20
the box is sitting next to my desk; only one user, me.

Quote:

Might be piggybacking onto another process or run as cronjob. Investigating all files owned by user "www" ('find / -user www -ls'), files in users homes, temporary directories is in order.

done, see previous

Quote:

Since you have the process' PID you can 'sudo lsof -p $PID' for details.

Code:

sudo lsof -p 11544
COMMAND    PID USER  FD  TYPE    DEVICE SIZE/OFF    NODE NAME
perl5.8.9 11544  www  cwd  VDIR      0,76      512      2 /
perl5.8.9 11544  www  rtd  VDIR      0,76      512      2 /
perl5.8.9 11544  www  txt  VREG      0,82    4428 3015044 /usr/local/bin/perl5.8.9
perl5.8.9 11544  www  txt  VREG      0,76  171192  49360 /libexec/ld-elf.so.1
perl5.8.9 11544  www  txt  VREG      0,82  1229218  95150 /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so
perl5.8.9 11544  www  txt  VREG      0,76    92140      16 /lib/libm.so.5
perl5.8.9 11544  www  txt  VREG      0,76    31928      14 /lib/libcrypt.so.4
perl5.8.9 11544  www  txt  VREG      0,76    50496      74 /lib/libutil.so.7
perl5.8.9 11544  www  txt  VREG      0,76  1026604      13 /lib/libc.so.7
perl5.8.9 11544  www  txt  VREG      0,82    17427  94753 /usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so
perl5.8.9 11544  www  txt  VREG      0,82    24006  94951 /usr/local/lib/perl5/5.8.9/mach/auto/Socket/Socket.so
perl5.8.9 11544  www    0u  PIPE 0xc3296c60    16384        ->0xc3296d18
perl5.8.9 11544  www    1u  PIPE 0xc3296874        0        ->0xc32967bc
perl5.8.9 11544  www    2u  PIPE 0xc3296874        0        ->0xc32967bc
perl5.8.9 11544  www    3u  IPv4 0xc3332ae0      0t0    TCP gw:63626->190-202-104-194.genericrev.cantv.net:afs3-fileserver (ESTABLISHED)

Quote:

Raise firewall.

see above

Kropotkin 08-25-2009 09:09 AM

OK, I have found the cronjob that launches the script:

[root@venus /var/cron/tabs]# ls -l
Code:

total 12
-rw-------  1 root  wheel  3440 Aug 25 12:06 colin
-rw-------  1 root  wheel  240 Jul 28 23:49 www

[root@venus /var/cron/tabs]# less www
Code:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.job installed on Tue Jul 28 23:49:28 2009)
# (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24 2006/09/03 17:52:19 ru Exp $)
*/1 * * * * perl /tmp/tmpfile


Kropotkin 08-25-2009 09:20 AM

How do I disable the cronjob for user www? I can't login as www. Obviously just commenting out that line doesn't help:

Code:

[root@venus /var/cron/tabs]# cat www
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.job installed on Tue Jul 28 23:49:28 2009)
# (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24 2006/09/03 17:52:19 ru Exp $)
#*/1 * * * * perl /tmp/tmpfile


unSpawn 08-25-2009 09:27 AM

* CYP contact me by email? I'd like a (tarball) copy of those contents.

Quote:

Originally Posted by Kropotkin (Post 3656793)
One problem: this box serves as my mailserver and also router. (I am beginning to see there might be a problem with this.)
I use PF as firewall. Essentially I block all incoming traffic unless explicitly allowed. Everything allowed out.
Obviously I need to quickly block everything out, except that which I need to be able to access the web. Not sure how to proceed here.

You've got your priorities skewed. Right now the machine is being (partially) used by others to do their bidding, not yours. Whatever it is they do now or will do later might affect you but has the potential to affect others. So while I understand that email is "nice to have" it is not a valid argument to stop mitigating the current situation. Think "desperate diseases must have desperate cures".


Quote:

Originally Posted by Kropotkin (Post 3656793)
I am running lighttpd-1.4.20

No, I mean what is publicly accessible or provided over HTTP? Forum software? Webmail? Web statistics software? What?


Quote:

Originally Posted by Kropotkin (Post 3656793)
How do I disable the cronjob for user www? I can't login as www.

Move the spool file for user "www" out of the cron spool directory or remove it?


Quote:

Originally Posted by Kropotkin (Post 3656793)
[root@venus /var/cron/tabs]# ls -l
Code:

total 12
-rw-------  1 root  wheel  3440 Aug 25 12:06 colin
-rw-------  1 root  wheel  240 Jul 28 23:49 www


Wait. Not good. Your temp files are owned by user "www" group "wheel" but this file (note the timestamp) could only be written to by root.
I suggest you bring the box down now and investigate using a Live CD.

Kropotkin 08-25-2009 11:11 AM

OK. This machine is now physically offline. I have temporarily changed my mailserver to Rollernet.

I will now proceed to study it at leisure, and if I have to copy files I can use a USB stick.

Quote:

Originally Posted by unSpawn (Post 3656836)
* CYP contact me by email? I'd like a (tarball) copy of those contents.

Just sent you a PM with my email address.

Kropotkin 08-25-2009 11:31 AM

Quote:

Originally Posted by unSpawn (Post 3656836)
No, I mean what is publicly accessable or provided over HTTP? Forum software? Webmail? Web statistics software? What?

Let's see. Beyond a large collection of static pages, I had Roundcube configured for Webmail. That's about it.

Kropotkin 08-25-2009 12:09 PM

Quote:

Originally Posted by unSpawn (Post 3656836)
Wait. Not good. Your temp files are owned by user "www" group "wheel" but this file (note the timestamp) could only be written to by root.

I am sure you know waaay more about this stuff than I do, but are you sure of this?

The file "colin" was also written by root. It contains the cron jobs I have configured in my non-root account by that name. I don't use root to edit that file, just crontab -e. Is there not some way the script could have executed that as user "www" as well?

unSpawn 08-25-2009 12:18 PM

Quote:

Originally Posted by Kropotkin (Post 3656982)
Let's see. Beyond a large collection of static pages, I had Roundcube configured for Webmail. That's about it.

Seen http://cve.mitre.org/cgi-bin/cvename...=CVE-2009-0413 ?

unSpawn 08-25-2009 12:27 PM

Quote:

Originally Posted by Kropotkin (Post 3657020)
I am sure you know waaay more about this stuff than I do, but are you sure of this?

No I don't and no I'm not. /usr/bin/crontab being setuid root and all that ;-p

Kropotkin 08-25-2009 02:06 PM

Quote:

Originally Posted by unSpawn (Post 3657025)

Yikes, I hadn't.

There are a fair number of hits for "roundcube" in my www logs in July and August. I'm going to take a closer look tomorrow.

Kropotkin 08-27-2009 04:30 AM

Grepping my web logs for 2009, I see 226 lines pertaining to roundcube. Here is an example:
Code:

lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:40 +0200] "GET /roundcube//bin/msgimport HTTP/1.1" 200 2730 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:41 +0200] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:42 +0200] "GET /roundcubemail-0.1//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:42 +0200] "GET /roundcubemail-0.2//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:42 +0200] "GET /roundcube-0.1//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:42 +0200] "GET /roundcube-0.2//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
11.112.229.3 - - [27/Jun/2009:02:22:01 +0200] "POST /roundcubemail/bin/html2text.php HTTP/1.0" 400 349 "-" "-"
11.112.229.3 - - [27/Jun/2009:02:22:05 +0200] "POST /roundcube/bin/html2text.php HTTP/1.0" 400 349 "-" "-"
11.112.229.3 - - [27/Jun/2009:02:22:20 +0200] "POST /roundcubemail-0.1/bin/html2text.php HTTP/1.0" 400 349 "-" "-"
11.112.229.3 - - [27/Jun/2009:02:22:21 +0200] "POST /roundcubemail-0.2/bin/html2test.php HTTP/1.0" 400 349 "-" "-"
11.112.229.3 - - [27/Jun/2009:02:22:22 +0200] "POST /roundcube-0.1/bin/html2test.php HTTP/1.0" 400 349 "-" "-"
11.112.229.3 - - [27/Jun/2009:02:22:23 +0200] "POST /roundcube-0.2/bin/html2test.php HTTP/1.0" 400 349 "-" "-"

Looks rather like a fishing expedition to me. They seem particularly interested in msgimport, which is a PHP script.

Can someone explain to me in generic terms approximately how an exploit like this works?

FWIW, "Toata dragostea mea pentru diavola" is Romanian and according to Google Translate means "All my love for the devil".
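
The probing pattern in those log lines can be detected automatically. The following is an added Python example, not code from the thread: it parses lighttpd's default accesslog format (tolerating the `filename:` prefix grep adds when searching several files), groups requests for any `roundcube*/bin/` path by client, and reports clients that guess several install paths as well as any such path that answered 200. The `192.0.2.10` line in the sample is constructed as a benign control; the other lines are the entries posted above.

```python
"""Detect Roundcube bin/ probing in lighttpd access logs (added example; not
code from the thread). Assumes lighttpd's default accesslog format:
%h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scanner behaviour seen in the thread: the Roundcube install directory is guessed
# under several names, then scripts in its bin/ directory are requested directly.
ROUNDCUBE_BIN = re.compile(r"^/roundcube[^/]*/+bin/", re.IGNORECASE)
PROBE_THRESHOLD = 3  # distinct guessed paths from one client before alerting

# Entries from the thread; the 192.0.2.10 line is a constructed benign request.
SAMPLE_LOG = """\
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:40 +0200] "GET /roundcube//bin/msgimport HTTP/1.1" 200 2730 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:41 +0200] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:42 +0200] "GET /roundcubemail-0.1//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:42 +0200] "GET /roundcube-0.1//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
11.112.229.3 - - [27/Jun/2009:02:22:01 +0200] "POST /roundcubemail/bin/html2text.php HTTP/1.0" 400 349 "-" "-"
11.112.229.3 - - [27/Jun/2009:02:22:05 +0200] "POST /roundcube/bin/html2text.php HTTP/1.0" 400 349 "-" "-"
11.112.229.3 - - [27/Jun/2009:02:22:20 +0200] "POST /roundcubemail-0.1/bin/html2text.php HTTP/1.0" 400 349 "-" "-"
192.0.2.10 n.n.n.n - [27/Jun/2009:08:15:00 +0200] "GET /roundcube/ HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
"""

def strip_grep_prefix(line):
    """Drop the leading 'file:' grep adds when it searches several files (assumes IPv4 clients)."""
    first = line.split(" ", 1)[0]
    if ":" in first:
        return line.split(":", 1)[1]
    return line

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(strip_grep_prefix(line.strip()))
    return m.groupdict() if m else None

def analyze(log_text):
    """Group requests for roundcube*/bin/ paths by client IP."""
    clients = defaultdict(lambda: {"requests": 0, "paths": set(), "hits": [], "agents": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not ROUNDCUBE_BIN.match(rec["path"]):
            continue
        c = clients[rec["ip"]]
        c["requests"] += 1
        c["paths"].add(rec["path"])
        c["agents"].add(rec["ua"])
        if rec["status"] == "200":          # the guessed path exists and was served
            c["hits"].append(rec["path"])
    return dict(clients)

def alerts(log_text):
    """Human-readable findings: probing clients, and bin/ paths that answered 200."""
    out = []
    for ip, c in sorted(analyze(log_text).items()):
        if len(c["paths"]) >= PROBE_THRESHOLD:
            out.append(f"{ip}: probed {len(c['paths'])} Roundcube bin/ paths "
                       f"(UA: {', '.join(sorted(c['agents']))})")
        for path in c["hits"]:
            out.append(f"{ip}: {path} answered 200 (exposed install; bin/ should not be web-accessible)")
    return out

if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

The 200 on `/roundcube//bin/msgimport` is the line that matters for the investigation: the scanner's 404s show guessing, the single 200 shows which guess found the real install.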

