LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-25-2009, 07:01 AM   #1
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 346

Rep: Reputation: 31
my server has been compromised, what next?


Hi all,

I have an old P4 which serves as a home gateway/webserver/WAP.

Yesterday morning, I noticed a perl process using up excessive CPU time. After some investigation, I have determined that it is highly persistent, ie, it starts up after I kill it, even after rebooting.

This script runs as a webserver process (user www):
Code:
$ ps aux | grep www
www       116 100.0  0.7  5864  3588  ??  R    11:53AM   8:10.33 /usr/bin/web/httpd (perl5.8.9)
www       113  0.0  0.0     0     0  ??  Z    11:53AM   0:00.18 <defunct>
Interestingly enough, this file /usr/bin/web/httpd does not exist on my system.

From this:
Code:
$ sudo lsof | grep perl
[...]
perl5.8.9  4272     www    3u    IPv4 0xc33cf000        0t0     TCP
gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
it would appear to be talking to an IRC server at 94.102.51.57 on port 7000.

I am currently using the following bash command to keep it down while I decide what to do next:
Code:
$ while x=1 ; do sudo killall -9 perl5.8.9  && echo "killed..." ; sleep 15; done
Most likely I need to do a fresh reinstall. But obviously I need to find out where the vulnerability is so that it does not get reinstalled.

I am very much a parttime sysAdmin, and I have no experience with any kind of security forensics, hence I'd be most grateful for suggestions to point me in the right direction.

The server runs FreeBSD 7-stable i386, and has been kept fully up-to-date with security patches.

Thanks for any ideas.
 
Old 08-25-2009, 07:04 AM   #2
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Linux Mint
Posts: 8,480

Rep: Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881
You should pull the network cable.
 
Old 08-25-2009, 08:28 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
In short what you should do before doing anything else is do nothing but read. The CERT Intruder Detection Checklist (http://web.archive.org/web/200801092...checklist.html) may be outdated but still provides a good checklist if you have none.

Before you start your investigation it is advisable to
0) save a complete detailed listing of users, network connections, processes, open files and
1) raise the firewall to only allow traffic from and to your (management) IP (range) to mitigate damage and
2) save (copies of) logs and then stop services that are not vital for your investigation including databases, web, mail and other servers: basically all you need is SSH.

Because the process runs as user "www" the first question you want to ask yourself is who has, or rather: what has, allowed this process to run. To come up with an answer you will need to
3) verify the integrity of all directories and files owned (writable to) by user "www" ('find / -user www -ls'), including temporary directories and files in users homes,
4) (visually) inspect files and cronjobs that can not be verified using your distributions package manager or filesystem integrity checker and then
5) inspect auth databases, system, firewall and application logs.

Please be verbose in your reporting (the more information the better) and please ask question before you do anything if unsure / unclear.


Quote:
Originally Posted by Kropotkin View Post
I have an old P4 which serves as a home gateway/webserver/WAP.
What products+versions exactly does it serve/run over HTTP? Who has access to the machine? Who has an account on the machine?


Quote:
Originally Posted by Kropotkin View Post
After some investigation, I have determined that it is highly persistent, ie, it starts up after I kill it, even after rebooting.
Might be piggybacking onto another process or run as cronjob. Investigating all files owned by user "www" ('find / -user www -ls'), files in users homes, temporary directories is in order.

Quote:
Originally Posted by Kropotkin View Post
This script runs as a webserver process (user www) Interestingly enough, this file /usr/bin/web/httpd does not exist on my system.
Might be a changed argv[0].


Quote:
Originally Posted by Kropotkin View Post
sudo lsof | grep perl
Since you have the process' PID you can 'sudo lsof -p $PID' for details.


Quote:
Originally Posted by Kropotkin View Post
it would appear to be talking to an IRC server at 94.102.51.57 on port 7000.
Raise firewall.


Quote:
Originally Posted by Kropotkin View Post
Most likely I need to do a fresh reinstall. But obviously I need to find out where the vulnerability is so that it does not get reinstalled.
Since the process runs as user "www" lets see if we can verify integrity of the system before jumping to conclusions.



Quote:
Originally Posted by repo View Post
You should pull the network cable.
Nice but that won't work for a remote machine. Please post a response in the way we may expect from senior LQ members with incident response knowledge or please abstain from posting a response. (If you have any questions about this you're invited to take it up with me by email.)

Last edited by unSpawn; 08-25-2009 at 08:38 AM. Reason: //more *is* more
 
Old 08-25-2009, 08:44 AM   #4
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 346

Original Poster
Rep: Reputation: 31
Thanks unSpawn.

I will take the questions a few at a time.

First:

Quote:
3) verify the integrity of all directories and files owned (writable to) by user "www" ('find / -user www -ls'), including temporary directories and files in users homes,
OK, this looks suspicious. $sudo find / -user www -ls | grep /tmp returns:

Code:
     9      704 -rw-r--r--    1 www              wheel              337548 Feb 11  2009 /tmp/kas.tgz
    35        4 -rw-r--r--    1 www              wheel                 968 May  8 02:43 /tmp/nc
 16448        4 drwxr-xr-x    3 www              wheel                 512 Feb 12  2009 /tmp/.bash
 16470       12 -rwxr-xr-x    1 www              wheel                4574 Feb 11  2009 /tmp/.bash/inst
 16471        4 -rwxr-xr-x    1 www              wheel                  29 Oct 29  2006 /tmp/.bash/run
 16453        4 drwxr-xr-x    2 www              wheel                 512 Feb 12  2009 /tmp/.bash/r
 16472      112 -rw-r--r--    1 www              wheel               55316 Oct 29  2006 /tmp/.bash/r/rtsay.e
 16473        4 -rw-r--r--    1 www              wheel                 519 Oct 29  2006 /tmp/.bash/r/rnicks.e
 16474        8 -rw-r--r--    1 www              wheel                3651 Oct 29  2006 /tmp/.bash/r/rsignoff.e
 16475        8 -rw-r--r--    1 www              wheel                2495 Oct 29  2006 /tmp/.bash/r/rpickup.e
 16476        8 -rw-r--r--    1 www              wheel                3982 Oct 29  2006 /tmp/.bash/r/rinsult.e
 16477        4 -rw-r--r--    1 www              wheel                1465 Oct 29  2006 /tmp/.bash/r/rversions.e
 16478      112 -rw-r--r--    1 www              wheel               55316 Oct 29  2006 /tmp/.bash/r/rsay.e
 16479       12 -rw-r--r--    1 www              wheel                5195 Oct 29  2006 /tmp/.bash/r/raway.e
 16480        4 -rw-r--r--    1 www              wheel                 830 Oct 29  2006 /tmp/.bash/r/rkicks.e
 16481        4 -rwxr-xr-x    1 www              wheel                 317 Oct 29  2006 /tmp/.bash/autorun
 16482     1024 -rwxr-xr-x    1 www              wheel              492135 Oct 29  2006 /tmp/.bash/bash
 16483       48 -rwxr-xr-x    1 www              wheel               22882 Oct 29  2006 /tmp/.bash/m.help
 16484      332 -rwxr-xr-x    1 www              wheel              167964 Jun 27  2007 /tmp/.bash/pico
 16485       56 -rwxr-xr-x    1 www              wheel               28489 Oct 29  2006 /tmp/.bash/xh
 16486        4 -rwxr-xr-x    1 www              wheel                 715 Feb 11  2009 /tmp/.bash/start
 16487        4 -rwxr-xr-x    1 www              wheel                 178 Feb 11  2009 /tmp/.bash/update
    11        4 -rwxr-xr-x    1 www              wheel                 761 Nov  1  2008 /tmp/dc.pl
    33       60 -rw-r--r--    1 www              wheel               29722 May 19 23:25 /tmp/mind.txt
    32       56 -rw-r--r--    1 www              wheel               28625 Feb 27 16:33 /tmp/guestbook.php
 49346        4 drwxr-xr-x    3 www              wheel                 512 May 27 23:24 /tmp/.,
 49349     5600 -rw-r--r--    1 www              wheel             2844160 Mar 27 10:00 /tmp/.,/m.tgz
 49352        4 drwxr-xr-x    4 www              wheel                 512 Nov 10  2008 /tmp/.,/ml
 49353       20 -rwxr-xr-x    1 www              wheel               10240 Nov 10  2008 /tmp/.,/ml/m.tgz
 49354     1024 -rwxr-xr-x    1 www              wheel              505767 Aug  3  2008 /tmp/.,/ml/LinkEvents
 49355        4 -rwxr-xr-x    1 www              wheel                1320 Mar 27 09:56 /tmp/.,/ml/m.set
 49356        4 -rwxr-xr-x    1 www              wheel                1054 Aug  3  2008 /tmp/.,/ml/m.lev
 49357       48 -rwxr-xr-x    1 www              wheel               22882 May 16  2003 /tmp/.,/ml/m.h
 49358        4 drwxr-xr-x    2 www              wheel                1024 Dec  3  2005 /tmp/.,/ml/src
 49378      100 -rw----r--    1 www              wheel               50540 Dec  3  2005 /tmp/.,/ml/src/main.o
 49379       48 -rwxr-xr-x    1 www              wheel               23025 Mar  2  2005 /tmp/.,/ml/src/main.c
 49380       20 -rwxr-xr-x    1 www              wheel                9824 May 16  2003 /tmp/.,/ml/src/vars.c
 49381       24 -rwxr-xr-x    1 www              wheel               10391 May 16  2003 /tmp/.,/ml/src/structs.h
 49382       20 -rwxr-xr-x    1 www              wheel                8559 Dec  3  2005 /tmp/.,/ml/src/config.h
 49383       32 -rwxr-xr-x    1 www              wheel               15773 May 16  2003 /tmp/.,/ml/src/cfgfile.c
 49384       36 -rwxr-xr-x    1 www              wheel               17837 May 16  2003 /tmp/.,/ml/src/debug.c
 49385       24 -rwxr-xr-x    1 www              wheel               11267 May 16  2003 /tmp/.,/ml/src/global.h
 49386       44 -rwxr-xr-x    1 www              wheel               22036 May 16  2003 /tmp/.,/ml/src/userlist.c
 49387       32 -rwx---r-x    1 www              wheel               14987 Dec  3  2005 /tmp/.,/ml/src/gencmd
 49388        8 -rw----r--    1 www              wheel                3092 Dec  3  2005 /tmp/.,/ml/src/trivia.o
 49389       48 -rw----r--    1 www              wheel               24436 Dec  3  2005 /tmp/.,/ml/src/socket.o
 49390       24 -rw----r--    1 www              wheel               11781 Dec  3  2005 /tmp/.,/ml/src/mcmd.h
 49391       36 -rwxr-xr-x    1 www              wheel               17332 May 16  2003 /tmp/.,/ml/src/h.h
 49392       64 -rwxr-xr-x    1 www              wheel               32063 May 16  2003 /tmp/.,/ml/src/text.h
 49393       52 -rwxr-xr-x    1 www              wheel               24634 May 16  2003 /tmp/.,/ml/src/combot.c
 49394       84 -rw----r--    1 www              wheel               41572 Dec  3  2005 /tmp/.,/ml/src/channel.o
 49395      132 -rw----r--    1 www              wheel               66120 Dec  3  2005 /tmp/.,/ml/src/commands.o
 49396      108 -rw----r--    1 www              wheel               55040 Dec  3  2005 /tmp/.,/ml/src/link.o
 49397       20 -rwxr-xr-x    1 www              wheel                9857 May 16  2003 /tmp/.,/ml/src/gencmd.c
 49398       24 -rwxr-xr-x    1 www              wheel               11324 May 16  2003 /tmp/.,/ml/src/socket.c
 49399       52 -rwxr-xr-x    1 www              wheel               25743 May 16  2003 /tmp/.,/ml/src/channel.c
 49400        8 -rwxr-xr-x    1 www              wheel                3163 May 16  2003 /tmp/.,/ml/src/Makefile.in
 49401       56 -rw----r--    1 www              wheel               28116 Dec  3  2005 /tmp/.,/ml/src/debug.o
 49402       68 -rw----r--    1 www              wheel               33108 Dec  3  2005 /tmp/.,/ml/src/combot.o
 49403       48 -rwxr-xr-x    1 www              wheel               24142 Dec  3  2005 /tmp/.,/ml/src/parse.c
 49404      100 -rw----r--    1 www              wheel               50256 Dec  3  2005 /tmp/.,/ml/src/xmech.o
 49405      108 -rw----r--    1 www              wheel               54940 Dec  3  2005 /tmp/.,/ml/src/com-ons.o
 49406       84 -rw----r--    1 www              wheel               41916 Dec  3  2005 /tmp/.,/ml/src/parse.o
 49407       20 -rwxr-xr-x    1 www              wheel                8432 Mar  4  2005 /tmp/.,/ml/src/config.h.in
 49408       24 -rwxr-xr-x    1 www              wheel               10322 May 16  2003 /tmp/.,/ml/src/dcc.c
 49409       52 -rwxr-xr-x    1 www              wheel               25537 May 16  2003 /tmp/.,/ml/src/xmech.c
 49410       12 -rwxr-xr-x    1 www              wheel                4686 May 16  2003 /tmp/.,/ml/src/defines.h
 49411       52 -rw----r--    1 www              wheel               24620 Dec  3  2005 /tmp/.,/ml/src/dcc.o
 49412       72 -rw----r--    1 www              wheel               36196 Dec  3  2005 /tmp/.,/ml/src/cfgfile.o
 49413       76 -rw----r--    1 www              wheel               38104 Dec  3  2005 /tmp/.,/ml/src/userlist.o
 49414       80 -rwxr-xr-x    1 www              wheel               40092 May 16  2003 /tmp/.,/ml/src/link.c
 49415       84 -rwxr-xr-x    1 www              wheel               42743 May 16  2003 /tmp/.,/ml/src/commands.c
 49416       32 -rwxr-xr-x    1 www              wheel               14756 May 16  2003 /tmp/.,/ml/src/trivia.c
 49417       12 -rwxr-xr-x    1 www              wheel                5893 May 16  2003 /tmp/.,/ml/src/usage.h
 49418       56 -rwxr-xr-x    1 www              wheel               27892 May 16  2003 /tmp/.,/ml/src/com-ons.c
 49419       44 -rwxr-xr-x    1 www              wheel               20607 May 16  2003 /tmp/.,/ml/src/function.c
 49420        8 -rwxr-xr-x    1 www              wheel                3181 Dec  3  2005 /tmp/.,/ml/src/Makefile
 49421       76 -rw----r--    1 www              wheel               37908 Dec  3  2005 /tmp/.,/ml/src/function.o
 49422       44 -rw----r--    1 www              wheel               22464 Dec  3  2005 /tmp/.,/ml/src/vars.o
 49359        4 -rwxr-xr-x    1 www              wheel                 941 Dec  3  2005 /tmp/.,/ml/checkmech
 49360      332 -rwxr-xr-x    1 www              wheel              167964 Mar 16  2001 /tmp/.,/ml/pico
 49361        4 -rwx--x--x    1 www              wheel                   6 May 25  2008 /tmp/.,/ml/m.pid
 49362      832 -rwx--x--x    1 www              wheel              397274 Dec  3  2005 /tmp/.,/ml/crond
 49363        4 -rwxr-xr-x    1 www              wheel                 411 Mar 27 09:57 /tmp/.,/ml/1.user
 49364        4 -rwxr-xr-x    1 www              wheel                 422 Mar 27 09:57 /tmp/.,/ml/2.user
 49365       48 -rwxr-xr-x    1 www              wheel               23237 May 16  2003 /tmp/.,/ml/configure
 49366      864 -rwx--x--x    1 www              wheel              418490 Dec  3  2005 /tmp/.,/ml/bsd
 49367        8 -rwxr-xr-x    1 www              wheel                2154 May 16  2003 /tmp/.,/ml/Makefile
 49368        4 drwxr-xr-x    2 www              wheel                 512 Mar  4  2005 /tmp/.,/ml/r
 49369      112 -rwxr-xr-x    1 www              wheel               55316 Mar  4  2005 /tmp/.,/ml/r/rtsay.e
 49370      112 -rwxr-xr-x    1 www              wheel               55316 May 16  2003 /tmp/.,/ml/r/rsay.e
 49371       12 -rwxr-xr-x    1 www              wheel                5195 May 16  2003 /tmp/.,/ml/r/raway.e
 49372        4 -rwxr-xr-x    1 www              wheel                 519 May 16  2003 /tmp/.,/ml/r/rnicks.e
 49373        4 -rwxr-xr-x    1 www              wheel                 830 May 16  2003 /tmp/.,/ml/r/rkicks.e
 49374        8 -rwxr-xr-x    1 www              wheel                2495 May 16  2003 /tmp/.,/ml/r/rpickup.e
 49375        4 -rwxr-xr-x    1 www              wheel                1465 May 16  2003 /tmp/.,/ml/r/rversions.e
 49376        8 -rwxr-xr-x    1 www              wheel                3982 May 16  2003 /tmp/.,/ml/r/rinsult.e
 49377        8 -rwxr-xr-x    1 www              wheel                3651 May 16  2003 /tmp/.,/ml/r/rsignoff.e
 49423       88 -rw-r--r--    1 www              wheel               43419 May 27 23:22 /tmp/.,/scanxml.txt
    39       36 -rw-r--r--    1 www              wheel               17713 Jun 24 12:22 /tmp/tmpfile
    36     1120 -rwxr-xr-x    1 www              wheel              553666 Aug 20  2008 /tmp/owned
 
Old 08-25-2009, 09:06 AM   #5
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 346

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by unSpawn View Post
Before you start your investigation it is advisable to
0) save a complete detailed listing of users, network connections, processes, open files and
1) raise the firewall to only allow traffic from and to your (management) IP (range) to mitigate damage and
2) save (copies of) logs and then stop services that are not vital for your investigation including databases, web, mail and other servers: basically all you need is SSH.
One problem: this box serves as my mailserver and also router. (I am beginning to see there might be a problem with this.)

I use PF as firewall. Essentially I block all incoming traffic unless explicitly allowed. Everything allowed out.

Code:
pass out quick on $ext_if proto 41
pass out quick on gif0 inet6
pass in quick on gif0 inet6 proto icmp6
block in log
Obviously I need to quickly block everything out, except that which I need to be able to access the web. Not sure how to proceed here.

For the time being, I am killing the script every 15 seconds, as I indicated above.

Quote:
What products+versions exactly does it serve/run over HTTP? Who has access to the machine? Who has an account on the machine?
I am running lighttpd-1.4.20
the box is sitting next to my desk; only one user, me.

Quote:
Might be piggybacking onto another process or run as cronjob. Investigating all files owned by user "www" ('find / -user www -ls'), files in users homes, temporary directories is in order.
done, see previous

Quote:
Since you have the process' PID you can 'sudo lsof -p $PID' for details.
Code:
sudo lsof -p 11544
COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF    NODE NAME
perl5.8.9 11544  www  cwd   VDIR       0,76      512       2 /
perl5.8.9 11544  www  rtd   VDIR       0,76      512       2 /
perl5.8.9 11544  www  txt   VREG       0,82     4428 3015044 /usr/local/bin/perl5.8.9
perl5.8.9 11544  www  txt   VREG       0,76   171192   49360 /libexec/ld-elf.so.1
perl5.8.9 11544  www  txt   VREG       0,82  1229218   95150 /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so
perl5.8.9 11544  www  txt   VREG       0,76    92140      16 /lib/libm.so.5
perl5.8.9 11544  www  txt   VREG       0,76    31928      14 /lib/libcrypt.so.4
perl5.8.9 11544  www  txt   VREG       0,76    50496      74 /lib/libutil.so.7
perl5.8.9 11544  www  txt   VREG       0,76  1026604      13 /lib/libc.so.7
perl5.8.9 11544  www  txt   VREG       0,82    17427   94753 /usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so
perl5.8.9 11544  www  txt   VREG       0,82    24006   94951 /usr/local/lib/perl5/5.8.9/mach/auto/Socket/Socket.so
perl5.8.9 11544  www    0u  PIPE 0xc3296c60    16384         ->0xc3296d18
perl5.8.9 11544  www    1u  PIPE 0xc3296874        0         ->0xc32967bc
perl5.8.9 11544  www    2u  PIPE 0xc3296874        0         ->0xc32967bc
perl5.8.9 11544  www    3u  IPv4 0xc3332ae0      0t0     TCP gw:63626->190-202-104-194.genericrev.cantv.net:afs3-fileserver (ESTABLISHED)
Quote:
Raise firewall.
see above

Last edited by Kropotkin; 08-25-2009 at 09:10 AM.
 
Old 08-25-2009, 09:09 AM   #6
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 346

Original Poster
Rep: Reputation: 31
OK, I have found the cronjob that launches the script:

[root@venus /var/cron/tabs]# ls -l
Code:
total 12
-rw-------  1 root  wheel  3440 Aug 25 12:06 colin
-rw-------  1 root  wheel   240 Jul 28 23:49 www
[root@venus /var/cron/tabs]# less www
Code:
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.job installed on Tue Jul 28 23:49:28 2009)
# (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24 2006/09/03 17:52:19 ru Exp $)
*/1 * * * * perl /tmp/tmpfile
 
Old 08-25-2009, 09:20 AM   #7
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 346

Original Poster
Rep: Reputation: 31
How do I disable the cronjob for user www? I can't login as www. Obviously just commenting out that line doesn't help:

Code:
[root@venus /var/cron/tabs]# cat www 
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.job installed on Tue Jul 28 23:49:28 2009)
# (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24 2006/09/03 17:52:19 ru Exp $)
#*/1 * * * * perl /tmp/tmpfile
 
Old 08-25-2009, 09:27 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
* CYP contact me by email? I'd like a (tarball) copy of those contents.

Quote:
Originally Posted by Kropotkin View Post
One problem: this box serves as my mailserver and also router. (I am beginning to see there might be a problem with this.)
I use PF as firewall. Essentially I block all incoming traffic unless explicitly allowed. Everything allowed out.
Obviously I need to quickly block everything out, except that which I need to be able to access the web. Not sure how to proceed here.
you've got your priorities skewed. Right now the machine is being (partially) used by others to do their bidding, not yours. Whatever it is they do now or will do later might affect you but has the potential to affect others. So while I understand that email is "nice to have" it is not a valid argument to stop mitigating the current situation. Think "desperate diseases must have desperate cures".


Quote:
Originally Posted by Kropotkin View Post
I am running lighttpd-1.4.20
No, I mean what is publicly accessable or provided over HTTP? Forum software? Webmail? Web statistics software? What?


Quote:
Originally Posted by Kropotkin View Post
How do I disable the cronjob for user www? I can't login as www.
Move the spool file for user "www" out of the cron spool directory or remove it?


Quote:
Originally Posted by Kropotkin View Post
Code:
[root@venus /var/cron/tabs]# ls -l
Code:
total 12
-rw-------  1 root  wheel  3440 Aug 25 12:06 colin
-rw-------  1 root  wheel   240 Jul 28 23:49 www
Wait. Not good. Your temp files are owned by user "www" group "wheel" but this file (note the timestamp) could only be written to by root.
I suggest you bring the box down now and investigate using a Live CD.

Last edited by unSpawn; 08-25-2009 at 09:45 AM. Reason: //more *is* more
 
Old 08-25-2009, 11:11 AM   #9
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 346

Original Poster
Rep: Reputation: 31
OK. This machine is now physically offline. I have temporarily changed my mailserver to Rollernet.

I will now proceed to study it at leisure, and if I have to copy files I can use a USB stick

Quote:
Originally Posted by unSpawn View Post
* CYP contact me by email? I'd like a (tarball) copy of those contents.
Just sent you a PM with my email address.
 
Old 08-25-2009, 11:31 AM   #10
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 346

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by unSpawn View Post
No, I mean what is publicly accessable or provided over HTTP? Forum software? Webmail? Web statistics software? What?
Let's see. Beyond a large collection of static pages, I had Roundcube configured for Webmail. That's about it.
 
Old 08-25-2009, 12:09 PM   #11
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 346

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by unSpawn View Post
Wait. Not good. Your temp files are owned by user "www" group "wheel" but this file (note the timestamp) could only be written to by root.
I am sure you know waaay more about this stuff than I do, but are you sure of this?

The file "colin" was also written by root. It contains the cron jobs I have configured in my non-root account by that name. I don't use root to edit that file, just crontab -e. Is there not some way the script could have executed that as user "www" as well?

Last edited by Kropotkin; 08-25-2009 at 12:23 PM.
 
Old 08-25-2009, 12:18 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Quote:
Originally Posted by Kropotkin View Post
Let's see. Beyond a large collection of static pages, I had Roundcube configured for Webmail. That's about it.
Seen http://cve.mitre.org/cgi-bin/cvename...=CVE-2009-0413 ?
 
Old 08-25-2009, 12:27 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Quote:
Originally Posted by Kropotkin View Post
I am sure you know waaay more about this stuff than I do, but are you sure of this?
No I dont and no I'm not. /usr/bin/crontab being setuid root and all that ;-p
 
Old 08-25-2009, 02:06 PM   #14
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 346

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by unSpawn View Post
Yikes, I hadn't.

There are a fair number of hits for "roundcube" in my www logs in July and August. I'm going to take a closer look tomorrow.
 
Old 08-27-2009, 04:30 AM   #15
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 346

Original Poster
Rep: Reputation: 31
grepping my web logs for 2009, I see 226 lines pertaining to roundcube. Here is an example:
Code:
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:40 +0200] "GET /roundcube//bin/msgimport HTTP/1.1" 200 2730 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:41 +0200] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:42 +0200] "GET /roundcubemail-0.1//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:42 +0200] "GET /roundcubemail-0.2//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:42 +0200] "GET /roundcube-0.1//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:42 +0200] "GET /roundcube-0.2//bin/msgimport HTTP/1.1" 404 345 "-" "Toata dragostea mea pentru diavola"
 HTTP/1.0" 400 349 "-" "-"11.112.229.3 - - [27/Jun/2009:02:22:01 +0200] "POST /roundcubemail/bin/html2text.php
 HTTP/1.0" 400 349 "-" "-"11.112.229.3 - - [27/Jun/2009:02:22:05 +0200] "POST /roundcube/bin/html2text.php
 HTTP/1.0" 400 349 "-" "-"11.112.229.3 - - [27/Jun/2009:02:22:20 +0200] "POST /roundcubemail-0.1/bin/html2text.php
 HTTP/1.0" 400 349 "-" "-"11.112.229.3 - - [27/Jun/2009:02:22:21 +0200] "POST /roundcubemail-0.2/bin/html2test.php
 HTTP/1.0" 400 349 "-" "-"11.112.229.3 - - [27/Jun/2009:02:22:22 +0200] "POST /roundcube-0.1/bin/html2test.php
 HTTP/1.0" 400 349 "-" "-"11.112.229.3 - - [27/Jun/2009:02:22:23 +0200] "POST /roundcube-0.2/bin/html2test.php
Looks rather like a fishing expedition to me. they seem particularly interested in msgimport, which is a PHP script.

Can someone explain to me in generic terms approximately how an exploit like this works?

FWIW, "Toata dragostea mea pentru diavola" is Romanian and according to Google Translate means "All my love for the devil"

Last edited by unSpawn; 08-27-2009 at 06:07 AM. Reason: //Replaced victim IP with "n.n.n.n"
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Server Compromised? lss1 Linux - Security 7 12-16-2005 12:49 AM
Server Compromised? stlyz3 Linux - Security 6 09-07-2005 04:28 PM
Gentoo's server compromised? Couldn't be, right? jon_k Linux - Security 1 06-12-2005 06:46 PM
Apache server compromised? lacerto Linux - Security 3 04-13-2005 03:26 PM
Server was compromised, need help Asiana Linux - Security 3 06-02-2004 12:39 PM


All times are GMT -5. The time now is 11:34 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration