Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I woke up this morning and I noticed that my outgoing bandwidth was being used to the maximum. I did a "top" and 2 "perl" processes were running. I killed them and the "upload" stopped. I tried to see who was logged in to the system by doing a "ps aux" and other than me and the normal root and system accounts there was nobody else. I also stopped the httpd service and had a look at access_log and these seemed like interesting lines:
Am I just looking at attempts or have I been had? The style of my phpBB2 board has been changed to the default one also. What can I do to see what damage has been done? I changed most of the linux passwords this morning and left httpd off for now.
That doesn't look like it exploits this vulnerability. In fact it's likely the older "admin_styles" vuln. It is interesting that you see 4 identical sets of attacks from 2 separate IPs in close proximity, but that may not mean anything and the code itself doesn't look like it's a self-propagating worm. It just looks like the same script run several times.
As far as what happened, you can see the SQL injection attack that uses "admin_db_utilities" to drop the table holding your site data and the final URL that uses the "admin_styles.php?" vuln to upload and execute a perl script. Check the upload directory (/tmp) for a file named a.pl.
You've been running a seriously outdated version of phpBB that has several significant vulnerabilities in it and have been compromised at least once. Simply upgrading phpBB to a current version and removing any files related to the compromise may not be enough. You should really format the system and re-install from trusted media. In the future, make sure to keep up with security updates and patches, as it will save you a lot of headaches.
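As an added defender's example (not from the original thread or from phpBB), a small Python check that flags access_log requests matching the pattern described above: direct hits on phpBB 2 admin scripts, SQL keywords in the query string, and references to a perl script or /tmp. The log lines embedded in it are constructed, not the poster's logs, and the query-string parameter names in them are placeholders, not real phpBB parameters.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# phpBB 2.x administration scripts that an ordinary visitor has no reason to request directly.
ADMIN_SCRIPTS = ("admin_styles.php", "admin_db_utilities.php")
SQLI_RE = re.compile(r"\b(drop|union|select|insert|update|delete)\b", re.IGNORECASE)

def classify(line):
    """Return (client_ip, reasons) for one log line; reasons is empty when nothing looks off."""
    m = LOG_RE.match(line)
    if not m:
        return None, []
    path = unquote_plus(m.group("path"))      # decode %27, %2F, '+' etc. before matching
    reasons = []
    if "/admin/" in path and any(s in path for s in ADMIN_SCRIPTS):
        reasons.append("direct hit on phpBB admin script")
    query = path.partition("?")[2]
    if SQLI_RE.search(query):
        reasons.append("SQL keyword in query string")
    if re.search(r"\.pl\b|/tmp/", query):
        reasons.append("perl script or /tmp path in request")
    return m.group("ip"), reasons

def suspicious_by_ip(lines):
    """Group flagged requests by client IP so repeated runs of the same script stand out."""
    hits = defaultdict(list)
    for line in lines:
        ip, reasons = classify(line)
        if reasons:
            hits[ip].append(reasons)
    return dict(hits)

# Constructed sample log lines (RFC 5737 test addresses, placeholder parameters), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2005:04:12:01 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Jan/2005:04:12:09 +0000] "GET /phpBB2/admin/admin_db_utilities.php?x=1%27%3B+DROP+TABLE+phpbb_posts%3B-- HTTP/1.1" 200 210 "-" "-"',
    '198.51.100.42 - - [10/Jan/2005:04:13:30 +0000] "GET /phpBB2/admin/admin_styles.php?style=..%2F..%2Ftmp%2Fa.pl HTTP/1.1" 200 88 "-" "-"',
    '192.0.2.5 - - [10/Jan/2005:04:14:00 +0000] "GET /phpBB2/viewtopic.php?t=12 HTTP/1.1" 200 7311 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, flagged in suspicious_by_ip(SAMPLE_LOG).items():
        print(ip, "->", flagged)
```

Run it against a real access_log with `suspicious_by_ip(open("/var/log/httpd/access_log"))`; the "update"/"select" keywords will produce some noise on a busy board, so treat a hit as a lead to read the full request, not as proof of compromise.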
Darn, I had relied on the automatic vendor updates but I will not be doing that from now on. I had a look at the /tmp folder last night before formatting and reinstalling and there was no .pl file. It must have been removed. Anyway, it was a learning experience. Thank you!
Originally posted by chris_yumm: Darn, I had relied on the automatic vendor updates but I will not be doing that from now on.
What version of Mandrake were you running?
I had a look at the /tmp folder last night before formatting and reinstalling and there was no .pl file. It must have been removed.
That's definitely troublesome as it suggests there was more activity that did not appear in the logs. Reinstalling is definitely the right move.
Anyway, it was a learning experience. Thank you!
No problem. Btw, welcome to linuxquestions.
Darn, I had relied on the automatic vendor updates but I will not be doing that from now on.
PhpBB is a contrib package, i.e. it was packaged by somebody outside of Mandrake. Mandrake doesn't provide updates for contrib packages between distro releases and never has.
However there are about 3500 packages in main in the latest Mandrake distro, all of which they provide updates for. Your Mandrake installation will still mostly consist of those, so you should keep up with automatic updates, otherwise you'll probably get into even more trouble.