Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi, I've seen that someone installed 'rapidleech' on my server, and some VMware. The (web) server hosts a few domains, but their stuff is in two folders on the same domain. I've checked log files, and it seems they didn't really log on to the system. So I checked the upload folders of the software on the domain, as it runs tikiwiki, gallery2 and, on other domains, joomla and wordpress. I didn't find anything suspicious. Safe mode is off on the server, but before turning it on I'd like to find out how they got onto it. So far, (s)he is only using it to download files to the server and then downloading them from the server. If I delete the folders, (s)he knows I've seen it and might do something worse.
I guess my priority is finding out how (s)he got on the server.
My question: what would you people do if you were me in this case?
Thanks!
p.s. the server runs ubuntu, apache, mysql.
Last edited by lexthoonen; 01-08-2009 at 06:33 AM..
Usually one of the best places to start is the CERT checklist
From following similar threads here, I've seen that if you want to find out how you were compromised you need to preserve the situation (i.e. don't reboot, but pull the network plug and if you need to shut down, pull the power cord) and then find a way to either put this machine in a place where you can investigate or create a copy of the machine you can investigate. There are threads with advice from much more knowledgeable people than me, so have a search in this forum.
Last edited by Hangdog42; 01-08-2009 at 08:35 AM..
Are you sure that the software you found is installed and they are doing something with it? It's possible that the software was downloaded and not used.
Well, it hardly makes sense. If you don't see anyone had logged on to the system, no-one could have been logged on. Check the current user accounts. See if there is any unknown user installed. If not, they probably have your user credentials (your key or your password) so I suggest you change those. Or maybe someone else's user credentials from your server. Be sure no-one else has sudo access but you.
Also don't forget to get the latest security updates for your server.
Turn off the sshd service (or any remote access/log on system), see if that someone is still doing stuff on your server.
I would look at the versions of the installed apps on the server. My Joomla site was compromised recently and files were uploaded to the server and script was added to the sites front page, because the version of Joomla on the site was out of date.
(Version 1.5.1 vs 1.5.8.) Per my host, Joomla prior to 1.5.6 is unacceptable.
The other apps on your server are just as suspect if they are out of date.
I found r57 on my server, in more than one place. With r57, they've been able to install RapidLeech, which seems to be all they are using (and the VMware to cover their tracks). By the way, r57 has been installed since April...
Now I've got to find out how they were able to install r57...
Application vectors (i.e., gaining access via a PHP-enabled website or via SQL) suck, but that's the risk you take in using such software. It is also the reason you didn't see anyone logging into your system...they didn't have to...they got in through an insecure app. This could've happened because of buggy software, or the way you implemented the software.
Evidence? This is one situation where you shouldn't "think" you know something. If you're not dealing in facts, you stand a very, very good chance of going astray.
Quote:
i found lots of files in an 'image upload' section of tikiwiki, that shouldn't be there.
With all due respect, that is likely just a symptom. Like I said before, you need facts and analysis, not guesswork.
Quote:
so, next plan of action is probably disabling file uploads.
Uh, no. At this point, YOU HAVE ABSOLUTELY NO IDEA WHAT HAS HAPPENED. There could be multiple entry points that you don't know about and can't see. You simply cannot trust what your machine is telling you.
I would strongly suggest taking this machine offline, pulling the power plug and then figuring out the proper way to diagnose what has happened. Everything else is just wasting time.
Last edited by Hangdog42; 01-08-2009 at 05:09 PM..
My tip is sudo. I think that ubuntu uses sudo for all users by default and if you haven't changed that, all your local users have admin access.
Negative. Only the user you create at installation has sudo privileges.
Use the visudo/vimsudo command to edit the sudoers list.
In general, and on Ubuntu, only users part of a certain group have sudo rights.
This group is probably 'adm' or 'admin'. vimsudo should tell you.
To exit without saving once you run vimsudo, for vim non-aware people, press ESC once, type q! and press enter. TIP: only root, or someone with root privileges, can modify the sudoers list.
HTH
Last edited by Worksman; 01-08-2009 at 06:15 PM..
Reason: another typo :)
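The checks suggested in the two replies above (look for an unknown account, see who has sudo, check which group sudoers grants to) written out as functions. This is an added example, not code from the thread or from the posters: each function takes the file to inspect as an argument, so the same script runs against /etc/passwd, /etc/group and /etc/sudoers on the live box or against copies pulled off it. The group names 'admin', 'sudo' and 'wheel', the list of no-login shells and the sample data are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Answers "is there an unknown account,
# and who can become root?" from the files the replies point at. Every
# function takes the file as an argument so it runs equally on copies pulled
# off the compromised host. Group names and paths are assumptions.

# uid0_accounts PASSWD -> every account with UID 0; anything besides root is suspect
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# login_accounts PASSWD -> name:uid:shell for accounts that can get a shell.
#   Attackers add an innocuously named user or give a service account
#   such as www-data a real shell; both show up here.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# admin_group_members GROUP -> group:member for the groups Ubuntu's sudoers
#   traditionally grants full rights to ('admin' then, 'sudo' on later releases).
admin_group_members() {
    awk -F: '$1 == "admin" || $1 == "sudo" || $1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print $1 ":" m[i]
    }' "$1"
}

# sudoers_grants SUDOERS -> every active rule that grants ALL, following
#   #include / #includedir so a grant hidden in sudoers.d is not missed.
sudoers_grants() {
    f="$1"
    {
        cat "$f" 2>/dev/null
        grep -E '^[#@]include(dir)?[[:space:]]' "$f" 2>/dev/null |
        while read -r kw path; do
            if [ -d "$path" ]; then cat "$path"/* 2>/dev/null
            elif [ -f "$path" ]; then cat "$path" 2>/dev/null
            fi
        done
    } | grep -vE '^[[:space:]]*(#|$)' | grep -E '[[:space:]]ALL' || true
}

# authorized_keys_report PASSWD -> user:file:count for every home directory
#   holding an authorized_keys file; a key you did not install is a backdoor
#   that never shows up as a password login.
authorized_keys_report() {
    awk -F: '{ print $1 ":" $6 }' "$1" | while IFS=: read -r user home; do
        k="$home/.ssh/authorized_keys"
        [ -f "$k" ] || continue
        printf '%s:%s:%s\n' "$user" "$k" "$(grep -cvE '^[[:space:]]*(#|$)' "$k")"
    done
}

# Stand-alone run against the live files (sudoers is readable only as root).
for section in uid0_accounts login_accounts; do
    echo "== $section"; $section "${1:-/etc/passwd}"
done
echo "== admin_group_members"; admin_group_members "${2:-/etc/group}"
echo "== sudoers_grants"; sudoers_grants "${3:-/etc/sudoers}"
echo "== authorized_keys_report"; authorized_keys_report "${1:-/etc/passwd}"
```

Anything in the output you cannot account for (a second UID 0 account, www-data with /bin/sh, a member of admin you did not add, a NOPASSWD rule in sudoers.d, an extra key in root's authorized_keys) is a persistence mechanism and has to be removed together with the web shells, or the attacker simply walks back in.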
Thanks for all your advice people. I have learnt quite a lot today, quite a bit thanks to you all.
I have to admit, I haven't been very clear. I guess (I still do as you can see ) I'm in the middle somewhere between where you think I am and where you think I should be.
In tikiwiki, in an upload part, I found r57, a pretty good program to do whatever you want on a server once you have access to it.
On the server, in php.ini "allow_url_fopen" was made available, not a very wise thing to do.
I found out, reading the logs, that 'RapidLeech' is a programme that has really been used a lot lately. No excessive amount of mail has been sent, nor do the websites seem altered in any way compared to backups, except for a few extra "r57" or "c99" (similar program) folders here and there. (By the way, these weren't called that, but with the find command they were easily spotted. It was also a combination of checking owners/group, size and looking for standard files that let me spot them.) I found them on 2 domains on the site.
So, in a few minutes, I'll switch off the webserver. Can't really pull the plug as the machine is more or less 4500 km away. I'll get rid of all instances I've found; I've already been updating the software on it to the latest versions, and have deleted a lot of unused folders of old versions of the software. Once that's done, it'll have to go back online again. In the worst case, I've got backups, but I can't let the sites be down for a long time, you see. Then, I'll have to monitor them (and the logs) pretty well to see if anything suspicious is going on. I'll check if I can find a good virus scanner for the server and what more I can do, but for now, this to me seems the most logical step.
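The hunt this post describes (find, owner/group, the upload directories, files that should not be there, shells that were renamed) together with the php.ini point from the same post, written out as a script. This is an added example, not code from the thread or from the poster. The web server user 'www-data', the web root /var/www, the php.ini path /etc/php5/apache2/php.ini, the upload-directory names and the signature list are assumptions; the sample tree and sample php.ini used in the check are constructed. On the php.ini side: allow_url_fopen lets any script fetch a payload over HTTP, allow_url_include (separate from it since PHP 5.2) is what lets include() load a remote file, and disable_functions removes the primitives a dropped shell needs even after it is on disk. safe_mode, which the opening post considers turning on, was deprecated in PHP 5.3 and removed in 5.4, so it is not among the directives checked.

```shell
#!/bin/sh
# Added example, not from the thread. Hunts for dropped PHP shells the way the
# post describes (find, upload directories, file owner, known contents) and
# checks the php.ini directives that made the drop usable. The web server
# user, directory names, signature list and php.ini path are assumptions.

WEBUSER="${WEBUSER:-www-data}"

# Fragments typical of r57/c99-style shells and obfuscated droppers (ERE).
# A hit is a lead to open by hand, not proof: legitimate code uses some of these.
SHELL_SIGNATURES='eval\(base64_decode|eval\(gzinflate|eval\(gzuncompress|eval\(str_rot13|passthru\(|shell_exec\(|system\([$]_|exec\([$]_|preg_replace\(.*/e[[:punct:]]|r57shell|c99shell|FilesMan'

# php_in_upload_dirs ROOT -> scripts sitting where only images or documents belong
php_in_upload_dirs() {
    find "$1" -type d \( -iname 'upload*' -o -iname 'img*' -o -iname 'image*' \
        -o -iname 'tmp' -o -iname 'cache' \) -prune -print 2>/dev/null |
    while read -r d; do
        find "$d" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[3-7]' \
            -o -iname '*.phar' -o -iname '.htaccess' \) -print 2>/dev/null
    done | LC_ALL=C sort
}

# owned_by_webserver ROOT -> PHP files the web server user itself wrote.
#   Deployed code is normally owned by the admin account; a script owned by
#   www-data was created by a request, which is how a shell arrives.
owned_by_webserver() {
    find "$1" -type f -user "$WEBUSER" -iname '*.php' -print 2>/dev/null | LC_ALL=C sort || true
}

# changed_since ROOT DAYS -> anything written in the last DAYS days, to line
#   up against the Apache access log for the same period
changed_since() {
    find "$1" -type f -mtime "-$2" -print 2>/dev/null | LC_ALL=C sort
}

# signature_hits ROOT -> files whose contents match the signature list,
#   whatever they are called (the shells in the post had been renamed)
signature_hits() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.inc' \
        -o -iname '*.txt' -o -iname '*.jpg' -o -iname '*.gif' \) \
        -exec grep -lE "$SHELL_SIGNATURES" {} + 2>/dev/null | LC_ALL=C sort
}

# phpini_risky PHP_INI -> one line per directive still in the risky state.
#   Unset directives are judged by PHP's built-in default (second field).
phpini_risky() {
    ini="$1"
    [ -f "$ini" ] || { echo "no such file: $ini"; return 0; }
    for entry in allow_url_fopen:on allow_url_include:off register_globals:off display_errors:on expose_php:on; do
        key=${entry%%:*}; default=${entry#*:}
        have=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^ ;]*\).*/\1/p" "$ini" | tail -n 1 | tr 'A-Z' 'a-z')
        have=${have:-$default}
        case "$have" in
            off|0|false) ;;
            *) echo "$key=$have (want Off)" ;;
        esac
    done
    df=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | tail -n 1 | tr -d ' ')
    for fn in exec passthru shell_exec system proc_open popen; do
        case ",$df," in
            *",$fn,"*) ;;
            *) echo "disable_functions lacks $fn" ;;
        esac
    done
}

# Stand-alone run against a live web root and php.ini.
root="${1:-/var/www}"
for check in php_in_upload_dirs owned_by_webserver signature_hits; do
    echo "== $check"; $check "$root"
done
echo "== changed in the last 30 days"; changed_since "$root" 30
echo "== php.ini"; phpini_risky "${PHP_INI:-/etc/php5/apache2/php.ini}"
```

Run it on the preserved copy rather than the live tree where you can, and take every path it prints to the access log: the first request that wrote the file is the entry point you are looking for, which is the question the thread keeps coming back to. A script in an upload directory that is owned by www-data and was modified in the window the logs cover is about as strong a lead as this kind of triage gives.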