LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-27-2015, 07:17 AM   #1
thorwald_hallwardsson
LQ Newbie
LinuxNet perlbot


Welcome everyone.

I have got a question. I host a website which is running the latest version of Joomla, 3.4.1. I constantly see this website being hacked in some weird way; I don't really understand how this is happening. I dumped the network traffic to find out what they are actually trying to post etc., but all POSTs seem to be empty, yet somehow they manage to run curl/wget and download LinuxNet perlbot, connecting to the remote server on port 443 and sending some IRC commands.

So eventually I see this in the processlist:
# ps -u USER -o stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm
STAT EUID RUID TT TPGID SESS PGRP PPID PID %CPU COMMAND
S XX XX ? -1 6349 6349 1 36492 1.9 -
R XX XX ? -1 6349 6349 1 36495 99.0 -


# lsof -n -p 36495
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
- 36495 USER cwd DIR 253,3 4096 8210 /var/tmp
- 36495 USER rtd DIR 253,0 4096 2 /
- 36495 USER txt REG 253,0 11400 789459 /usr/bin/perl
- 36495 USER mem REG 253,0 44520 1051267 /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
- 36495 USER mem REG 253,0 19800 1051434 /usr/lib64/perl5/auto/IO/IO.so
- 36495 USER mem REG 253,0 502040 787899 /usr/lib64/libfreebl3.so
- 36495 USER mem REG 253,0 2107600 787994 /usr/lib64/libc-2.17.so
- 36495 USER mem REG 253,0 141616 788020 /usr/lib64/libpthread-2.17.so
- 36495 USER mem REG 253,0 14608 788028 /usr/lib64/libutil-2.17.so
- 36495 USER mem REG 253,0 40816 787998 /usr/lib64/libcrypt-2.17.so
- 36495 USER mem REG 253,0 1141552 788002 /usr/lib64/libm-2.17.so
- 36495 USER mem REG 253,0 19512 788000 /usr/lib64/libdl-2.17.so
- 36495 USER mem REG 253,0 113320 788004 /usr/lib64/libnsl-2.17.so
- 36495 USER mem REG 253,0 110808 788022 /usr/lib64/libresolv-2.17.so
- 36495 USER mem REG 253,0 1643232 1051189 /usr/lib64/perl5/CORE/libperl.so
- 36495 USER mem REG 253,0 160240 788136 /usr/lib64/ld-2.17.so
- 36495 USER 0u unix 0xffff880516cb6540 0t0 200000086 /run/mod_fcgid/30670.650
- 36495 USER 1w FIFO 0,8 0t0 200007817 pipe
- 36495 USER 2w REG 253,2 176232 526348 /var/log/httpd/error_log
- 36495 USER 3u CHR 1,3 0t0 22 /null
- 36495 USER 4u IPv4 200000094 0t0 TCP SERVER_IP:56476->Y.Y.Y.Y:mysql (ESTABLISHED)
- 36495 USER 5u unix 0xffff8800bf8be540 0t0 200004349 /run/mod_fcgid/30670.650
- 36495 USER 6u sock 0,6 0t0 182741283 protocol: TCP
- 36495 USER 7u sock 0,6 0t0 182896831 protocol: TCP
- 36495 USER 8u sock 0,6 0t0 183100379 protocol: TCP

.....

- 36495 USER 51u IPv4 200006004 0t0 TCP Z.Z.Z.Z:47332->217.23.11.95:https (ESTABLISHED)
- 36495 USER 7698r FIFO 0,8 0t0 199904840 pipe
- 36495 USER 7701w FIFO 0,8 0t0 199904841 pipe

ngrep dump from when they actually tried to inject and execute the code:
# T ATTACKERS_IP:40652 -> SERVERS_IP:80 [AP]
POST / HTTP/1.1.
Accept-Encoding: identity.
Content-Length: 35.
Host: DOMAIN_NAME.
User-Agent: Python-urllib/2.6.
Connection: close.
Referer: http://DOMAIN_NAME.
Content-Type: application/x-www-form-urlencoded.
.
# T SERVERS_IP:80 -> ATTACKERS_IP:40652 [A]
HTTP/1.1 200 OK.
Server: nginx.
Date: Fri, 27 Mar 2015 09:06:06 GMT.
Content-Type: text/html; charset=utf-8.
Transfer-Encoding: chunked.
Connection: close.
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM".
Vary: User-Agent.
Expires: Mon, 1 Jan 2001 00:00:00 GMT.
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0.
Pragma: no-cache.
Set-Cookie: bd59e88f8a5db86aaa219a6cfda2d121=ltl6n0kgp5g5uhj56ojtcamdd3; path=/; HttpOnly.
Set-Cookie: currentURI=http%3A%2F%2FDOMAIN_NAME%2F; expires=Sat, 28-Mar-2015 09:06:06 GMT; path=/.
Last-Modified: Fri, 27 Mar 2015 09:06:06 GMT.
.
45aa.

<DATA>

# T ATTACKERS_IP:40675 -> SERVERS_IP:80 [AP]
POST / HTTP/1.1.
Accept-Encoding: identity.
Content-Length: 521.
Connection: close.
User-Agent: Python-urllib/2.6.
Host: DOMAIN_NAME.
Referer: http://DOMAIN_NAME.
Cookie: bd59e88f8a5db86aaa219a6cfda2d121=ltl6n0kgp5g5uhj56ojtcamdd3; path=/; HttpOnly, currentURI=http%3A%2F%2FDOMAIN_NAME%2F; expires=Sat, 28-Mar-2015 09:06:06 GMT; path=/.
Content-Type: application/x-www-form-urlencoded.
.

apache access log:
ATTACKERS_IP - - [27/Mar/2015:09:06:05 +0000] "POST / HTTP/1.0" 200 17834 "http://DOMAIN_NAME" "Python-urllib/2.6"
ATTACKERS_IP - - [27/Mar/2015:09:06:06 +0000] "POST / HTTP/1.0" 500 534 "http://DOMAIN_NAME" "Python-urllib/2.6"


apache error log:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0^M100 16334 100 16334 0 0 690k 0 --:--:-- --:--:-- --:--:-- 725k
--2015-03-27 09:06:07-- http://ATTACKERS_IP/is
Connecting to ATTACKERS_IP:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16334 (16K) [text/plain]
Saving to: 'is.1'

0K .......... ..... 100% 2.76M=0.006s

2015-03-27 09:06:07 (2.76 MB/s) - 'is.1' saved [16334/16334]


Of course, tmp is empty and is also secured with noexec and nosuid. The system is running on CentOS 7 with SELinux enabled.

I'm just wondering how they managed to run curl/wget and execute this file by just posting nothing to index.php, which is a normal index.php and doesn't have any dodgy code injected.

The only clue I found on the internet is that this hack is related to the Shellshock bash vulnerability, but I have the latest patched bash installed:
# rpm -q bash
bash-4.2.45-5.el7_0.4.x86_64

MD5 sums match, so the file hasn't been changed.

Thank you for help in advance.

Regards,
Thorwald
 
Old 03-29-2015, 02:11 AM   #2
dijetlo
Senior Member
Apply your shellshock patch
Stop being a hazard to others.

Last edited by dijetlo; 03-29-2015 at 02:20 AM.
 
Old 03-29-2015, 05:19 AM   #3
unSpawn
Moderator
Quote:
Originally Posted by dijetlo:
Apply your shellshock patch
Stop being a hazard to others.
And you better stop posting without doing research first. The OP said he has bash-4.2.45-5.el7_0.4 installed which is the latest BASH upgrade for CentOS 7 mitigating all shellshock problems.
 
Old 03-29-2015, 07:20 AM   #4
dijetlo
Senior Member
Read the link Junior.

He's a bot slave and a danger to everybody who deals with him.

Now, you know how I feel about you. Get out your little ban hammer or go play.
 
Old 03-29-2015, 09:33 AM   #5
unSpawn
Moderator
Quote:
Originally Posted by thorwald_hallwardsson:
I host a website which is running the latest version of Joomla 3.4.1. I constantly see this website being hacked by some weird way I don't really understand how this is happening.
Tell us a bit more about this machine. Is it on a dedicated or a shared hosting server? Was it hardened according to the Joomla Security Checklist? Have you checked for related vulns in themes, plugins and whatnot? Did you check this?


Quote:
Originally Posted by thorwald_hallwardsson:
Code:
-       36495 USER  cwd    DIR              253,3     4096      8210 /var/tmp
The current working directory is one of the directories used for storing transient files, in this case /var/tmp. Please check for alien files and check 'lsof' output for deleted files.


Quote:
Originally Posted by thorwald_hallwardsson:
Code:
-       36495 USER    4u  IPv4          200000094      0t0       TCP SERVER_IP:56476->Y.Y.Y.Y:mysql (ESTABLISHED)
It appears to be connecting to a remote host but TCP/3306 doesn't necessarily mean it's MySQL port.


Quote:
Originally Posted by thorwald_hallwardsson:
Code:
ATTACKERS_IP - - [27/Mar/2015:09:06:05 +0000] "POST / HTTP/1.0" 200 17834 "http://DOMAIN_NAME" "Python-urllib/2.6"
ATTACKERS_IP - - [27/Mar/2015:09:06:06 +0000] "POST / HTTP/1.0" 500 534 "http://DOMAIN_NAME" "Python-urllib/2.6"
"Python-urllib/2.6" could point to a ready-made exploit or a tool kit.


Quote:
Originally Posted by thorwald_hallwardsson:
Code:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0^M100 16334  100 16334    0     0   690k      0 --:--:-- --:--:-- --:--:--  725k
--2015-03-27 09:06:07--  http://ATTACKERS_IP/is
Connecting to ATTACKERS_IP:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16334 (16K) [text/plain]
Saving to: 'is.1'

     0K .......... .....                                      100% 2.76M=0.006s

2015-03-27 09:06:07 (2.76 MB/s) - 'is.1' saved [16334/16334]
OK, so the perp makes some Joomla component download what presumably is a script...
*Please note your obfuscations make things unnecessarily harder. Yes, by all means you should obfuscate your server's IP address, but nothing else.


Quote:
Originally Posted by thorwald_hallwardsson:
I'm just wondering how did they manage to run curl/wget and execute this file by just posting nothing to the index.php which is normal index.php (..)
Doesn't need to. If any Joomla component remains unpatched that's the ticket in.
 
1 members found this post helpful.
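The triage checks unSpawn lists above (cwd in a transient directory, which interpreter image the process runs, open sockets, deleted files) as an added Python script; this is not the poster's or the thread's own code. It parses the ps and lsof column layouts shown in the thread over a constructed sample, so the PIDs, addresses and user name below are assumptions, not the OP's data.

```python
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
INTERPRETERS = ("/usr/bin/perl", "/usr/bin/python", "/usr/bin/php")
# Constructed samples shaped like the thread's `ps ...,ppid,pid,pcpu,comm` and `lsof -n -p PID`
PS_OUTPUT = """STAT EUID RUID TT TPGID SESS PGRP PPID PID %CPU COMMAND
R 1001 1001 ? -1 6349 6349 1 36495 99.0 -
S 1001 1001 ? -1 6349 6349 30670 30671 0.2 php-cgi
"""
LSOF_OUTPUT = """COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
- 36495 web cwd DIR 253,3 4096 8210 /var/tmp
- 36495 web txt REG 253,0 11400 789459 /usr/bin/perl
- 36495 web 51u IPv4 200006004 0t0 TCP 10.0.0.5:47332->203.0.113.9:https (ESTABLISHED)
php-cgi 30671 web cwd DIR 253,3 4096 17 /var/www/html
"""

def _rows(text, ncols):
    """Yield rows of column-aligned output; only the last column may contain spaces."""
    for line in text.splitlines()[1:]:
        f = line.split(None, ncols - 1)
        if len(f) == ncols:
            yield f

def parse_ps(text):  # pid -> {ppid, comm} from the 11-column ps format used in the thread
    return {int(f[8]): {"ppid": int(f[7]), "comm": f[10]} for f in _rows(text, 11)}

def parse_lsof(text):  # pid -> [(fd, type, name)] from the 9-column lsof format
    fds = {}
    for f in _rows(text, 9):
        fds.setdefault(int(f[1]), []).append((f[3], f[4], f[8]))
    return fds

def triage(ps_text, lsof_text):
    """Return {pid: [reason, ...]} for every process that trips at least one indicator."""
    ps, fds = parse_ps(ps_text), parse_lsof(lsof_text)
    report = {}
    for pid, info in ps.items():
        reasons = [r for hit, r in ((info["comm"] == "-", "process name hidden as '-'"),
                                    (info["ppid"] == 1, "reparented to PID 1")) if hit]
        for fd, ftype, name in fds.get(pid, []):
            if fd == "cwd" and name.startswith(TMP_DIRS):
                reasons.append(f"cwd in transient dir {name}")
            elif fd == "txt" and name in INTERPRETERS:
                reasons.append(f"interpreter {name}: identify the script it runs")
            elif ftype == "IPv4" and name.endswith("(ESTABLISHED)"):
                reasons.append(f"established TCP {name.split()[0]}")
            elif name.endswith("(deleted)"):
                reasons.append(f"deleted file still open: {name}")
        if reasons:
            report[pid] = reasons
    return report
```

On a live box, feed it the real output of the two commands from the thread; a process that trips several indicators at once, as 36495 does here, is the one to pull /proc/PID/cmdline and /proc/PID/environ from before killing it.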
Old 03-29-2015, 09:43 AM   #6
unSpawn
Moderator
Quote:
Originally Posted by dijetlo:
He's a bot slave and a danger to everybody who deals with him.
That's the result, yes. But proper analysis of presented facts is what should lead to conclusions. So where did you see the OP actually post "() { :;}; /bin/bash -c"-like evidence that could be unambiguously attributed to shellshock?..
 
Old 03-30-2015, 02:17 AM   #7
thorwald_hallwardsson
LQ Newbie
Hi everyone.

The system is definitely not vulnerable to Shellshock. All my previous readings about LinuxNet perlbot were related to that vulnerability, and in fact in all cases you could see bash commands being passed either in GET or POST or in some other way, but this system has been patched against Shellshock. The server is a "shared hosting" box, and that domain was previously hosted on CentOS 5, which has also been patched for Shellshock, so then I moved them to CentOS 7. I did check the Joomla vulnerability database, but there is nothing for the latest version. The template, even if vulnerable, is not the case here, I guess, as the POST goes straight to index.php, but I could be wrong.

That's why this all makes me really confused, as I also proved the POST form is empty (as you see in the attached ngrep output), but what is strange is that they send 2 POSTs one after another, whereas the second one causes a 500 error, and a second after that you can see the file being downloaded. The thing which makes me concerned is: how is it that the POST array is empty, or hidden in a way that I cannot see what's in it? I would really like to find out what they send.

I will have a look at Joomla parts again and see what I can come up with.

Thank you for your help.

P.S.

Got the full ngrep for that attacking IP address... got the full evidence now of what they post etc. I will update this thread later. Thanks!

Last edited by thorwald_hallwardsson; 03-30-2015 at 02:20 AM. Reason: found evidence.
 
Old 03-30-2015, 03:10 AM   #8
thorwald_hallwardsson
LQ Newbie
OK, so you were right. The JomSocial component is vulnerable. I finally found it by sniffing the traffic for the attacker's IP. I don't understand why the POST table content was in a separate TCP packet, but now I have the full process tracked.

Because it's a bit long, you can have a look at pastebin (2-week expiry date set): http://pastebin.com/dmZviV9n

So line 51 shows the packet which basically called curl to download the bot, and when I looked on the internet to find that POST string I found this: http://www.securityfocus.com/archive.../30/0/threaded.

I asked this website owner to patch all the Joomla components so for now I believe this problem has been resolved.

Thanks for input everyone!

Regards,
TH
 
1 members found this post helpful.
Old 03-30-2015, 11:51 AM   #9
Habitual
LQ Veteran
Drop traffic to/from 217.23.11.95 ?
 
Old 03-31-2015, 03:14 AM   #10
thorwald_hallwardsson
LQ Newbie
And all *.ru and *.cn etc as well ?

Blocking the traffic is not sorting the problem out at all :-/.
 
Old 03-31-2015, 09:25 AM   #11
Habitual
LQ Veteran
Quote:
Originally Posted by thorwald_hallwardsson:
And all *.ru and *.cn etc as well ?

Blocking the traffic is not sorting the problem out at all :-/.
Sorry about that. I'll butt out now.