Hi,
I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by
some hackers that are using a bug I can't track down to download perl
scripts into /tmp:
[EMAIL PROTECTED] 11:26]# cd /tmp/
[EMAIL PROTECTED] 11:26]# ls -lFa
total 76
drwxrwxrwt 2 root wheel 512 Mar 15 12:21 ./
drwxr-xr-x 22 root wheel 512 Jun 29 2005 ../
-rw-r--r-- 1 www wheel 0 Mar 14 22:14 .alekspwned2
-rw-r--r-- 1 www wheel 0 Mar 14 20:41 .balum
-rw-r--r-- 1 www wheel 0 Mar 13 22:36 .mladen3
-rw-r--r-- 1 www wheel 321 Mar 14 20:41 alekshah
-rw-r--r-- 1 www wheel 320 Mar 14 20:41 alekshah2
-rw-r--r-- 1 www wheel 3589 Mar 14 22:14 alekspwned
-rw-r--r-- 1 www wheel 19309 Mar 14 22:14 alekspwned2
I have lots of suspicious activity in /var/www/log/error_log:
0 19309 0 1222 0 0 1222 0 0:00:15 --:--:-- 0:00:15 1222
0 19309 0 4142 0 0 4142 0 0:00:04 0:00:01 0:00:03 8414
100 19309 100 19309 0 0 19309 0 0:00:01 0:00:01 --:--:-- 17258
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 3589 0 1224 0 0 1224 0 0:00:02 --:--:-- 0:00:02 1224
100 3589 100 3589 0 0 3589 0 0:00:01 --:--:-- 0:00:01 2309k
Can't open perl script "/tmp/.alekspwned": No such file or directory.
Use -S to search $PATH for it.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 3589 0 1224 0 0 1224 0 0:00:02 --:--:-- 0:00:02 1224
100 3589 100 3589 0 0 3589 0 0:00:01 --:--:-- 0:00:01 384k
Can't open perl script "/tmp/.alekspwned": No such file or directory.
Use -S to search $PATH for it.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 3589 0 1224 0 0 1224 0 0:00:02 --:--:-- 0:00:02 1224
100 3589 100 3589 0 0 3589 0 0:00:01 --:--:-- 0:00:01 461k
Amongst other things, quite a few:
Can't open perl script "/tmp/.mladen": No such file or directory.
Use -S to search $PATH for it.
Can't open perl script "/tmp/.mladen": No such file or directory.
Use -S to search $PATH for it.
Can't open perl script "/tmp/.mladen": No such file or directory.
Use -S to search $PATH for it.
Can't open perl script "/tmp/.mladen": No such file or directory.
Use -S to search $PATH for it.
Can't open perl script "/tmp/.mladen2": No such file or directory.
Use -S to search $PATH for it.
Can't open perl script "/tmp/.mladen2": No such file or directory.
Use -S to search $PATH for it.
Can't open perl script "/tmp/.mladen2": No such file or directory.
Use -S to search $PATH for it.
Can't open perl script "/tmp/.mladen2": No such file or directory.
Use -S to search $PATH for it.
Can't open perl script "/tmp/.mladen2": No such file or directory.
Use -S to search $PATH for it.
I believe they're exploiting a bug in apache to do remote execution
of their code, which downloads something to /tmp (usually a script of
some sort). They were previously using wget, so I modified that to
log as much information as it could to a file, but this didn't yield
anything useful. Now I see from the logs that they're using ftp and
curl to download the files.
As an intermediate fix, I have mounted /tmp noexec, but this is not
an ideal solution, and I don't want to remove ftp and curl. I have
installed snort (from ports) with the latest rules but this has not
yielded much useful information. The latest attack did come up in
the snort logs, as a double decoding attack. I found some data in
the downloaded files that corresponded to a payload around the time
of the attack.
My questions are:
1. How do I find out their attack vector? I have had a nessus scan
performed on the machine, but it did not present any security (I can
supply on request). I've checked the security releases in
security.html and there are no pertinent ones for httpd. Snort has
provided little useful information (I can provide access to the snort
logs if required).
2. If I can't stop them getting in, is there any way to observe what
they're doing, or how they're doing it, so I can get a pointer to
the hole?
An upgrade is in the works, and right soon too, but I'd really like
to know what's going on here. Some useful links:
Nessus scan: http://vanhegan.net/openbsd/nessus.txt
dmesg: http://vanhegan.net/openbsd/dmesg.txt
httpd error_log: http://vanhegan.net/openbsd/error_log
httpd access_log: http://vanhegan.net/openbsd/access_log
pkg_info: http://vanhegan.net/openbsd/pkg.list
I've run out of ideas here. Can you help?
Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
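As an added example (not part of Gaby's post), the following Python script triages the two artefacts the post shows: httpd's error_log and the `ls -lFa` listing of /tmp. It relies on one assumption about the log: Apache 1.3 writes its own entries as `[Tue Mar 14 22:14:01 2006] [error] ...`, and the server's stderr is the same file, so any line that does not start that way is stderr from a process the server spawned (the curl progress meter and perl's "Can't open perl script" message are exactly that). The sample log and listing below are constructed from the fragments in the post; the `www` user name, the function names and the Apache line format are assumptions, not anything the post states.

```python
import re
from collections import Counter

# Apache 1.3 entries start "[Tue Mar 14 22:14:01 2006] [error] ..."; anything
# else in error_log is stderr from a child process (assumption about the format).
APACHE_LINE = re.compile(r"^\[\w{3} \w{3} [ \d]?\d \d\d:\d\d:\d\d \d{4}\] \[\w+\]")
PERL_OPEN_FAIL = re.compile(r'''Can't open perl script "([^"]+)"''')
# curl's progress meter: the two header lines and the numeric rows
# (% total, total bytes, % received, received bytes, ..., speed).
CURL_META = re.compile(r"^\s*(% Total|Dload\s+Upload)")
CURL_ROW = re.compile(r"^\s*(\d{1,3})\s+(\d+)\s+(\d{1,3})\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+"
                      r"\s+[\d:-]+\s+[\d:-]+\s+[\d:-]+\s+\S+$")
# One row of `ls -lFa`: mode, links, owner, group, size, month, day, time-or-year, name.
LS_ROW = re.compile(r"^([-dlps][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$")

# Constructed sample, modelled on the post's error_log excerpt.
SAMPLE_ERROR_LOG = """\
[Tue Mar 14 22:14:01 2006] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/favicon.ico
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  3589    0  1224    0     0   1224      0  0:00:02 --:--:--  0:00:02  1224
100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01 2309k
Can't open perl script "/tmp/.alekspwned": No such file or directory.
Use -S to search $PATH for it.
100 19309  100 19309    0     0  19309      0  0:00:01  0:00:01 --:--:-- 17258
Can't open perl script "/tmp/.mladen2": No such file or directory.
Use -S to search $PATH for it.
[Tue Mar 14 22:15:10 2006] [notice] child pid 12345 exit signal Segmentation fault (11)
"""

# Constructed sample, modelled on the post's /tmp listing (last row added as a control).
SAMPLE_LS_OUTPUT = """\
total 76
drwxrwxrwt   2 root  wheel    512 Mar 15 12:21 ./
drwxr-xr-x  22 root  wheel    512 Jun 29  2005 ../
-rw-r--r--   1 www   wheel      0 Mar 14 22:14 .alekspwned2
-rw-r--r--   1 www   wheel      0 Mar 14 20:41 .balum
-rw-r--r--   1 www   wheel      0 Mar 13 22:36 .mladen3
-rw-r--r--   1 www   wheel    321 Mar 14 20:41 alekshah
-rw-r--r--   1 www   wheel    320 Mar 14 20:41 alekshah2
-rw-r--r--   1 www   wheel   3589 Mar 14 22:14 alekspwned
-rw-r--r--   1 www   wheel  19309 Mar 14 22:14 alekspwned2
-rw-------   1 root  wheel     42 Mar 15 09:00 .Xauth-constructed
"""


def triage_error_log(text):
    """Classify every non-Apache line in error_log, collect the paths perl was
    told to run, and the byte counts of curl transfers that reached 100%."""
    indicators = Counter()
    stray, perl_targets, completed = [], [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or APACHE_LINE.match(line):
            continue
        stray.append(line)
        m = PERL_OPEN_FAIL.search(line)
        if m:
            indicators["perl_missing_script"] += 1
            perl_targets.append(m.group(1))
            continue
        if line.startswith("Use -S to search $PATH"):
            continue  # second half of the same perl message, already counted
        if CURL_META.match(line):
            indicators["curl_progress_meter"] += 1
            continue
        m = CURL_ROW.match(line)
        if m:
            indicators["curl_progress_meter"] += 1
            if m.group(1) == "100" and m.group(2) == m.group(4):
                completed.append(int(m.group(2)))
            continue
        indicators["other_child_stderr"] += 1
    return {"stray_lines": stray, "indicators": indicators,
            "perl_targets": perl_targets, "completed_downloads": completed}


def web_owned_files(ls_output, web_user="www"):
    """Regular files in an `ls -lFa` listing owned by the web server user,
    as {name: size}. The server user writing to /tmp is itself the signal."""
    owned = {}
    for line in ls_output.splitlines():
        m = LS_ROW.match(line.strip())
        if not m:
            continue
        mode, owner, _group, size, name = m.groups()
        if mode.startswith("-") and owner == web_user:
            owned[name.rstrip("*")] = int(size)  # -F marks executables with '*'
    return owned


def correlate(error_log_text, ls_output, tmp="/tmp", web_user="www"):
    """Match the scripts perl tried to open against what the web user left in
    /tmp: which named paths exist, which do not, which files are zero-byte
    markers, and which file sizes equal a completed curl transfer."""
    report = triage_error_log(error_log_text)
    owned = web_owned_files(ls_output, web_user)
    wanted = {p.rsplit("/", 1)[-1] for p in report["perl_targets"] if p.startswith(tmp + "/")}
    return {
        "present": sorted(n for n in wanted if n in owned),
        "missing": sorted(n for n in wanted if n not in owned),
        "zero_byte_markers": sorted(n for n, s in owned.items() if s == 0),
        "payload_sizes_match": sorted(n for n, s in owned.items()
                                      if s in report["completed_downloads"]),
    }


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_ERROR_LOG, SAMPLE_LS_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against the post's own data, the correlation makes the mismatch visible that the raw log hides: perl was pointed at dotfiles (`/tmp/.alekspwned`, `/tmp/.mladen2`) that are not in the listing, while the files whose sizes equal the completed curl transfers (3589 and 19309 bytes) are the un-dotted `alekspwned` and `alekspwned2`, and the dotfiles that do exist are all zero bytes. For question 2 in the post, the practical step this supports is to grep error_log for lines that are not Apache-formatted and read the timestamps of the surrounding Apache entries, then look up the same second in access_log: the stray stderr is the one place the spawned command identifies itself.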