Mihai Voica wrote:
Sorry for the line wrapping, but I pasted it. Can anyone give me an idea where
this thing comes from and how I can fix it without a reinstall? The server was
installed by someone else; in theory only httpd is a public service, and it seems
that's where the hole is. Distro: CentOS 4.6

[EMAIL PROTECTED] netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      11437/vsftpd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      11453/sendmail: acc
tcp        0      0 192.168.100.10:55031        69.42.218.68:6667           ESTABLISHED 5763/ssh
tcp        0      0 192.168.100.10:39788        69.42.218.68:6667           ESTABLISHED 5660/ssh
tcp        0      0 :::80                       :::*                        LISTEN      5660/ssh
tcp 0 0 :::22

Nice. I would start by studying the access logs. Somewhere you will probably find something like "=http://blablabla". That is, you have (I repeat, probably) a remote file inclusion in a script, which means it accepts anything as a parameter, and since PHP is a clever lad, it opens files, web pages & so on for you. Fix this problem and expect others to show up (it is well known that after you fix one problem, 100 more appear).

(see ssh on port 80 and the ESTABLISHED connections)

[EMAIL PROTECTED] ps aux
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  1692  612 ?        Ss   Jan18   0:00 init [3]
apache    5656  0.0  0.0     0    0 ?        Z    03:43   0:00 [sh] <defunct>
apache    5660 99.9  0.1  4948 3012 ?        R    03:43 431:51 ssh
apache    5759  0.0  0.0     0    0 ?        Z    03:51   0:00 [sh] <defunct>
apache    5763 99.9  0.1  4944 3008 ?        R    03:51 423:32 ssh
root     11415  0.0  0.0  1596  544 ?        Ss   Jan18   0:00 syslogd -m 0
root     11425  0.0  0.0  4064 1140 ?        Ss   Jan18   0:00 /usr/sbin/sshd
root     11437  0.0  0.0  3780 1012 ?        S    Jan18   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root     11453  0.0  0.0  7340 1824 ?        Ss   Jan18   0:00 sendmail: accepting connections
smmsp    11462  0.0  0.0  6488 1636 ?        Ss   Jan18   0:00 sendmail: Queue [EMAIL PROTECTED]:00:00 for /var/spool/clientmqueue
root     11480  0.0  0.3 19748 6372 ?        Ss   Jan18   0:00 /usr/sbin/httpd
apache   11487  0.0  0.2 19888 4940 ?        S    Jan18   0:00 /usr/sbin/httpd
apache   11488  0.0  0.2 19992 5324 ?        S    Jan18   0:00 /usr/sbin/httpd
apache   11489  0.0  0.2 19996 5180 ?        S    Jan18   0:00 /usr/sbin/httpd
apache   11490  0.0  0.2 19888 4940 ?        S    Jan18   0:00 /usr/sbin/httpd
apache   11491  0.0  0.2 19868 4632 ?        S    Jan18   0:00 /usr/sbin/httpd
apache   11492  0.0  0.2 19864 4996 ?        S    Jan18   0:00 /usr/sbin/httpd
apache   11493  0.0  0.2 20000 5284 ?        S    Jan18   0:00 /usr/sbin/httpd
apache   11494  0.0  0.2 19888 4624 ?        S    Jan18   0:00 /usr/sbin/httpd
apache   22409  0.0  0.1 19748 3712 ?        S    10:20   0:00 /usr/sbin/httpd
root     23993  0.0  0.0  1856  308 ?        Ss   10:26   0:00 vzctl: pts/0
root     23994  0.0  0.0  2216 1276 pts/0    Ss   10:26   0:00 -bash
root     25831  0.0  0.0  2372  756 pts/0    R+   10:55   0:00 ps aux
apache   30358  0.0  0.2 19888 4612 ?        S    01:05   0:00 /usr/sbin/httpd



It is good that the infiltrated processes run as apache. That means the whole system most likely was not compromised, only the apache user. If that is the case, see the step above and then check every directory the apache user has write access to. Most likely what you are looking for will be in /tmp or /var/tmp (ls -la is your friend; watch out for directories named " " (space), "..." etc.)

(see the 2 processes at 99%)


[EMAIL PROTECTED] top -b -n1
top - 11:03:12 up 15:50,  0 users,  load average: 2.00, 2.00, 2.00
Tasks:  24 total,   3 running,  19 sleeping,   0 stopped,   2 zombie
Cpu(s): 10.9% us,  1.5% sy,  0.0% ni, 87.6% id,  0.1% wa,  0.0% hi,  0.0% si
Mem:   2067756k total,  2007924k used,    59832k free,   211024k buffers
Swap:  2031608k total,       72k used,  2031536k free,   825952k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 5660 apache    25   0  4948 3012 1244 R 99.6  0.1 439:43.42 perl
 5763 apache    25   0  4944 3008 1248 R 97.6  0.1 431:24.66 perl
    1 root      15   0  1692  612  528 S  0.0  0.0   0:00.10 init
 5656 apache    16   0     0    0    0 Z  0.0  0.0   0:00.00 sh <defunct>
 5759 apache    16   0     0    0    0 Z  0.0  0.0   0:00.00 sh <defunct>
11415 root      23   0  1596  544  456 S  0.0  0.0   0:00.02 syslogd
11425 root      20   0  4064 1140  836 S  0.0  0.1   0:00.06 sshd
11437 root      18   0  3780 1012  772 S  0.0  0.0   0:00.00 vsftpd
11453 root      18   0  7340 1824  864 S  0.0  0.1   0:00.01 sendmail
11462 smmsp     15   0  6488 1636  820 S  0.0  0.1   0:00.00 sendmail
11480 root      18   0 19748 6372 3960 S  0.0  0.3   0:00.07 httpd
11487 apache    15   0 19888 4940 2352 S  0.0  0.2   0:00.15 httpd
11488 apache    15   0 19992 5324 2676 S  0.0  0.3   0:00.13 httpd
11489 apache    15   0 19996 5180 2544 S  0.0  0.3   0:00.10 httpd
11490 apache    15   0 19888 4940 2352 S  0.0  0.2   0:00.11 httpd
11491 apache    18   0 19868 4632 2040 S  0.0  0.2   0:00.11 httpd
11492 apache    18   0 19864 4996 2384 S  0.0  0.2   0:00.14 httpd
11493 apache    15   0 20000 5284 2624 S  0.0  0.3   0:00.14 httpd
11494 apache    18   0 19888 4624 2056 S  0.0  0.2   0:00.12 httpd
22409 apache    19   0 19748 3712 1260 S  0.0  0.2   0:00.00 httpd
23993 root      15   0  1856  308  208 S  0.0  0.0   0:00.19 vzctl
23994 root      16   0  2216 1276 1052 S  0.0  0.1   0:00.12 bash
26044 root      15   0  1944  856  684 R  0.0  0.0   0:00.00 top
30358 apache    16   0 19888 4612 2036 S  0.0  0.2   0:00.02 httpd

(see the first 2 processes)


I tried everything I could without a reinstall (updates, audit), but the
web server had to be back up quickly, so I brought it up again, planning to
investigate the next day.

The next day ... again:

[EMAIL PROTECTED] ~]# netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      11418/vsftpd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      11434/sendmail: acc
tcp        0      0 192.168.100.10:43745        64.89.27.36:36969           ESTABLISHED 23626/httpsd -i eth
tcp        0      0 :::80                       :::*                        LISTEN      11454/httpd
tcp        0      0 ::ffff:192.168.100.10:80    ::ffff:192.168.100.5:48596  TIME_WAIT   -

Merry Christmas, you got owned a second time. This toy is a bit smarter. In C the file name can be altered by modifying ARGV[0] (in other languages too, I know, but psyBNCs and whatever else is used for IRC are generally written in C).

(see httpsd)

[EMAIL PROTECTED] ~]# ps aux
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3  1704  608 ?        Ss   Jan19   0:00 init [3]
root     11408  0.0  0.2  1608  528 ?        Ss   Jan19   0:00 syslogd -m 0
root     11418  0.0  0.5  3812 1000 ?        S    Jan19   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root     11434  0.0  0.9  7380 1844 ?        Ss   Jan19   0:00 sendmail: accepting connections
smmsp    11443  0.0  0.8  6528 1644 ?        Ss   Jan19   0:00 sendmail: Queue [EMAIL PROTECTED]:00:00 for /var/spool/clientmqueue
root     11454  0.0  3.2 19688 6328 ?        Ss   Jan19   0:00 /usr/sbin/httpd
root     11463  0.0  0.4  2492  904 ?        Ss   Jan19   0:00 crond
apache   23626 99.9  1.2  5220 2520 ?        R    10:04  15:00 /usr/sbin/httpsd -i eth0
apache   23640  0.0  2.2 19784 4412 ?        S    10:04   0:00 /usr/sbin/httpd
apache   23641  0.0  2.3 19820 4592 ?        S    10:04   0:00 /usr/sbin/httpd
apache   23642  0.0  2.2 19784 4404 ?        S    10:04   0:00 /usr/sbin/httpd
apache   23645  0.0  2.2 19784 4384 ?        S    10:04   0:00 /usr/sbin/httpd
apache   23646  0.0  2.2 19784 4396 ?        S    10:04   0:00 /usr/sbin/httpd
apache   23647  0.0  2.2 19792 4404 ?        S    10:04   0:00 /usr/sbin/httpd
apache   23648  0.0  2.2 19784 4384 ?        S    10:04   0:00 /usr/sbin/httpd
root     24563  0.0  0.2  1852  424 ?        Ss   10:11   0:00 vzctl: pts/0
root     24564  0.0  0.6  2228 1292 pts/0    Ss   10:11   0:00 -bash
root     26192  0.0  0.3  2388  776 pts/0    R+   10:19   0:00 ps aux

(the file /usr/sbin/httpsd does not exist)

[EMAIL PROTECTED] ~]# top -b -n1
top - 10:20:39 up 1 day, 20:22,  0 users,  load average: 1.00, 1.00, 1.04
Tasks:  18 total,   2 running,  16 sleeping,   0 stopped,   0 zombie
Cpu(s):  4.2% us,  0.7% sy,  0.0% ni, 95.1% id,  0.0% wa,  0.0% hi,  0.0% si
Mem:    196608k total,    37300k used,   159308k free,        0k buffers
Swap:        0k total,        0k used,        0k free,        0k cached

  PID USER      PR  NI %CPU    TIME+  %MEM  VIRT  RES  SHR S COMMAND
23626 apache    25   0  100  16:04.06  1.3  5220 2520  576 R perl
    1 root      18   0    0   0:00.05  0.3  1704  608  524 S init
11408 root      15   0    0   0:00.01  0.3  1608  528  440 S syslogd
11418 root      18   0    0   0:00.00  0.5  3812 1000  772 S vsftpd
11434 root      18   0    0   0:00.04  0.9  7380 1844  872 S sendmail
11443 smmsp     18   0    0   0:00.01  0.8  6528 1644  828 S sendmail
11454 root      18   0    0   0:00.22  3.2 19688 6328 3928 S httpd
11463 root      23   0    0   0:00.00  0.5  2492  904  524 S crond
23640 apache    18   0    0   0:00.00  2.2 19784 4412 1900 S httpd
23641 apache    19   0    0   0:00.00  2.3 19820 4592 2036 S httpd
23642 apache    18   0    0   0:00.00  2.2 19784 4404 1884 S httpd
23645 apache    19   0    0   0:00.00  2.2 19784 4384 1872 S httpd
23646 apache    15   0    0   0:00.00  2.2 19784 4396 1872 S httpd
23647 apache    18   0    0   0:00.02  2.2 19792 4404 1892 S httpd
23648 apache    15   0    0   0:00.00  2.2 19784 4384 1872 S httpd
24563 root      15   0    0   0:00.01  0.2  1852  424  316 S vzctl
24564 root      15   0    0   0:00.04  0.7  2228 1292 1068 S bash
26292 root      15   0    0   0:00.00  0.4  1960  868  696 R top

Does anyone know how this could have been done and how I can fix it?
Thanks in advance.


Again, study the logs and look for what I wrote above.


Cheers,
Radu Oprisan
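The three checks recommended in this thread, as one POSIX shell script: grep the access log for a query-string parameter whose value is a URL (the "=http://..." sign of remote file inclusion), sweep a directory the apache user can write to for names like " " and "..." and for world-writable directories, and compare the name ps reports (argv[0], which a process can overwrite) with the name the kernel keeps for the executable, which is why top lists PIDs 5660, 5763 and 23626 as perl while ps shows ssh and httpsd. This is an added example, not code from either poster; the access-log lines and the fake /tmp it inspects are constructed fixtures, and the function names (rfi_hits, odd_names, world_writable_dirs, argv0_mismatch, check_pid) are my own. The live check reads /proc/PID/stat rather than /proc/PID/comm so that it also works on a 2.6.9 kernel like the one CentOS 4 ships.

```shell
#!/bin/sh
# Triage helpers for the symptoms in this thread. Added example, not from the
# original posts; all sample data below is constructed.

# --- 1. Remote file inclusion: a query-string parameter whose value is a URL,
#        in plain or URL-encoded form ("=http://" or "=http%3a%2f%2f").
rfi_hits() {            # $1 = access log; prints the suspicious request lines
    grep -E -i '[?&][^ "]*=(https?|ftp)(://|%3a%2f%2f)' "$1"
}
rfi_count() {           # $1 = access log; prints how many requests matched
    rfi_hits "$1" | wc -l | tr -d ' '
}

# --- 2. Directory sweep: names made only of dots/blanks, or starting/ending in
#        a space, are classic hiding places in /tmp and /var/tmp.
odd_names() {           # $1 = directory to inspect; prints the suspicious names
    for entry in "$1"/* "$1"/.*; do
        [ -e "$entry" ] || continue
        name="${entry##*/}"
        case "$name" in .|..) continue ;; esac          # the directory itself and its parent
        rest="$(printf '%s' "$name" | tr -d '. \t')"      # what is left after removing dots and blanks
        case "$name" in
            " "*|*" ") printf '%s\n' "$name" ;;           # leading or trailing space
            *) [ -z "$rest" ] && printf '%s\n' "$name" ;; # only dots/blanks, e.g. "..." or " "
        esac
    done
    return 0
}
world_writable_dirs() { # $1 = root of the sweep; any uid (apache included) can drop files here
    find "$1" -type d -perm -0002 2>/dev/null
}

# --- 3. argv[0] spoofing: ps prints argv[0], which the process can rewrite;
#        top's COMMAND column and /proc/PID/stat carry the kernel's name for the
#        executable. Returns 0 (true) when the two disagree.
argv0_mismatch() {      # $1 = kernel comm, $2 = command line as ps shows it
    first="${2%% *}"                    # first word of the command line
    first="${first%:}"                  # "sendmail:" -> "sendmail" (daemons retitle themselves legitimately)
    first="${first##*/}"                # basename
    first="$(printf '%.15s' "$first")"  # comm is truncated to 15 characters
    [ "$first" != "$1" ]
}
check_pid() {           # live check of one PID on Linux; prints a line only on mismatch
    pid="$1"
    [ -r "/proc/$pid/stat" ] || return 2
    comm="$(sed 's/^[0-9]* (\(.*\)) .*/\1/' "/proc/$pid/stat")"
    cmdline="$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    exe="$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    if argv0_mismatch "$comm" "$cmdline"; then
        printf 'PID %s: ps says "%s" but the kernel says "%s" (exe: %s)\n' \
            "$pid" "${cmdline%% *}" "$comm" "$exe"
    fi
}

# --- constructed fixtures: a fake access log and a fake /tmp (not real data)
make_fixtures() {       # prints the fixture directory
    d="$(mktemp -d)"
    cat > "$d/access_log" <<'EOF'
10.0.0.5 - - [18/Jan/2008:03:40:01 +0200] "GET /index.php?page=about HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Jan/2008:03:43:02 +0200] "GET /index.php?page=http://example.invalid/cmd.txt? HTTP/1.1" 200 431 "-" "libwww-perl/5.805"
10.0.0.7 - - [18/Jan/2008:03:51:10 +0200] "GET /inc/config.php?path=ftp%3a%2f%2fexample.invalid/r.txt HTTP/1.1" 200 17 "-" "libwww-perl/5.805"
10.0.0.9 - - [18/Jan/2008:04:00:00 +0200] "GET /images/logo.png HTTP/1.1" 200 8812 "http://site.invalid/" "Mozilla/5.0"
EOF
    mkdir -p "$d/tmp/ " "$d/tmp/..." "$d/tmp/.x11-unix" "$d/tmp/session_cache"
    chmod 755 "$d/tmp/ " "$d/tmp/..." "$d/tmp/.x11-unix" "$d/tmp/session_cache"
    chmod 1777 "$d/tmp"
    printf '%s\n' "$d"
}

fx="$(make_fixtures)"
echo "== RFI candidates ($(rfi_count "$fx/access_log")):"; rfi_hits "$fx/access_log"
echo "== odd names in $fx/tmp:"; odd_names "$fx/tmp"
echo "== world-writable directories under $fx:"; world_writable_dirs "$fx"
echo "== argv[0] vs kernel name for this shell (PID $$):"; check_pid "$$" || true
rm -rf "$fx"
```

On a live box run the last check over everything: for p in /proc/[0-9]*; do check_pid "${p#/proc/}"; done. A mismatch alone is not proof (sendmail and other daemons legitimately retitle themselves, which is why the check strips a trailing colon), so confirm with readlink /proc/PID/exe, which points at the real binary (or shows it as deleted), and ls -l /proc/PID/cwd and /proc/PID/fd, which usually reveal the directory the thing was started from. The regular expression in rfi_hits catches only the plain "=http://" and "=ftp://" forms and their %-encoded variants; a double-encoded or data: payload needs a wider pattern.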

_______________________________________________
RLUG mailing list
RLUG@lists.lug.ro
http://lists.lug.ro/mailman/listinfo/rlug
