Re: Security tools

2006-03-18 Thread Craig Skinner
On Wed, Mar 15, 2006 at 12:31:06PM +, Gaby vanhegan wrote:
> Hi,
> 
> I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by  
> some hackers that are using a bug I can't track down to download perl  
> scripts into /tmp:
> 

Gaby, I think that the list may have already answered this question for
you at the beginning of the year in a thread from yourself titled "How
did they get there?"

You were advised against running phpBB on non-chroot apache, on an
older version of OpenBSD.

Have you followed the advice given then? If not, the answers are still
the same.



Re: Security tools

2006-03-17 Thread Joachim Schipper
On Fri, Mar 17, 2006 at 11:01:53AM +0100, Mark Prins wrote:
> [EMAIL PROTECTED]  wrote on :
> 
> > On Wed, Mar 15, 2006 at 12:31:06PM +, Gaby vanhegan wrote:
> 
> >> 1. How do I find out their attack vector?  I have had a nessus scan
> >> performed on the machine, but it did not present any security (I can
> >> supply on request).  I've checked the security releases in
> >> security.html and there are no pertinent ones for httpd. Snort has
> >> provided little useful information (I can provide access to the
> >> snort logs if required). 
> 
> Your access log only shows the request errors (404, 408); this makes it
> useless for finding the entry point (which would be logged with 2xx),
> assuming it's httpd.
> The error log looks kinda scary...
> (btw rotating the logs makes them easier to manage)
> 
> >> 2. If I can't stop them getting in, is there any way to observe what
> >> they're doing, or how they're doing it, so I can get a pointer to
> >> the hole.
> >> 
> 
> >> I've run out of ideas here.  Can you help?
> > 
> > php is old, and best avoided as a matter of general principle. There
> > have been several security bugs found and fixed since 4.3.8.
> 
> my bets are on php

Or, to be fair to the PHP developers, one of the numerous buggy apps
written in PHP.

Joachim



Re: Security tools

2006-03-17 Thread Mark Prins
[EMAIL PROTECTED]  wrote on :

> On Wed, Mar 15, 2006 at 12:31:06PM +, Gaby vanhegan wrote:

>> 1. How do I find out their attack vector?  I have had a nessus scan
>> performed on the machine, but it did not present any security (I can
>> supply on request).  I've checked the security releases in
>> security.html and there are no pertinent ones for httpd. Snort has
>> provided little useful information (I can provide access to the
>> snort logs if required). 

Your access log only shows the request errors (404, 408); this makes it
useless for finding the entry point (which would be logged with 2xx),
assuming it's httpd.
The error log looks kinda scary...
(btw rotating the logs makes them easier to manage)

>> 2. If I can't stop them getting in, is there any way to observe what
>> they're doing, or how they're doing it, so I can get a pointer to
>> the hole.
>> 

>> I've run out of ideas here.  Can you help?
> 
> php is old, and best avoided as a matter of general principle. There
> have been several security bugs found and fixed since 4.3.8.

my bets are on php



-- 
drs. Mark C. Prins
Spatial Fusion Specialist / Network Administration
SkypeMe@ skype:mark.prins-caris.nl
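Mark's point is that the 404/408 lines are noise and the request that actually reached the vulnerable code will have a 2xx status, so the useful filter is "successful requests in the minutes before each file appeared in /tmp". The following is an added example, not code from this thread: it parses Apache common/combined log lines, keeps the 2xx requests inside a window before the drop times taken from Gaby's `ls -lFa /tmp` listing (the year 2006 is assumed, since `ls` omits it), and flags URLs that still contain `%XX` escapes after one round of decoding, which is the pattern behind Snort's "double decoding" alert. The log lines are constructed samples with documentation-range addresses.

```python
"""Find the 2xx requests that precede each file drop in /tmp.

Added example, not from the thread. Assumes Apache common/combined log
format; drop times come from the ls listing in the original post, with
the year assumed to be 2006. Sample log lines are constructed."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Common log format prefix; the referer/user-agent tail of the combined
# format, if present, is simply ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# mtimes of the www-owned files from the listing (year assumed).
DROP_TIMES = [
    datetime(2006, 3, 13, 22, 36),
    datetime(2006, 3, 14, 20, 41),
    datetime(2006, 3, 14, 22, 14),
]

# Constructed sample access_log lines (not Gaby's real log).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2006:20:40:12 +0000] "GET /index.php HTTP/1.1" 200 4312',
    '192.0.2.10 - - [14/Mar/2006:20:40:41 +0000] "GET /viewtopic.php?t=1&x=%2541%2542 HTTP/1.1" 200 812',
    '198.51.100.7 - - [14/Mar/2006:20:40:50 +0000] "GET /missing.gif HTTP/1.0" 404 210',
    '192.0.2.10 - - [14/Mar/2006:12:00:00 +0000] "GET /index.php?x=%2541 HTTP/1.1" 200 100',
]


def parse_line(line):
    """Return a dict for a well-formed log line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "url": m.group("url"), "status": int(m.group("status"))}


def is_double_encoded(url):
    """True if one round of %-decoding still leaves %XX escapes
    (e.g. %2541 -> %41): the request was encoded twice."""
    once = unquote(url)
    return once != url and re.search(r"%[0-9A-Fa-f]{2}", once) is not None


def candidate_requests(lines, window=timedelta(minutes=5)):
    """2xx requests that fall within `window` before any drop time,
    oldest first, each tagged with a double-encoding flag."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not 200 <= rec["status"] < 300:
            continue
        if any(t - window <= rec["ts"] <= t for t in DROP_TIMES):
            rec["double_encoded"] = is_double_encoded(rec["url"])
            out.append(rec)
    out.sort(key=lambda r: (r["ts"], r["url"]))
    return out


if __name__ == "__main__":
    for r in candidate_requests(SAMPLE_LOG):
        flag = " DOUBLE-ENCODED" if r["double_encoded"] else ""
        print(f'{r["ts"]} {r["ip"]} {r["status"]} {r["url"]}{flag}')
```

Run it against the real access_log by replacing `SAMPLE_LOG` with the file's lines; the window is deliberately short because the drop timestamps come from the filesystem clock of the same host, so skew is not an issue.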





Re: Security tools

2006-03-16 Thread Steve Mansee
On Wed, 15 Mar 2006, Gaby vanhegan wrote:

> Hi,
> 
> I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by  
> some hackers that are using a bug I can't track down to download perl  
> scripts into /tmp:
>
> 
>
> 1. How do I find out their attack vector?  I have had a nessus scan  
> performed on the machine, but it did not present any security (I can  
> supply on request).  I've checked the security releases in  
> security.html and there are no pertinent ones for httpd.  Snort has  
> provided little useful information (I can provide access to the snort  
> logs if required).

Would you be running phpbb? It bit my ass in a very similar fashion.



Re: Security tools

2006-03-15 Thread Clint M. Sand
On Wed, Mar 15, 2006 at 12:31:06PM +, Gaby vanhegan wrote:
> Hi,
> 
> I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by  



> My questions are:
> 
> 1. How do I find out their attack vector?  I have had a nessus scan  
> performed on the machine, but it did not present any security (I can  
> supply on request).  I've checked the security releases in  
> security.html and there are no pertinent ones for httpd.  Snort has  
> provided little useful information (I can provide access to the snort  
> logs if required).
>

From http://www.openbsd.org/errata36.html

009: SECURITY FIX: January 12, 2005   All architectures
httpd(8) 's mod_include module fails to properly validate the length of
user supplied tag strings prior to copying them to a local buffer,
causing a buffer overflow.
This would require enabling the XBitHack directive or server-side
includes and making use of a malicious document. 
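The errata entry only bites when mod_include is reachable, i.e. when `XBitHack` is On/Full or `Includes`/`IncludesNOEXEC` is enabled in some scope. The script below is an added example, not from the thread or from OpenBSD: it walks an httpd.conf in file order, tracks the effective `Options` set per `<Directory>`/`<Location>`/`<Files>`/`<VirtualHost>` block (absolute lists replace the inherited set, `+`/`-` forms modify it, `All` implies `Includes`), and reports every scope where the precondition is met. The configuration it scans is a constructed sample.

```python
"""Report httpd.conf scopes where mod_include can be reached (SSI or XBitHack).

Added example for the errata 009 precondition; not code from the thread.
Assumes Apache 1.3-style directives as shipped with OpenBSD httpd(8).
The sample configuration is constructed."""
import re

SCOPE_OPEN = re.compile(r"^<(Directory|Location|Files|VirtualHost)\b[^>]*>", re.I)
SCOPE_CLOSE = re.compile(r"^</(Directory|Location|Files|VirtualHost)>", re.I)
SSI_OPTIONS = {"includes", "includesnoexec", "all"}  # "All" includes Includes

SAMPLE_CONF = """
ServerRoot /var/www
Options Indexes FollowSymLinks
<Directory /var/www/htdocs/ssi>
    Options +Includes
    XBitHack On
</Directory>
<Directory /var/www/htdocs/static>
    Options None
</Directory>
<Location /cgi-bin>
    Options IncludesNOEXEC   # exec is disabled, but mod_include still parses
</Location>
"""


def ssi_exposure(conf_text):
    """Return (scope, directive) pairs for every place SSI or XBitHack is on."""
    findings = []
    scopes = ["<global>"]
    options_stack = [set()]          # effective Options per open scope
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if SCOPE_OPEN.match(line):
            scopes.append(line)
            options_stack.append(set(options_stack[-1]))   # inherit parent
            continue
        if SCOPE_CLOSE.match(line):
            scopes.pop()
            options_stack.pop()
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "options":
            current = options_stack[-1]
            args = parts[1:]
            # An absolute list (no +/- prefixes) replaces the inherited set.
            if not all(a[0] in "+-" for a in args):
                current.clear()
            for a in args:
                name = a.lstrip("+-").lower()
                if a.startswith("-"):
                    current.discard(name)
                else:
                    current.add(name)
            if current & SSI_OPTIONS:
                findings.append((scopes[-1], "Options " + " ".join(args)))
        elif directive == "xbithack" and len(parts) > 1 \
                and parts[1].lower() in ("on", "full"):
            findings.append((scopes[-1], line))
    return findings


if __name__ == "__main__":
    for scope, why in ssi_exposure(SAMPLE_CONF):
        print(f"{scope}: {why}")
```

Feed it the live `/var/www/conf/httpd.conf` (and any included files) to confirm whether the mod_include fix applies to the box at all; `IncludesNOEXEC` is reported on purpose, since it still routes documents through the vulnerable parser.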



Re: Security tools

2006-03-15 Thread Joachim Schipper
On Wed, Mar 15, 2006 at 12:31:06PM +, Gaby vanhegan wrote:
> Hi,
> 
> I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by  
> some hackers that are using a bug I can't track down to download perl  
> scripts into /tmp:
> 
> [EMAIL PROTECTED] 11:26]# cd /tmp/
> [EMAIL PROTECTED] 11:26]# ls -lFa
> total 76
> drwxrwxrwt   2 root wheel512 Mar 15 12:21 ./
> drwxr-xr-x  22 root wheel512 Jun 29  2005 ../
> -rw-r--r--   1 www  wheel  0 Mar 14 22:14 .alekspwned2
> -rw-r--r--   1 www  wheel  0 Mar 14 20:41 .balum
> -rw-r--r--   1 www  wheel  0 Mar 13 22:36 .mladen3
> -rw-r--r--   1 www  wheel321 Mar 14 20:41 alekshah
> -rw-r--r--   1 www  wheel320 Mar 14 20:41 alekshah2
> -rw-r--r--   1 www  wheel   3589 Mar 14 22:14 alekspwned
> -rw-r--r--   1 www  wheel  19309 Mar 14 22:14 alekspwned2
> 
> I have lots of suspicious activity in /var/www/log/error_log:
> 
>0 193090  12220 0   1222  0  0:00:15 --:--:--   
> 0:00:15  1222
>0 193090  41420 0   4142  0  0:00:04  0:00:01   
> 0:00:03  8414
> 100 19309  100 193090 0  19309  0  0:00:01  0:00:01  
> --:--:-- 17258  % Total% Received % Xferd  Average Speed
> TimeTime Time  Current
>   Dload  Upload   Total   Spent 
> Left  Speed
> 
>0  35890  12240 0   1224  0  0:00:02 --:--:--   
> 0:00:02  1224
> 100  3589  100  35890 0   3589  0  0:00:01 --:--:--   
> 0:00:01 2309k
> Can't open perl script "/tmp/.alekspwned": No such file or  
> directory.Use -S to search $PATH for it.  % Total% Received %  
> Xferd  Average Speed   TimeTime Time  Current
>   Dload  Upload   Total   Spent 
> Left  Speed
>0  35890  12240 0   1224  0  0:00:02 --:--:--   
> 0:00:02  1224
> 100  3589  100  35890 0   3589  0  0:00:01 --:--:--   
> 0:00:01  384k
> Can't open perl script "/tmp/.alekspwned": No such file or  
> directory.Use -S to search $PATH for it.
>% Total% Received % Xferd  Average Speed   TimeTime  
> Time  Current Dload  Upload   Total
> SpentLeft  Speed
> 
>0  35890  12240 0   1224  0  0:00:02 --:--:--   
> 0:00:02  1224
> 100  3589  100  35890 0   3589  0  0:00:01 --:--:--   
> 0:00:01  461k
> 
> Amongst other things, quite a few:
> 
> Can't open perl script "/tmp/.mladen": No such file or directory.Use - 
> S to search $PATH for it.Can't open perl script "/tmp/.mladen": No  
> such file or directory.
> Use -S to search $PATH for it.Can't open perl script "/tmp/.mladen":  
> No such file or directory.Use -S to search $PATH for it.Can't open  
> perl script "/tmp/.mladen": No such file or directory.Use -S to  
> search $PATH for it.
> Can't open perl script "/tmp/.mladen2": No such file or directory.Use  
> -S to search $PATH for it.Can't open perl script "/tmp/.mladen2": No  
> such file or directory.Use -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen2": No such file or directory.Use  
> -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen2": No such file or directory.Use  
> -S to search $PATH for it.
> Can't open perl script "/tmp/.mladen2": No such file or directory.
> Use -S to search $PATH for it.
> 
> I believe they're exploiting a bug in apache to do remote execution  
> of their code, which downloads something to /tmp (usually a script of  
> some sort).  They were previously using wget, so I modified that to  
> log as much information as it could to a file, but this didn't yield  
> anything useful.  Now I see from the logs that they're using ftp and  
> curl to download the files.
> 
> As an intermediate fix, I have mounted /tmp noexec, but this is not  
> an ideal solution, and I don't want to remove ftp and curl.  I have  
> installed snort (from ports) with the latest rules but this has not  
> yielded much useful information.  The latest attack did come up in  
> the snort logs, as a double decoding attack.  I found some data in  
> the downloaded files that corresponded to a payload around the time  
> of the attack.
> 
> My questions are:
> 
> 1. How do I find out their attack vector?  I have had a nessus scan  
> performed on the machine, but it did not present any security (I can  
> supply on request).  I've checked the security releases in  
> security.html and there are no pertinent ones for httpd.  Snort has  
> provided little useful information (I can provide access to the snort  
> logs if required).
> 
> 2. If I can't stop them getting in, is there any way to observe what  
> they're doing, or how they're doing it, so I can get a pointer to  
> the hole.
> 
> An upgrade is in the works, and right soon too, but I'd really like  
> to know what's going on here.  Some useful links:
> 
> Nessus scan: http://vanhegan.n

Re: Security tools

2006-03-15 Thread Darrin Chandler

Gaby vanhegan wrote:

> I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by  
> some hackers that are using a bug I can't track down to download perl  
> scripts into /tmp:
> 
> [EMAIL PROTECTED] 11:26]# cd /tmp/
> [EMAIL PROTECTED] 11:26]# ls -lFa
> total 76
> drwxrwxrwt   2 root wheel512 Mar 15 12:21 ./
> drwxr-xr-x  22 root wheel512 Jun 29  2005 ../
> -rw-r--r--   1 www  wheel  0 Mar 14 22:14 .alekspwned2
> -rw-r--r--   1 www  wheel  0 Mar 14 20:41 .balum
> -rw-r--r--   1 www  wheel  0 Mar 13 22:36 .mladen3
> -rw-r--r--   1 www  wheel321 Mar 14 20:41 alekshah
> -rw-r--r--   1 www  wheel320 Mar 14 20:41 alekshah2
> -rw-r--r--   1 www  wheel   3589 Mar 14 22:14 alekspwned
> -rw-r--r--   1 www  wheel  19309 Mar 14 22:14 alekspwned2

Are you running Apache chroot?

--
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Security tools

2006-03-15 Thread Gaby vanhegan
Hi,

I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by  
some hackers that are using a bug I can't track down to download perl  
scripts into /tmp:

[EMAIL PROTECTED] 11:26]# cd /tmp/
[EMAIL PROTECTED] 11:26]# ls -lFa
total 76
drwxrwxrwt   2 root wheel512 Mar 15 12:21 ./
drwxr-xr-x  22 root wheel512 Jun 29  2005 ../
-rw-r--r--   1 www  wheel  0 Mar 14 22:14 .alekspwned2
-rw-r--r--   1 www  wheel  0 Mar 14 20:41 .balum
-rw-r--r--   1 www  wheel  0 Mar 13 22:36 .mladen3
-rw-r--r--   1 www  wheel321 Mar 14 20:41 alekshah
-rw-r--r--   1 www  wheel320 Mar 14 20:41 alekshah2
-rw-r--r--   1 www  wheel   3589 Mar 14 22:14 alekspwned
-rw-r--r--   1 www  wheel  19309 Mar 14 22:14 alekspwned2

I have lots of suspicious activity in /var/www/log/error_log:

   0 193090  12220 0   1222  0  0:00:15 --:--:--   
0:00:15  1222
   0 193090  41420 0   4142  0  0:00:04  0:00:01   
0:00:03  8414
100 19309  100 193090 0  19309  0  0:00:01  0:00:01  
--:--:-- 17258  % Total% Received % Xferd  Average Speed
TimeTime Time  Current
  Dload  Upload   Total   Spent 
Left  Speed

   0  35890  12240 0   1224  0  0:00:02 --:--:--   
0:00:02  1224
100  3589  100  35890 0   3589  0  0:00:01 --:--:--   
0:00:01 2309k
Can't open perl script "/tmp/.alekspwned": No such file or  
directory.Use -S to search $PATH for it.  % Total% Received %  
Xferd  Average Speed   TimeTime Time  Current
  Dload  Upload   Total   Spent 
Left  Speed
   0  35890  12240 0   1224  0  0:00:02 --:--:--   
0:00:02  1224
100  3589  100  35890 0   3589  0  0:00:01 --:--:--   
0:00:01  384k
Can't open perl script "/tmp/.alekspwned": No such file or  
directory.Use -S to search $PATH for it.
   % Total% Received % Xferd  Average Speed   TimeTime  
Time  Current Dload  Upload   Total
SpentLeft  Speed

   0  35890  12240 0   1224  0  0:00:02 --:--:--   
0:00:02  1224
100  3589  100  35890 0   3589  0  0:00:01 --:--:--   
0:00:01  461k

Amongst other things, quite a few:

Can't open perl script "/tmp/.mladen": No such file or directory.Use - 
S to search $PATH for it.Can't open perl script "/tmp/.mladen": No  
such file or directory.
Use -S to search $PATH for it.Can't open perl script "/tmp/.mladen":  
No such file or directory.Use -S to search $PATH for it.Can't open  
perl script "/tmp/.mladen": No such file or directory.Use -S to  
search $PATH for it.
Can't open perl script "/tmp/.mladen2": No such file or directory.Use  
-S to search $PATH for it.Can't open perl script "/tmp/.mladen2": No  
such file or directory.Use -S to search $PATH for it.
Can't open perl script "/tmp/.mladen2": No such file or directory.Use  
-S to search $PATH for it.
Can't open perl script "/tmp/.mladen2": No such file or directory.Use  
-S to search $PATH for it.
Can't open perl script "/tmp/.mladen2": No such file or directory.
Use -S to search $PATH for it.

I believe they're exploiting a bug in apache to do remote execution  
of their code, which downloads something to /tmp (usually a script of  
some sort).  They were previously using wget, so I modified that to  
log as much information as it could to a file, but this didn't yield  
anything useful.  Now I see from the logs that they're using ftp and  
curl to download the files.

As an intermediate fix, I have mounted /tmp noexec, but this is not  
an ideal solution, and I don't want to remove ftp and curl.  I have  
installed snort (from ports) with the latest rules but this has not  
yielded much useful information.  The latest attack did come up in  
the snort logs, as a double decoding attack.  I found some data in  
the downloaded files that corresponded to a payload around the time  
of the attack.

My questions are:

1. How do I find out their attack vector?  I have had a nessus scan  
performed on the machine, but it did not present any security (I can  
supply on request).  I've checked the security releases in  
security.html and there are no pertinent ones for httpd.  Snort has  
provided little useful information (I can provide access to the snort  
logs if required).

2. If I can't stop them getting in, is there any way to observe what  
they're doing, or how they're doing it, so I can get a pointer to  
the hole.

An upgrade is in the works, and right soon too, but I'd really like  
to know what's going on here.  Some useful links:

Nessus scan: http://vanhegan.net/openbsd/nessus.txt
dmesg: http://vanhegan.net/openbsd/dmesg.txt
httpd error_log: http://vanhegan.net/openbsd/error_log
httpd access_log: http://vanhegan.net/openbsd/access_log
pkg_info: http://vanhegan.net/openbsd/pkg.list

I've run out of ideas here.  Can you help?

Gaby
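The two artefacts in the post already say a lot when read together: curl writes its progress meter to stderr, and perl's "Can't open perl script" message is stderr too, so their appearance in httpd's error_log means a child of httpd ran those commands as the web server user (the `www` ownership of the /tmp files says the same). The script below is an added example, not code from this thread: it parses an `ls -lFa` listing to pull out the www-owned files, counts curl progress-meter headers in an error_log (matching the header text, so the mangled column alignment does not matter), tallies the perl errors per path, and lists the paths perl was pointed at that are no longer present in /tmp. The listing and log text are constructed in the spirit of the post's output.

```python
"""Correlate a /tmp listing with httpd error_log noise to triage a drop-and-run.

Added example, not from the thread. Assumes BSD `ls -lFa` output and an
Apache error_log that captures children's stderr. The listing and log
below are constructed samples, not Gaby's real data."""
import re

LS_RE = re.compile(r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                   r"(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)$")
PERL_RE = re.compile(r'Can\'t open perl script "([^"]+)"')
CURL_HDR = "% Total"      # first column header of curl's progress meter

SAMPLE_LS = """\
total 76
drwxrwxrwt   2 root wheel    512 Mar 15 12:21 ./
drwxr-xr-x  22 root wheel    512 Jun 29  2005 ../
-rw-r--r--   1 www  wheel      0 Mar 13 22:36 .mladen3
-rw-r--r--   1 www  wheel    321 Mar 14 20:41 alekshah
-rw-r--r--   1 www  wheel   3589 Mar 14 22:14 alekspwned
-rw-r--r--   1 root wheel     12 Mar 10 09:00 notes.txt
"""

SAMPLE_LOG = """\
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01 2309k
Can't open perl script "/tmp/.mladen": No such file or directory.
Use -S to search $PATH for it.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
100 19309  100 19309    0     0  19309      0  0:00:01  0:00:01 --:--:-- 17258
Can't open perl script "/tmp/.mladen": No such file or directory.
Can't open perl script "/tmp/.alekspwned": No such file or directory.
Can't open perl script "/tmp/alekshah": No such file or directory.
"""


def www_owned_files(ls_output, owner="www"):
    """Non-directory entries owned by `owner`, as (name, size, mtime)."""
    files = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line.strip())
        if m and m.group(2) == owner and not m.group(1).startswith("d"):
            files.append((m.group(6), int(m.group(4)), m.group(5)))
    return files


def error_log_indicators(log_text):
    """Count curl runs (by progress-meter header) and perl errors per path."""
    perl_paths = {}
    for path in PERL_RE.findall(log_text):
        perl_paths[path] = perl_paths.get(path, 0) + 1
    return {"curl_runs": log_text.count(CURL_HDR), "perl_missing": perl_paths}


def triage(ls_output, log_text):
    """Join the two views: what was dropped, how often curl ran, and which
    script paths perl was handed that are not present in the listing."""
    files = www_owned_files(ls_output)
    ind = error_log_indicators(log_text)
    present = {name for name, _, _ in files}
    return {
        "dropped": files,
        "curl_runs": ind["curl_runs"],
        "missing_targets": sorted(p for p in ind["perl_missing"]
                                  if p.rsplit("/", 1)[-1] not in present),
    }


if __name__ == "__main__":
    rep = triage(SAMPLE_LS, SAMPLE_LOG)
    for name, size, mtime in rep["dropped"]:
        print(f"dropped  {mtime}  {size:>6}  {name}")
    print(f"curl runs seen in error_log: {rep['curl_runs']}")
    print("perl targets no longer in /tmp:", ", ".join(rep["missing_targets"]))
```

One caveat worth knowing when reading the output: the "Can't open perl script" lines are perl complaining that the file is gone, not the noexec mount refusing anything, because `perl /tmp/x` only reads the file and is unaffected by noexec. The mount option stops direct execution of the dropped files but not interpreters being pointed at them, which is why it is an intermediate fix rather than a solution.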