Re: [users@httpd] site compromised and httpd log analysis

2022-07-06 Thread KK CHN
On Wed, Jul 6, 2022 at 8:33 AM Yehuda Katz  wrote:

> Your log doesn't start early enough. Someone uploaded a web shell (or
> found an existing web shell) to your server, possibly using an upload for
> that doesn't validate the input, then used that shell to run commands on
> your server.
>

Yes, that log was not old enough.

Here is another, older log paste:
https://zerobin.net/?a4d9f5b146676594#hkpTU0ljaG5W0GUNVEsaYqvffQilrXavBmbK+V9mzUw=

This log starts earlier than the previous ones, which may help to
investigate further.

> I would consider your entire server to be compromised at this point since
> you have no record of what else the attacker could have done once they had
> a shell.
>

Yes, we took the server down and recreated the VM from an old backup. We
also informed the developer/maintainer about this simple.shell execution
and the need for regular patching of the PHP 7 version and the WordPress
framework they used for hosting.

I would like to know what other details / analysis we need to perform to
find out how the attacker got access, at what time the backdoor was
installed, and which vulnerability they exploited.

I request your tips to investigate further, to find the root cause of
this kind of attack, and how to prevent it in future.



> Make sure that you do not allow users to upload files and then execute
> those files.
>
> - Y
>
> On Tue, Jul 5, 2022 at 9:53 PM KK CHN  wrote:
>
>> https://pastebin.com/YspPiWif
>>
>> One of the websites hosted by a customer on our Cloud infrastructure was
>> compromised, and the attackers were able to replace the home page with
>> their banner html page.
>>
>> The log files output I have pasted above.
>>
>> The site compromised was PHP 7 with MySQL.
>>
>> From the above log, can someone point out what exactly happened and how
>> they were able to deface the home page?
>>
>> How to prevent these attacks? What is the root cause of this
>> vulnerability and how did the attackers get access?
>>
>> If any other logs or command line outputs are required to trace this
>> back, kindly let me know what other details I have to produce.
>>
>> Kindly share your expertise in dealing with these kinds of attacks,
>> tracing the root cause, and prevention measures to block this.
>>
>> Regards,
>> Krish
>>
>>
>>
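The pattern Yehuda describes (a script lands in an upload directory and is then executed) leaves a recognisable trace in the access log: successful requests to a .php file under a directory that should only serve static content, usually preceded by a POST from the same client. The triage script below is an added example, not code from this thread or from httpd. It parses combined-format lines and reports such requests together with the client's earliest preceding POST as the candidate upload request. The sample log lines, the upload directory names, the addresses and the paths are all constructed.

```python
"""Triage a combined-format httpd access log for the pattern the thread
describes: a script dropped into an upload directory and then executed.

Added example for this thread, not code from the list or from httpd. The
log lines, hostnames, addresses and paths below are constructed.
"""
import re
import sys
from datetime import datetime

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Directories that should only ever serve static files (assumption for
# this example; adjust to the site's layout).
UPLOAD_DIRS = ("/wp-content/uploads/", "/uploads/")
# File extensions httpd would hand to the PHP handler.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # keep the path separate from any query string
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def triage(lines):
    """Return one finding per (client, script) pair for successful requests to
    script files under an upload directory, with the earliest POST that client
    made beforehand recorded as the candidate upload request."""
    findings = {}      # (ip, path) -> finding, in order of first appearance
    first_post = {}    # ip -> path of that client's earliest POST
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST":
            first_post.setdefault(rec["ip"], rec["path"])
        if not (rec["path"].startswith(UPLOAD_DIRS) and SCRIPT_EXT.search(rec["path"])):
            continue
        if not rec["status"].startswith("2"):
            continue   # a 404 means nothing was there to execute
        key = (rec["ip"], rec["path"])
        if key not in findings:
            findings[key] = {
                "ip": rec["ip"],
                "path": rec["path"],
                "first_seen": rec["time"],
                "hits": 0,
                # If the script's own POST is the client's first POST, this
                # equals "path": no earlier upload request was logged.
                "candidate_upload": first_post.get(rec["ip"]),
            }
        findings[key]["hits"] += 1
    return list(findings.values())


# Constructed sample log (not the pastebin from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jul/2022:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jul/2022:10:01:40 +0000] "POST /upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jul/2022:10:02:05 +0000] "GET /wp-content/uploads/2022/07/simple.php?x=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jul/2022:10:02:30 +0000] "POST /wp-content/uploads/2022/07/simple.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jul/2022:10:03:00 +0000] "GET /wp-content/uploads/2022/07/banner.png HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jul/2022:10:03:05 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def report(findings):
    for f in findings:
        print(f"{f['first_seen']:%Y-%m-%d %H:%M:%S} {f['ip']} ran {f['path']} "
              f"{f['hits']}x; earliest POST from that client: {f['candidate_upload']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report(triage(fh))
    else:
        report(triage(SAMPLE_LOG.splitlines()))
```

Run it as `python3 triage.py access_log`; with no argument it runs over the constructed sample. The finding's timestamp is the earliest point the log can show the backdoor being used, and the candidate upload request is where to start looking in the application for the form or endpoint that accepted the file. It complements the advice above: the same directories should have script handlers removed in httpd (a `<Directory>` block for the uploads tree that switches the PHP engine off), so a dropped file cannot be executed even if it lands there.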


[users@httpd] site compromised and httpd log analysis

2022-07-05 Thread KK CHN
https://pastebin.com/YspPiWif

One of the websites hosted by a customer on our Cloud infrastructure was
compromised, and the attackers were able to replace the home page with
their banner html page.

The log files output I have pasted above.

The site compromised was PHP 7 with MySQL.

From the above log, can someone point out what exactly happened and how
they were able to deface the home page?

How to prevent these attacks? What is the root cause of this
vulnerability and how did the attackers get access?

If any other logs or command line outputs are required to trace this
back, kindly let me know what other details I have to produce.

Kindly share your expertise in dealing with these kinds of attacks,
tracing the root cause, and prevention measures to block this.

Regards,
Krish


[users@httpd] Defaced Website : Few forensic tips and help

2022-07-04 Thread KK CHN
List ,

https://pastebin.com/YspPiWif

One of our PHP websites was hacked on 3rd July 2022. I am attaching the
httpd access file contents in the above pastebin. I hid the original URL
of the website due to an SLA policy.

Can anybody point out from the logs what exactly made the attacker able to
bring the site down?

Has he used this PHP site for attacking?

If any other logs or command line outputs are needed, let me know; I will
share the required files. I am new to this area of forensic analysis to
find out the root cause of the attack.

Kindly share some tips to find out where the vulnerability is and how to
prevent it in future.

If any more inputs/details are required, keep me informed; I can share
those too.

Regards,
Krish


[users@httpd] Slow web site response..PHP-8/CSS/Apache/

2022-06-23 Thread KK CHN
List,

I am facing a slow response for a hosted PHP8 web site. It takes 30
seconds to load the website fully. The application and database
(PostgreSQL) are running separately on two Virtual Machines in an
OpenStack cloud, in the 10.184.x.221 and 10.184.y.221 networks
respectively.

When I used tools like GTmetrix and Webpagetest.org, they say there are
render-blocking resources:

Resources are blocking the first paint of your page. Consider delivering
critical JS/CSS inline and deferring all non-critical JS/styles.

Resources that *may* be contributing to render-blocking include:

URL                                   Transfer Size   Download Time
xxx.mysite.com/css/bootstrap.min.css  152KB           6.6s
xxx.mysite.com/css/style.css          14.2KB          5.9s
xxx.mysite.com/css/font/font.css      3.33KB          5.7s

Here bootstrap.css takes a TTFB of 6 seconds, and the full loading of
the website takes almost 24 extra seconds, a total of 30 seconds to
render.

https://pastebin.mozilla.org/SX3Cyhpg

The GTmetrix.com site also shows this issue:

The Critical Request Chains below show you what resources are loaded with a
high priority. Consider reducing the length of chains, reducing the
download size of resources, or deferring the download of unnecessary
resources to improve page load.

Maximum critical path latency: *24.9s*

How can I overcome this issue? Is this a VM performance issue, a PHP
issue, an Apache issue, or a PHP application to database backend
connection issue?

Excuse me if this is an off-topic post to the httpd list. I hope a lot of
people have experience to share on how to troubleshoot this or what may be
the root cause making this site's response too slow.

Kindly shed some light here. Any hints on where to start are most welcome.

If any more data is needed, please let me know; I can share it.

Thanks in advance,
Krish.
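A 6.6 s download for a 152 KB static CSS file, as in the report above, is mostly time spent waiting for the first byte rather than transferring data, and that distinction decides whether to look at the VM and httpd or at the network path. The script below is an added example, not code from this thread or from httpd: it times each GET with Python's http.client, splitting time-to-first-byte from transfer time, and classifies the result with a rule of thumb that is this example's own assumption. The URL list is a placeholder, and the throwaway local server it can probe is constructed so the script runs offline.

```python
"""Split a slow static-file fetch into time-to-first-byte (the server's share)
and transfer time (the network's share), which is the distinction the
GTmetrix output above does not make for the 6.6 s bootstrap.min.css.

Added example for this thread, not code from the list or from httpd. The
URL list is a placeholder; probe_local() starts a throwaway local server
(constructed) so the script can be exercised offline.
"""
import http.client
import time
from urllib.parse import urlsplit


def measure(url, timeout=30.0):
    """GET one URL; return status, body size, ttfb and total in seconds."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    start = time.perf_counter()
    conn.request("GET", path, headers={"Host": parts.netloc, "User-Agent": "ttfb-probe"})
    resp = conn.getresponse()          # returns once the status line and headers arrive
    ttfb = time.perf_counter() - start
    body = resp.read()                 # the remaining time is pure transfer
    total = time.perf_counter() - start
    conn.close()
    return {"url": url, "status": resp.status, "bytes": len(body),
            "ttfb": ttfb, "total": total}


def classify(result):
    """Rule of thumb used here (an assumption, not a GTmetrix metric): a static
    file that spends most of its time waiting for the first byte is held up by
    the server (MPM saturation, disk, CPU), not by bandwidth."""
    if result["ttfb"] > 1.0 and result["ttfb"] >= 0.8 * result["total"]:
        return "server-side latency"
    if result["total"] - result["ttfb"] > 1.0:
        return "transfer-bound"
    return "ok"


def probe_local(body=b"body{margin:0}\n" * 100):
    """Constructed local server: serve `body` as CSS on 127.0.0.1 and measure it."""
    import http.server
    import threading

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/css")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):   # keep the probe output clean
            pass

    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return measure(f"http://127.0.0.1:{srv.server_address[1]}/css/style.css")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys
    urls = sys.argv[1:]   # e.g. https://xxx.mysite.com/css/bootstrap.min.css
    results = [measure(u) for u in urls] if urls else [probe_local()]
    for r in results:
        print(f"{r['status']} {r['bytes']:>8}B ttfb={r['ttfb']:.3f}s "
              f"total={r['total']:.3f}s {classify(r):<20} {r['url']}")
```

Run it once from outside the cloud and once from a shell on the application VM itself against 127.0.0.1: if the static CSS still has a multi-second TTFB locally, the delay is in the VM or in httpd (worker exhaustion, slow disk, a handler being applied to static files) and the PHP-to-PostgreSQL link can be set aside for that file; if it is fast locally but slow from outside, the network path between the VMs and the client is the place to look.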


[us...@httpd] apache ajp interconnection Issue

2009-07-29 Thread KK CHN
Hi  list,

I am trying the AJP connector for Apache to Tomcat, using mod_ajp with
Apache 2.2 and Tomcat 5.5 on the Debian platform.

Apache and Tomcat are on separate boxes, both in the same LAN, and the
Apache machine is bound to a public IP address at the firewall level.

This is the virtual host configuration:

# The container directives were stripped by the list archive; the
# <VirtualHost> and <Proxy> lines below are reconstructed and the
# listen address is a guess.
<VirtualHost *:80>
    ServerName demo.mydomain.in
    ProxyPass / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
    <Proxy balancer://mycluster>
        BalancerMember ajp://192.168.31.128:8009/MyJava min=10 max=100
        Allow from all
    </Proxy>
</VirtualHost>

When I access demo.mydomain.in, the home page of MyJava is served by my
Apache box, but when I enter the login name & password to log into the
application and press the submit button, I get an error in the browser:
the requested resource path is incorrect.

But if I access the MyJava application from the IP address of the Tomcat
box via http://Ipaddress:8080/MyJava, I am able to log in and perform
actions in the Java application.

What did I make wrong? Is there any error in the VHost entry?

Let me request your valuable advice and hints to solve the issue.


Thanks in advance
kk


[us...@httpd] .htpasswd login failure

2009-03-05 Thread KK CHN
Hi List,


I added a block for restricting access to my web site URL. I used the
Basic Authentication module.

I created the user with:

    # htpasswd -c .htpasswd test
    password: test

and restarted Apache. The path to AuthUserFile is the absolute system
path; there is no error in that.

But when I try to access my site's URL it shows the Authentication
dialogue; I enter username: test, password: test, but it is not logging
in.

I recreated the password many times with other user names and passwords,
but still I can't log in.

What may be the issue? How can I fix the issue?

This is the setup:

[r...@sun /usr/local/www/testblock]# ls -al
total 6
drwxr-xr-x   2 www   www512 Mar  5 19:13 .
drwxr-xr-x  11 root  wheel  512 Mar  5 16:10 ..
-rw-r-xr-x   1 www   www 19 Mar  6 09:52 .htpasswd
[r...@sun /usr/local/www/testblock]# cat .htpasswd
test:Nkw3seTaTE16I
[r...@sun /usr/local/www/testblock]#



# The container directives were stripped by the list archive; the
# <VirtualHost> and <Location> lines below are reconstructed from the
# blank lines left in the original, and the listen address is a guess.
<VirtualHost *:80>
    ServerName mysite.com
    <Location />
        AuthType Basic
        AuthName "Auth"
        AuthUserFile "/usr/local/www/testblock/.htpasswd"
        Require valid-user
        RewriteEngine On
        RewriteRule ^/(.*) http://127.0.0.1:8081/VirtualHostBase/http/mysite.com:80/site1/VirtualHostRoot/$1 [L,P]
    </Location>
    ErrorLog /var/log/apache/site1/error_log
    CustomLog /var/log/apache/site2/access.log combined
</VirtualHost>


Any hints most welcome

Thanks in advance
KK


[us...@httpd] how to do a Password protection for a RewriteRule based VirtualHost

2009-03-05 Thread KK CHN

# The <VirtualHost> container was stripped by the list archive; it is
# reconstructed here and the listen address is a guess.
<VirtualHost *:80>
    ServerName mydomain.com
    RewriteEngine On
    RewriteRule ^/(.*) http://127.0.0.1:8081/VirtualHostBase/http/www.mydomain.com:80/site1/VirtualHostRoot/$1 [L,P]
    ErrorLog /var/log/apache/mysite.com/error_log
    CustomLog /var/log/apache/mysite.com/access.log combined
</VirtualHost>




Now everyone can access the site mydomain.com.

But I want to restrict this access to a group of members; when they type
www.mydomain.com it should prompt for a username and password.

I know I can do it for directories, but is it possible for a
RewriteRule section? How can we do it?


Any hints & suggestions most welcome

Thanks in advance
KK
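For both the .htpasswd failure above and the question of password-protecting a RewriteRule-proxied VirtualHost, it helps to see exactly what mod_auth_basic checks: the Authorization header the browser sends after the dialog, the AuthUserFile lookup, and the hash comparison. The script below is an added example, not httpd code and not from either thread; it reimplements those steps for the {SHA} and crypt(3) htpasswd formats only, and the AuthUserFile contents it uses are constructed.

```python
"""Walk through what mod_auth_basic does with a login: decode the
Authorization header, look the user up in AuthUserFile, and compare the
password with the stored hash. Useful for checking an .htpasswd entry by
hand when the browser dialog keeps reappearing.

Added example for the two Basic-auth threads above; it is not httpd code.
It handles the {SHA} and crypt(3) htpasswd formats only (no $apr1$ or
bcrypt), and the htpasswd text below is constructed.
"""
import base64
import binascii
import hashlib
import hmac


def sha_entry(user, password):
    """Build an htpasswd line in the {SHA} format (what htpasswd -s writes)."""
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest())
    return f"{user}:{{SHA}}{digest.decode('ascii')}"


def load_htpasswd(text):
    """Parse htpasswd file contents into {user: stored_hash}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def verify_password(password, stored):
    """Compare a cleartext password against one stored htpasswd hash."""
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
        return hmac.compare_digest(digest, stored[5:])
    # 13-character entries such as test:Nkw3seTaTE16I are crypt(3) DES hashes
    # (the htpasswd default on the platform in the thread). Python's crypt
    # module is gone in 3.13, so such entries are reported as unverifiable.
    try:
        import crypt
    except ImportError:
        return False
    return hmac.compare_digest(crypt.crypt(password, stored), stored)


def make_basic_header(user, password):
    """Produce the header value a browser sends after the login dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_authorization(header, users):
    """Return (accepted, username) for one Authorization header value."""
    scheme, _, cred = header.partition(" ")
    if scheme.lower() != "basic":
        return (False, None)
    try:
        raw = base64.b64decode(cred.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return (False, None)
    user, sep, password = raw.partition(":")
    if not sep or user not in users:
        return (False, user or None)
    return (verify_password(password, users[user]), user)


# Constructed AuthUserFile contents for user "test" with password "test".
SAMPLE_HTPASSWD = sha_entry("test", "test") + "\n"

if __name__ == "__main__":
    users = load_htpasswd(SAMPLE_HTPASSWD)
    for user, pw in (("test", "test"), ("test", "wrong"), ("nobody", "test")):
        print(user, pw, check_authorization(make_basic_header(user, pw), users))
```

Feed it the real AuthUserFile contents and a header built from the credentials typed into the dialog: if check_authorization accepts them here, the file and password are fine and the problem is in how httpd applies the directives (the container the auth directives live in, the file being readable by the httpd user). Once Apache does accept the credential, a RewriteRule with the P flag proxies the request with its Authorization header intact to the backend on 127.0.0.1:8081, so the backend's own handling of that header is worth checking separately when the dialog keeps returning.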