My B2 has been hacked! Twice?

[jamerson]

Hi!

I got home yesterday to find my internet connection down. I called my ISP who told me that it had been closed by them since they had been getting a LOT of e-mail spam reports on my IP address the last two weeks or so.

These reports started coming on February 14th. That day I added a new domain do my bubba, installing wordpress for it.
The one shady thing I did during that installation was that I for a very short period of time chmod'ed the upload folder to 777 to see what user did the uploads through the wp admin. I then chmodd'ed the upload folder back and chown'ed the upload folder to that user.
I also added the new domain to bubbadomains in /etc/postfix (if that's where it's located )

That's all that I can remember from that day.

So: Yesterday I turned all e-mail services off on my Bubba2 and told my ISP that they can safely turn my connection back on. They did. But as I re-connected the Bubba I saw the network traffic starting to take off. And the reason seems to be a file called y2kupdate that causes this. A line in the syslog says (over and over and over):
bubba /USR/SBIN/CRON[16436]: (www-data) CMD (tmp/lib/y2kupdate >/dev/null 2>&1)

When I saw this I just turned the Bubba2 off.

"What should I do?" is my simple question.

/pelle

[RandomUsername]

Just found this which seems relevant:

http://riaschissl.blogspot.com/2010/05/ ... pdate.html

First thing I'd do is change all your passwords, including root and admin.

delete /tmp/lib/y2kupdate and what appears to be the associated cron job (dir /etc/cron*).

Not sure what else really. Before you delete the y2kupdate file it would be interesting to see its contents I suppose.

Also, I modded my apache config to force https on all connections to the server's admin interface and email. If you access yours from outside your LAN I suggest you do the same.

[Binkem]

I found this link:

http://www.directadmin.com/forum/archiv ... -6239.html

It may be related to having folders that are accessible from the internet and that have a 777 setting, thus enabling anyone on the internet to write (malicious) data there.

[jamerson]

The y2kupdate would be explained by this.
And that does not worry me that much. The e-mail spam seems like a more severe break-in. Could that too be made from the temporarily 777-ed upload folder? Seems to me that a hacker would need to go deeper to use my server to send e-mails... I don't know.

/pelle

[Binkem]

The easiest way to send lots of spam mail is by using a open-relay server. If your Bubba accepts smtp without asking for a username or password anyone can use it for spamming. It may also be that your paaswords have been stolen thus enabling the spammers to send mail using your Bubba you might check your logs for this. Safest is to start your Bubba without internet connection in order to investigate this. Or possibly some program hasd been installed on your Bubba that sends spam by itself.

[Ubi]

people, please. stop speculating and look at the evidence.

Yes, there was a 777 folder somewhere, but it does not mean anything, as it is merely bits in a file. The *real* issue here is that a cron job has been started. So t seems the 777 folder was readable by apache!. My first question would be which UID created this cronjob. Is it in /etc/crontab or in a personal cron folder. Whose folder is that? Also, which UID owns this weird file /tmp/bin/y2kupdate? Then I'd look in the mail logs to see which UID initiated those mails. If any of these UIDs traces back to a local, then your user account is compromised. If the UID is apache, there is a malicious web page uploaded that is being executed. Most likely this malicious webpage is in that 777 folder of yours. Use the HTTP logfiles to see which IP address uploaded that page, and which IP address is accessing it. Oh yes, kill that file!!!

Other weird things: all services were apparently shut down but upon reconnection there was an increase in traffic. So this means not all services were down doesn't it?

The first thing I'd to is block ALL incoming traffic from anywhere but local network to Bubba. Do this by modding the firewall rules on bubba or on the adsl router if you have one. Then change the firewall to drop ALL outgoing email traffic to anywhere, including local network.
Then look at the mail queue to see what's going on

If that /tmp/lib folder is owned by root, your root account is compromised. If not, note the owner of that folder, chown it to root, chmod to 700 and keep it for postmortem analysis.

[Ubi]

ah yes, and change the passwords for wordpress. it seems that the uploads folder for wordpress is serveable by apache, creating a free ride to your whole machine to whoever manages to upload some pages. You know like PHP pages. What a piece of shitware.

Sticking apache into cron-deny might also be a good idea