You only know if the attack is specific to B23 owners if you can verify no other vulnerable machines are targeted. It's like saying that only Windows users cause car accidents if your entire sample size is made up of Windows users. It is classical sampling error.
Fortunately Excito has not announced any of this as a big threat (or small) since it came to their knowledge 6 days ago.
It is reassuring to non-Linux experts like myself to know that the severity of all this is lower than worth announcing as a threat, followed by recommended precautions.
How would you propose Excito goes about this announcement then? There isn't exactly a registration requirement for purchase of a B2/3, so nobody knows who the customers are. Would you like an advert in all of the world's newspapers?
Oh and when was the last time you heard Apple or Microsoft hand out a fix within 6 days after discovery? I think they're doing a pretty good job.
As you can see from the above it's still not quite sure what's going on and whether the proposed fix is adequate. Announcing a problem without a cure is not very useful if the cure is just days away. I'm sure once this is more clear there will be an official announcement in the section that you point out.
Caught my server sending out spam to mostly Swedish email addresses and got mighty suspicious since I was pretty sure I'd restricted SMTP to localhost. After an hour of poking around found enough to find my way to this thread. What I've found and cleaned out so far:
- /tmp/sw containing the spamming package
- www-data crontab entry pointing to a script that doesn't seem to exist: * * * * * /tmp/update >/dev/null 2>&1
- an attack script pulled off a Russian server.. was running as two processes named '-bash'
.. pretty sure I've gotten all of it out and the patch is applied, let's wait and see if something odd pops up again. Looks like I first got probed at the start of November but didn't notice anything before the spam portion fired up today.
Going through all they've been running through the exploit and looks like we could be having a much worse time of this. Most of the exploits actually fail because of the ARM platform .. security by accident .. "a: line 21: ./bash: cannot execute binary file" .. your apache error_log will probably provide an entertaining read if you want to follow along on everything.
More attack cruft I've found:
- /dev/shm/.a (failed to do any damage on an ARM system)
- various bitcoin miners seem to have been attempted but looks like they've also been removed, all failed again due to ARM.
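The indicators listed in the two posts above (a www-data cron entry pointing into /tmp, '-bash' processes owned by the web-server account, payloads staged in /tmp and /dev/shm) lend themselves to a quick triage check. The script below is an added example, not code from the thread or from Excito; it reads a crontab and a process listing from stdin so it can be fed `crontab -u www-data -l` and `ps -eo user,pid,args` on a real box, and the sample data embedded here is constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the forum posts above: sift a web-server account's
# crontab and a process listing for the kind of indicators Johan describes
# (a cron job in /tmp, '-bash' processes owned by www-data, anything running
# out of scratch directories). Both functions read stdin, so on a real host
# you would feed them `crontab -u www-data -l` and `ps -eo user,pid,args`;
# the samples below are constructed so the script runs offline.

# Non-comment cron lines whose command path sits in a world-writable
# scratch directory. www-data normally has no crontab at all.
suspicious_cron() {
    grep -v '^[[:space:]]*#' | grep -E '(^|[[:space:]])/(tmp|var/tmp|dev/shm)/'
}

# Processes owned by www-data that are either a login shell ('-bash', which a
# web-server account has no business running) or started from a scratch dir.
# Expects `ps -eo user,pid,args` layout: USER PID COMMAND [ARGS...].
suspicious_procs() {
    awk 'NR > 1 && $1 == "www-data" &&
         ($3 == "-bash" || $3 ~ /^\/(tmp|var\/tmp|dev\/shm)\//)'
}

# Constructed sample data; the /tmp/update line mirrors the one quoted above.
SAMPLE_CRON='# m h dom mon dow command
* * * * * /tmp/update >/dev/null 2>&1
0 3 * * * /usr/bin/php /var/www/cleanup.php'

SAMPLE_PS='USER PID COMMAND
root 1 /sbin/init
www-data 2140 /usr/sbin/apache2 -k start
www-data 2455 -bash
www-data 2456 -bash
johan 3001 -bash
www-data 2460 /tmp/sw/spam.pl'

echo "== suspicious cron entries =="
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron
echo "== suspicious www-data processes =="
printf '%s\n' "$SAMPLE_PS" | suspicious_procs
```

A '-bash' owned by a human user (johan in the sample) is an ordinary login shell and is deliberately not flagged; the same name under www-data is what made it stand out in the post.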
Gordon wrote: Well I guess that with these last few posts the backdoor is exposed again (to a hacker reading this board).
Can you elaborate on why knowing this would open the backdoor again?
That's probably my bad. I got suspicious when I found two php files in cgi-bin and thought the one only named php was a possible back door. If they do read the forum, they now know the name of the "original" one, so to speak (I won't name it again).
I must admit I was a bit confused since it was an ARM binary, but I have gcc installed so I couldn't be sure and I dared not run it to see what would happen. Sorry again for breaking your protection
/Johan
PS Maybe you should remove the posts where we name the files.
Yes I understood this, but I still don't know why knowing about it would let them in again? It's not like they can just run any file in that directory, right?
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
No they cannot. CGI-BIN is not indexable. However if php5.orig is executable then it can be accessed from outside and the vulnerability remains, but you added a layer of security through obscurity. Real protection would then come from either removing the execute flag from php5.orig or moving that file out of the /cgi-bin/ folder where it can no longer be executed by apache.
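The point of the reply above is that in a CGI directory the file name is not the control, the execute bit is: anything executable in a ScriptAlias'd directory can be requested by URL whether or not it is listed. The script below is an added example, not code from the thread or from Excito, that lists the executable files in a CGI directory and applies the two fixes named above (clear the execute bit, or move the file out). The real cgi-bin path on a B2/B3 is an assumption to confirm in the Apache config; the demo populates a temporary directory with constructed files so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: find files in a CGI directory that
# Apache could execute, and apply the two fixes given above (clear the
# execute bit, or move the file out of cgi-bin). The real cgi-bin path on a
# B2/B3 is an assumption to check in the Apache config; here a temporary
# directory is populated with constructed files so the script runs offline.

# Regular files directly in DIR with any execute bit set: these are what a
# ScriptAlias'd directory hands to the CGI handler on request.
list_executable_cgi() {
    find "$1" -maxdepth 1 -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Fix 1: drop the execute bits. Apache will not run a non-executable CGI,
# so the file can stay in place for later inspection.
neutralise_in_place() {
    chmod a-x "$1"
}

# Fix 2: move the file out of the CGI directory into a quarantine dir
# that Apache does not serve.
quarantine() {
    mkdir -p "$2" && mv "$1" "$2/"
}

demo() {
    cgi="$(mktemp -d)"
    : > "$cgi/php5"        # constructed stand-in for the live CGI binary
    : > "$cgi/php5.orig"   # constructed stand-in for the leftover copy
    : > "$cgi/README"      # non-executable, should never be listed
    chmod 755 "$cgi/php5" "$cgi/php5.orig"

    echo "== executable CGI files before =="
    list_executable_cgi "$cgi"

    neutralise_in_place "$cgi/php5.orig"
    echo "== after clearing the execute bit on php5.orig =="
    list_executable_cgi "$cgi"

    rm -rf "$cgi"
}

demo
```

Run the listing once after applying the patch and again after any cleanup: the only entries left should be the CGI programs you actually intend to serve.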