Please note the new address for this forum : forum.excito.org. The old address redirects here but I don't know for how long. Thanks !
I have been attacked and don't know why.
Re: I have been attacked and don't know why.
Actually changing the original bubba page/vhost is as simple as changing the listen address from *:80 to <lanIP>:80. The next thing is to create a second vhost that does listen to *:80 and which should be loaded before bubba vhost. It's good to know that Apache loads the vhost profile files in alphanumerical order, so a smart solution is to name that file 00-default. I can post mine if you like.
I normally use the web UI to do system updates, but tonight the update daemon is down so I couldn't update to the security patch.
johannes wrote:
Ok, we are doing the final testing today and tomorrow, if any of you would like to use our test version already now you are very welcome:
Code:
change_distribution hugo
apt-get update
apt-get install bubba-frontend
change_distribution elvin
apt-get update
I ssh'd and wrote
change_distribution elvin
apt-get update
3 packages got downloaded.
Do I need to write more cmd's, or is the system updated with the latest sec patch?
Thanks for your help!
Re: I have been attacked and don't know why.
Just my 2 cents:
B3 currently has PHP version 5.3.3-7+squeeze4ex1, which dates back to July 2011.
Debian Squeeze has since received 13 security updates/fixes and is currently at version 5.3.3-7+squeeze17 (see here: http://ftp-master.metadata.debian.org/c ... _changelog).
Don't you think this is worth a consideration to include
Code:
http://security.debian.org/ squeeze/updates
in the sources list?
This php5 story is just one issue; there are also a lot of other security fixes for various components in Squeeze. Squeeze is still maintained, at least till May next year.
Regards,
Ingo
UNIX is user friendly, it's just picky about who its friends are.
Re: I have been attacked and don't know why.
Quote:
I ssh'd and wrote
change_distribution elvin
apt-get update
3 packages got downloaded.
Do I need to write more cmd's, or is the system updated with the latest sec patch?
I am not sure, the correct commands are:
Code:
change_distribution elvin
apt-get update
apt-get dist-upgrade
You can check the version number in the web UI, which should be 2.6.0.1 right now.
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
Re: I have been attacked and don't know why.
Ah, thanks! 

Re: I have been attacked and don't know why.
Nicked a couple of them last weekend:
- If you have the /tmp/update in www-data's crontab there's not much to worry about. This bot is based on running an i386 ELF binary, which won't run on your B3.
- There was a second one that will be harder to detect, however you will notice severely slow response from your B3. It downloads a file named robots.txt, which is fairly common and therefore not suspicious but in this case contains a perl script. When run this script will spawn a second instance of this process and hide it with a fake process name set by the hacker (in my case this was `xauditd`). The script opens an IRC channel to a machine (in Japan) that is controlled by the hacker to receive commands. Apparently it is designed to scan the web and find sites that use a CMS that allows loading files from another server. It can however also perform port scans and do flood attacks on other servers. Lastly it can run arbitrary commands on your machine.
- Third one is a variation on the second. The perl script is now packed inside a self extracting archive (UPX). No harm for the B3 this one, because the self extract code is again for i386. The controlling machine for this one is in Russia. Quite deviously this one hides the script in your process listing as `/usr/sbin/apache2 -k start`.
- Fourth one I'm not sure. MO appears the same as #2, but the server that I'm supposed to download the script from refuses connection. The server appears to be owned by a cloud server provider, so possibly it is only available in certain (day) time slots.
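An added check (not code from the thread) for the masquerading Gordon describes: a perl script can set any name it likes in the ps COMMAND column, but /proc/<pid>/exe still points at the interpreter, so the two are compared here, with a high-CPU flag for the slow-B3 symptom. The sample listing, the SAMPLE_EXE map and the 50% threshold are my own constructions; on a live host call find_impostors(ps_output) without exe_of so that /proc is read directly.

```python
"""Spot processes whose argv claims one program but whose executable is another."""
import os

# Constructed ps aux sample (not from the thread): two genuine apache2 workers
# and one impostor that renamed itself to look like a worker.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2588 0.0 1.9 83828 10228 ? Ss Nov18 0:08 /usr/sbin/apache2 -k start
www-data 2637 0.0 1.1 84852 5872 ? S Nov18 0:00 /usr/sbin/apache2 -k start
www-data 4711 97.3 1.3 12452 6712 ? R Nov18 412:10 /usr/sbin/apache2 -k start
"""
# Constructed stand-in for os.readlink('/proc/<pid>/exe') on that sample host.
SAMPLE_EXE = {2588: "/usr/sbin/apache2", 2637: "/usr/sbin/apache2", 4711: "/usr/bin/perl"}

def parse_ps_aux(text):
    """Yield (user, pid, cpu, command) from `ps aux` output, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split(None, 10)
        if len(fields) == 11:
            yield fields[0], int(fields[1]), float(fields[2]), fields[10]

def real_exe(pid):
    """Executable a live process was started from; '?' for kernel threads or no permission."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return "?"

def find_impostors(ps_text, exe_of=real_exe, cpu_threshold=50.0):
    """Return [(pid, user, claimed, actual, reason)] for suspicious processes.

    A perl script can rewrite its own argv (via $0) so `ps` shows any name it
    likes, but /proc/<pid>/exe still resolves to /usr/bin/perl. Flag a process
    when the binary named in its command line is not the one it runs from, or
    when a 'worker' burns far more CPU than its siblings.
    """
    hits = []
    for user, pid, cpu, cmd in parse_ps_aux(ps_text):
        claimed = cmd.split()[0].strip("-():")   # '-bash', '(squid)', 'avahi-daemon:'
        if claimed.startswith("["):              # kernel thread, nothing to compare
            continue
        actual = exe_of(pid)
        if actual != "?" and os.path.basename(actual) != os.path.basename(claimed):
            hits.append((pid, user, claimed, actual, "argv names a different binary"))
        elif cpu >= cpu_threshold:
            hits.append((pid, user, claimed, actual, f"{cpu}% CPU"))
    return hits

if __name__ == "__main__":
    for hit in find_impostors(SAMPLE_PS, exe_of=lambda p: SAMPLE_EXE.get(p, "?")):
        print(hit)
```

Interpreter wrappers will also show up as mismatches (on Debian /bin/sh resolves to dash, /usr/bin/python to a versioned binary), so treat hits as leads to inspect by hand rather than verdicts.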
Re: I have been attacked and don't know why.
Gordon, thanks for all the information.
I did the Ubi trick, and apt-get updated my system to 2.6.1.
You were talking about the apache2... -k start; this is what I found in (ps aux):
Code:
root 2588 0.0 1.9 83828 10228 ? Ss Nov18 0:08 /usr/sbin/apache2 -k start
www-data 2591 0.0 0.5 21180 2672 ? S Nov18 0:00 /usr/sbin/fcgi-pm -k start
root 2627 0.0 1.4 78384 7604 ? Ss Nov18 0:00 /usr/bin/php5-cgi
root 2635 0.0 3.4 89292 17548 ? S Nov18 0:01 /usr/bin/php5-cgi
root 2636 0.0 2.9 88032 15344 ? S Nov18 0:00 /usr/bin/php5-cgi
www-data 2637 0.0 1.1 84852 5872 ? S Nov18 0:00 /usr/sbin/apache2 -k start
www-data 2638 0.0 1.2 84852 6608 ? S Nov18 0:00 /usr/sbin/apache2 -k start
www-data 2639 0.0 1.1 84852 5904 ? S Nov18 0:00 /usr/sbin/apache2 -k start
www-data 2641 0.0 1.1 84852 5852 ? S Nov18 0:00 /usr/sbin/apache2 -k start
www-data 2678 0.0 1.1 84852 5880 ? S Nov18 0:00 /usr/sbin/apache2 -k start
www-data 2683 0.0 1.1 84852 5844 ? S Nov18 0:00 /usr/sbin/apache2 -k start
www-data 2684 0.0 1.2 84852 6524 ? S Nov18 0:00 /usr/sbin/apache2 -k start
www-data 2685 0.0 1.1 84852 5856 ? S Nov18 0:00 /usr/sbin/apache2 -k start
www-data 2686 0.0 1.1 84852 5936 ? S Nov18 0:00 /usr/sbin/apache2 -k start
www-data 2690 0.0 1.0 83828 5348 ? S Nov18 0:00 /usr/sbin/apache2 -k start
In auth.log I find this each morning at 06.25 (normal, I guess):
Code:
Nov 18 06:25:04 soul su[3918]: Successful su for nobody by root
Nov 18 06:25:04 soul su[3918]: + ??? root:nobody
Nov 18 06:25:04 soul su[3918]: pam_unix(su:session): session opened for user nobody by (uid=0)
Nov 18 06:25:04 soul su[3918]: pam_unix(su:session): session closed for user nobody
But since the 18th Nov I found this as well in auth.log:
Code:
Nov 19 09:10:01 soul CRON[14449]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 19 09:10:01 soul CRON[14448]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 19 09:10:01 soul CRON[14447]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 19 09:10:01 soul CRON[14449]: pam_unix(cron:session): session closed for user root
Nov 19 09:10:01 soul CRON[14447]: pam_unix(cron:session): session closed for user root
Nov 19 09:10:02 soul CRON[14448]: pam_unix(cron:session): session closed for user root
But the only accepted keyboard-interactive is happening when I log in with my username and pwd:
Code:
Nov 19 09:06:32 soul sshd[14416]: Accepted keyboard-interactive/pam
In the apache2 logs, I found these two (I got many) in access.log:
Code:
221.132.35.243 - - [18/Nov/2013:19:04:09 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 518 "-" "-"
14.17.35.181 - - [19/Nov/2013:07:11:45 +0100] "GET http://www.baidu.com/ HTTP/1.1" 200 1187 "-" "-"
And in error.log I found this:
Code:
[Mon Nov 18 16:48:44 2013] [error] [client 193.26.131.235] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Mon Nov 18 16:48:44 2013] [error] [client 193.26.131.235] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Mon Nov 18 16:48:44 2013] [error] [client 193.26.131.235] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Mon Nov 18 19:04:09 2013] [error] [client 221.132.35.243] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Nov 18 19:07:58 2013] [error] [client 162.220.67.251] File does not exist: /home/web/user
[Tue Nov 19 02:24:49 2013] [error] [client 210.149.29.182] Premature end of script headers: php5
What do you guys say, do I still have open windows?
Thanks for yer response!
Re: I have been attacked and don't know why.
AFAIK these are all regular responses on a Linux system. Those root logins are usually cron jobs and the like. Baidu is a search engine. The php5 error shows that your fix is working.
The w00tw00t is an exploit scanner that has been around for a while. If it eats too much bandwidth you can block it like this: http://serverfault.com/questions/125607 ... 0t-attacks
Maybe I missed something really stupid though...
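To separate the expected entries from the scanner noise in the three logs posted above, here is an added triage script; it is not from the thread, and the labels it hands out are my own reading of the replies (cron sessions and the 06:25 su are routine, ssh logins are returned for the owner to confirm, w00tw00t and /cgi-bin/php* probes are scanners). The sample lines are copied from the posts above.

```python
"""Triage the auth.log, access.log and error.log lines posted above."""
import re
from collections import Counter
# Sample lines copied from the posts above (a few of each kind).
AUTH_LOG = [
    "Nov 18 06:25:04 soul su[3918]: Successful su for nobody by root",
    "Nov 19 09:10:01 soul CRON[14449]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Nov 19 09:10:01 soul CRON[14449]: pam_unix(cron:session): session closed for user root",
    "Nov 19 09:06:32 soul sshd[14416]: Accepted keyboard-interactive/pam",
]
ACCESS_LOG = [
    '221.132.35.243 - - [18/Nov/2013:19:04:09 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 518 "-" "-"',
    '14.17.35.181 - - [19/Nov/2013:07:11:45 +0100] "GET http://www.baidu.com/ HTTP/1.1" 200 1187 "-" "-"',
]
ERROR_LOG = [
    "[Mon Nov 18 16:48:44 2013] [error] [client 193.26.131.235] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi",
    "[Mon Nov 18 16:48:44 2013] [error] [client 193.26.131.235] script not found or unable to stat: /usr/lib/cgi-bin/php4",
    "[Tue Nov 19 02:24:49 2013] [error] [client 210.149.29.182] Premature end of script headers: php5",
]
CLIENT = re.compile(r"\[client ([\d.]+)\]")

def classify_auth(line):
    """Label an auth.log line; ssh logins are handed back for the owner to confirm."""
    if "pam_unix(cron:session)" in line:
        return "cron-session"          # local scheduler, opened by uid=0, closed at once
    if "Successful su for nobody by root" in line:
        return "daily-su-nobody"       # the 06:25 maintenance job seen every morning
    if "sshd[" in line and "Accepted" in line:
        return "ssh-login:CONFIRM"     # fine only if it matches your own session
    return "other"

def classify_access(line):
    """Label a common-log-format request; returns (client ip, label)."""
    ip, request = line.split(" - - ")[0], line.split('"')[1]
    target = request.split()[1]
    if "w00tw00t" in target:
        return ip, "scanner:w00tw00t"  # DFind scanner fingerprint
    if target.startswith(("http://", "https://")):
        return ip, "scanner:open-proxy"  # absolute URI = looking for an open proxy
    return ip, "normal"

def classify_error(line):
    """Label an Apache error_log line; returns (client ip, label)."""
    m = CLIENT.search(line)
    ip = m.group(1) if m else "?"
    if "/cgi-bin/php" in line:
        return ip, "scanner:php-cgi"   # hunting for a reachable php cgi binary
    if "Premature end of script headers" in line:
        return ip, "php-cgi-refused"   # CGI exited without output; the thread reads this as the patch working
    return ip, "other"

def triage(auth, access, error):
    """Count labels across the three logs and collect source IPs per scanner label."""
    labels = Counter(classify_auth(l) for l in auth)
    sources = {}
    for ip, label in [classify_access(l) for l in access] + [classify_error(l) for l in error]:
        labels[label] += 1
        if label.startswith("scanner:"):
            sources.setdefault(label, set()).add(ip)
    return labels, sources
```

The sets in `sources` are what you would feed a firewall block list or the fail2ban-style filter linked above; the `ssh-login:CONFIRM` count is the one number to check against your own login times.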
Re: I have been attacked and don't know why.
Thanks Ubi!
I really appreciate your quick response.
Re: I have been attacked and don't know why.
Hi Norman,
No need to worry about those apache2 processes. If they are the hacker's perl script you'll see a huge CPU load from them and these don't have that. Point is that it can be any process and unless you manage to get hold of the original script you will not know beforehand what name it uses.
The request for `w00tw00t` is another hack. I think it is some kind of identification for a backdoor, so these are just the sorry bunch trying to piggyback on the actual hackers. I actually filter those a*holes at my firewall and they get moved to the penalty box where they will not see my B3 at all for quite a substantial amount of time.
Those scans for /cgi-bin/php* are unavoidable I'm afraid. It's the hacker's script trying to find an accessible php cgi that he can use to attempt his exploit.
Re: I have been attacked and don't know why.
Thanks Gordon! 

Re: I have been attacked and don't know why.
This is a listing of my ps aux....
I see a cpu load of 6,2 and 6,3 at /usr/bin/php5-cgi....but is this huge/abnormal behaviour?
I use owncloud, limesurvey.....
Puma
Code:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 2076 600 ? Ss Nov17 0:02 init [2]
root 2 0.0 0.0 0 0 ? S Nov17 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S Nov17 0:20 [ksoftirqd/0]
root 6 0.0 0.0 0 0 ? S Nov17 0:26 [rcu_kthread]
root 7 0.0 0.0 0 0 ? S< Nov17 0:00 [khelper]
root 8 0.0 0.0 0 0 ? S Nov17 0:00 [kworker/u:1]
root 139 0.0 0.0 0 0 ? S Nov17 0:00 [sync_supers]
root 141 0.0 0.0 0 0 ? S Nov17 0:00 [bdi-default]
root 143 0.0 0.0 0 0 ? S< Nov17 0:00 [kblockd]
root 149 0.0 0.0 0 0 ? S< Nov17 0:00 [ata_sff]
root 160 0.0 0.0 0 0 ? S Nov17 0:00 [khubd]
root 164 0.0 0.0 0 0 ? S< Nov17 0:00 [md]
root 180 0.0 0.0 0 0 ? S< Nov17 0:00 [rpciod]
root 189 0.0 0.0 0 0 ? S Nov17 0:35 [kswapd0]
root 241 0.0 0.0 0 0 ? S Nov17 0:00 [fsnotify_mark]
root 250 0.0 0.0 0 0 ? S< Nov17 0:00 [nfsiod]
root 257 0.0 0.0 0 0 ? S< Nov17 0:00 [crypto]
root 363 0.0 0.0 0 0 ? S Nov17 0:00 [scsi_eh_0]
root 366 0.0 0.0 0 0 ? S Nov17 0:00 [scsi_eh_1]
root 369 0.0 0.0 0 0 ? S Nov17 0:00 [kworker/u:2]
root 377 0.0 0.0 0 0 ? S< Nov17 0:00 [orion_spi]
root 382 0.0 0.0 0 0 ? S Nov17 0:00 [mtdblock0]
root 387 0.0 0.0 0 0 ? S Nov17 0:00 [mtdblock1]
root 392 0.0 0.0 0 0 ? S Nov17 0:00 [mtdblock2]
root 484 0.0 0.0 0 0 ? S Nov17 0:01 [md0_raid1]
root 488 0.0 0.0 0 0 ? S Nov17 0:00 [scsi_eh_2]
root 489 0.0 0.0 0 0 ? S Nov17 0:52 [usb-storage]
root 497 0.0 0.0 0 0 ? S Nov17 0:02 [kjournald]
root 539 0.0 0.0 3144 416 ? S<s Nov17 0:00 udevd --daemon
root 602 0.0 0.0 0 0 ? S Nov17 0:00 [mv_crypto]
root 614 0.0 0.0 0 0 ? S Nov17 0:00 [scsi_eh_3]
root 624 0.0 0.0 0 0 ? S Nov17 0:00 [usb-storage]
root 639 0.0 0.0 0 0 ? S< Nov17 0:00 [cfg80211]
root 725 0.0 0.0 0 0 ? S Nov17 0:03 [flush-8:0]
root 974 0.0 0.0 0 0 ? S Nov17 0:00 [kjournald]
root 978 0.0 0.0 0 0 ? S Nov17 0:00 [kjournald]
root 1168 0.0 1.1 78384 5784 ? Ss Nov17 0:00 /usr/bin/php5-cgi
root 1172 0.0 0.2 27540 1168 ? Sl Nov17 0:02 /usr/sbin/rsyslogd -c4
root 1174 0.0 0.0 1520 264 ? Ss Nov17 0:00 startpar -f -- bubba-adminphp
root 1241 0.0 0.2 19332 1160 ? S Nov17 0:00 /usr/bin/python /usr/sbin/bubba-album-inotifyd
root 1245 0.0 0.2 38060 1192 ? Ssl Nov17 0:00 /usr/sbin/bubba-igd --verbose=4
110 1253 0.0 0.1 3732 788 ? Ss Nov17 0:00 /usr/bin/dbus-daemon --system
avahi 1265 0.0 0.2 3372 1228 ? S Nov17 0:00 avahi-daemon: running [b3.local]
avahi 1266 0.0 0.0 3244 412 ? S Nov17 0:00 avahi-daemon: chroot helper
root 1271 0.0 0.0 3140 444 ? S< Nov17 0:00 udevd --daemon
dnsmasq 1282 0.0 0.1 2812 856 ? S Nov17 0:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u d
root 1290 0.0 1.3 16688 7136 ? S Nov17 0:00 /usr/bin/python /usr/bin/twistd --syslog --pidfile=/va
root 1294 0.0 1.7 23436 9252 ? Sl Nov17 0:01 /usr/bin/python /usr/bin/twistd --syslog --pidfile=/va
root 1304 0.0 1.9 83828 9884 ? Ss Nov17 0:10 /usr/sbin/apache2 -k start
www-data 1308 0.0 0.5 22204 2724 ? S Nov17 0:00 /usr/sbin/fcgi-pm -k start
root 1316 0.0 0.1 2476 868 ? Ss Nov17 0:01 /usr/sbin/cron
108 1330 0.0 0.2 5452 1344 ? Ss Nov17 0:05 /usr/bin/fetchmail -f /etc/fetchmailrc --pidfile /var/
root 1348 0.0 0.0 1708 456 ? S Nov17 0:08 /usr/sbin/ifplugd -i eth0 -q -f -u0 -d10 -w -I
root 1356 0.0 0.0 1708 456 ? S Nov17 0:09 /usr/sbin/ifplugd -i eth1 -q -f -u0 -d10 -w -I
root 1360 0.0 0.1 3412 792 ? Ss Nov17 0:00 /usr/sbin/incrond -f /etc/incron.conf
root 1370 0.0 0.1 2496 608 ? Ss Nov17 0:00 /sbin/mdadm --monitor --pid-file /var/run/mdadm/monito
root 1402 0.0 0.1 1720 528 ? S Nov17 0:00 /bin/sh /usr/bin/mysqld_safe
ntp 1463 0.0 0.3 5428 1820 ? Ss Nov17 0:14 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 104:108
mysql 1540 0.2 5.4 143744 28076 ? Sl Nov17 6:20 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mys
root 1541 0.0 0.1 1640 524 ? S Nov17 0:00 logger -t mysqld -p daemon.error
root 1608 0.0 0.1 6468 672 ? Ss Nov17 0:00 /usr/sbin/squid -D -YC
proxy 1860 0.1 2.9 19784 15280 ? S Nov17 3:39 (squid) -D -YC
proxy 1877 0.0 0.0 1500 332 ? S Nov17 0:01 (unlinkd)
root 1956 0.0 0.3 6752 1756 ? Ss Nov17 0:01 /usr/lib/postfix/master
root 2005 0.0 0.1 2304 712 ? Ss Nov17 0:01 dhclient -v -pf /var/run/dhclient.eth0.pid -lf /var/li
root 2087 0.0 0.1 6772 928 ? Ss Nov17 0:00 /usr/sbin/sshd
postfix 2112 0.0 0.3 6836 1864 ? S Nov17 0:00 qmgr -l -t fifo -u
root 2206 0.0 0.1 4360 852 ? Ss Nov17 0:08 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
root 2208 0.0 0.3 10936 2048 ? S Nov17 0:02 dovecot-auth
root 2224 0.0 0.4 10936 2100 ? S Nov17 0:01 dovecot-auth -w
root 2229 0.0 0.0 1632 276 ? Ss Nov17 0:00 /sbin/bubba-buttond
root 2285 0.0 0.2 9992 1544 ? Ss Nov17 0:03 /usr/sbin/nmbd -D
root 2287 0.0 0.5 17140 2760 ? Ss Nov17 0:00 /usr/sbin/smbd -D
root 2293 0.0 0.1 1700 524 ttyS0 Ss+ Nov17 0:00 /sbin/getty -L ttyS0 115200 vt100
root 2294 0.0 0.2 17128 1276 ? S Nov17 0:00 /usr/sbin/smbd -D
postfix 2607 0.0 0.4 6872 2492 ? S Nov17 0:00 tlsmgr -l -t unix -u -c
root 2919 0.0 0.4 18644 2472 ? Sl Nov17 0:00 /usr/sbin/console-kit-daemon --no-daemon
root 8274 0.0 0.0 3140 464 ? S< Nov18 0:00 udevd --daemon
www-data 8463 0.0 2.7 89096 14016 ? S Nov18 0:04 /usr/sbin/apache2 -k start
www-data 8467 0.0 1.1 84852 6004 ? S Nov18 0:03 /usr/sbin/apache2 -k start
www-data 8478 0.0 9.6 138120 49864 ? S Nov18 1:11 /usr/sbin/apache2 -k start
www-data 8479 0.0 1.1 84852 6108 ? S Nov18 0:03 /usr/sbin/apache2 -k start
dovecot 8577 0.0 0.3 5584 1888 ? S 00:03 0:00 imap-login
www-data 8659 0.0 2.7 89096 14016 ? S 00:26 0:02 /usr/sbin/apache2 -k start
proxy 9962 0.0 1.9 12028 10128 ? S 06:25 0:09 (squidGuard) -c /etc/squid/squidGuard.conf
proxy 9964 0.0 1.8 11640 9720 ? S 06:25 0:01 (squidGuard) -c /etc/squid/squidGuard.conf
proxy 9967 0.0 1.7 10980 9008 ? S 06:25 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
proxy 9968 0.0 1.6 10448 8460 ? S 06:25 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
proxy 9970 0.0 1.5 9928 7992 ? S 06:25 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
proxy 9971 0.0 1.5 9792 7788 ? S 06:25 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
proxy 9972 0.0 1.4 9260 7248 ? S 06:25 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
proxy 9973 0.0 1.4 9260 7248 ? S 06:25 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
proxy 9975 0.0 0.1 2748 744 ? S 06:25 0:00 (ncsa_auth) /etc/squid/squid_passwd
proxy 9976 0.0 0.0 2616 440 ? S 06:25 0:00 (ncsa_auth) /etc/squid/squid_passwd
proxy 9977 0.0 0.0 2616 440 ? S 06:25 0:00 (ncsa_auth) /etc/squid/squid_passwd
proxy 9980 0.0 0.0 2616 440 ? S 06:25 0:00 (ncsa_auth) /etc/squid/squid_passwd
proxy 9981 0.0 0.0 2616 440 ? S 06:25 0:00 (ncsa_auth) /etc/squid/squid_passwd
www-data 10089 0.0 2.6 90120 13652 ? S 06:36 0:04 /usr/sbin/apache2 -k start
www-data 10092 0.0 2.6 90120 13568 ? S 06:37 0:02 /usr/sbin/apache2 -k start
dovecot 11925 0.0 0.4 5724 2224 ? S 16:34 0:00 imap-login
root 12322 0.0 0.0 0 0 ? S 18:30 0:00 [kworker/0:2]
postfix 12544 0.0 0.3 6792 1684 ? S 19:40 0:00 pickup -l -t fifo -u -c
1001 12710 0.0 0.5 7312 2640 ? S 20:36 0:00 imap
root 12712 0.0 0.0 0 0 ? S 20:36 0:00 [kworker/0:0]
dovecot 12718 0.0 0.4 5724 2220 ? S 20:36 0:00 imap-login
1001 12720 0.0 0.3 5272 1864 ? S 20:37 0:00 imap
dovecot 12721 0.0 0.4 5724 2220 ? S 20:37 0:00 imap-login
1001 12728 0.0 0.3 5248 1796 ? S 20:37 0:00 imap
root 12752 6.2 2.7 87568 14324 ? S 20:44 1:39 /usr/bin/php5-cgi
root 12766 6.3 2.9 87568 14948 ? S 20:45 1:40 /usr/bin/php5-cgi
www-data 12780 0.0 1.1 84852 5980 ? S 20:52 0:00 /usr/sbin/apache2 -k start
www-data 12781 0.0 1.1 84852 5944 ? S 20:52 0:00 /usr/sbin/apache2 -k start
www-data 12823 0.0 1.1 84852 5904 ? S 21:03 0:00 /usr/sbin/apache2 -k start
1001 12845 0.0 0.3 3192 1640 pts/0 Ss 21:06 0:00 -bash
root 12848 0.0 0.2 3668 1460 pts/0 S 21:06 0:00 su
root 12855 0.0 0.3 3200 1652 pts/0 S 21:06 0:00 bash
root 12857 0.0 0.0 0 0 ? S 21:06 0:00 [flush-9:0]
dovecot 12861 0.0 0.3 5584 1936 ? S 21:06 0:00 imap-login
dovecot 12862 0.0 0.3 5584 1936 ? S 21:06 0:00 imap-login
root 12893 0.0 0.1 2576 972 pts/0 R+ 21:11 0:00 ps aux
Linux is like a wigwam - no windows, no gates, apache inside!
Re: I have been attacked and don't know why.
Why is your php5-cgi process running as root? Is that the bubba backend routine?
Re: I have been attacked and don't know why.
Ubi,
I really don't know.
I installed owncloud and limesurvey, which are both owned by root.
Only the data and config folders of owncloud have www-data ownership.
Can I check which process is behind this /usr/bin/php5-cgi load?
Puma
Linux is like a wigwam - no windows, no gates, apache inside!
Re: I have been attacked and don't know why.
Nah, I have the same process. I think I made this mistake before in this thread. The php5-cgi is the backend for the bubba GUI. It shouldn't be eating all your CPU though, but this may be because it is doing something important. If it is still high after hours you may want to restart apache (/etc/init.d/apache2 restart). If I understand the setup correctly this should also reload the php5 process.