Warning - Identified As Attempting to Exploit
The Planet Forums > Control Panels > cPanel/WHM
tutt
Need some help to track this down. I do not think the machine is compromised, but I may have a misbehaving client. What should I do to identify and fix this problem? The ticket opened by EV1 follows:

2/13/2005 10:39:49 AM
2/13/2005 - Abuse - 10:39:48 AM - Abuse - Warning - Identified As Attempting to Exploit - ALL -> Dear Customer,

As you know we have deployed Tipping Point on the Everyones Internet network. See http://forum.ev1servers.net/showthread.php...?threadid=51563 for further information.

Unfortunately your server has been logged, and is currently launching an attack, in an attempt to exploit the vulnerability listed below. We have attached a copy of the logs that have caused your server to be flagged by the Tipping Point system, as well as any pertinent information in regards to the specific vulnerability being exploited. Due to the severity of this activity, we must require that you update this ticket within the next 24 hours. If we do not hear back from you, we will take action to resolve this issue, including removing your server from the network, if necessary.

If you have any questions on how to correct these vulnerabilities, please refer to the link included with this information, or you may ask one of our technical support representatives. If you need any assistance, please contact the Ev1servers.net Support Team, either through the trouble ticket system in the members section of ev1servers.net, or via E-Mail at support@ev1servers.net.

We recognize that you would like to respond to these allegations, and as part of our investigation process, we require your feedback as soon as possible. Please let us know if you have any questions regarding these allegations. To better serve you please log in to the members section and update the trouble ticket, rather than responding to this email.

Thank you for choosing Ev1servers.net. If you feel that this message has reached the wrong party, or that we are in error, please let us know. Your cooperation with this matter is greatly appreciated.
--
Regards,
Jonathan
Abuse Team
EV1Servers.net



Signature Name: 3174: HTTP: phpBB URLDecode Vulnerability
Signature Number: 3174
Signature ID: 00000001-0001-0001-0001-000000003174
Severity ID: 4
Class: Vulnerability
Product Category ID: 5
Protocol: http
Taxonomy: 17107965
CVE ID: NULL
BugTraq ID: 11672
Message: 3174: HTTP: phpBB URLDecode Vulnerability



This filter detects an SQL injection attempt to the viewtopic.php
script, a part of the phpBB bulletin board package. phpBB is a
popular open source bulletin board package for web servers that
integrates with multiple backend database applications. phpBB's
"viewtopic.php" script does not properly sanitize user data
provided in the "highlight" parameter, allowing remote attackers to
execute arbitrary code.

References:

SecurityFocus
http://www.securityfocus.com/bid/11672


2005-02-13 10:03:06 207.44.242.xxx:53243 -> 67.15.98.5:80 Hit Count: 1
2005-02-13 10:11:14 207.44.242.xxx:53863 -> 67.15.16.54:80 Hit Count: 1
2005-02-13 10:17:18 207.44.242.xxx:54268 -> 67.15.16.50:80 Hit Count: 1
2005-02-13 10:19:16 207.44.242.xxx:54374 -> 66.98.242.63:80 Hit Count: 1
2005-02-13 10:20:19 207.44.242.xxx:54449 -> 67.15.42.40:80 Hit Count: 1
2005-02-13 10:24:08 207.44.242.xxx:54707 -> 67.15.76.50:80 Hit Count: 1
2005-02-13 10:30:28 207.44.242.xxx:55169 -> 67.15.72.32:80 Hit Count: 1



2/13/2005 11:33:46 AM
Checking into this now. Please do not pull the server. I will get to the bottom of this and update the ticket shortly.


2/13/2005 11:38:55 AM
How do you recommend looking into this? I suppose I am looking for outgoing http connections to port 80?
How often is my machine sending out the attacks? Is it a constant scanning action or is it directed only at the IP you listed? Does it continue to attack that IP address? This is very important for me to be able to investigate. I do not think my machine is compromised, but I suspect a client of mine who may be doing this. Thank you.
Gary Simat
Check your /tmp for files. Also, you will have a running process that is executing this, most likely perl. I would chmod 000 your wget and mount /tmp noexec,nosuid.
dynamicnet
Greetings:

In addition to /tmp, also check /var/tmp, and /dev/shm

You will want to review securing access to your compiler and fetch utilities, securing /tmp, securing shared memory, and basically making sure your server is as hardened as possible against hackers and crackers.

Thank you.
eth00
Chances are that the offending process is running from /tmp. As dynamicnet suggested, you should remove access to common fetch applications like wget. Something like mod_security with a decent ruleset will patch you against these exploits. However, you should not just stop there; while you are at it, take the time to learn how to harden and secure your server, and take the opportunity to do it.

Though I cannot say for certain your server has not been fully compromised, all of the phpBB-exploited servers I have seen thus far have not had any trouble other than the scanning scripts. Hardening Apache and your /tmp folders, along with a reboot, will probably clear it. That being said, take this as a fair warning that your server is probably not secure and you should do something to get it secure. You were (probably) lucky this time in that you do not require a restore; learn from this experience!

I have some guides on my website that will help you out and should help you avoid this problem again.
Goodspeed
Use this script to fix vulnerable viewtopic.php files

CODE
#!/bin/sh
# Walk every viewtopic.php the locate database knows about and, where the
# vulnerable urldecode() call is present, back the file up and apply the
# phpBB 2.0.11 fix (drop the urldecode() around the "highlight" parameter).
# Needs the "replace" utility shipped with MySQL and an up-to-date locate db.
for i in $(locate viewtopic.php)
do
    if grep -q "htmlspecialchars(urldecode" "$i"; then
        echo "$i" >> vulnerable_phpbbs
        /bin/cp -p "$i" "$i.bak.dec-$(date +%d)"
        # \$ stops the shell from expanding $HTTP_GET_VARS inside double quotes
        replace "trim(htmlspecialchars(urldecode(\$HTTP_GET_VARS['highlight']))));" \
                "trim(htmlspecialchars(\$HTTP_GET_VARS['highlight'])));" -- "$i"
    fi
done


Thanks to timdorr from WHT.
eth00
I would highly suggest still installing mod_security along with that. There have been multiple phpBB exploits in the past few weeks and there are rumors of a new one still out there. The viewtopic patch above will only help prevent the current ones. mod_security will very likely block the new ones as well. It will save you trouble down the road.
kamihacker
QUOTE
Originally posted by eth00
I would highly suggest still installing mod_security along with that. There have been multiple phpBB exploits in the past few weeks and there are rumors of a new one still out there. The viewtopic patch above will only help prevent the current ones. mod_security will very likely block the new ones as well. It will save you trouble down the road.


Upgrading Apache and PHP with the easyapache script is also highly recommended.

regards
PDW
This happens a lot through the EV1 servers.
I never had it happen elsewhere, but this is common with them.
nsp
Today I received a warning from Ev1 regarding a viewtopic.php attack from my server.

Server /tmp is nosuid

But I found this running and killed it.

nobody 8295 0.0 0.0 1520 516 ? S 2004 0:00 ./9000

I did chmod 700 on wget.

What else should I do as I cannot find the 9000 script anywhere.

Server is cpanel/whm latest stable build.

I hope the server does not need a restore!!!

Please help,

Regards.
dynamicnet
Greetings:

While it is good that cpanel is the latest stable build, that in and of itself, does not secure your server.

Thank you.
kamihacker
QUOTE
Originally posted by nsp
Today I received a warning from Ev1 regarding a viewtopic.php attack from my server.

Server /tmp is nosuid

But I found this running and killed it.

nobody    8295  0.0  0.0  1520  516 ?        S     2004   0:00 ./9000

I did chmod 700 on wget.

What else should I do as I cannot find the 9000 script anywhere.

Server is cpanel/whm latest stable build.

I hope the server does not need a restore!!!

Please help,

Regards.


I don't think so, but I'd run chkrootkit and rkhunter just to be sure it's the only thing wrong with the server

I know restores are a hassle, but you could be unplugged in case your hunch that "nothing is wrong" is inaccurate

regards
nsp
QUOTE
Originally posted by dynamicnet
Greetings:

While it is good that cpanel is the latest stable build, that in and of itself, does not secure your server.

Thank you.


I did these now..

1) Fixed all phpbb viewtopic.php
2) Installed mod_security as per http://eth0.us/?q=node/17

I am monitoring for unknown processes coming up with a line like below..

ps wauxw| grep -iv -e spamd -e httpd -e ssh -e exim -e cpanel -e mail -e bash -e minge -e rsync -e ftpd -e entropy -e mysql -e cpsrvd -e xfs -e syslog -e cron -e "]" -e cpop -e gett -e rhnsd -e klogd -e xinet -e portsen -e " su" -e anitr -e " ps" -e cppop -e antirelayd -e clamd -e named -e RSS

Please let me know anything else...

Thanks.
nsp
QUOTE
Originally posted by kamihacker
I don't think so, but I'd run chkrootkit and rkhunter just to be sure it's the only thing wrong with the server

I know restores are a hassle, but you could be unplugged in case your hunch that "nothing is wrong" is inaccurate

regards


chkrootkit and rkhunter went through fine.

Thanks, when you are under pressure any tip comes in as a great help!!

Regards.
Gary Simat
Basically, securing /tmp doesn't help much, because you can still execute the script with sh /tmp/9000.sh if it was in /tmp. It just makes it so you cannot do ./9000 from /tmp. I would suggest installing apf with strict firewall permissions as well; that will stop unauthorized outgoing packets. Also install phpsuexec so you can see what site it's coming from.
nsp
apf is already installed. Only minimum required inbound ports open.
(Any additional tip here welcome)

I need to study phpsuexec so .. (any pointers?)

Thanks
nsp
I am using tcpdump to see outgoing port 80 access from the server..

tcpdump src host `hostname` and dst port 80

Can someone give tips on extending this further to trap the process?

What I am doing is as below in a shell script.

#!/bin/sh
# Wait for one outbound packet to port 80 from this host, snapshot the
# process list at that moment, mail both together, and loop forever.
hst=$(hostname)
while true
do
    # tcpdump options go before the filter expression; -c 1 returns after one packet
    tcpdump -nn -c 1 -w test.txt src host "$hst" and dst port 80
    ps wwauxf > test-ps.txt
    tcpdump -nn -r test.txt > test-tcp.txt
    cat test-tcp.txt test-ps.txt | mail -s "Access:80" email@address
    cat test-tcp.txt
done

Run it on a spare ssh screen. To kill it, press Control+Z and then run kill %1.

Any tips on this welcome..

Thanks.
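One way to extend the tcpdump approach above so that the packet is tied to the process that sent it, as an added example that is not code from the thread: instead of diffing a full ps listing, take the source port from the captured packet and look it up in the socket table (netstat -ntp, assumed available from net-tools on Linux), which gives the PID and its /proc entry. The sample tcpdump and netstat lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: tie an outbound port-80 connection that
# tcpdump reports to the local process owning the socket. Assumes Linux with
# tcpdump and net-tools netstat; sample lines in comments are constructed.

# Pull the local (source) port out of one line of "tcpdump -nn" output, e.g.
#   "10:03:06.123456 IP 207.44.242.10.53243 > 67.15.98.5.80: Flags [S], ..."
# yields 53243. Prints nothing for lines that do not match.
tcpdump_src_port() {
    printf '%s\n' "$1" | sed -n 's/^.* IP [0-9.]*\.\([0-9]*\) > .*$/\1/p'
}

# Read "netstat -ntp" output on stdin and print the PID/program column of the
# socket whose local address ends in ":<port>" (e.g. "8295/./9000").
netstat_owner() {
    awk -v port="$1" '$1 == "tcp" && $4 ~ (":" port "$") { print $7; exit }'
}

# Live use (root): block until one outbound SYN to port 80 leaves this host,
# then look the source port up straight away, because the scanner's
# connection may be short-lived, and show where its binary and cwd live.
trap_outbound_80() {
    host=$(hostname)
    line=$(tcpdump -nn -l -c 1 "src host $host and dst port 80 and tcp[tcpflags] & tcp-syn != 0" 2>/dev/null)
    port=$(tcpdump_src_port "$line")
    owner=$(netstat -ntp 2>/dev/null | netstat_owner "$port")
    pid=${owner%%/*}
    echo "$line"
    echo "local port ${port:-?} owned by ${owner:-unknown (connection already gone)}"
    if [ -n "$pid" ]; then
        ls -l "/proc/$pid/exe" "/proc/$pid/cwd" 2>/dev/null
    fi
}

# Run the live trap only when invoked as "./trap80.sh --live"; sourcing the
# file just defines the functions.
if [ "${1:-}" = "--live" ]; then
    trap_outbound_80
fi
```

A process whose binary has been deleted from /tmp still shows up here as "/proc/PID/exe -> /tmp/9000 (deleted)", which is exactly the case where the earlier "cannot find the 9000 script anywhere" search fails.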