url removed
Here are your boys.
Typically they don't attack FreeBSD boxes, so I am wondering if they planted it there to gain recognition, but it wasn't a sanctioned hack. Have your host save all of their logs on that machine. That box is running an old compromisable sshd and a potentially compromisable bind -- unless someone has hacked the scripts to return false versions, but then, a production machine is no place for a honeypot.
You need to look over any open source software you have on that machine -- the way this particular script works is that it is run from a php script that wgets code that is then executed. That program goes up as far as it can and searches the entire disk for any file that it can write -- and then tries to cleanly write to the pages -- a strong case for NOT running apache setuid.
Any file that is writable by apache can then be overwritten -- as you have seen. I don't know what software you're running, but, commonly wordpress, phpbb, phpmyadmin, some cms software have had holes that allow this. Depending on the version of php running and how the machine is configured, you'll probably find a number of entry points.
You should also search for any script containing passthru|system|exec for angelshell/phpshell/etc. That will probably have been dropped in many locations on the server. There are also scripts that may be dropped in place that mimic other filenames that exec $_ENV variables -- the first search will probably find those.
Securing a box that has been hacked is much harder than reloading things with known good routines. Once a box has been hacked, it's a constant thing. Have your host figure out what the entry point was -- I would start by searching the apache error logs for wget/lynx/GET executed and then figure out by time what scripts were called that could have executed that. Also check /tmp and /var/tmp for the remnants of other botscripts that allow remote access into the machine.
Until you find the entry point, that box will be continually compromised, or could be running a bot allowing them free rein on the box. Have your host check every process that is running -- especially those listening to ports. I wouldn't be surprised to find a few daemons listening to higher ports allowing shell access into the machine.
Good luck with it. It's never fun to recover from things like that.
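The checks the reply lists (grep the web root for passthru/system/exec calls, find files the web server can write, look for wget/lynx in the apache error log, inspect /tmp and /var/tmp, and list listening sockets) as one triage script. This is an added example, not code from the post; the directory layout, the error-log format and the sample tree it builds for an offline run are constructed assumptions, and curl/fetch are added to the download-tool pattern beyond the wget/lynx the post names.

```shell
#!/bin/sh
# Added triage helpers following the post's checklist for a web server
# suspected of hosting dropped PHP shells. Not from the original post;
# the file layout, the log format and the built-in sample data are assumptions.
#   1. PHP files under the web root calling passthru/system/exec/shell_exec
#   2. world-writable files under the web root (where a dropper can land)
#   3. error-log lines showing a download tool (wget/lynx/curl/fetch) being run
#   4. executables left in /tmp and /var/tmp
#   5. processes listening on network ports
# Functions print their findings; their exit status is not meaningful.

# 1. PHP files that call a shell-execution function. The leading
#    (^|[^A-Za-z0-9_]) keeps identifiers such as $executive from matching.
find_webshell_candidates() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        '(^|[^A-Za-z0-9_])(passthru|system|exec|shell_exec|popen|proc_open)[[:space:]]*\(' \
        {} + 2>/dev/null || true
}

# 2. Files anyone can write to. Add "-user www" (FreeBSD's Apache user) or
#    "-user www-data" to also list files the web server owns outright.
find_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null || true
}

# 3. Error-log lines where a script shelled out to a download tool.
#    The post names wget and lynx; curl and FreeBSD's fetch are added here.
grep_fetch_in_log() {
    grep -nE '(^|[[:space:]])(wget|lynx|curl|fetch)([[:space:]]|:)' "$1" 2>/dev/null || true
}

# 4. Executable regular files in temp directories (dotfiles included).
find_tmp_executables() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null || true
    done
}

# 5. Listening sockets. sockstat(1) is the FreeBSD tool; netstat is the fallback.
list_listeners() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -46l
    else
        netstat -an 2>/dev/null | grep LISTEN || true
    fi
}

# Constructed sample tree so the helpers can be exercised offline.
# Prints the directory it created; remove it when done.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/www/images" "$d/www/uploads" "$d/tmp" "$d/var/tmp"
    printf '<?php echo "hello"; ?>\n' > "$d/www/index.php"
    printf '<?php $executive = 1; ?>\n' > "$d/www/executive.php"      # must not match
    printf '<?php passthru("uname -a"); ?>\n' > "$d/www/images/.cache.php"
    printf '<?php shell_exec ("id"); ?>\n' > "$d/www/uploads/thumb.php"
    printf 'notes\n' > "$d/www/uploads/notes.txt"
    printf 'x\n' > "$d/tmp/.x"
    printf 'x\n' > "$d/tmp/sess_1234"
    chmod 644 "$d/www/index.php" "$d/www/executive.php" "$d/www/images/.cache.php" \
              "$d/www/uploads/thumb.php" "$d/tmp/sess_1234"
    chmod 666 "$d/www/uploads/notes.txt"   # the one world-writable file
    chmod 755 "$d/tmp/.x"                  # the one executable in tmp
    cat > "$d/error.log" <<'EOF'
[Sun Mar 14 02:11:09 2010] [error] [client 203.0.113.7] File does not exist: /usr/local/www/data/robots.txt
[Sun Mar 14 02:11:41 2010] [error] [client 203.0.113.7] sh: wget: command not found
[Sun Mar 14 02:11:52 2010] [error] [client 203.0.113.7] lynx -source http://example.invalid/x.txt: not found
EOF
    echo "$d"
}

# Run every check against a root directory laid out like the sample tree.
run_triage() {
    root="$1"
    echo "== shell-function calls under $root/www";  find_webshell_candidates "$root/www"
    echo "== world-writable files under $root/www";  find_writable_files "$root/www"
    echo "== download tools in $root/error.log";     grep_fetch_in_log "$root/error.log"
    echo "== executables in temp dirs";              find_tmp_executables "$root/tmp" "$root/var/tmp"
    echo "== listening sockets";                     list_listeners
}
```

Against the sample tree, `run_triage "$(build_sample_tree)"` flags the two PHP files that call passthru/shell_exec (and not executive.php), the one world-writable upload, the two error-log lines where a script tried to run wget or lynx, and the hidden executable in tmp; on a real host point the same functions at the actual web root, /tmp, /var/tmp and the apache error log, and compare the listening sockets against what the box is supposed to serve.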