I have been attacked and don't know why.

Gordon
Posts: 1322
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 05 Dec 2013, 10:37

Hi Samards,

You should definitely check your software version. If you're below 2.4 it will require a full reinstall and it will destroy your configs. For newer versions it will mostly depend on how you changed your apache config: if you edited the existing bubba.cfg in sites-available, then chances are that an update will overwrite this file. If you're not using bubba.cfg for your site you should be fine.

As an alternative to updating, this will deal with the issue as well:
- remove the execute flag from /usr/lib/cgi-bin/php5.cgi (trust me: this cgi serves no purpose on a B2|3)
- delete all jobs in www-data's crontab (you did that, but you'll probably need to do it again)
- run: kill -9 $(ps -U www-data -u www-data --no-headers | awk '{print $1}') (or reboot)

samards
Posts: 5
Joined: 12 Feb 2010, 07:56

Re: I have been attacked and don't know why.

Post by samards » 05 Dec 2013, 16:47

Hi Gordon,

Thanks a lot...

I've just checked, I actually never upgraded bubba since 2010... So my version is, believe it or not, 1.3.1 :o My php.cgi is something like /usr/lib/cgi-bin/php5, so I removed the x flag there; looks like nothing happened, still everything works.

I guess I have to plan my upgrade more carefully, as everything will be updated, like you said.

toukie
Posts: 115
Joined: 13 Jan 2012, 12:22

Re: I have been attacked and don't know why.

Post by toukie » 06 Dec 2013, 09:30

Is my B3 compromised, or is this normal?

I have service postfix off and service dovecot off, I don't use them yet.
When I check logwatch I see Postfix accepting bytes and delivering them. Why is that?

Gordon
Posts: 1322
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 06 Dec 2013, 15:24

toukie wrote:Is my B3 compromised, or is this normal?

I have service postfix off and service dovecot off, I don't use them yet.
When I check logwatch I see Postfix accepting bytes and delivering them. Why is that?
Cron will send emails containing screen output to the user that owns the job (which will be root in most cases). Just check the mail logs.

toukie
Posts: 115
Joined: 13 Jan 2012, 12:22

Re: I have been attacked and don't know why.

Post by toukie » 06 Dec 2013, 16:02

I see logs like /var/log/web-admin etc. If that is what postfix does then it is OK. There was nothing in /var/mail.

Gordon
Posts: 1322
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 06 Dec 2013, 18:11

That is correct. Mail delivery on the B3 is set up to use the maildir scheme with mail being delivered in ~/Mail

OlivierC
Posts: 31
Joined: 21 Sep 2013, 08:01

Re: I have been attacked and don't know why.

Post by OlivierC » 07 Dec 2013, 12:17

Hi guys,

I have followed instructions posted:
by DanielM » 03 Nov 2013, 17:14
to clean crontab

Now I must do the same for suspicious files, but as a Windows user I do not know all the Linux commands to do that!

I have run
cd tmp
ls -al
total 16
drwxrwxrwt 4 root root 4096 Dec 7 18:40 .
drwxr-xr-x 23 root root 4096 Oct 22 12:20 ..
drwxrwxrwt 2 root root 4096 Dec 7 14:13 .ICE-unix
drwxrwxrwt 2 root root 4096 Dec 7 14:13 .X11-unix
srw-rw---- 1 root www-data 0 Dec 7 14:13 ftdaemon

ls -laR /var/tmp
total 184
drwxrwxrwt 2 root root 4096 Dec 6 20:16 .
drwxr-xr-x 14 root root 4096 Jan 1 2000 ..
-rw-rw-rw- 1 www-data www-data 84507 Dec 5 16:23 playd.jpg
-rw-rw-rw- 1 www-data www-data 84507 Dec 5 16:23 playd.jpg.1
I have downloaded the file from the Linux B3 to my Windows box using

pscp username@b3:/var/tmp/playd.jpg "%temp%"
and it's not a JPEG image but a Perl script:
#!/usr/bin/perl

######################################################################################################################
######################################################################################################################
## Drops Perl IrcBot v2.0 / 2012 by Jericho Security Team ## [ Help ] ###########################################
## Stealth MultiFunctional IrcBot writen in Perl #######################################################
## Teste on every system with PERL instlled ## !u @system ##
## ## !u @version ##
## This is a free program used on your own risk. ## !u @channel ##
## Created for educational purpose only. ## !u @flood ##
## I'm not responsible for the illegal use of this program. ## !u @utils ##
######################################################################################################################
## [ Channel ] #################### [ Flood ] ################################## [ Utils ] ###########################
######################################################################################################################
## !u !join <#channel> ## !u @udp1 <ip> <port> <time> ## !u @cback <ip> <port> ##
## !u !part <#channel> ## !u @udp2 <ip> <packet size> <time> ## !u @downlod <url+path> <file> ##
## !u !rejoin <#channel> ## !u @udp3 <ip> <port> <time> ## !u @portscan <ip> ##
## !u !op <channel> <nick> ## !u @tcp <ip> <port> <packet size> <time> ## !u @mail <subject> <sender> ##
## !u !deop <channel> <nick> ## !u @http <site> <time> ## <recipient> <message> ##
## !u !voice <channel> <nick> ## ## !u pwd;uname -a;id <for example> ##
## !u !devoice <channel> <nick> ## !u @ctcpflood <nick> ## !u @port <ip> <port> ##
## !u !nick <newnick> ## !u @msgflood <nick> ## !u @dns <ip/host> ##
## !u !rnick (random nick) ## !u @noticeflood <nick> ## ##
## !u !msg <nick> ## ## ##
## !u !quit ## ## ##
## !u !raw ## ## ##
## !u @die ## ## ##
## !u @admin (add/del) <nick> ## ## ##
######################################################################################################################
######################################################################################################################
Experts give right answers here but should take care of users that aren't Linux experts.
I have some knowledge of the Windows command line but I'm still learning Linux commands...

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 08 Dec 2013, 03:19

The full command is

rm /var/tmp/playd.jpg
However, you may find it easier to install Midnight Commander and get a semi-GUI way to work your way around the file system.

su -
apt-get install mc
mc

vladi
Posts: 24
Joined: 05 Jul 2013, 15:03

Re: I have been attacked and don't know why.

Post by vladi » 08 Dec 2013, 12:26

Hi guys,

Although I am using 2.6.1, I noticed these two logs today. I think that's not good, is it?

apache2/error.log

[Sun Dec 08 06:25:08 2013] [notice] FastCGI: process manager initialized (pid 28739)
[Sun Dec 08 06:25:12 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Dec 08 06:25:12 2013] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Sun Dec 08 06:25:12 2013] [notice] Apache/2.2.16 (Debian) mod_fastcgi/2.4.6 PHP/5.3.3-7+squeeze4ex1 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
[Sun Dec 08 06:42:37 2013] [error] [client 98.230.76.40] Invalid method in request \x80w\x01\x03\x01
[Sun Dec 08 06:42:38 2013] [error] [client 98.230.76.40] File does not exist: /home/web/HNAP1, referer: http://188.25.251.253/
[Sun Dec 08 10:02:09 2013] [error] [client 221.122.80.105] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.
[Sun Dec 08 10:02:09 2013] [error] [client 221.122.80.105]
[Sun Dec 08 10:02:09 2013] [error] [client 221.122.80.105] <p>This PHP CGI binary was compiled with force-cgi-redirect enabled. This
[Sun Dec 08 10:02:09 2013] [error] [client 221.122.80.105] means that a page will only be served up if the REDIRECT_STATUS CGI variable is
[Sun Dec 08 10:02:09 2013] [error] [client 221.122.80.105] set, e.g. via an Apache Action directive.</p>
[Sun Dec 08 10:02:09 2013] [error] [client 221.122.80.105] <p>For more information as to <i>why</i> this behaviour exists, see the <a href="http://php.net/security.cgi-bin">manual page for CGI security</a>.</p>
[Sun Dec 08 10:02:09 2013] [error] [client 221.122.80.105] <p>For more information about changing this behaviour or re-enabling this webserver,
[Sun Dec 08 10:02:09 2013] [error] [client 221.122.80.105] consult the installation file that came with this distribution, or visit
[Sun Dec 08 10:02:09 2013] [error] [client 221.122.80.105] <a href="http://php.net/install.windows">the manual page</a>.</p>
[Sun Dec 08 10:02:09 2013] [error] [client 221.122.80.105] Premature end of script headers: php
[Sun Dec 08 10:02:10 2013] [error] [client 221.122.80.105] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.
[Sun Dec 08 10:02:10 2013] [error] [client 221.122.80.105]
[Sun Dec 08 10:02:10 2013] [error] [client 221.122.80.105] <p>This PHP CGI binary was compiled with force-cgi-redirect enabled. This
[Sun Dec 08 10:02:10 2013] [error] [client 221.122.80.105] means that a page will only be served up if the REDIRECT_STATUS CGI variable is
[Sun Dec 08 10:02:10 2013] [error] [client 221.122.80.105] set, e.g. via an Apache Action directive.</p>
[Sun Dec 08 10:02:10 2013] [error] [client 221.122.80.105] <p>For more information as to <i>why</i> this behaviour exists, see the <a href="http://php.net/security.cgi-bin">manual page for CGI security</a>.</p>
[Sun Dec 08 10:02:10 2013] [error] [client 221.122.80.105] <p>For more information about changing this behaviour or re-enabling this webserver,
[Sun Dec 08 10:02:10 2013] [error] [client 221.122.80.105] consult the installation file that came with this distribution, or visit
[Sun Dec 08 10:02:10 2013] [error] [client 221.122.80.105] <a href="http://php.net/install.windows">the manual page</a>.</p>
[Sun Dec 08 10:02:10 2013] [error] [client 221.122.80.105] Premature end of script headers: php5
[Sun Dec 08 10:02:11 2013] [error] [client 221.122.80.105] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Sun Dec 08 10:02:12 2013] [error] [client 221.122.80.105] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Sun Dec 08 10:02:12 2013] [error] [client 221.122.80.105] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Sun Dec 08 11:00:23 2013] [error] [client 66.76.199.132] Invalid method in request \x80w\x01\x03\x01
[Sun Dec 08 11:00:23 2013] [error] [client 66.76.199.132] File does not exist: /home/web/HNAP1, referer: http://188.25.251.253/
[Sun Dec 08 14:37:41 2013] [error] [client 173.201.45.104] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.
[Sun Dec 08 14:37:41 2013] [error] [client 173.201.45.104]
[Sun Dec 08 14:37:41 2013] [error] [client 173.201.45.104] <p>This PHP CGI binary was compiled with force-cgi-redirect enabled. This
[Sun Dec 08 14:37:41 2013] [error] [client 173.201.45.104] means that a page will only be served up if the REDIRECT_STATUS CGI variable is
[Sun Dec 08 14:37:41 2013] [error] [client 173.201.45.104] set, e.g. via an Apache Action directive.</p>
[Sun Dec 08 14:37:41 2013] [error] [client 173.201.45.104] <p>For more information as to <i>why</i> this behaviour exists, see the <a href="http://php.net/security.cgi-bin">manual page for CGI security</a>.</p>
[Sun Dec 08 14:37:41 2013] [error] [client 173.201.45.104] <p>For more information about changing this behaviour or re-enabling this webserver,
[Sun Dec 08 14:37:41 2013] [error] [client 173.201.45.104] consult the installation file that came with this distribution, or visit
[Sun Dec 08 14:37:41 2013] [error] [client 173.201.45.104] <a href="http://php.net/install.windows">the manual page</a>.</p>
[Sun Dec 08 14:37:41 2013] [error] [client 173.201.45.104] Premature end of script headers: php
[Sun Dec 08 18:08:36 2013] [error] [client 192.168.0.1] File does not exist: /home/web/favicon.ico
[Sun Dec 08 18:21:36 2013] [notice] caught SIGTERM, shutting down
[Sun Dec 08 18:22:14 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Dec 08 18:22:14 2013] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Sun Dec 08 18:22:14 2013] [notice] FastCGI: process manager initialized (pid 1159)
[Sun Dec 08 18:22:18 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Dec 08 18:22:18 2013] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Sun Dec 08 18:22:18 2013] [notice] Apache/2.2.16 (Debian) mod_fastcgi/2.4.6 PHP/5.3.3-7+squeeze4ex1 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
apache2/access.log - from today :(

98.230.76.40 - - [08/Dec/2013:06:42:37 +0200] "\x80w\x01\x03\x01" 501 295 "-" "-"
98.230.76.40 - - [08/Dec/2013:06:42:38 +0200] "GET /HNAP1/ HTTP/1.1" 404 502 "http://188.25.251.253/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20030306 Camino/0.7"
122.147.138.20 - - [08/Dec/2013:07:28:27 +0200] "HEAD / HTTP/1.0" 200 278 "-" "-"
122.147.138.20 - - [08/Dec/2013:07:28:52 +0200] "-" 408 0 "-" "-"
122.147.138.20 - - [08/Dec/2013:07:29:17 +0200] "-" 408 0 "-" "-"
122.147.138.20 - - [08/Dec/2013:07:29:41 +0200] "-" 408 0 "-" "-"
122.147.138.20 - - [08/Dec/2013:07:30:05 +0200] "-" 408 0 "-" "-"
122.147.138.20 - - [08/Dec/2013:07:30:29 +0200] "-" 408 0 "-" "-"
221.122.80.105 - - [08/Dec/2013:10:02:08 +0200] "HEAD / HTTP/1.0" 200 278 "-" "-"
221.122.80.105 - - [08/Dec/2013:10:02:09 +0200] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 500 834 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
221.122.80.105 - - [08/Dec/2013:10:02:10 +0200] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 500 834 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
221.122.80.105 - - [08/Dec/2013:10:02:11 +0200] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 496 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
221.122.80.105 - - [08/Dec/2013:10:02:12 +0200] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 496 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
221.122.80.105 - - [08/Dec/2013:10:02:12 +0200] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 493 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
66.76.199.132 - - [08/Dec/2013:11:00:23 +0200] "\x80w\x01\x03\x01" 501 295 "-" "-"
66.76.199.132 - - [08/Dec/2013:11:00:23 +0200] "GET /HNAP1/ HTTP/1.1" 404 502 "http://188.25.251.253/" "Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]"
192.168.0.11 - - [08/Dec/2013:11:30:07 +0200] "POST /admin/login/index/json HTTP/1.1" 200 511 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:11:30:09 +0200] "GET /admin/ajax_status/uptime HTTP/1.1" 200 549 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:11:30:09 +0200] "GET /admin/ajax_status/version HTTP/1.1" 200 543 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:11:30:09 +0200] "GET /admin/ajax_status/disks HTTP/1.1" 200 986 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:11:30:09 +0200] "GET /admin/ajax_status/total_space HTTP/1.1" 200 595 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:11:30:09 +0200] "GET /admin/ajax_status/free_space HTTP/1.1" 200 595 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:11:30:09 +0200] "GET /admin/downloads/dolist/json HTTP/1.1" 200 400 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:11:30:29 +0200] "GET /admin/ajax_status/uptime HTTP/1.1" 200 549 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:11:30:29 +0200] "GET /admin/downloads/dolist/json HTTP/1.1" 200 401 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
....
173.201.45.104 - - [08/Dec/2013:14:37:41 +0200] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 500 822 "-" "-"
192.168.0.11 - - [08/Dec/2013:14:37:56 +0200] "GET /admin/ajax_status/uptime HTTP/1.1" 200 549 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:14:37:56 +0200] "GET /admin/downloads/dolist/json HTTP/1.1" 200 401 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:14:37:56 +0200] "GET /admin/ajax_status/version HTTP/1.1" 200 543 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
...
192.168.0.11 - - [08/Dec/2013:15:41:39 +0200] "GET /admin/ajax_status/free_space HTTP/1.1" 200 597 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
188.25.181.126 - - [08/Dec/2013:15:41:47 +0200] "GET http://www.soso.com/ HTTP/1.1" 200 840 "http://www.soso.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
192.168.0.11 - - [08/Dec/2013:15:41:59 +0200] "GET /admin/ajax_status/uptime HTTP/1.1" 200 549 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.0.11 - - [08/Dec/2013:15:41:59 +0200] "GET /admin/downloads/dolist/json HTTP/1.1" 200 401 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
....
192.168.0.11 - - [08/Dec/2013:19:14:14 +0200] "GET /admin/ajax_status/free_space HTTP/1.1" 200 595 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
Since I noticed the log, I disabled remote access through my router, restarted the B3 and applied Ubi's commands http://forum.excito.net/viewtopic.php?f ... =30#p23743

Is the threat still present? What do I have to do to be sure that no one has access to my B3?

Thank you

Gordon
Posts: 1322
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 08 Dec 2013, 13:36

Apparently you did something more than you refer to and removed the execute flag on php cgi as well (or installed the Excito update). This causes the HTTP 500 return, which means you are okay.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 08 Dec 2013, 13:44

He didn't remove the execute flag, as the binary is indeed being executed. It spawns an error because of the Excito patch, but disabled it is not.

But the Bubba is secure though.

vladi
Posts: 24
Joined: 05 Jul 2013, 15:03

Re: I have been attacked and don't know why.

Post by vladi » 08 Dec 2013, 14:18

I only applied the update, after I saw Johannes' announcement from Nov

Gordon
Posts: 1322
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 08 Dec 2013, 14:21

Ubi wrote:He didn't remove the execute flag, as the binary is indeed being executed. It spawns an error because of the Excito patch, but disabled it is not.

But the Bubba is secure though.
The 500 error is returned on my system as well, where I deliberately kept the vulnerable version but keep it marked as non-executable when I'm not trying to retrace the offenders' steps.

But yes, installing the patch from Excito will cause it to return a 500 as well - but I already said so. The important thing here is that it returns a 500 and not a 200 which you only want to see on valid pages.
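An added example (not code from this thread, from Excito or from any poster) that turns Gordon's rule of thumb into a check over Apache combined-format access log lines: it decodes the percent-encoded php-cgi queries like the ones vladi posted and flags a probe that came back 200 separately from one that got 404/500. The log lines, the TEST-NET addresses and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# php.ini overrides the probes in the thread pass to php-cgi via "-d"; any one is enough to flag.
SUSPICIOUS_OPTS = ("allow_url_include", "auto_prepend_file", "cgi.force_redirect",
                   "cgi.redirect_status_env", "safe_mode", "disable_functions", "open_basedir")

# Constructed sample log (TEST-NET addresses). The percent-encoded queries decode to
# "-d allow_url_include=on" and "-d auto_prepend_file=php://input" respectively.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Dec/2013:10:02:09 +0200] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E HTTP/1.1" 500 834 "-" "-"
203.0.113.7 - - [08/Dec/2013:14:37:41 +0200] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74 HTTP/1.1" 200 512 "-" "-"
192.168.0.11 - - [08/Dec/2013:11:30:09 +0200] "GET /admin/ajax_status/uptime HTTP/1.1" 200 549 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into host, method, decoded path/query and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    target = parts[1] if len(parts) > 1 else ""
    path, _, query = target.partition("?")
    return {
        "host": m.group("host"),
        "method": parts[0],
        # Decode the path too and collapse "//cgi-bin" so the prefix check cannot be dodged.
        "path": re.sub(r"/+", "/", unquote(path)),
        "query": unquote_plus(query),  # "+" is a space inside a query string
        "status": int(m.group("status")),
    }


def classify(line):
    """Return 'benign', 'probe-blocked' (non-200), 'probe-succeeded' (200) or 'unparsed'."""
    rec = parse_line(line)
    if rec is None:
        return "unparsed"
    hits_php_cgi = rec["path"].startswith("/cgi-bin/php")
    carries_opts = rec["query"].lstrip().startswith("-") or any(
        opt in rec["query"] for opt in SUSPICIOUS_OPTS)
    if not (hits_php_cgi and carries_opts):
        return "benign"
    # A 200 means php-cgi accepted the injected options; 404/500 is what a patched
    # or non-executable php-cgi returns, which is the outcome Gordon describes.
    return "probe-succeeded" if rec["status"] == 200 else "probe-blocked"


def scan(log_text):
    """One record per flagged line, usable for a block list or an abuse report."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict.startswith("probe"):
            rec = parse_line(line)
            findings.append({"host": rec["host"], "status": rec["status"],
                             "query": rec["query"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']:15} {f['status']} {f['verdict']:16} {f['query']}")
```

Run it against a real access.log by passing the file contents to scan(); any "probe-succeeded" line is the one to investigate, the "probe-blocked" lines are the noise the rest of the thread describes.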

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: I have been attacked and don't know why.

Post by RandomUsername » 17 Dec 2013, 11:02

I've noticed a substantial increase in the number of attempts to exploit this hole over the last week or so.

My fail2ban filter is blocking 30-40 IP addresses per day (each one gets blocked for a month, so it's not just the same IPs again and again). Some of them are coming from IPs owned by Amazon cloud services and other VPS/cloud providers. I used to go to the trouble of reporting these, but I hardly get a response, so I gave up.

EDIT: I just found this tutorial which uses emails from fail2ban to automatically generate abuse reports via blocklist.de. Pretty neat, I think I'll give it a go at some point.

Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Re: I have been attacked and don't know why.

Post by Cheeseboy » 17 Dec 2013, 12:12

I've also noticed a lot more of these.
And yesterday there were two defunct instances of php5.orig started by www-data...
(I created a cron job to watch for processes owned by this user).

I used to send abuse reports too, mainly for ssh attacks (rarely got replies either), until after one such report the address I had used (stupidly the admin account of my domain) seemed to end up on every spam list in the universe :-)
