Locating the source of a malicious script/program
I've been a Linode customer for almost a year now, but have recently been made aware that my server has been accessing another website maliciously. I'm told that I'm going to have to redeploy (really not an option) unless I can locate and fix the problem.
I'd say I am at an intermediate skill level with Linux, so I'm not really sure what else I can do apart from searching the entire file system for the domain name and IP (which returned no results):
root@server [/]# find . | xargs grep '[i]THEIP_' -sl
root@server [/]# find . | xargs grep '[i]THEDOMAIN_' -sl
I'd really appreciate any help with how I can find out what could have gone wrong!!
Here are the logs on the server that is being attacked by mine…
Access Log:
MY_IP - - [05/Apr/2011:12:43:53 -0500] "GET /index.php?cPath=35/admin/file_manager.php/login.php HTTP/1.1" 200 19334 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
MY_IP - - [05/Apr/2011:12:43:54 -0500] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 8802 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
MY_IP - - [05/Apr/2011:12:43:54 -0500] "GET /index.php?cPath=35/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 43381 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
MY_IP - - [05/Apr/2011:12:43:55 -0500] "GET /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 8802 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
Error Log:
[Tue Apr 05 12:43:53 2011] [error] [client MY_IP] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "THEIR_DOMAIN"] [uri "/index.php"] [unique_id "TZtU2Uj5jcIAAAqtDHMAAAA3"]
[Tue Apr 05 12:43:54 2011] [error] [client MY_IP] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "THEIR_DOMAIN"] [uri "/admin/file_manager.php/login.php"] [unique_id "TZtU2kj5jcIAAAZjgU4AAAAc"]
[Tue Apr 05 12:43:54 2011] [error] [client MY_IP] File does not exist: /home/kdc/public_html/admin
[Tue Apr 05 12:43:54 2011] [error] [client MY_IP] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "THEIR_DOMAIN"] [uri "/index.php"] [unique_id "TZtU2kj5jcIAAAuqFkwAAABA"]
[Tue Apr 05 12:43:55 2011] [error] [client MY_IP] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "THEIR_DOMAIN"] [uri "/admin/categories.php/login.php"] [unique_id "TZtU20j5jcIAAF9IsRAAAAAE"]
[Tue Apr 05 12:43:55 2011] [error] [client MY_IP] File does not exist: /home/kdc/public_html/admin
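The four access-log lines above share one shape: an admin script with /login.php appended as extra path, requested once wrapped inside index.php?cPath=... and once directly. PHP executes the script named before the slash, so an admin page whose login check only inspects the tail of the request URI sees "login.php" and waves the request through; this is the well-known authentication-bypass trick against old osCommerce 2.2 admin directories. The error log adds two tells that this was a script rather than a browser: every request lacked an Accept header, and the User-Agent claims Mozilla 3.0 on SunOS 5.4. The following is an added example (not code from the thread) that parses Apache combined-format lines and flags this pattern per client IP; the sample log is constructed from the posted lines with the client address replaced by a documentation IP, and the regexes and reason strings are this example's own.

```python
"""Flag admin authentication-bypass probes in Apache access-log lines
(added example, not from the thread)."""
import re
from collections import defaultdict

# Apache "combined" log format, as in the lines posted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# An admin script with /login.php appended as PATH_INFO, e.g.
# /admin/file_manager.php/login.php.  PHP runs file_manager.php, but an
# auth check that only looks at the tail of the URI sees "login.php".
ADMIN_BYPASS_RE = re.compile(r'/admin/[^/?]+\.php/login\.php', re.I)
# Any PHP script followed by extra path: worth a look even outside /admin.
PATH_INFO_RE = re.compile(r'/[^/?]+\.php/[^?]+')

# Constructed sample: the four probe lines from the thread with the client
# IP replaced by a documentation address, plus one ordinary page hit.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2011:12:43:53 -0500] "GET /index.php?cPath=35/admin/file_manager.php/login.php HTTP/1.1" 200 19334 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
203.0.113.7 - - [05/Apr/2011:12:43:54 -0500] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 8802 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
203.0.113.7 - - [05/Apr/2011:12:43:54 -0500] "GET /index.php?cPath=35/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 43381 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
203.0.113.7 - - [05/Apr/2011:12:43:55 -0500] "GET /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 8802 "-" "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)"
198.51.100.9 - - [05/Apr/2011:12:44:10 -0500] "GET /index.php?cPath=35 HTTP/1.1" 200 19334 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the reasons (possibly none) this request looks like a bypass probe."""
    path, _, query = rec["target"].partition("?")
    reasons = []
    # The bypass URL appears both as the request path and stuffed into the
    # cPath parameter of index.php (the thread's log shows both), so check both.
    if ADMIN_BYPASS_RE.search(path) or ADMIN_BYPASS_RE.search(query):
        reasons.append("admin script with /login.php appended (auth-bypass pattern)")
    elif PATH_INFO_RE.search(path):
        reasons.append("PATH_INFO appended to a PHP script")
    return reasons


def scan(lines):
    """Group probe hits by client IP: hits, how many were answered 200, reasons."""
    out = defaultdict(lambda: {"hits": 0, "served_200": 0, "reasons": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if not reasons:
            continue
        entry = out[rec["ip"]]
        entry["hits"] += 1
        if rec["status"] == "200":
            entry["served_200"] += 1
        entry["reasons"].update(reasons)
    return dict(out)


if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, info["hits"], "probes,", info["served_200"],
              "answered 200:", sorted(info["reasons"]))
```

Run it against the victim's full access log and the "served_200" count tells you whether any of the bypass requests actually got a page back; on the posted lines the two direct /admin/ requests were 404s because that site has no /admin directory, so the probes failed there.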
I wonder if someone is accessing your linode at the exact same times as the remote logs you posted.
When I typed that user-agent from the logs into google, one of the results came up with something about Net::Proxy. Not sure if it's related, but it is one place to look if you're not finding a hard-coded script anywhere on your box.
http://www.chkrootkit.org/
This stands out from chkrootkit!
Checking `bindshell'… INFECTED (PORTS: 465)
What does netstat -lpntu show?
Thanks for all your help - much appreciated!
root@server1 [~]# netstat -lpntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 2996/dovecot
tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN 22406/cpsrvd - wait
tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN 22406/cpsrvd - wait
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 2996/dovecot
tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN 22406/cpsrvd - wait
tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN 22406/cpsrvd - wait
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3388/mysqld
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 2996/dovecot
tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN 22406/cpsrvd - wait
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 15006/spamd child
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 2996/dovecot
tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN 22406/cpsrvd - wait
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 534/httpd
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 15574/exim
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 15535/pure-ftpd (SE
tcp 0 0 178.79.154.28:53 0.0.0.0:* LISTEN 2795/named
tcp 0 0 178.79.145.220:53 0.0.0.0:* LISTEN 2795/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2795/named
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 15574/exim
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2795/named
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 534/httpd
tcp 0 0 0.0.0.0:2077 0.0.0.0:* LISTEN 22400/cpdavd - acce
tcp 0 0 0.0.0.0:2078 0.0.0.0:* LISTEN 22400/cpdavd - acce
tcp 0 0 :::465 :::* LISTEN 15574/exim
tcp 0 0 :::21 :::* LISTEN 15535/pure-ftpd (SE
tcp 0 0 :::22 :::* LISTEN 2815/sshd
tcp 0 0 :::25 :::* LISTEN 15574/exim
udp 0 0 178.79.154.28:53 0.0.0.0:* 2795/named
udp 0 0 178.79.145.220:53 0.0.0.0:* 2795/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2795/named
udp 0 0 0.0.0.0:68 0.0.0.0:* 2662/dhclient
udp 0 0 178.79.154.28:123 0.0.0.0:* 2829/ntpd
udp 0 0 178.79.145.220:123 0.0.0.0:* 2829/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2829/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2829/ntpd
udp 0 0 ::1:123 :::* 2829/ntpd
udp 0 0 :::123 :::* 2829/ntpd
However, there are a few "problems" you'll want to address.
1) SSH has password authentication enabled
2) MySQL is listening on the public interface
3) You're using Apache 2.0; you should really be using 2.2 by now.
4) You have FrontPage extensions enabled; these are no longer supported by Microsoft.
Have a check in /var/log/auth.log for unauthorized access attempts via ssh.
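Two things in the netstat listing are worth checking mechanically rather than by eye. First, chkrootkit's bindshell test only reports that a port from its list is listening; the netstat output attributes both the IPv4 and IPv6 465 listeners to exim (465 is SMTPS), so the process owning the port is what to confirm before treating that hit as a rootkit. Second, point 2 above: mysqld is bound to 0.0.0.0:3306, while spamd and rndc are correctly on 127.0.0.1. The following is an added example (not from the thread) that parses `netstat -lpntu` output, answers "which program holds port N", and flags wildcard-bound listeners on ports that should stay local. The sample is a constructed excerpt of the listing posted above; the set of local-only ports is this example's assumed policy, not something the thread states.

```python
"""Audit a netstat -lpntu listing for services exposed on all interfaces
(added example, not from the thread)."""

# Constructed excerpt of the listing posted above (netstat -lpntu on
# CentOS 5), trimmed to the interesting lines.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 2996/dovecot
tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN 22406/cpsrvd - wait
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3388/mysqld
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 15006/spamd child
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 534/httpd
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 15574/exim
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 15535/pure-ftpd (SE
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2795/named
tcp 0 0 :::465 :::* LISTEN 15574/exim
tcp 0 0 :::22 :::* LISTEN 2815/sshd
udp 0 0 127.0.0.1:53 0.0.0.0:* 2795/named
udp 0 0 0.0.0.0:123 0.0.0.0:* 2829/ntpd
"""

WILDCARDS = {"0.0.0.0", "::"}

# Assumed policy for this example: ports that should never face the
# network on a single-box web host (MySQL, SpamAssassin spamd, BIND rndc).
LOCAL_ONLY_PORTS = {3306: "mysqld", 783: "spamd", 953: "rndc"}


def parse_netstat(text):
    """Parse netstat -lpntu output into dicts: proto, addr, port, pid, program."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        # tcp lines carry a State column before PID/Program; udp lines do not.
        prog_idx = 6 if fields[0].startswith("tcp") else 5
        # rpartition handles IPv6 forms such as ":::465" and "::1:123".
        addr, _, port = fields[3].rpartition(":")
        pid, _, prog = " ".join(fields[prog_idx:]).partition("/")
        listeners.append({
            "proto": fields[0],
            "addr": addr,
            "port": int(port),
            "pid": int(pid) if pid.isdigit() else None,
            # Program names may carry trailing junk ("cpsrvd - wait"); keep the name.
            "program": prog.split()[0] if prog.strip() else "-",
        })
    return listeners


def owners_of_port(listeners, port):
    """Which program(s) hold a port, e.g. to check a chkrootkit 'bindshell' hit."""
    return {l["program"] for l in listeners if l["port"] == port}


def audit(listeners):
    """Return listeners bound to a wildcard address on a local-only port."""
    return [l for l in listeners
            if l["addr"] in WILDCARDS and l["port"] in LOCAL_ONLY_PORTS]


if __name__ == "__main__":
    ls = parse_netstat(SAMPLE_NETSTAT)
    print("port 465 held by:", owners_of_port(ls, 465))
    for l in audit(ls):
        print("exposed:", l["proto"], f'{l["addr"]}:{l["port"]}', l["program"],
              "(expected local-only:", LOCAL_ONLY_PORTS[l["port"]] + ")")
```

For the MySQL finding the fix is `bind-address = 127.0.0.1` (or `skip-networking` if nothing connects over TCP) in the [mysqld] section of /etc/my.cnf, followed by a restart. Note also that on CentOS the sshd authentication log is /var/log/secure rather than /var/log/auth.log.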
/var/log/auth.log doesn't exist, so I can't see what attempts were made :s
I have, however, found that a bunch of Perl scripts were eating my CPU and file IO. They were owned by a website which I have found to be hacked into, and malicious scripts had been uploaded. I'm thinking this could have been the proxy which the hackers were using my server as!
Thanks again obs, eld101 and haus
What distro (and version) are you running?
CENTOS 5.5
You should also inspect the malicious Perl scripts to see if they managed to edit any files. Do you know what user the scripts were running under?
I'd love to know more about those scripts they uploaded.
You can also set up an "ftpcheck" script to monitor FTP uploads and look for anything suspicious, though if you have customers uploading files that might go against privacy concerns. The problem now is that once your box is compromised, you never quite know if you've gotten it all out or not. Hopefully the damage was limited to that one user account and a handful of perl scripts.
You could also run find / -user username -exec ls -lh {} \;
to list all files owned by the user and their details i.e. last modified etc, so you can see if any new files have been created.
@obs:
I assume that account doesn't have sudo access; if it does, you'll want to check the logs for sudo uses.
You could also run find / -user username -exec ls -lh {} \;
to list all files owned by the user and their details i.e. last modified etc, so you can see if any new files have been created.
Doesn't matter, the logs can be modified. As soon as root is compromised, or a sudoers user is compromised, the box is too compromised to save, and must be rebuilt.