My new main server was hacked.

slodave · slodave's Garage

What a pain. This a new Linux server I put up a few weeks ago. I was planning to retire my old server and had the new one almost ready, when the old one decided to give up a hard drive unexpectedly. That drive was dated 1996.

I rushed to get the new one in place and even though it runs the same firewall script that my old one did, someone got past it. They exploited either ftp or php. PHP is current and ftp is supposed to be forwarded via the firewall to a different server, so I'm not sure how this happened.

The exploit created a new user and installed port/IP scanning software and an ssh client. Looking through the files, I found the password info for fsf.org - The Free Software Foundation aka the GNU guys...

At this point, I can clean up and be done with it or I can have some fun, rewrite certain scripts, sit back and watch the fireworks (even if they are CGI

).

Suggestions??

-rwxr-xr-x 1 fax users 433 2006-03-10 15:32 all
-rwxr-xr-x 1 fax users 22354 2005-04-18 11:30 common
-rwxr-xr-x 1 fax users 732 2006-04-18 14:27 full
-rwxr-xr-x 1 fax users 265 2004-11-24 15:21 gen-pass.sh
-rwxr-xr-x 1 fax users 89 2005-04-18 11:29 go.sh
-rwxr-xr-x 1 fax users 5159 2005-05-26 08:34 inb.php
-rwxr-xr-x 1 fax users 17148 2006-03-09 07:39 kb.tgz
-rwxr-xr-x 1 fax users 6320 2008-08-10 11:34 mfu.txt
-rwxr-xr-x 1 fax users 2388 2008-08-10 11:49 pass_file
-rwxr-xr-x 1 fax users 207456 2007-04-27 07:28 pico
-rwxr-xr-x 1 fax users 20363 2006-05-06 01:46 ps
-rwxr-xr-x 1 fax users 25503 2007-04-27 07:28 pscan2
-rwxr-xr-x 1 fax users 6735709 2008-03-19 08:43 r00t
-rwxr-xr-x 1 fax users 423 2005-11-09 16:32 skan
-rwxr-xr-x 1 fax users 458068 2007-04-27 07:28 ss
-rwxr-xr-x 1 fax users 846832 2007-04-27 06:24 ssh
-rwxr-xr-x 1 fax users 704 2008-03-16 11:03 vuln.txt
-rwxrwxr-x 1 fax users 3130 2007-04-27 07:30 x

87coupe · 87coupe's Garage

Someone was having some fun. Brute force SSH kit, PHP web shell... You've caught my interest. Post the contents of go.sh

slodave · slodave's Garage

Tis but a boring little script.

./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > mfu.txt
./ssh-scan
rm -f bios.txt

trekkor · 08-13-2008, 09:53 PM

It's all geek to me...

Will it take much to get back up and running like you want it?

KT

slodave · slodave's Garage

I had noticed the username a few days ago, but dismissed it, as I had recently setup a corporate fax machine to email via a different Linux server for a client, but it is possible that I had also created the user on mine to test with. I had even checked the 'lastlog', but I guess I did not pay attention to the I.P.

slodave · slodave's Garage

Quote:

Originally Posted by trekkor

It's all geek to me...

Will it take much to get back up and running like you want it?

KT

Less than 5 minutes. It's more of a pride thing

.

I don't like my servers being hacked. This is the second time in 4 years, so not bad. I pretty lazy on keeping my personal Linux servers updated. Kinda like the mechanic that never gets his project car finished.

87coupe · 87coupe's Garage

If your not already you should be running an IDS. This is most likely the work of a bot that discovered a ftp (plain text passwords) or an application vulnerability via PHP. BTW, a firewall shouldn't run FTP or PHP if you care about security.

slodave · slodave's Garage

Looks like the server was hacked on 6/24/08 via PHP. There is an empty session file in the /tmp directory and a few other files...

drwxr-xr-x 2 fax users 4096 2000-04-25 17:21 cmd
-rw-r--r-- 1 fax users 278762 2008-06-24 11:53 cmd.tgz
drwxr-xr-x 4 root root 4096 2008-06-24 01:37 pear
-rw------- 1 root root 0 2008-06-24 01:35 sess_ab47719c7181effe333e3b343dc613ec

The fun stuff is in the cmd directory...

1234 echok kod paralyze3 stealth
ADMdns****r fawx kox pepsi stream
DoS-Linux.pl flatline land pimp syndrop
DoS_frontpage.pl flushot laser pimp2 synful
akill2.pl foqerc latierra pirchslap synhose
arnup100 galt_gin linux-icmp pong synk
ascend-foo gewse locktcp quake2 synk4
beer gewse5 mailer rape targa
biffit gin misfrag raped targa2
binds hanson mmsu-dos rc8 targa3
bloop hell moyari13 rcon teardrop
bncex hestra mutilate rpk tesoiis
boink hiperbomb2 nestea ruc ton
bonk inetd.DoS nestea2 rwhokill trash
c**ksuck ircd_kill newtear simping trash2
coke jaypee nt-dns slice3 twinge
comatose jolt octopus smack udpdata
conseal kill_inetd opentear spender.pl udpflood
d0s.pl killwin orgasm spiffit winfreez
dos-prox.pl kkill oshare_1_gou sprite wingatecrash
duy koc overdrop ssping winnuke

87coupe · 87coupe's Garage

Yeah, definitely a bot. So what are you running in the way of php?

humorous note: "targa rape" & "raped targa2" in that list

slodave · slodave's Garage

Latest version, 5.2.6.. Nothing special when configured/compiled.

87coupe · 87coupe's Garage

Sorry, should have phrased that different. Are you running a php based framework, BB, some little php based frontend, php you wrote?

slodave · slodave's Garage

Ah, my own stuff. I looked at some of the common exploits, but I don't think any of my files are using the calls. I had a couple of websites on the old server that could have been exploited, but I am not using them and never bothered to set them up on the new server. Sendmail is not even installed on the server, so some of the form exploits can't work.

svandamme · svandamme's Garage

So Dave, you reinstalling it to Windows now ?

slodave · slodave's Garage

Yeah, right! That will be the day. Linux power all the way!

Team Tux!

BReif61 · 08-14-2008, 03:28 AM

I'm glad some of you know what the heck he's talking about, because I sure have no idea.

onewhippedpuppy · 08-14-2008, 05:10 AM

I just hoped to hear that you fried some hacker's computer.

911 Rod · 911 Rod's Garage

Now I'm worried about my server.
Never really thought about it before.
I just had an ftp site set up as I am a printing company and need it for customer files.
Are there any precautions I should be taking?
Thanks in advance.