Re: Wiki hacked?
+++ Joachim Nilsson [05-09-21 11:12 +0200]:
>
> Hi all,
>
> I was cleaning up the wiki today from some automated spambot-created
> accounts and this is what suddenly popped up in the window.
>
> --21:28:39-- http://67.169.227.28/il/b => `/tmp/testl' Connecting to
> 67.169.227.28:80... connected. HTTP request sent, awaiting response... 200
> OK Length: 37,234 (36K) [text/plain]
>
> 0K .......... .......... .......... ...... 100% 43.71 KB/s
>
> 21:28:41 (43.71 KB/s) - `/tmp/testl' saved [37234/37234]
>
>
> I'm so sorry if it was I who triggered this! It must be some new TWiki
> backdoor or something because this is the first time, while cleaning, it
> happened to me. I've seen other bisarre hacks but this one was new.
Hmm - this doesn't look good.
I see in /tmp we have a load of files
-rwxr-xr-x 1 www-data www-data 262144 Sep 21 01:24 TTdummyfile
-rwxr-xr-x 1 www-data www-data 16384 Sep 21 01:24 TTeatfile
-rwxr-xr-x 1 www-data www-data 2147483647 Sep 21 01:27 TTeatfiles
-rwxr-xr-x 1 www-data www-data 8192 Sep 21 01:24 TTsharefile
-rwxr-xr-x 1 www-data www-data 37232 Sep 18 20:58 cache
-rwxrwxrwx 1 www-data www-data 18907 Jul 15 2002 cache2
-rwxr-xr-x 1 www-data www-data 17315 May 3 18:27 cache3
-rw-r--r-- 1 www-data www-data 759 Aug 29 22:51 dc.pl
-rwxrwxrwx 1 www-data www-data 37234 Sep 17 21:08 perl
-rwxrwxrwx 1 www-data www-data 14282 Sep 20 23:03 pwn
-rwxr-xr-x 1 www-data www-data 14282 Aug 5 21:18 pwned3
-rw-r--r-- 1 www-data www-data 431 Jan 18 2005 temp.pl
At the top of dc.pl it says:
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
So at the very least someone has had a go at us.
I don't know much about intrustion detection and forensics so if anyone who
does wants to take a look, that would be good.
I installed chkroot and ran it and it didn't find anything suspicious -
that's presumably a good sign but by no means categorical.
I'm just reading about this backdoor and what it does, and will take a look
at the logs.
<fx: pause>
This:http://www.mirrorshades.org/overflow/archives/000135.shtml
suggests that it might attack the kernel mremap problem - furtunately
we have a 2.4.27 kernel here so that should be OK.
Ther is stuff in the apache2 error log which looks suspicious:
[Wed Sep 21 04:58:01 2005] [error] [client 217.116.136.9] [Wed Sep 21 04:58:01 2
005] view: Argument "2 %7|pwd" isn't numeric in numeric lt (<) at /var/www/twiki
/lib/TWiki/UI/View.pm line 110.
and
[Thu Sep 22 02:59:20 2005] [error] [client 148.244.150.58] co aborted
[Thu Sep 22 02:59:20 2005] [error] [client 148.244.150.58] rlog: no input file
[Thu Sep 22 02:59:20 2005] [error] [client 148.244.150.58] rlog usage: rlog -{bh
LNRt} -ddates -l[lockers] -r[revs] -sstates -Vn -w[logins] -xsuff -zzone file ..
<and so on>
But these errors seem to have been going on for a long time so are probably just harmless
errors.
Anyone else want to take a look and see if they can find any evidence of actual compromise
(as opposed to getting a backdoor unpacked in /tmp (I've now moved it to ~wookey/crackfiles/ )
We don't seem to be missing any Twiki or php security updates, although there are quite a few
updates pending. I won't do those just yet in case people want to examine the machine in its
current state.
I'm hopeful that this attack has failed to do any actual harm, but we'll see...
Allen - you are actually local to the box and could presumably boot it off a
CD and run some detection tools, which would be a more reliable way of
seeing if anything bad was running.
> Maybe we should consider adding some manual activation step for the
> account registration process or, at the very least, the TWiki
> BlackListPlugin:
>
> http://twiki.org/cgi-bin/view/Plugins/BlackListPlugin
Sadly, yes, we probably should.
Wookey
--
Aleph One Ltd, Bottisham, CAMBRIDGE, CB5 9BA, UK Tel +44 (0) 1223 811679
work: http://www.aleph1.co.uk/ play: http://www.chaos.org.uk/~wookey/
Reply to: