
Re: Wiki hacked?

+++ Joachim Nilsson [05-09-21 11:12 +0200]:
> Hi all,
> I was cleaning up the wiki today from some automated spambot-created
> accounts and this is what suddenly popped up in the window.
> --21:28:39--  => `/tmp/testl' Connecting to
> connected. HTTP request sent, awaiting response... 200
> OK Length: 37,234 (36K) [text/plain]
> 0K .......... .......... .......... ...... 100% 43.71 KB/s
> 21:28:41 (43.71 KB/s) - `/tmp/testl' saved [37234/37234]
> I'm so sorry if it was I who triggered this!  It must be some new TWiki
> backdoor or something because this is the first time, while cleaning, it
> happened to me.  I've seen other bizarre hacks but this one was new.

Hmm - this doesn't look good.

I see in /tmp we have a load of files 
-rwxr-xr-x  1 www-data www-data     262144 Sep 21 01:24 TTdummyfile
-rwxr-xr-x  1 www-data www-data      16384 Sep 21 01:24 TTeatfile
-rwxr-xr-x  1 www-data www-data 2147483647 Sep 21 01:27 TTeatfiles
-rwxr-xr-x  1 www-data www-data       8192 Sep 21 01:24 TTsharefile
-rwxr-xr-x  1 www-data www-data      37232 Sep 18 20:58 cache
-rwxrwxrwx  1 www-data www-data      18907 Jul 15  2002 cache2
-rwxr-xr-x  1 www-data www-data      17315 May  3 18:27 cache3
-rw-r--r--  1 www-data www-data        759 Aug 29 22:51 dc.pl
-rwxrwxrwx  1 www-data www-data      37234 Sep 17 21:08 perl
-rwxrwxrwx  1 www-data www-data      14282 Sep 20 23:03 pwn
-rwxr-xr-x  1 www-data www-data      14282 Aug  5 21:18 pwned3
-rw-r--r--  1 www-data www-data        431 Jan 18  2005 temp.pl

At the top of dc.pl it says: 
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";

So at the very least someone has had a go at us.

I don't know much about intrusion detection and forensics so if anyone who
does wants to take a look, that would be good.

I installed chkroot and ran it and it didn't find anything suspicious -
that's presumably a good sign but by no means categorical.

I'm just reading about this backdoor and what it does, and will take a look
at the logs. 

<fx: pause>

suggests that it might attack the kernel mremap problem - fortunately
we have a 2.4.27 kernel here so that should be OK.

There is stuff in the apache2 error log which looks suspicious:
[Wed Sep 21 04:58:01 2005] [error] [client] [Wed Sep 21 04:58:01 2005] view: Argument "2 %7|pwd" isn't numeric in numeric lt (<) at /var/www/twiki/lib/TWiki/UI/View.pm line 110.


[Thu Sep 22 02:59:20 2005] [error] [client] co aborted
[Thu Sep 22 02:59:20 2005] [error] [client] rlog: no input file
[Thu Sep 22 02:59:20 2005] [error] [client] rlog usage: rlog -{bhLNRt} -ddates -l[lockers] -r[revs] -sstates -Vn -w[logins] -xsuff -zzone file ..

<and so on>

But these errors seem to have been going on for a long time so are probably just harmless.

Anyone else want to take a look and see if they can find any evidence of actual compromise
(as opposed to getting a backdoor unpacked in /tmp; I've now moved it to ~wookey/crackfiles/)?

We don't seem to be missing any TWiki or php security updates, although there are quite a few
updates pending. I won't do those just yet in case people want to examine the machine in its
current state.

I'm hopeful that this attack has failed to do any actual harm, but we'll see...

Allen - you are actually local to the box and could presumably boot it off a
CD and run some detection tools, which would be a more reliable way of
seeing if anything bad was running.

> Maybe we should consider adding some manual activation step for the
> account registration process or, at the very least, the TWiki
> BlackListPlugin:
> http://twiki.org/cgi-bin/view/Plugins/BlackListPlugin

Sadly, yes, we probably should.

Aleph One Ltd, Bottisham, CAMBRIDGE, CB5 9BA, UK  Tel +44 (0) 1223 811679
work: http://www.aleph1.co.uk/     play: http://www.chaos.org.uk/~wookey/
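The mail above quotes three artefacts worth triaging mechanically: the apache2 warning in which TWiki's View.pm received a non-numeric rev argument containing a pipe and a command name, the ls -l listing of /tmp full of executables owned by www-data, and the wget transcript showing a 37,234-byte download. The script below is an added example, not code from the mail, from TWiki or from Apache. It pulls the offending argument out of Perl's "isn't numeric" warning and flags it when it carries shell metacharacters after URL-decoding (the page shows the literal text "%7|", which is not a valid percent escape, so it is left untouched), flags /tmp entries that are executable and owned by the web server user, world-writable, or very large, and lists entries whose size equals a size wget reported saving. Whether View.pm ever handed that argument to a shell is not established on the page, and a matching size is only a lead to confirm with a hash; the sample log lines are taken from the thread, with one benign warning constructed for contrast.

```python
"""Triage helpers for the artefacts quoted in the thread: the TWiki
"isn't numeric" warning in the apache2 error log, the ls -l listing of
/tmp and the wget transcript.  Added example, not code from the mail,
from TWiki or from Apache."""
import re
from urllib.parse import unquote

# Sample input: the warning quoted in the thread (the client address was
# already missing there) plus one constructed benign warning for contrast.
ERROR_LOG = """\
[Wed Sep 21 04:58:01 2005] [error] [client] [Wed Sep 21 04:58:01 2005] view: Argument "2 %7|pwd" isn't numeric in numeric lt (<) at /var/www/twiki/lib/TWiki/UI/View.pm line 110.
[Wed Sep 21 05:02:10 2005] [error] [client] view: Argument "r1.3" isn't numeric in numeric lt (<) at /var/www/twiki/lib/TWiki/UI/View.pm line 110.
[Thu Sep 22 02:59:20 2005] [error] [client] co aborted
"""

# The /tmp listing and the wget line, as quoted in the thread.
LISTING = """\
-rwxr-xr-x  1 www-data www-data     262144 Sep 21 01:24 TTdummyfile
-rwxr-xr-x  1 www-data www-data      16384 Sep 21 01:24 TTeatfile
-rwxr-xr-x  1 www-data www-data 2147483647 Sep 21 01:27 TTeatfiles
-rwxr-xr-x  1 www-data www-data       8192 Sep 21 01:24 TTsharefile
-rwxr-xr-x  1 www-data www-data      37232 Sep 18 20:58 cache
-rwxrwxrwx  1 www-data www-data      18907 Jul 15  2002 cache2
-rwxr-xr-x  1 www-data www-data      17315 May  3 18:27 cache3
-rw-r--r--  1 www-data www-data        759 Aug 29 22:51 dc.pl
-rwxrwxrwx  1 www-data www-data      37234 Sep 17 21:08 perl
-rwxrwxrwx  1 www-data www-data      14282 Sep 20 23:03 pwn
-rwxr-xr-x  1 www-data www-data      14282 Aug  5 21:18 pwned3
-rw-r--r--  1 www-data www-data        431 Jan 18  2005 temp.pl
"""
WGET_TRANSCRIPT = "21:28:41 (43.71 KB/s) - `/tmp/testl' saved [37234/37234]"

# Perl's warning when a non-number meets a numeric comparison; TWiki's
# View.pm emits it for the 'rev' URL parameter (file and line from the page).
NUMERIC_WARN_RE = re.compile(
    r'''Argument "(?P<arg>[^"]*)" isn't numeric in .* at (?P<file>\S+) line (?P<line>\d+)''')
SHELL_META = '|;&`$<>'


def suspicious_rev_args(log_text):
    """Non-numeric arguments that also carry shell metacharacters.
    The value is URL-decoded so %7C and a literal '|' are treated alike;
    an invalid escape such as the page's '%7|' is left as-is by unquote."""
    hits = []
    for line in log_text.splitlines():
        m = NUMERIC_WARN_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group('arg'))
        meta = sorted(c for c in SHELL_META if c in decoded)
        if meta:
            hits.append({'raw': m.group('arg'), 'decoded': decoded, 'meta': meta,
                         'file': m.group('file'), 'line': int(m.group('line'))})
    return hits


# One ls -l entry: perms, link count, owner, group, size, month, day, time-or-year, name.
LS_RE = re.compile(
    r'^(?P<perm>[-dl][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+'
    r'(?P<size>\d+)\s+\w{3}\s+\d{1,2}\s+\S+\s+(?P<name>.+)$')


def parse_listing(listing):
    """Yield (perm, owner, size, name) for each parseable ls -l line."""
    for line in listing.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            yield m.group('perm'), m.group('owner'), int(m.group('size')), m.group('name')


def triage_listing(listing, web_user='www-data', big=1 << 30):
    """Flag what an attacker running as the web server user tends to leave:
    executables owned by that user, world-writable files, and huge files."""
    findings = []
    for perm, owner, size, name in parse_listing(listing):
        reasons = []
        # perm[3], perm[6], perm[9] are the user, group and other execute bits.
        if owner == web_user and 'x' in (perm[3], perm[6], perm[9]):
            reasons.append('executable owned by web server user')
        if perm[8] == 'w':
            reasons.append('world-writable')
        if size >= big:
            reasons.append('very large, possible disk-fill')
        if reasons:
            findings.append({'name': name, 'size': size, 'reasons': reasons})
    return findings


def downloaded_sizes(transcript):
    """Byte counts wget reports as 'saved [n/n]'."""
    return [int(n) for n in re.findall(r"saved \[(\d+)/\d+\]", transcript)]


def match_sizes(listing, sizes):
    """Listing entries whose size equals a downloaded size: a lead to
    confirm with a hash, not proof the two files are the same."""
    wanted = set(sizes)
    return [(name, size) for _, _, size, name in parse_listing(listing) if size in wanted]


if __name__ == '__main__':
    for h in suspicious_rev_args(ERROR_LOG):
        print(f"rev argument {h['decoded']!r} carries {h['meta']} ({h['file']}:{h['line']})")
    for f in triage_listing(LISTING):
        print(f"{f['name']:12} {', '.join(f['reasons'])}")
    print('size matches:', match_sizes(LISTING, downloaded_sizes(WGET_TRANSCRIPT)))
```

On the real box the same functions would be fed the live error log and `ls -l /tmp` output rather than the embedded samples; the listing check is deliberately crude (no hashes, no timestamps) because the point at this stage of an investigation is to enumerate candidates before touching anything, which is also why moving the files out of /tmp before imaging is the kind of step a forensics-minded responder would rather avoid.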