
Re: Server hacked - next...?



On Sun, Jun 29, 2003 at 09:47:13PM +0800, Jason Lim wrote:
> The user CGIs run as the user's UID... suexec.

suexec doesn't run PHP suid the owner, unless you're using php-cgi. By
default, PHP is incredibly insecure. If a user is using an insecure PHP
application (or any other insecure CGI application, I use PHP as an
example due to the preponderance of administrators who do not realize
this), they can run arbitrary commands as that user with relatively
little work, and as such gain shell access.

> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?

find / -xdev -type f -uid 0 -perm -4000

You will need to use a known-good copy of the `find' command. Copy it to
the machine via sneakernet (by floppy) and run it locally. Even then,
there's little guarantee the command is not being tampered with while
running...

> Hope you can shed some light on the above, so at least the system can get
> back up and running, then we can even setup a new server (with SE Linux

You have few options now but to do a complete reinstall. There is
no intermediate step when a machine has been breached.

I mention PHP above because...

Briefly looking at your previous posts, it would appear that the machine
was taken via the `www-data' user, suggesting either an Apache exploit,
or an application running as the http daemon (the www-data user), which
was not being run under suexec.

From there, considering that you were (if I am recalling correctly)
running a 2.4.17 kernel, which has a few known local root exploits
(again, if I am recalling this correctly); I don't believe you mention
if you are using Debian kernel packages, or vanilla source, or patched
source. However, the attack vector seems relatively clear:

Web app/server (if you're running stable, that would be 1.3.26. If you
are indeed keeping up with security updates, it should be patched
against the known Apache remote exploits), to shell, to kernel or suid
buffer overflow or something of that nature. From that point, they have
root access. And they don't bother hiding themselves at all, which is lucky
for you, really.

Of course, all of the above is simply a hypothesis based on incomplete
information, but...

I would suggest taking a look at what CGI you or your customers are
running, and searching the web for known security issues with them.
-- 
bda
Cyberpunk is dead.  Long live cyberpunk.
http://mirrorshades.org
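The setuid check discussed above (a trusted `find' binary run over the box, with the result compared against what a clean install is known to ship), as an added POSIX shell example that is not part of the original mail. The find path, the baseline file and the UID argument are assumptions; the baseline is a plain list of absolute paths taken from a clean machine.

```shell
# Added example (not from the original mail): report setuid files owned by a
# given UID that do not appear in a known-good baseline.
# Usage: audit_suid <trusted-find> <root> <baseline-file> [uid]
#   <trusted-find>  path to a find binary brought over on read-only media
#   <root>          directory to scan (normally /)
#   <baseline-file> one absolute path per line, taken from a clean install
#   [uid]           owner to look for, default 0 (root)
# Exit status: 0 if nothing unexpected was found, 1 otherwise; unexpected
# paths are printed one per line.
audit_suid() {
    find_bin="$1"
    root="$2"
    baseline="$3"
    uid="${4:-0}"

    found=$(mktemp) || return 1
    base=$(mktemp) || { rm -f "$found"; return 1; }

    # -xdev keeps the scan on one filesystem (no /proc, NFS, etc.);
    # -perm -4000 matches any file with the setuid bit set, whatever the
    # other mode bits are; -user accepts a numeric UID on GNU and BSD find.
    "$find_bin" "$root" -xdev -type f -user "$uid" -perm -4000 -print 2>/dev/null \
        | LC_ALL=C sort > "$found"
    LC_ALL=C sort "$baseline" > "$base"

    # comm -23: lines present in the scan result but absent from the baseline.
    unexpected=$(LC_ALL=C comm -23 "$found" "$base")
    rm -f "$found" "$base"

    [ -n "$unexpected" ] || return 0
    printf '%s\n' "$unexpected"
    return 1
}
```

Anything this prints is either a locally built setuid binary you can account for, or something the intruder left behind; in either case the baseline itself must come from a machine that was never exposed, not from the compromised host.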