#1 | Just Joined! | Join Date: Apr 2009 | Posts: 3

    Pwned! A little help with identifying how?


    I totally asked for this. My fault. I'm running an ancient web server and haven't checked vulnerabilities for years. I'm quite curious to know how exactly this exploit (found running on my machine) managed to get there. The questions to answer are, "What aspect of my server was exploited so as to write to /tmp and execute the compiler?" and also "Specifically which exploit is xp.dat?" Here's what I have so far:

    I first noticed this running on my machine yesterday:
    5781 1 0 nobody nobody ? 00:00:10 perl /tmp/xt.dat
    Apache/1.3.34 (Unix) PHP/4.4.2 mod_ssl/2.8.25 OpenSSL/0.9.7d
    is running. It's old and will be updated. Its logs show:

    [Sat Oct 3 02:55:34 2009] [notice] Accept mutex: sysvsem (Default: sysvsem)
    --19:13:22-- .../xt.dat
    => `xt.dat'
    Connecting to 208.187.91.52:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 28,018 [text/plain]

    0K .......... .......... ....... 100% 254.50 KB/s

    19:13:22 (254.50 KB/s) - `xt.dat' saved [28018/28018]

    --19:33:19-- .../xt.dat
    => `xt.dat'
    Connecting to 208.187.91.52:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 28,018 [text/plain]

    0K .......... .......... ....... 100% 252.74 KB/s

    19:33:19 (252.74 KB/s) - `xt.dat' saved [28018/28018]
    I'm sorry but I had to remove the web server URL from this post in order to get linuxforums.org to take it. (The forum complains that I must make 15 posts before I'm trusted to post links.)

    Seems pretty clear apache was hijacked to download some sort of payload.
    ls -la /tmp/.sp/hu

    drwx------ 2 root root 4096 Oct 6 18:34 .
    drwx------ 3 root root 4096 Oct 4 19:27 ..
    -rwxr-xr-x 1 nobody nobody 8013 Oct 4 19:27 exploit
    -rwxr-xr-x 1 nobody nobody 4454 Oct 4 19:27 exploit-pulseaudio
    -rw-r--r-- 1 nobody nobody 358 Sep 10 18:57 exploit-pulseaudio.c
    -rw-r--r-- 1 nobody nobody 9113 Sep 10 12:36 exploit.c
    -rwxr-xr-x 1 nobody nobody 8639 Oct 4 19:27 exploit.so
    -rwxr-xr-x 1 nobody nobody 1127 Sep 10 20:00 run
    -rw-r--r-- 1 nobody nobody 1068 Sep 10 12:01 runcon-mmap_zero
    -rw-r--r-- 1 nobody nobody 1018 Sep 6 17:44 sesearch-mmap_zero
    -rw-r--r-- 1 throes throes 28018 Oct 6 11:56 xt.dat
    I personally downloaded xt.dat just to see what was running which is why it has my user id. Googling brought up a couple pastebin entries that show how xt.dat is executed. First it's started then deleted. (Thus the need for me to download it in order to see it in detail.)

    xt.dat being the payload, I'm mostly interested in knowing how the Apache server was pwned. Some vulnerability made it possible to trick Apache or PHP into writing files to /tmp and compiling/running them.

    Here's some hopefully relevant info on the web server environment. Includes php.ini and the list of loaded web server modules:

    [PHP]
    engine = On
    short_open_tag = On
    asp_tags = Off
    precision = 12
    y2k_compliance = On
    output_buffering = Off

    zlib.output_compression = Off

    implicit_flush = Off
    unserialize_callback_func=
    serialize_precision = 100
    allow_call_time_pass_reference = On
    safe_mode = Off
    safe_mode_gid = Off
    safe_mode_include_dir =
    safe_mode_exec_dir =
    safe_mode_allowed_env_vars = PHP_
    safe_mode_protected_env_vars = LD_LIBRARY_PATH
    disable_functions =
    disable_classes =
    expose_php = On

    max_execution_time = 30 ; Maximum execution time of each script, in seconds
    max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
    memory_limit = 16M ; Maximum amount of memory a script may consume (8MB)

    error_reporting = E_ALL & ~E_NOTICE
    display_errors = On
    display_startup_errors = Off
    log_errors = Off
    log_errors_max_len = 1024
    ignore_repeated_errors = Off
    ignore_repeated_source = Off
    report_memleaks = On
    track_errors = Off
    variables_order = "EGPCS"
    register_globals = Off
    register_argc_argv = On
    post_max_size = 8M
    gpc_order = "GPC"
    magic_quotes_gpc = On
    magic_quotes_runtime = Off
    magic_quotes_sybase = Off
    auto_prepend_file =
    auto_append_file =
    default_mimetype = "text/html"
    include_path = ".:/php/includes:/usr/php/lib/php"
    doc_root =
    user_dir =
    extension_dir = "./"
    enable_dl = On
    file_uploads = On
    upload_max_filesize = 20M
    allow_url_fopen = On
    default_socket_timeout = 60
    zend_extension="/usr/lib/php_accelerator_1.3.3r2.so"


    [Syslog]
    define_syslog_variables = Off

    [mail function]
    SMTP = localhost

    [SQL]
    sql.safe_mode = Off

    [ODBC]
    odbc.allow_persistent = On
    odbc.check_persistent = On
    odbc.max_persistent = -1
    odbc.max_links = -1
    odbc.defaultlrl = 4096
    odbc.defaultbinmode = 1

    [MySQL]
    mysql.allow_persistent = On
    mysql.max_persistent = -1
    mysql.max_links = -1
    mysql.connect_timeout = 60
    mysql.trace_mode = Off


    [dbx]
    dbx.colnames_case = "unchanged"

    [bcmath]
    bcmath.scale = 0


    [Session]
    session.save_handler = files
    session.save_path = /tmp
    session.use_cookies = 1
    session.name = PHPSESSID
    session.auto_start = 0
    session.cookie_lifetime = 0
    session.cookie_path = /
    session.cookie_domain =
    session.serialize_handler = php
    session.gc_probability = 1
    session.gc_divisor = 100
    session.gc_maxlifetime = 1440
    session.bug_compat_42 = 1
    session.bug_compat_warn = 1
    session.referer_check =
    session.entropy_length = 0
    session.entropy_file =
    session.cache_limiter = nocache
    session.cache_expire = 180
    session.use_trans_sid = 0
    url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

    [Sockets]
    sockets.use_system_read = On
    I'm guessing "allow_url_fopen = On" might be something to do with it. I'm just speculating here.

    Loaded Apache modules:
    mod_php4, mod_ssl, mod_setenvif, mod_so, mod_auth, mod_access, mod_rewrite, mod_alias, mod_userdir, mod_speling, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_info, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, mod_vhost_alias, http_core
    xp.dat is malware so I won't post here but it should be easy to grab a copy for yourself like so:
    (Crap. Linux Forums won't let me post the link until I have made 15 posts.)
    I guess "grab xt.dat from the web root of 208.187.91.52" is the best way to explain it.


    I'm happy to post any other files you may need.

    Again looking to answer, "What aspect of my server was exploited so as to write to /tmp and execute the compiler?" and also "Specifically which exploit is xp.dat?"

#2 | Just Joined! | Join Date: Aug 2009 | Posts: 83
    Focussing on xt.dat isn't good because it's just a bot. Most of the time it'll be vulnerable software (web log, statistics, forum, CMS) you run on top of the (unprotected: configuration, iptables, IDS, mod_security) webserver that allows crackers to abuse or compromise a server.

    (The /tmp/.sp/hu directory contents identify that exploit as the Linux Kernel 'sock_sendpage()' NULL Pointer Dereference Vulnerability: www.securityfocus.com/bid/36038/info.)

    To find "evidence" you could reconstruct a timeline and command history from your webserver's access and error logs, system logs and any shell history (if applicable). Here's an example for PhpMyAdmin: www.linuxquestions.org/questions/showthread.php?p=3706072#post3706072 and here's one for Roundcube: www.linuxquestions.org/questions/showthread.php?p=3702239#post3702239 to give you an idea.

    I hope you mitigated the situation by making the server unavailable to anyone but you before posting this. If you didn't then that'll be your first responsibility, regardless of the consequences for you or for (paying) customers. As long as the machine can be abused by others it is a threat to other 'net users (meaning all of us).

    //As you can see I suffer from link probs as well...

#3 | Just Joined! | Join Date: Apr 2009 | Posts: 3

    I see now

    Yep. There it is. The file exploit.c has these comments at the top:

    /*
    * Linux sock_sendpage() NULL pointer dereference
    * Copyright 2009 Ramon de Carvalho Valle <ramon@risesecurity.org>
    *
    * This program is free software; you can redistribute it and/or modify
    * it under the terms of the GNU General Public License as published by
    * the Free Software Foundation; either version 2 of the License, or
    * (at your option) any later version.
    ...
    So it appears Ubuntu backports the fix for this to their 2.6.27.14.18 kernel. There's an article on the Ubuntu site that explains this kernel version fixes CVE-2009-2692 (which is the "'sock_sendpage()' NULL Pointer Dereference Vulnerability".)

    As for how the exploit was installed in the first place, I do in fact have RoundCube (now deleted in favor of squirrelmail). And sure enough, I too saw the log file entries relative to the exploit:

    193.33.61.48 - - [04/Oct/2009:19:18:23 -0700] "POST /webmail2/bin/html2text.php
    HTTP/1.1" 200 -
    193.33.61.48 - - [04/Oct/2009:19:38:20 -0700] "POST /webmail2/bin/html2text.php
    HTTP/1.1" 200 -
    That IP address is in the Netherlands. I don't have any email users over there. (I do however appear to have script kiddies over there.)

    My plan is to install the backported kernel and review all web apps for security vulnerabilities. RoundCube is now gone and PHPMyAdmin was never present. I'm also using Nikto to address any other issues in the web server / web apps. A security review of all apps that are internet facing will also occur.

    Considering installing and using Nessus...

    I'd like to thank you Unspawn for highlighting the issue so clearly for me. I could have applied security fixes all week but wouldn't be able to rest until I was pretty sure I understood what specifically was done to this server in the first place.
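To follow unspawn's suggestion of reconstructing a timeline from the access and error logs, here is an added example (not from anyone in this thread) that parses lines modelled on the ones quoted above and pairs each wget download of xt.dat with any POST logged within a window around it. The sample log lines, the 10-minute window and the calendar day assigned to the undated wget lines are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample data modelled on the lines quoted in this thread (not the poster's real logs).
ACCESS_LOG = """\
193.33.61.48 - - [04/Oct/2009:19:18:23 -0700] "POST /webmail2/bin/html2text.php HTTP/1.1" 200 -
10.0.0.5 - - [04/Oct/2009:19:20:01 -0700] "GET /index.html HTTP/1.1" 200 512
193.33.61.48 - - [04/Oct/2009:19:38:20 -0700] "POST /webmail2/bin/html2text.php HTTP/1.1" 200 -
"""
# wget progress output as it appeared in the error log; wget prints local time without a date.
ERROR_LOG = """\
19:13:22 (254.50 KB/s) - `xt.dat' saved [28018/28018]
19:33:19 (252.74 KB/s) - `xt.dat' saved [28018/28018]
"""
ERROR_DAY = datetime(2009, 10, 4)  # assumed: same day as the access-log entries

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SAVED_RE = re.compile(r"^(\d\d:\d\d:\d\d) .* - `([^']+)' saved")

def parse_access(text):
    """Return (time, ip, method, path, status) for each common/combined-format line."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            # Drop the numeric offset: both logs come from the same host's local clock.
            when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
            out.append((when, ip, method, path, int(status)))
    return out

def parse_downloads(text, day):
    """Return (time, filename) for each wget 'saved' line, dated with the given day."""
    out = []
    for line in text.splitlines():
        m = SAVED_RE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S").time()
            out.append((datetime.combine(day.date(), t), m.group(2)))
    return out

def correlate(access, downloads, window=timedelta(minutes=10)):
    """Pair each payload download with POST requests logged within +/- window.
    Different log sources rarely agree to the second, so a window is used rather than equality."""
    hits = []
    for when, fname in downloads:
        for req_time, ip, method, path, _status in access:
            if method == "POST" and abs(req_time - when) <= window:
                hits.append((fname, when.strftime("%H:%M:%S"), ip, path, req_time.strftime("%H:%M:%S")))
    return hits
```

On the sample data each xt.dat download lines up with one POST to /webmail2/bin/html2text.php from the same address, which is the kind of pairing that points at the web application rather than Apache itself.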

#4 | Just Joined! | Join Date: Aug 2009 | Posts: 83
    Quote Originally Posted by throes:
    My plan is to install the backported kernel and review all web apps for security vulnerabilities. RoundCube is now gone and PHPMyAdmin was never present. I'm also using Nikto to address any other issues in the web server / web apps. A security review of all apps that are internet facing will also occur.
    Unfortunately that is not the right approach. "Repairing" system integrity from backups should not be attempted unless you have the time, skills and tools to do so (and even then) and "restoring" system integrity by just installing binaries over others is a fallacy. This is because the exploit (if used) grants the cracker root account privileges. GNU/Linux installations by default do not enable enough auditing features to ensure (data) integrity by just glancing at logfiles, so the actual amount of "damage" done can only be assessed by performing a thorough investigation. I'm not talking about compromising the system by installing a sniffer or leeching passwords by trojaning binaries or hiding processes by installing a process-hiding kernel module but for instance simply siphoning off passwords (for usage on other systems). As long as there remains doubt (and you definitely should have) the system should remain off limits to all until you have either investigated or decided to cut your losses and move on (reformat, reinstall, harden).

#5 | Just Joined! | Join Date: Apr 2009 | Posts: 3
    I wasn't actually planning to restore anything. I use tripwire against every file on the system. Aside from the files added to /tmp nothing out of the ordinary has changed. At the time of my last post I was focused on patching the vulnerability. Later we decided to also follow the cert.org System Compromise Recovery procedure: cert.org/tech_tips/win-UNIX-system_compromise.html

    The server is not in public service at this time. Beyond what's outlined in the recovery procedure do you have any suggestions to add?

#6 | Just Joined! | Join Date: Aug 2009 | Posts: 83
    Quote Originally Posted by throes:
    I wasn't actually planning to restore anything.
    Awesome. It's good to be very clear about things like that. Especially when there are lines like "My plan is to install the backported kernel" in replies...


    Quote Originally Posted by throes:
    I use tripwire against every file on the system. Aside from the files added to /tmp nothing out of the ordinary has changed.
    Detecting changes depends on the state of the binary (MD5 or SHA1 hash or off site copy of the binary), any exclusions in your tripwire configuration and your update policy. As with all autonomous means of verifying integrity it's good to have a copy of the database archived off site for just this kind of situation.


    Quote Originally Posted by throes:
    Beyond what's outlined in the recovery procedure do you have any suggestions to add?
    No. It is all there. The problem with most items on the list is that you have to consciously reason for yourself why an item is important. Reading hardening tutorials wrt the system and those for configuring the AMP part of your LAMP machine could come in handy.
