CentOS LAMP server with unidentified script causing server to port scan
I have a server set up with CentOS 5.5, Apache (latest as of last week) and MySQL 5.5 (latest as of last week).
The problem is my host (1and1) keeps disabling the server because it is port scanning... I have SELinux enabled, my iptables setup is chained together in such a way that it blocks IPs if they port scan my server and only allows through the ports required for hosted sites (http, mail etc.). I have turned off FTP for the time being to try and stop any files being changed by users before I fix this issue... I am reasonably sure that it is a script under one of the websites I have running on this server (turn off Apache and the server runs fine with no port scans out). From the logs I determined that the script is using libwww-perl to perform said scans, so I deleted libwww-perl from the server. The port scans are still happening... So, how can I detect the script (or scripts) that are causing this issue and thus stop it? Thank you in advance, and any other information you require, just shout :)
As for determining where the problem is coming from, how are you determining it is happening now? You also might look at the netstat -pane output when scanning is happening and see if anything shows up there. You could also disable all websites, start Apache and then bring them up one-by-one to determine which website is causing the issue. Of course you would want to run Apache with all websites disabled to see if Apache itself has been compromised.
Logs as follows...
Code:
***TCP INFORMATION*******************************************************
Timezone +0100 (CET)
Lines containing IP:xx.xx.xx.242 in /var/log/apache2/kikayfairy.net-combined.log
xx.xx.xx.242 - - [15/Jan/2011:04:32:51 +0100] "GET /2009/04/bye-waves//sources/functions.php?CONFIG[main_path]=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 151342 "-" "libwww-perl/5.805"
xx.xx.xx.242 - - [15/Jan/2011:04:32:51 +0100] "GET //sources/functions.php?CONFIG[main_path]=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 151342 "-" "libwww-perl/5.805"
xx.xx.xx.242 - - [15/Jan/2011:04:32:51 +0100] "GET /2009/04//sources/functions.php?CONFIG[main_path]=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 151342 "-" "libwww-perl/5.805"
***END TCP INFORMATION***************************************************
And
Code:
***TCP INFORMATION*******************************************************
LOG (GMT -3)
05:55:03.552957 IP 75.126.231.xx > 189.1.164.243: udp
05:55:03.553001 IP 75.126.231.xx > 189.1.164.243: udp
05:55:03.553015 IP 75.126.231.xx > 189.1.164.243: udp
05:55:03.553033 IP 213.193.213.xx.54760 > 189.1.164.243.bmc-jmx-port: UDP, length 8192
05:55:03.553047 IP 75.126.231.xx > 189.1.164.243: udp
05:55:03.553071 IP 75.126.231.xx > 189.1.164.243: udp
05:55:03.553100 IP 75.126.231.xx > 189.1.164.243: udp
05:55:03.553109 IP 75.127.70.xx > 189.1.164.243: udp
05:55:03.553123 IP 75.126.231.xx > 189.1.164.243: udp
www.FIRELAYER.com.br - DDoS Prevention
***END TCP INFORMATION***************************************************
I don't understand the second log as it's got no reference to my server at all... but they still disabled the server based on it...
The "script" does not portscan all the time, hence I believe everything has been fixed, then it starts 3 or 4 days later and they block the server again, therefore I don't have a chance to sit on the server at the time of the scan... Any ideas on tracking this down would be very useful... Thank you, Sam
For info...
I have just reimaged the server again and have email working fine. I also have MailScanner and MySQL running fine; however, Apache is turned off (disabled intentionally till I find out what's up) and everything is fine, no sign of anything untoward... However, I would really like to find out what the issue is before starting Apache again! I did have mod-security at one point but it didn't help... so I have not installed it this time round.
Have you tried grepping files for the target IP address? I can't imagine it would be hard coded, but you may have run into someone with lower skill levels.
I had a look at the CERT Checklist and still believe it is one or more scripts that have been injected/uploaded, and I am reasonably convinced that the base OS is not compromised but one or more scripts within the server... I've grepped the web logs and error logs but not found much yet.
In addition to what Hangdog42 wrote the "sources/functions.php?CONFIG[main_path]=" string is an exact match for CVE-2006-2487, a 2006 vulnerability in something called "ScozNews", allowing anyone to execute arbitrary PHP code. Other software might be using the same path and file names which does not say anything about it being or not being vulnerable. (Also note there isn't necessarily a server-side problem with libwww-perl as the remote client's User Agent string is set to "libwww-perl".)
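To pull requests of the kind quoted above out of an Apache combined log without waiting for the next abuse report, here is an added example (not code from anyone in this thread). It assumes the standard combined log format; LOGFILE is a parameter, and the sample lines it embeds are constructed from documentation IP ranges.

```shell
#!/bin/sh
# Find directory-traversal / LFI attempts (a "../" path reaching
# /proc/self/environ, or a %00 null-byte truncation) in a combined log,
# then summarise by client IP and by whether the server answered 200.

# Print matching requests as: ip status bytes request-path
lfi_requests() {
    grep -E '\.\./.*(/proc/self/environ|%00)' "$1" \
    | awk '{ print $1, $9, $10, $7 }'
}

# Count matching requests per client IP, most active first.
lfi_by_ip() {
    lfi_requests "$1" \
    | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Only the attempts answered with 200: check these first, since a 200
# means the targeted script ran and may have included attacker input.
lfi_successes() {
    lfi_requests "$1" | awk '$2 == 200'
}

# Constructed sample log (not from the thread), written to the file in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [15/Jan/2011:04:32:51 +0100] "GET /sources/functions.php?CONFIG[main_path]=../../../../proc/self/environ%00 HTTP/1.1" 200 151342 "-" "libwww-perl/5.805"
203.0.113.5 - - [15/Jan/2011:04:32:52 +0100] "GET /2009/04//sources/functions.php?CONFIG[main_path]=../../../../proc/self/environ%00 HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
198.51.100.9 - - [15/Jan/2011:05:10:00 +0100] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jan/2011:05:11:00 +0100] "GET /img.php?f=../../../../proc/self/environ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
EOF
}

# Usage: sh lfi-scan.sh /var/log/apache2/site-combined.log
if [ "$#" -ge 1 ]; then
    echo "== attempts per IP =="; lfi_by_ip "$1"
    echo "== attempts answered 200 =="; lfi_successes "$1"
fi
```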
If it is a local file and it was uploaded by a user then:
- the location may be the user's writable docroot, a generic upload directory or a temp dir (know where to search),
- MAC times, ownership and permissions might not match earlier or later uploaded files ('find' "-printf" args for modification and access time, access rights and ownership),
- the file name may be innocuous, it may have the wrong (image) extension, but 'file' may show it's an interpreted script or non-image binary (|xargs file),
- if the file was deleted after it was opened (rare), 'lsof -Pwln|grep dele' should show it.
Can you whip up the 'find' command line for that with this information?
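One way to turn that checklist into a script, as an added example rather than anything posted in the thread: it assumes GNU find (for -printf), takes the docroot and a look-back window as parameters, and checks image extensions against the file's magic bytes instead of relying on 'file' being installed.

```shell
#!/bin/sh
# Triage a web docroot: list recently modified/status-changed files with
# their MAC times, ownership and mode, and flag "images" whose leading
# bytes are not an image (a script renamed to photo.jpg, for instance).

# Files modified or status-changed within DAYS days, one per line:
# mtime  ctime  owner:group  mode  path
recent_files() {
    docroot=$1; days=${2:-7}
    find "$docroot" -type f \( -mtime "-$days" -o -ctime "-$days" \) \
        -printf '%TY-%Tm-%Td_%TH:%TM %CY-%Cm-%Cd_%CH:%CM %u:%g %m %p\n' \
    | sort
}

# Hex of a file's first 4 bytes (its magic number).
magic4() { head -c 4 "$1" | od -An -tx1 | tr -d ' \n'; }

# Magic prefix expected for a (lower-case) image extension.
expected_magic() {
    case "$1" in
        jpg|jpeg) echo ffd8ff ;;
        png)      echo 89504e47 ;;
        gif)      echo 474946 ;;
        *)        echo "" ;;
    esac
}

# Print files with an image extension whose content is not that image type.
fake_images() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.png' -o -iname '*.gif' \) -print \
    | while IFS= read -r f; do
        ext=$(printf '%s' "${f##*.}" | tr 'A-Z' 'a-z')
        want=$(expected_magic "$ext")
        have=$(magic4 "$f")
        case "$have" in
            "$want"*) ;;                 # magic matches extension: fine
            *) printf '%s\n' "$f" ;;     # report the mismatch
        esac
    done
}

# Usage: sh triage.sh /var/www [days]
if [ "$#" -ge 1 ]; then
    echo "== changed in last ${2:-7} days =="; recent_files "$1" "${2:-7}"
    echo "== image extension, non-image content =="; fake_images "$1"
fi
```

Feed the mismatch list to 'ls -l' or the 'lsof' check from the list above; a file whose mtime is recent but whose neighbours are months old is the one to read first.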
Most likely one of your hosted sites has an attack script triggered by loading a specific web page.
Since the queries originate from your server, there isn't anything in your own logs. (Unless you log outgoing connections too at the firewall level.) Have you already done a brute force search over the hosted site files for the string "sources/functions.php"? Code:
sudo sh -c "find /var/www -type f -print0 | xargs -0 grep -lF 'sources/functions.php'"
(Use -print0 for find and -0 for xargs to handle file names with whitespace.) The user agent string in the target server logs is trivial to fake; it may not have anything to do with perl. wget even has an option for this, -U. I'd say you need to look over all the files in the sites you host, and look for anomalies; do whatever you need to do to find the trigger page and/or the attack script. Grepping is a good start.
Nominal Animal
Do you still have a log of password changes made soon after the problems started? Talk to those who did. The scenario I'm thinking of is quite simple: At some point in the past, one of your users had their password compromised. Most likely she used the same password in their administrative duties and in their social networking sites. After getting notified that their account was one of the compromised ones, this user was probably a bit ashamed that they used the same password on multiple sites, and instead of telling you, just changed their password, and assumed the interval was too short for anybody to have gotten in. After nothing bad happened for a week or two, they forgot all about it. In the meantime, a mass DDoS specialist used the account details to drop a couple of attack tools in some quiet corner of the server, without making any other changes; simply to avoid detection. Most likely the scripts or their data files contain IP addresses to a number of other compromised servers, and the original attacker has had no direct access to your server since then. And the accesses that trigger the attacks come from other compromised servers, so there's nothing really obvious in your server logs. I don't want to get into much more detail, because I'm afraid of giving ideas to the wrong people. (Not you, of course; those that trawl this site and others looking for new ideas, and signs of their networks' being exposed. Those half-wit sweaty-crack flunkies really annoy me.)
Nominal Animal