Apache compromised?


jme
03-21-2005, 10:35 AM
On the apache server that I run I also host a few phpBB forums and I think that an exploit has allowed a worm to access all my files in the web root.

I host about 12 sites on the server and every index.php file has been altered from what it should be to:


SPYKIDS GROUP 2005

WHERE DO YOU KEEP YOUR RACISM?
Racism in the 21st century?

Since the abolition of slavery we have sought the end of racism, a society with no distinction or discrimination between people based on ethnicity, but what do you think of the quota system for black people at universities? Don't you think that by adopting it an act of racism is being committed? Because asking for a quota starts from the premise that they are inferior to others for being black? In other words, in this modern world we live in, is there any greater act of racism than the adoption of quota systems?

And so that first question comes back to us: and you, WHERE DO YOU KEEP YOUR RACISM?

insecurity@clubedolinux.com.br

Forever...

We fight for a better world...

UNITY IS STRENGTH. THANKS TO THE GROUPS: #H4ck3rsBr , #SimienS , #Priv8Crew , #SPYKIDS

/server irc.gigachat.net


I have pulled the plug on the server so that it can't make any network connections at the moment, but I don't know what is the best course of action to take.

I have complete backups of all of /var/www and the databases from before this happened, so getting everything back to its original state will not be too much of a problem. But I want to know if I need to do a fresh install, or how do I check to make sure that whatever caused this is off my server.

I am running Debian if that makes any difference.

Here is a copy of ps -aux


USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.0 1492 512 ? S 14:32 0:02 init [2]
root 2 0.0 0.0 0 0 ? SW 14:32 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SWN 14:32 0:00 [ksoftirqd_CPU0]
root 4 0.0 0.0 0 0 ? SW 14:32 0:00 [kswapd]
root 5 0.0 0.0 0 0 ? SW 14:32 0:00 [bdflush]
root 6 0.0 0.0 0 0 ? SW 14:32 0:00 [kupdated]
root 103 0.0 0.0 0 0 ? SW 14:32 0:00 [kjournald]
root 240 0.0 0.0 0 0 ? SW 14:33 0:00 [kjournald]
root 241 0.0 0.0 0 0 ? SW 14:33 0:00 [kjournald]
root 401 0.0 0.0 0 0 ? SW 14:33 0:00 [khubd]
daemon 552 0.0 0.0 1608 440 ? S 14:33 0:00 /sbin/portmap
root 644 0.0 0.1 2240 804 ? S 14:33 0:00 /sbin/syslogd
root 648 0.0 0.2 2168 1328 ? S 14:33 0:00 /sbin/klogd
Debian-e 682 0.0 0.2 4224 1608 ? S 14:33 0:00 /usr/sbin/exim4 -
root 687 0.0 0.1 2220 724 ? S 14:33 0:00 /usr/sbin/inetd
lp 692 0.0 0.1 2452 860 ? S 14:33 0:00 /usr/sbin/lpd -s
root 704 0.0 0.1 2496 1236 ? S 14:33 0:00 /bin/sh /usr/bin/
mysql 740 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
root 741 0.0 0.0 1476 488 ? S 14:33 0:00 logger -p daemon.
mysql 742 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 743 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 744 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 745 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 746 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 749 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 750 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 751 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 752 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 753 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
root 776 0.0 0.2 3720 1536 ? S 14:33 0:00 /usr/sbin/sshd
root 784 0.0 0.9 9380 6384 ? S 14:33 0:00 /usr/bin/perl /us
root 785 0.0 0.6 6748 4468 ? S 14:33 0:00 /usr/bin/python2.
zope 786 1.9 4.2 30016 27576 ? S 14:33 0:21 /usr/bin/python2.
root 790 0.0 0.1 2368 920 ? S 14:33 0:00 /sbin/rpc.statd
daemon 803 0.0 0.0 1672 628 ? S 14:33 0:00 /usr/sbin/atd
root 806 0.0 0.1 1756 808 ? S 14:33 0:00 /usr/sbin/cron
root 819 0.0 0.1 2484 1196 ? S 14:33 0:00 /bin/sh /command/
root 821 0.0 0.0 1484 476 tty1 S 14:33 0:00 /sbin/getty 38400
root 822 0.0 0.0 1484 476 tty2 S 14:33 0:00 /sbin/getty 38400
root 826 0.0 0.0 1484 476 tty3 S 14:33 0:00 /sbin/getty 38400
root 828 0.0 0.0 1484 476 tty4 S 14:33 0:00 /sbin/getty 38400
root 829 0.0 0.0 1484 476 tty5 S 14:33 0:00 /sbin/getty 38400
root 830 0.0 0.0 1484 476 tty6 S 14:33 0:00 /sbin/getty 38400
root 837 0.0 0.0 1504 324 ? S 14:33 0:00 svscan /service
root 838 0.0 0.0 1336 244 ? S 14:33 0:00 readproctitle ser
root 839 0.0 0.0 1348 280 ? S 14:33 0:00 supervise qmail-s
root 840 0.0 0.0 1348 280 ? S 14:33 0:00 supervise log
root 841 0.0 0.0 1348 280 ? S 14:33 0:00 supervise qmail-s
root 842 0.0 0.0 1348 280 ? S 14:33 0:00 supervise log
root 843 0.0 0.0 1348 280 ? S 14:33 0:00 supervise qmail-p
root 844 0.0 0.0 1348 280 ? S 14:33 0:00 supervise log
qmails 845 0.0 0.0 1520 472 ? S 14:33 0:00 qmail-send
qmaill 846 0.0 0.0 1356 288 ? S 14:33 0:00 multilog t s10000
qmaill 848 0.0 0.0 1484 344 ? S 14:33 0:00 multilog t s10000
root 849 0.0 0.0 1372 284 ? S 14:33 0:00 tcpserver -H -R -
qmaill 850 0.0 0.0 1356 288 ? S 14:33 0:00 multilog t s10000
root 856 0.0 0.0 1484 312 ? S 14:33 0:00 qmail-lspawn ./Ma
qmailr 857 0.0 0.0 1480 340 ? S 14:33 0:00 qmail-rspawn
qmailq 858 0.0 0.0 1472 312 ? S 14:33 0:00 qmail-clean
root 1285 0.0 0.3 7176 2164 ? S 14:35 0:00 sshd: jme [priv]
root 1287 0.0 0.3 7176 2164 ? S 14:35 0:00 sshd: jme [priv]
jme 1299 0.0 0.3 7352 2276 ? S 14:35 0:00 sshd: jme@pts/0
jme 1306 0.0 0.2 3016 1680 pts/0 S 14:35 0:00 -bash
root 2270 0.0 0.2 3020 1680 pts/0 S 14:38 0:00 bash
root 3617 0.0 0.1 2056 700 pts/0 T 14:42 0:00 more
root 4669 0.0 0.9 12836 6220 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4670 0.0 1.0 12968 6540 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4671 0.0 0.9 12836 6324 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4672 0.0 1.0 12968 6504 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4673 0.0 1.0 12968 6540 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4674 0.0 1.1 13644 7528 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4695 0.0 0.9 12836 6324 pts/0 S 14:46 0:00 /usr/sbin/apache
root 6254 0.0 0.0 0 0 ? Z 14:51 0:00 [tcpserver <defun
root 6259 0.0 0.2 3400 1368 pts/0 R 14:51 0:00 ps aux


If there's anything else you need just shout!

Many thanks.

Jamie

ph34r
03-21-2005, 10:46 AM
If there is any doubt, do a fresh install.

Jata
03-21-2005, 10:48 AM
I am no expert but every thread I have read on such matters recommends you do a fresh install as there is no way to be sure what has been tampered with and as such no way to guarantee the machine is secure. Btw is there anything suspicious in the logs?

je_fro
03-21-2005, 10:51 AM
re-install.
A google search with terms "SPYKIDS GROUP 2005" turned up all kinds of goodies. Looks like it was a PHP vulnerability.

jme
03-21-2005, 10:53 AM
From what I've read it seems to be a vulnerability in phpBB!

Fresh install it is then! Oh well there goes my afternoon! ;)

Thanks guys.

thaddaeus
03-21-2005, 01:53 PM
Make sure to chmod all those files to be only readable or executable by yourself and Apache; this will help to ensure that no one may easily do this in the future. Do you run ftp or any other such things (ssh, telnet and so forth)? That could also have been where they gained access to your machine. But nonetheless change the file permissions: Apache and you only need access to it, others access it through Apache.
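The permission tightening suggested above, as an added example that is not part of the thread: a small POSIX shell script that sets a web root to 750 for directories and 640 for files (owner can edit, Apache's group can read, everyone else gets nothing) and then counts what is still open to "other". It assumes the tree is already owned by your own user and the www-data group (chown needs root and is left as a separate step); the function names and the demo tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): lock a web root down so only its owner and
# Apache's group can read it, then confirm nothing is left open to "other".
# Assumes the tree is already owned by youruser:www-data; function names are ours.

set -u

# Directories become rwxr-x--- (750), files rw-r----- (640): the owner can edit,
# the www-data group (Apache) can read and traverse, everyone else gets nothing.
harden_webroot() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Count files and directories under $1 that "other" can still read, write or
# enter; a hardened tree should report 0.
count_world_accessible() {
    find "$1" \( -type f -o -type d \) \
         \( -perm -o=r -o -perm -o=w -o -perm -o=x \) | wc -l | tr -d ' '
}

# Constructed demo tree with the kind of sloppy permissions that let any local
# user, or a process running as www-data, read and even overwrite index.php.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/forum/images"
printf '<?php include "common.php"; ?>\n' > "$DEMO_ROOT/forum/index.php"
printf 'PNG\n' > "$DEMO_ROOT/forum/images/logo.png"
chmod 777 "$DEMO_ROOT/forum/images"
chmod 666 "$DEMO_ROOT/forum/index.php"

echo "world-accessible entries before: $(count_world_accessible "$DEMO_ROOT")"
harden_webroot "$DEMO_ROOT"
echo "world-accessible entries after:  $(count_world_accessible "$DEMO_ROOT")"
# Real use: chown -R youruser:www-data /var/www && harden_webroot /var/www
```

Note that phpBB needs a few directories it can write to (cache, avatar uploads); give those 770/660 individually rather than loosening the whole tree, so that a hole in the PHP application cannot rewrite every site's index.php the way it did here.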

Admstng
03-21-2005, 04:48 PM
I was on a channel last night and some guy was bragging how many phpbb forums he hacked, he threw the links up and he really did get into all of them... seems like many ppl are getting hacked lately with PHPbb forums?? lol, and I find this out right when I installed them on my new/updated site!!

bwkaz
03-21-2005, 07:42 PM
Yes, there have been TONS of phpBB exploits recently. ;)

If you're running PHP on a public web server (actually, if you run any public server...), make sure you follow either your distro's security list (if they have one) or a couple of other security sites.

My favorites are the diaries at http://isc.sans.org/ and the "recent vulnerabilities" lists each day at http://secunia.com/. The isc.sans.org site has been talking about the phpBB exploits once in a while recently.

nikodell
03-21-2005, 10:45 PM
Looks like a problem with privileges may have gotten you into trouble


http://www.securitytracker.com/alerts/2005/Mar/1013411.html

Gertrude
03-22-2005, 05:24 AM
If you're not sure whether you should reinstall or clean the system up, reinstalling would be the best option. Without having a host-based IDS system like tripwire, AIDE etc. running, or knowing for certain what has been modified/replaced, I would have a hard time trusting it in any kind of production environment.

As others have said, phpbb has had a few nasty bugs show up in the past few months. I have snort running on a small server of mine that has phpbb on it, and I have seen what look to be mostly automated scripts trying to exploit it almost daily. There are some worms that are using google and other search engines to search for sites hosting vulnerable versions of phpbb, and then attempt to compromise the host, and I'm guessing in your case just post some crap in your root directory to say "Hey look what our kr3w did!!!@1111!!", and then try to replicate itself to other systems.
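What a host-based integrity checker like tripwire or AIDE buys you is exactly the "knowing for certain what has been modified" that the reply above asks for. As an added example that is not part of the thread, here is a minimal version of the idea in POSIX shell: snapshot SHA-256 hashes of every file under a web root while the system is known-good, then diff a fresh snapshot against that baseline and list each modified, added or removed file. It assumes `sha256sum` (GNU coreutils, present on Debian) and `awk`; the function names and the demo tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal host-based integrity check in the
# spirit of tripwire/AIDE. Function names are ours; requires sha256sum and awk.

set -u

# Print "hash  path" for every regular file under $1, sorted by path.
snapshot_tree() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "$f"
    done
}

# Compare a stored baseline file ($1) to a fresh snapshot of the tree at $2.
# Prints one line per change: MODIFIED / ADDED / REMOVED followed by the path.
# Silent output means the tree matches the baseline exactly.
integrity_check() {
    baseline=$1
    root=$2
    current=$(mktemp)
    snapshot_tree "$root" > "$current"
    awk '
        # Split each line into hash (h) and path (p); paths may contain spaces.
        { h = $1; p = $0; sub(/^[^ ]+  /, "", p) }
        FILENAME == ARGV[1] { old[p] = h; next }
        {
            if (!(p in old))      print "ADDED    " p
            else if (old[p] != h) print "MODIFIED " p
            seen[p] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$baseline" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Constructed demo: two virtual hosts, baselined while clean.
DEMO_ROOT=$(mktemp -d)
BASELINE=$(mktemp)
mkdir -p "$DEMO_ROOT/site1" "$DEMO_ROOT/site2"
printf '<?php include "forum.php"; ?>\n' > "$DEMO_ROOT/site1/index.php"
printf '<?php include "forum.php"; ?>\n' > "$DEMO_ROOT/site2/index.php"
printf '<?php $dbpass = "x"; ?>\n'       > "$DEMO_ROOT/site1/config.php"
snapshot_tree "$DEMO_ROOT" > "$BASELINE"   # store this somewhere the web server cannot write

# Simulate what the thread describes: every index.php overwritten, plus a
# dropped file and a deleted one, then run the check.
printf 'defaced\n' > "$DEMO_ROOT/site1/index.php"
printf 'defaced\n' > "$DEMO_ROOT/site2/index.php"
printf 'x\n'       > "$DEMO_ROOT/site2/dropped.php"
rm "$DEMO_ROOT/site1/config.php"

integrity_check "$BASELINE" "$DEMO_ROOT"
```

Run from cron against a baseline kept off the box (or on read-only media) and mailed out on any non-empty output, this would have flagged the twelve rewritten index.php files the moment they changed; the real tools add file metadata, signed databases and a much larger file set, but the comparison is the same.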

jme
03-22-2005, 02:09 PM
Thanks for all your replies - I did in the end opt for a reinstall of Debian - always better to err on the side of caution when it comes to this - and as it's been said before I doubt that I'd be able to trust the system fully since I didn't have any record of what had actually happened.

As for an IDS would this have to be installed on the same machine as the webserver or could I run it through another machine on my network instead so that it would be able to record all activity to the different servers?? As I do run SmoothWall and I believe that Snort is included in this.

Jamie

Gertrude
03-22-2005, 03:28 PM
Originally posted by jme

As for an IDS would this have to be installed on the same machine as the webserver or could I run it through another machine on my network instead so that it would be able to record all activity to the different servers?? As I do run SmoothWall and I believe that Snort is included in this.

Jamie

You can have it on another machine as long as it is able to see the traffic going to the computer you want to monitor. In order to put the NIDS sensor on another host you will either need to add, or be using, a hub, as they send all traffic to all ports. If you have a switch you will need to be able to put one of the ports into a monitor/spanning mode where traffic is sent to the port where you have the NIDS sensor placed. You can also put Snort on your Smoothwall box if all traffic is going through that.

azambuja
03-22-2005, 08:15 PM
These kiddies... make me ashamed of being Brazilian...
btw wasn't phpBB always a major exploiting target?

good luck