Re: [Full-disclosure] one of my servers has been compromized



John,

All good thoughts but can we show the server was rooted?

In otherwords; instead of an attacker getting root and then adding this to a botnet this way is it not more likely that the original attack added the server in one step to avoid the need to do this?

Attackers, from my experience, don't need to worry about rooting when they can find a vuln, exploit and add to a botnet- they don't need to be able to SSH in, nor do they need a shell; the IRC channel takes care of all they need.

Additionally suppose we're looking at your old fashioned shellcode payload- probably a fair assumption. What happens if this is not using bash, perhaps sh isn't pointing to bash, suppose even csh or zsh.

Lets also not forget without a proper disassembly of the server pma is only a likely vector.

In this case I tend to suggest that OP takes a stab at the time of compromise to get a backup that can be trusted, takes a new hard drive, restore from backup and upgrade everything that can be possibly upgraded (and so on- the same repair stuff we all do in our sleep; nothing new) and uses the old data to go through the logs, go through the dumped data from memory, assuming fmem and understanding of /proc/iomem



On 5 Dec 2011, at 17:20, John Jacobs wrote:


For future reference, and for the benefit of people searching for
solutions to similar problems: You've made the most common rookie
mistake. You have already trashed potentially critical information
about the attack by trying to clean up the server first. Don't do
that.

Tim, while I do believe there is some truth in what you are saying here, I respectfully disagree in that this tends to be a run-of-the-mill IRC bot as evidenced by the Undernet advisory. This looks like a skiddie-de-jour attack against PHPMyAdmin and nothing to be concerned with regarding cloning disk images and full forensics. I do respect your input and thoughts though for a more targeted attack; not an IRC bot in /tmp.

That being said, I strongly believe in preserving bash_history as well as vital log data. It's best/wise to ship this off to a separate Syslog server. If you're paranoid turn up stunnel between the devices. For example and as evidenced by many of the documented attacks here purging of bash_history is common ala 'history -c' after fun. To thwart this I like the idea of logging to syslog often, ensure permissions are strict for the syslog messages, and shipping the syslog data off to a separate box. I like to:

1) Generate an E-Mail alert when someone logs in, by adjusting /etc/bash.bashrc (or similar based on distribution) to:

#Email alert for login
echo -e "Subject: Login from $(/usr/bin/whoami) on $(/bin/hostname) at $(/bin/date)\n\n$(/usr/bin/last -ian 10)\n"|/usr/sbin/sendmail recipient@xxxxxxxxxxx

2) Preserve, via Syslog, commands executed at the prompt, by adjusting /etc/profile. Adjust /etc/syslog.conf or /etc/rsyslog.conf to forward these syslog messages off-box to another asset. If you're paranoid use stunnel.

export PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo "$$ $USER $(history 1)"|/usr/bin/logger -p user.alert -t bash_history'
readonly PROMPT_COMMAND

3) Preserve bash_history by adjusting /etc/profile:

#Secure the Bash History
export HISTSIZE=1500
export HISTCONTROL=''
export HISTIGNORE=''
export HISTTIMEFORMAT='%F %T '
readonly HISTFILE
readonly HISTFILESIZE
readonly HISTSIZE
readonly HISTCONTROL
readonly HISTIGNORE
readonly HISTTIMEFORMAT

4) Optionally use chattr to set ~/.bash_history to append-only:

#Secure .bash_history (poke fun of the while subshell if you wish)
/usr/bin/find / -maxdepth 3|/bin/grep -i bash_history|while read line; do /usr/bin/chattr +a "$line"; done

5) Use of an IP Recorder, something like daemonlogger, in ring-buffer mode, as a way to record all ingress/egress traffic using a percentage of the disk. See http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html

I am eager to hear any additional thoughts or methods for security information such as this.

Thanks,
John






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • [NT] Web Browsers Vulnerable to the Extended HTML Form Attack
    ... inject HTML scripts, which makes use of the same method described in the ... The Original HTML form attack: ... server 7 open ...
    (Securiteam)
  • [UNIX] DoS Attack Against FreeRADIUS (Other RADIUS Servers Affected)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... to create a high-performance and highly configurable GPL'd RADIUS server. ... program with failed requests causing a denial of service attack. ... Access-Request to the RADIUS server, ...
    (Securiteam)
  • Re: I was hacked
    ... > I have a Windows 2000 server that is current w/ the latest patches from MS. ... > It is running an IIS server that is configured w/ Microsoft's URLScan tool. ... > It is also running Terminal Services w/ 128 bit encryption turned on. ... > the first visible process of the attack. ...
    (alt.computer.security)
  • Re: I was hacked
    ... > I have a Windows 2000 server that is current w/ the latest patches from MS. ... > It is running an IIS server that is configured w/ Microsoft's URLScan tool. ... > It is also running Terminal Services w/ 128 bit encryption turned on. ... > the first visible process of the attack. ...
    (microsoft.public.inetserver.iis.security)
  • Re: I was hacked
    ... I saw no successes in your IIS Log. ... > It is running an IIS server that is configured w/ Microsoft's URLScan ... > It is also running Terminal Services w/ 128 bit encryption turned on. ... > the first visible process of the attack. ...
    (alt.computer.security)