[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Server Hacked

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Server Hacked
From: Warren Barrow <warren@xxxxxxxxx>
Date: Fri, 19 Aug 2005 14:00:34 -0400
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Fri, 19 Aug 2005 14:01:35 -0400
In-reply-to: <5c4c375e05081910123a86410a@mail.gmail.com>
References: <43057081.4080005@ocf.berkeley.edu> <20050819132417.GE28456@opium.palfrader.org> <4306109F.5000100@ocf.berkeley.edu> <5c4c375e05081910123a86410a@mail.gmail.com>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

I am almost certain that the system was compromised due to b2evolution (phpBB, too, if it uses xmlrpc). Many PHP applications are vulnerable due to issues within XML RPC, specifically http://<host>/xmlrpc.php .. There are readily available exploits available that will give the attacker a command line via this vector. With that said - if you configured Apache to run as a restricted user (ie: nobody), then the attacker would have only modified pages in which the restricted account had access to write.

There are mass autorooter worms traveling around that perform this automatically: successfully exploit, change all index.* pages, drop an IRC/DDos Daemon into a hidden (or not so hidden directory. hint: check /tmp for weird binaries and other files).

Run a find command to look for all modified files within the last N hours.

for all files owned by nobody and modified within the lat 24 hours ( N x 24)
find / -user nobody -mtime -1 -print

run this perl script to exploit yourself:
http://www.milw0rm.com/id.php?id=1084

Other reading:
http://phpxmlrpc.sourceforge.net/

-Warren


Matt Thorne wrote:

Personally I think that you would find alot of mostly related information at

Honeynet.org

under tools they have some programs that allow you to interrogate hacked comps.
The thing that might be most interesting is to look in the
"whitepapers" section and see how they respond to their hacked
computers. I realize that this isn't a how-to or a step by step, but I
am pretty certain that the information will be useful to you.

Good luck

-=Matt=-

Anyway, this is getting even more off-topic.

I'm still sort of surprised that this group of what I thought was fairly
skilled developers hasn't provided one link or suggestion on how best to
1) identify the vulnerability exploited on a hacked server or 2)
identify the likely perpetrator of a defacement. Searching around I find
lots about how to prevent hacks in the first place but very little
that's helpful in dealing with it once it's happened.

Brian

References:
- Server Hacked
  - From: Brian C
- Re: Server Hacked
  - From: Peter Palfrader
- Re: Server Hacked
  - From: Brian C
- Re: Server Hacked
  - From: Matt Thorne

Prev by Author: So TOR is NOT really anonoymous!?
Next by Author: Re: Google talk and other VoIP's
Previous by thread: Re: Server Hacked
Next by thread: Re: Server Hacked
Index(es):
- Author
- Thread