Re: one of my servers has been compromized

[Lucio Crusca <lucio () sulweb org>]

Gage Bystrom wrote:

> Fortunately for him, since the bot was so easy to find in the first place
> and such a simple way of maintaining it, the box was clearly seized by
> someone who didn't give a rats ass about it. Probably a skiddie or an
> automated attack to begin with.

That makes me think the problem is more likely in VirtueMart/other common 
app original code as opposed to the custom pieces of code. Skiddies or 
automated attacks are not very likely to succeed with custom code, right? If 
so, I may speed up the process of finding vulnerable code by starting from 
the common apps changelogs.

> As for plugging any security holes, check your httpd error logs. If you
> noted down the time of the bot files creation date

I did and then I've found this highly suspicious log entry:

217.170.53.79 - - [03/Dec/2011:19:48:13 +0100] "POST 
/phpmyadmin/index.php?session_to_unset=123&token=42..._SESSION[!bla]=%7Cx...

which led me to this blog:

http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html

Now my phpmyadmin is version 3.3.2deb1 as packaged with Ubuntu 10.04.1. 

# cat /etc/issue
Ubuntu 10.04.1 LTS \n \l

# apt-cache policy phpmyadmin
phpmyadmin:
  Installed: 4:3.3.2-1
  Candidate: 4:3.3.2-1
  Version table:
 *** 4:3.3.2-1 0
        990 http://archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

Ubuntu 10.04.1 was released way before july 2011 (the date of the blog) and, 
since the package does not come from security repo, I can assume it's not 
been patched.

Two questions for experts:
1. (noob question) why the hell apt-cron did not update my system to 
10.04.3? (ok, don't waste time replying that, I'll check myself)
2. Do you think said phpmyadmin vulns are reasonable attack vectors in my 
case?

> If it comes down to being too much of a hassle to get all the obvious
> vulns at least then go to your boss, admit there is an issue 

Yes obviously that's already done (btw, I'm self employed and the php code 
came directly from my customer, no problem to admit).

> and that time
> needs to be taken to remove such legacy code as this could have been a far
> worse incident if it had been more targetted and the end goal wasn't a
> botnet. 

We plan to dismiss the current code in a few days (let the shop sell some 
christmas items before dismissing it).

For the time being, I configured crontab so that only root can execute it, 
protected phpmyadmin with http authentication and configured iptables so 
that the server cannot make outgoing connections. I'm applying other 
measures in the next few hours.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/