[SWLUG] Server exploited
James Edgeworth
diagmato at black0ps.com
Mon Aug 3 03:36:30 UTC 2009
Hi all,
I run a small Debian-based server which hosts just a personal page and
a couple of development versions of other sites (and svn, and motion
detection with webcams). It seems I made a big mistake in thinking it was
secure (against a common attack).
In Apache's document root, there was a .Aol.Checker directory with a
couple of JavaScript and HTML files, and GIF images. Looking in the Apache
logs, a couple of IPs had sent HTTP requests for various web
applications, hoping that register_globals was on (it was trying to set
the phpbb_root_path to the URL of a text file elsewhere that simply
displayed "vulnerable"). This should have failed, and I suspect it was
some mass-exploit attempt. None of the directories it was looking for
seem to have been found, register_globals is off, etc. Hopefully good so
far.
The biggest worry is that Aol directory. It was set to the permissions
of one of the users on the system who has the weakest password. At
least, I'd imagine it to be. SSH's port was open to allow me to remotely
administer the server if there are problems. I am trying to figure out
how the directory got there - I am guessing someone must have SSH'd in
with the 'weak' user mentioned before?
I have checked the router's log, and SSH comes up quite a few times from
a few IPs - one is one I know, the other couple I don't recognise. The
time seems to match Apache's access/error logs for when that Aol folder
was accessed. I do not know of a way to check login attempts over SSH.
So far I have not found anything else out of the ordinary, but it has
made me paranoid.
So far, in all:
- Checked the rest of the directories in the document root; can't see
anything I don't recognise.
- Looked at the bash history for root and my user (but the 'weak' user
doesn't seem to have a /home directory, and any files he was chown'ed to
seem to be gone - curious :-( )
- Ran updatedb, locate Aol; nothing comes up.
- Blocked the HTTP and SSH ports until things are properly administered.
- Changed all user passwords to some super-stupid-strict pass (different
for each user).
- Obviously removed the malicious files.
- Ran chkrootkit just for safety's sake.
Apache's log shows that someone navigated to the contents of that Aol
folder - I just hope it wasn't some victim. I also hope the domain
hasn't been blacklisted, or that the ISP isn't preparing a nasty letter
for tomorrow's mail.
Sorry for the long email - hoping someone has a few pointers/things to
check for in this case?
James
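Two of the questions in the post above (how to check SSH login attempts, and how to tell from the Apache log which requests were register_globals probes and who fetched the dropped directory) come down to reading two log files. On Debian, sshd writes its "Accepted ..." and "Failed ..." lines to /var/log/auth.log, and `last` / `lastlog` show successful logins from wtmp. The script below is an added example, not something from the original thread; it parses constructed sample lines in the real sshd and Apache combined-log formats. The IP addresses, hostnames, usernames and timestamps in the samples are made up for illustration, and the only value taken from the post is the .Aol.Checker directory name.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample /var/log/auth.log lines (format as written by OpenSSH sshd;
# hosts, users and addresses are invented for this example).
SAMPLE_AUTH_LOG = """\
Aug  2 21:14:02 srv sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Aug  2 21:14:05 srv sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Aug  2 21:14:09 srv sshd[4122]: Failed password for weakuser from 203.0.113.7 port 41030 ssh2
Aug  2 21:14:12 srv sshd[4122]: Accepted password for weakuser from 203.0.113.7 port 41030 ssh2
Aug  2 22:01:40 srv sshd[4310]: Accepted publickey for james from 198.51.100.4 port 50122 ssh2
"""

# Constructed sample Apache combined-format access log lines.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [02/Aug/2009:21:10:11 +0000] "GET /phpBB2/admin/admin_styles.php?phpbb_root_path=http://203.0.113.50/vuln.txt? HTTP/1.1" 404 291 "-" "Mozilla/4.0"
198.51.100.4 - - [02/Aug/2009:22:05:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Aug/2009:21:20:33 +0000] "GET /.Aol.Checker/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# sshd login result line: "Accepted|Failed <method> for [invalid user ]<user> from <ip>"
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Apache common/combined log prefix: client IP, timestamp, request line, status.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def summarize_ssh(lines):
    """Per source IP: number of failed and accepted logins and the usernames tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in lines:
        m = SSH_RE.search(line)
        if not m:
            continue  # not a login result line (session open/close, etc.)
        entry = summary[m["ip"]]
        entry["failed" if m["result"] == "Failed" else "accepted"] += 1
        entry["users"].add(m["user"])
    return dict(summary)


def suspicious_logins(summary):
    """IPs that failed at least once and then got in: the guessing-then-success pattern."""
    return sorted(ip for ip, e in summary.items() if e["failed"] and e["accepted"])


def remote_include_attempts(lines):
    """Requests whose query string sets a parameter to a remote URL, the classic
    register_globals / remote-file-inclusion probe (e.g. phpbb_root_path=http://...)."""
    hits = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m or "?" not in m["url"]:
            continue
        path, query = m["url"].split("?", 1)
        for param, value in parse_qsl(query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                hits.append((m["ip"], path, param, int(m["status"])))
    return hits


def hits_on_path(lines, prefix):
    """Set of client IPs that requested anything under the given path prefix."""
    return {
        m["ip"]
        for m in map(APACHE_RE.match, lines)
        if m and m["url"].startswith(prefix)
    }


if __name__ == "__main__":
    ssh = summarize_ssh(SAMPLE_AUTH_LOG.splitlines())
    for ip, e in ssh.items():
        print(f"{ip}: {e['failed']} failed, {e['accepted']} accepted, users={sorted(e['users'])}")
    print("brute-force-then-success from:", suspicious_logins(ssh))
    print("RFI probes:", remote_include_attempts(SAMPLE_ACCESS_LOG.splitlines()))
    print("fetched dropped dir:", hits_on_path(SAMPLE_ACCESS_LOG.splitlines(), "/.Aol.Checker"))
```

Run it against the real files by replacing the sample strings with `open("/var/log/auth.log")` and `open("/var/log/apache2/access.log")`. On a live system the probes are usually answered with 404 (as in the post, where the targeted applications were not installed), so the status column is the quick way to separate noise from a probe that actually reached a script; the SSH summary answers the "which IP logged in as the weak user, and did it guess first" question directly.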