Backdoors, shells the works from a hacked server

News

#1 Vangel (Administrator, 208 posts)

As you may or may not know, Hetzner was recently reported in some large-scale DDoS attacks where it was the source.

I have two servers at Hetzner. One of them I no longer maintain at all and it is basically for testing purposes.

So here I probably had some old open source software which allows file uploads, and a particularly badly configured /tmp directory (it still allowed executables).

So it was eventually compromised and shells installed. Interestingly, it was never possible to exploit until Shellshock.

This is what I found in my uploads temp directory. Fake "su":

root@DE3000 /tmp # md5sum .b/su
a739bbec6fde0e1fb5192212c830c148  .b/su

Possibly the real "su":

root@DE3000 /tmp # md5sum /bin/su
9c7c172d0f34bf9996a3f8ef173d97b2  /bin/su

When was this compromised? Oh, a long time ago apparently :lol:

root@DE3000 / # ls -ls /tmp/.b/
total 1.5M
   0 -rw-r--r-- 1 apache apache    0 Oct 25 18:02 13.89.pscan.22
1.4M -rwxr-xr-x 1 apache apache 1.4M Jun  6  2005 brute
84K -rwxr-xr-x 1 apache apache  80K Oct 17 19:09 pass.txt
4.0K -rwxr-xr-x 1 apache apache  148 Oct 17 19:12 print
16K -rwxr-xr-x 1 apache apache  16K Aug 13  2012 ps
4.0K -rwxr-xr-x 1 apache apache 1.2K Mar 14  2013 rand
4.0K -rwxr-xr-x 1 apache apache  552 Oct 17 18:59 su

All the fake executables have a system-type name to hide among regular processes. But it wasn't hard to find once I was informed of the exploit.

I saw an apache process running "./ps", which basically sends a SYN flood to the target network.

What a waste.

Attaching the fun files for you to play around with. You can see that the attacker even uploaded a nice brute-force file.

The fix: just disabled all the apache-hosted apps that I no longer used.

Added iptables rules to prevent outgoing traffic from a certain IP. Due to my setup with several public IPs, it uniquely binds to one IP by default when sending outgoing requests, which is a separate interface. The malware runs in its own space, so it does not use the IP of apache but that of the system default.

Attached Files

  • Attached File  b.tar.gz   621.58KB   0 downloads
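The two checks the post does by hand (listing a hidden directory of apache-owned tools under /tmp, and comparing the md5sum of the dropped "su" against the real one) can be scripted so the same hunt runs over a whole /tmp in one go. The script below is an added example, not code from the original post or from the attached b.tar.gz. It builds its own throwaway fixture: a stand-in bin directory with pretend "real" su and ps, and a tmp/.b holding constructed fake su, ps and brute files plus a wordlist, so nothing here is the actual malware and it is safe to run anywhere. The function names scan_dir, running_from and make_fixture are this example's own.

```sh
#!/bin/sh
# Added example, not code from the original post. It reproduces the author's
# two checks (a hidden dir of attacker tools under /tmp, and a fake "su"/"ps"
# whose md5sum differs from the real one) as a small scanner. All paths,
# names and file contents below are constructed fixtures, not the real tools.

# scan_dir DIR [REF_PATH]
# For every executable file under DIR (hidden dirs such as /tmp/.b included):
#  - if a binary of the same name exists on REF_PATH (default: the usual
#    system dirs), print "<file> SHADOWS <real> md5:<x> real:<y>", so a
#    dropped "su" or "ps" shows up next to the genuine one with both sums;
#  - otherwise print "<file> EXEC owner=<user>" (tools like "brute").
scan_dir() {
    dir=$1
    ref_path=${2:-/bin:/usr/bin:/sbin:/usr/sbin}
    find "$dir" -type f -perm -100 2>/dev/null | while read -r f; do
        name=$(basename "$f")
        real=""
        old_ifs=$IFS
        IFS=:
        for d in $ref_path; do
            if [ -x "$d/$name" ] && [ "$d/$name" != "$f" ]; then
                real=$d/$name
                break
            fi
        done
        IFS=$old_ifs
        if [ -n "$real" ]; then
            fake_sum=$(md5sum "$f" | cut -d' ' -f1)
            real_sum=$(md5sum "$real" | cut -d' ' -f1)
            printf '%s SHADOWS %s md5:%s real:%s\n' "$f" "$real" "$fake_sum" "$real_sum"
        else
            owner=$(ls -ld "$f" | awk '{print $3}')
            printf '%s EXEC owner=%s\n' "$f" "$owner"
        fi
    done
}

# running_from DIR: PIDs whose cwd or exe lives under DIR (Linux /proc only).
# This is how the "apache running ./ps" case shows up: cwd /tmp/.b, exe .../ps.
# Processes you may not inspect are silently skipped.
running_from() {
    for p in /proc/[0-9]*; do
        cwd=$(readlink "$p/cwd" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || exe=?
        hit=0
        case "$cwd" in "$1"*) hit=1 ;; esac
        case "$exe" in "$1"*) hit=1 ;; esac
        if [ "$hit" -eq 1 ]; then
            printf '%s cwd=%s exe=%s\n' "${p#/proc/}" "$cwd" "$exe"
        fi
    done
    return 0
}

# make_fixture: build a throwaway tree that mimics the author's find:
# <work>/bin holds stand-ins for the real su/ps, <work>/tmp/.b the dropped
# files (fake su and ps, a "brute" tool, a wordlist). Prints <work>.
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/bin" "$work/tmp/.b"
    printf '#!/bin/sh\necho genuine su\n' > "$work/bin/su"
    printf '#!/bin/sh\necho genuine ps\n' > "$work/bin/ps"
    printf '#!/bin/sh\n# constructed stand-in for a trojaned su\n' > "$work/tmp/.b/su"
    printf '#!/bin/sh\n# constructed stand-in for the flooder named ps\n' > "$work/tmp/.b/ps"
    printf '#!/bin/sh\n# constructed stand-in for the brute-force tool\n' > "$work/tmp/.b/brute"
    printf 'root:toor\nadmin:admin\n' > "$work/tmp/.b/pass.txt"   # data, not executable
    chmod 755 "$work/bin/su" "$work/bin/ps" \
              "$work/tmp/.b/su" "$work/tmp/.b/ps" "$work/tmp/.b/brute"
    printf '%s\n' "$work"
}

# Demo run on the fixture (safe anywhere). Against a live box you would run:
#   scan_dir /tmp; running_from /tmp
W=$(make_fixture)
scan_dir "$W/tmp" "$W/bin"
rm -rf "$W"
```

On the fixture the demo prints two SHADOWS lines (the fake su and ps next to their stand-in originals, with differing md5sums) and one EXEC line for brute; pass.txt is data and is not listed. On a real host, run scan_dir against /tmp with the default reference path and treat any SHADOWS line whose two sums differ, or any EXEC line owned by the web server user, as something to look at.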