Hi,
I have a Linux shared hosting server, and for a couple of days I have been facing a serious issue regarding Dark Mailer or some .cgi scripts like (dark.cgi, dm.cgi, coms.cgi, mrm.cgi). I am also using mod_security 2.0 + WHM to prevent this type of problem, so can anyone tell me the best solution to block these types of attacks through mod_security, and how to create a rule specific to the attacker's "(dark.cgi, dm.cgi, coms.cgi, mrm.cgi)" scripts? Please do the needful and let me know the best solution.

**************************************************
Time: Sun Jun 28 10:13:48 2009 +0530
PID: 30951
Account: hebbali
Uptime: 25705 seconds
Executable: /usr/bin/perl
Command Line (often faked in exploits): /usr/bin/perl dark.cgi
Network connections by the process (if any):
tcp: 144.38.110.14:58427 -> 210.8.231.6:25
Files open by the process (if any):
/dev/null
/home/hebbali/public_html/truck/sys/.pureftpd-rename.23258.7342c161 (deleted)
/home/hebbali/public_html/truck/sys/.pureftpd-rename.23258.7342c161 (deleted)
/tmp/ZCUD4Fyc93 (deleted)
Memory maps by the process (if any):
**************************************************
They can be coming from insecure scripts or weak passwords. You will need to check your logs for details.
Hello,
please read: http://forums.cpanel.net/f7/iframe-j...cks-62821.html
I minimized the problem by blocking FTP access to certain IPs.
Konrath
Quote:
Unfortunately that issue really has little to nothing to do with FTP, and limiting the IPs allowed to connect by FTP really won't do much good in this case, as the methods the hackers use to get the client login information also allow them to proxy off the client's own home ISP connections as well; so short of banning your own clients from logging in entirely, it won't do much good. (I posted a few times already. However, a few basic details below ...)

The current "iframe" added to index files and scripts uploaded attack is done via a client compromise and not from the server, so there is very little you can do from a server perspective, as the attack isn't at your server. We've been tracking the group behind this attack first-hand for a while now at my network security consulting firm. The group behind the attack is based out of China and, in a nutshell, is using a set of trojans and custom-designed keyloggers to capture client passwords from their own infected computers at home, then using that same information to directly log in to the client's web hosting and bank accounts and wreak more havoc by updating index files to call uploaded spam scripts with the user's permissions and making transfers from the victim's bank accounts.

Some good news is that these hackers are limited to the permissions of the client whose login details they captured from the client's computer at home, which limits what they can do if your server is properly secured, as it should already be. In addition, since the upload process seems to be consistent and apparently fully automated, it's very easy to set up activity scanning and cron processes to watch and block this activity. The same goes for setting up mod_security rules and firewall traps too.

For any client who has been compromised at home, their passwords should be changed immediately (or better, their account suspended). Until their home computers are scanned and disinfected, the client probably should not be given the new password, as the new password will just be captured by the hackers as well as soon as the client tries to log in from their infected home computer.

My Server Expert: Server support, security, and management!
Last edited by Spiral; 06-29-2009 at 11:22 PM.
Hello Spiral,
all sites were invaded by IPs that are not from my country. LAST INVASION (TODAY). THESE IPs ARE FROM OUTSIDE MY COUNTRY. NOW THEY ARE BLOCKED!!

Jun 28 09:39:02 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//test.pl uploaded (2973 bytes, 11.18KB/sec)
Jun 28 09:39:05 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] Deleted test.pl
Jun 28 09:39:07 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/56viagra.txt uploaded (25502 bytes, 45.45KB/sec)
Jun 28 09:39:09 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/dm.cgi uploaded (74366 bytes, 89.47KB/sec)
Jun 28 09:39:09 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/from.txt uploaded (3169 bytes, 11.88KB/sec)
Jun 28 09:39:10 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/mkrv.txt uploaded (33533 bytes, 47.78KB/sec)
Jun 28 09:39:11 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/replyto.txt uploaded (3169 bytes, 11.89KB/sec)
Jun 28 09:39:12 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/v2letter.txt uploaded (10 bytes, 0.08KB/sec)
Jun 28 09:39:12 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/v2msg.html uploaded (131 bytes, 0.99KB/sec)
Jun 28 09:39:13 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/v2subject.txt uploaded (22634 bytes, 40.70KB/sec)
Jun 28 09:39:58 server pure-ftpd: (amananci@62.141.36.134) [INFO] Logout.
Jun 28 09:48:12 server pure-ftpd: (?@75.144.194.185) [INFO] amananci is now logged in
Jun 28 09:48:13 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//test.pl uploaded (2973 bytes, 17.72KB/sec)
Jun 28 09:48:15 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] Deleted test.pl
Jun 28 09:48:15 server pure-ftpd: (amananci@75.144.194.185) [INFO] Logout.
Jun 28 10:04:51 server pure-ftpd: (?@75.144.194.185) [INFO] amananci is now logged in
Jun 28 10:04:54 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//test.pl uploaded (2973 bytes, 4.99KB/sec)
Jun 28 10:05:11 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] Deleted test.pl
Jun 28 10:05:24 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/1.txt uploaded (14677 bytes, 3.16KB/sec)
Jun 28 10:05:26 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/2.txt uploaded (3297 bytes, 4.32KB/sec)
Jun 28 10:05:29 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/config.txt uploaded (295 bytes, 0.68KB/sec)
Jun 28 10:05:41 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/dark.cgi uploaded (74627 bytes, 7.64KB/sec)
Jun 28 10:05:46 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/from.txt uploaded (7264 bytes, 11.53KB/sec)
Jun 28 10:05:48 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/letlet.txt uploaded (8 bytes, 0.02KB/sec)
Jun 28 10:05:49 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/mes.html uploaded (605 bytes, 1.90KB/sec)
Jun 28 10:06:05 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/sites3.txt uploaded (88627 bytes, 5.78KB/sec)
Jun 28 10:06:07 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/subjlist.txt uploaded (8310 bytes, 10.83KB/sec)
Jun 28 10:09:51 server pure-ftpd: (?@213.182.197.226) [INFO] amananci is now logged in
Jun 28 10:09:58 server pure-ftpd: (amananci@213.182.197.226) [INFO] Logout.
Jun 28 10:09:59 server pure-ftpd: (?@213.182.197.226) [INFO] amananci is now logged in
Jun 28 10:10:00 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/test.pl uploaded (2973 bytes, 8.80KB/sec)
Jun 28 10:10:02 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] Deleted test.pl
Jun 28 10:10:02 server pure-ftpd: (amananci@213.182.197.226) [INFO] Logout.
Jun 28 10:10:40 server pure-ftpd: (?@213.182.197.226) [INFO] amananci is now logged in
Jun 28 10:10:44 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/test.pl uploaded (2973 bytes, 8.82KB/sec)
Jun 28 10:10:47 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] Deleted test.pl
Jun 28 10:10:47 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/mailbase.txt uploaded (1945588 bytes, 6.88KB/sec)
Jun 28 10:10:48 server pure-ftpd: (amananci@75.144.194.185) [INFO] Logout.
Jun 28 10:10:50 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/coms.cgi uploaded (74537 bytes, 65.36KB/sec)
Jun 28 10:10:51 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/config.txt uploaded (1307 bytes, 7.48KB/sec)
Jun 28 10:10:58 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/fmto.txt uploaded (357337 bytes, 55.04KB/sec)
Jun 28 10:10:59 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/godi.cgi uploaded (74537 bytes, 64.96KB/sec)
Jun 28 10:11:01 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/nsub.txt uploaded (45631 bytes, 48.17KB/sec)
Jun 28 10:11:07 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/reto.txt uploaded (258599 bytes, 45.23KB/sec)
Jun 28 10:11:08 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/upal.txt uploaded (32 bytes, 0.19KB/sec)
Jun 28 10:11:08 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/upbr.txt uploaded (115 bytes, 0.68KB/sec)
Jun 28 10:11:09 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/upcl.txt uploaded (97 bytes, 0.57KB/sec)
Jun 28 10:11:10 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/upcli.txt uploaded (1230 bytes, 6.69KB/sec)
Jun 28 10:11:10 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/upfn.txt uploaded (295 bytes, 1.67KB/sec)
Jun 28 10:11:11 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/uplet.txt uploaded (11 bytes, 0.07KB/sec)
Jun 28 10:11:12 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/uplet1.html uploaded (1063 bytes, 6.09KB/sec)
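Spiral's remark that the upload pattern is consistent enough to watch for automatically, applied to the pure-ftpd log format quoted above. This is an added example and not code from the thread or from any of its posters; it parses a constructed log sample in that format (the year is assumed to be 2009, since syslog lines carry none) and flags the two things the quoted logs show: uploads of .cgi/.pl scripts, and one account being used from several IPs within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log modelled on the thread's pure-ftpd lines (year assumed 2009).
SAMPLE_LOG = """\
Jun 28 09:39:09 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/dm.cgi uploaded (74366 bytes, 89.47KB/sec)
Jun 28 09:48:12 server pure-ftpd: (?@75.144.194.185) [INFO] amananci is now logged in
Jun 28 10:05:41 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/dark.cgi uploaded (74627 bytes, 7.64KB/sec)
Jun 28 10:09:51 server pure-ftpd: (?@213.182.197.226) [INFO] amananci is now logged in
Jun 28 10:10:50 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/coms.cgi uploaded (74537 bytes, 65.36KB/sec)
Jun 28 11:00:00 server pure-ftpd: (bob@10.0.0.5) [NOTICE] /home/bob//public_html/index.html uploaded (512 bytes, 1.00KB/sec)
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
                     r"\((?P<user>[^@)]+)@(?P<ip>[\d.]+)\) \[\w+\] (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded \(")
SCRIPT_EXT = (".cgi", ".pl")   # the mailer is dropped as .cgi and run with perl

def parse_line(line, year=2009):
    """Return {'ts','user','ip','event','path'} for a pure-ftpd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
           "user": m["user"], "ip": m["ip"], "event": "other", "path": None}
    if login := LOGIN_RE.match(m["msg"]):   # login lines carry '?' as the user
        rec["user"], rec["event"] = login["user"], "login"
    elif up := UPLOAD_RE.match(m["msg"]):
        rec["event"], rec["path"] = "upload", up["path"]
    return rec

def script_uploads(records):
    """Uploads of executable script files, as (user, ip, path) tuples."""
    return [(r["user"], r["ip"], r["path"]) for r in records
            if r["event"] == "upload" and r["path"].lower().endswith(SCRIPT_EXT)]

def multi_ip_accounts(records, window_seconds=3600):
    """Accounts active from two or more IPs within the window: {user: sorted IPs}."""
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)                     # user -> [(ts, ip), ...]
    for r in records:
        by_user[r["user"]].append((r["ts"], r["ip"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):        # slide a window from each event
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) >= 2:
                flagged.setdefault(user, set()).update(ips)
    return {u: sorted(ips) for u, ips in flagged.items()}
```

Fed the real log via `parse_line` on each line, the same two functions give a cron job something concrete to alert on, which is the kind of activity scanning Spiral describes.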
I agree with you.
It is not the ultimate solution, but it is better than no protection. "Educate their customers"? (HOSTIT) KKKKKKKKKKKK. This is very funny. "Unfortunately that issue really has little to nothing to do with FTP" (Spiral) KKKKKKKKKKKK. No, the invasion is made using the 1.44 drive in my server. This is very funny. SAINT patience. I have a business and need answers and quick solutions. I cannot believe I will resolve this problem by educating my clients. This is not consistent. AND YES. The invasion is made via FTP.
Konrath
Last edited by konrath; 06-29-2009 at 11:53 PM.
The problem was solved after I stopped the FTP server altogether; only SFTP is allowed now. As I have seen on my network, some clients were infected and had trojans installed, and a few were victims of a large botnet which was sniffing out the FTP passwords and doing all the wrong stuff. It's been 8 months now and I have had no problems. Stop using FTP altogether.