The Community Forums

Interact with an entire community of cPanel & WHM users!

bravo configserver firewall

Discussion in 'General Discussion' started by whwh1, Oct 2, 2008.

    whwh1 Registered
    Hi,

    I just want to say that lfd saved me today.
    I have a small webhosting business with something like 40 customers on 3 different CentOS servers.

    lfd sent me an email. An executable was in the tmp/ (horror music plz) on the main server.
    What the hell? Seriously? Aaah shyt!

    I logged in, deleted it, and tried to find the source.
    5 minutes later, I found the source.
    I didn't know (shame on me), but one Coppermine installation was outdated. It was used to upload 3 PHP files (which I believe were PHP shells) into the user directory and a backdoor shell into the tmp folder.

    I deleted the whole /home/the_user_account/public_html.

    I was a little bit more relaxed... but still insecure. I updated rkhunter and ran it. Found nothing. ps didn't show anything... etc etc... I was feeling much better :)

    I investigated the logs: Apache, cPanel, Exim, everything... It was very interesting. They used 4 different IPs in 25 minutes.
    One of them was used to "upload" the shells through Coppermine.
    That IP was from a compromised server hosted by ThePlanet. I contacted them.
    The three IPs that were left were located in Maroc... all from the same ISP.

    I connected to these three on port 80. All of them answered with a login request for "ADSL modem".
    I guess they were compromised through a default user/pass used on these modems... probably used as proxies now...

    For those still interested, here's some stuff from the Apache logs:

    The uploading process of r0x.php (PHP shell)
    Code:
    "POST /coppermine/picEditor.php HTTP/1.1" 200 19328 "-" "-"
    "GET /coppermine/albums/userpics/r0x.php HTTP/1.1" 200 4540 "-" "-"
    
    The uploading process of sniper.php (PHP shell #2)
    Code:
    "POST /coppermine/albums/userpics/r0x.php HTTP/1.1" 200 4976 "coppermine/albums/userpics/r0x.php" "Opera/9.27 (Windows NT 5.1; U; en)"
    "GET /coppermine/albums/userpics/sniper.php HTTP/1.1" 200 49199 "-" "Opera/9.27 (Windows NT 5.1; U; en)"
    "POST /coppermine/albums/userpics/sniper.php HTTP/1.1" 200 49340 "coppermine/albums/userpics/sniper.php" "Opera/9.27 (Windows NT 5.1; U; en)"
    
    And here's the interesting stuff: errror_log.php and the real commands executed.
    Code:
    "POST /coppermine/albums/userpics/r0x.php HTTP/1.1" 200 4688 "coppermine/albums/userpics/r0x.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php HTTP/1.1" 200 5074 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=home HTTP/1.1" 200 209 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=back HTTP/1.1" 200 119 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=forward HTTP/1.1" 200 119 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=up HTTP/1.1" 200 199 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=refresh HTTP/1.1" 200 200 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=search HTTP/1.1" 200 250 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=buffer HTTP/1.1" 200 163 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=sort_asc HTTP/1.1" 200 85 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=ext_lnk HTTP/1.1" 200 572 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=ext_diz HTTP/1.1" 200 1027 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=small_dir HTTP/1.1" 200 164 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=ext_php HTTP/1.1" 200 79 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=change HTTP/1.1" 200 290 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=download HTTP/1.1" 200 161 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=arrow_ltr HTTP/1.1" 200 88 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=ext_html HTTP/1.1" 200 230 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=img&img=ext_no_ftp-uploads_into_this_folder! HTTP/1.1" 200 1034 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "POST /coppermine/albums/userpics/errror_log.php HTTP/1.1" 200 5130 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php HTTP/1.1" 200 5133 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1;  fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=ls&d=%2Fhome%2F&sort=0a HTTP/1.1" 200 3834 "coppermine/albums/userpics/errror_log.php" "Mozilla/5.0 (Windows; U;Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
    "GET /coppermine/albums/userpics/errror_log.php?act=cmd&d=%2Fhome%2F&cmd=cd+%2Fetc%2Fvaliases%3Bls+-la&cmd_txt=1&submit=Execute HTTP/1.1" 200 4924 "coppermine/albums/userpics/errror_log.php?act=ls&d=%2Fhome%2F&sort=0a" "Mozilla/5.0 (Windows; U;Windows NT 5.1; fr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"

    I'm not sure what every command was doing.
    But I know that they listed the domains hosted on the machine from /etc/valiases/.
    I guess they were documenting the server... They didn't have time to run the backdoor in /tmp... they didn't execute anything else from the PHP shell...

    But this line is weird... it seems funny to me...
    errror_log.php?act=img&img=ext_no_ftp-uploads_into_this_folder!

    Anyway, I'm still monitoring everything. They tried to connect to the .php many times in the next hour... and received a bad 404... :)

    I then banned their IP in the firewall :)

    Exciting day :)
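The log excerpts in this post show a pattern that can be picked out of an Apache access log automatically: a POST to the gallery's upload handler, then a request for a .php file sitting in the image upload directory, then a web shell driven through a `cmd` query parameter, and later 404s for the removed script. As an added example (not code from whwh1's post, nor from lfd/csf or Coppermine), here is a small Python scanner that applies those checks to Apache combined-format lines. The client IPs, timestamps and user agents in the embedded sample are constructed, since the post trimmed its lines to the request part; the request paths and the `act=cmd&cmd=...` parameter are taken from the post's own log lines, and the upload directory and script extensions are assumptions for this example.

```python
"""Detection example (added, not from the forum post): flag scripts served from
an image-upload directory, upload-then-execute sequences, shell-style 'cmd'
query parameters and 404 probes for a removed script in Apache access logs."""
import re
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed for this example: the directory that should only ever hold images
# (Coppermine's user picture uploads, from the paths in the post) and the
# extensions the web server would execute as code.
UPLOAD_DIRS = ("/albums/userpics/",)
SCRIPT_EXTS = (".php", ".phtml", ".php5")

Finding = namedtuple("Finding", "line ip kind detail")


def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes %XX escapes and turns '+' into spaces for us
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_script_in_upload_dir(path):
    """True for paths like /coppermine/albums/userpics/r0x.php."""
    return any(d in path for d in UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXTS)


def scan(lines):
    """Return a list of Finding tuples for the suspicious requests in `lines`."""
    findings = []
    posted = set()  # client IPs that have already sent a POST (a possible upload)
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status, query = rec["ip"], rec["path"], rec["status"], rec["query"]
        if rec["method"] == "POST":
            posted.add(ip)
        if is_script_in_upload_dir(path):
            if status == 200:
                kind = "upload-then-execute" if ip in posted else "script-in-upload-dir"
                findings.append(Finding(n, ip, kind, path))
            elif status == 404:
                findings.append(Finding(n, ip, "probe-for-removed-script", path))
        if "cmd" in query:  # the web shell's command parameter, decoded for the analyst
            findings.append(Finding(n, ip, "command-parameter", query["cmd"][0]))
    return findings


# Constructed sample log: request paths as in the post, made-up clients and times.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Oct/2008:10:00:01 +0000] "POST /coppermine/picEditor.php HTTP/1.1" 200 19328 "-" "-"
192.0.2.10 - - [02/Oct/2008:10:00:05 +0000] "GET /coppermine/albums/userpics/r0x.php HTTP/1.1" 200 4540 "-" "-"
192.0.2.20 - - [02/Oct/2008:10:12:30 +0000] "GET /coppermine/albums/userpics/errror_log.php?act=ls&d=%2Fhome%2F&sort=0a HTTP/1.1" 200 3834 "-" "Mozilla/5.0 (constructed)"
192.0.2.20 - - [02/Oct/2008:10:12:41 +0000] "GET /coppermine/albums/userpics/errror_log.php?act=cmd&d=%2Fhome%2F&cmd=cd+%2Fetc%2Fvaliases%3Bls+-la&cmd_txt=1&submit=Execute HTTP/1.1" 200 4924 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [02/Oct/2008:10:15:00 +0000] "GET /coppermine/albums/userpics/1234.jpg HTTP/1.1" 200 50231 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [02/Oct/2008:11:02:00 +0000] "GET /coppermine/albums/userpics/r0x.php HTTP/1.1" 404 294 "-" "Mozilla/5.0 (constructed)"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line:2d} {f.ip:<13} {f.kind:<26} {f.detail}")
```

Run against the sample, the scanner reports the r0x.php request as upload-then-execute (the same client POSTed just before), both errror_log.php hits as scripts served from the upload directory, the decoded command `cd /etc/valiases;ls -la`, and the later 404 as a probe for the removed script; the ordinary .jpg request produces nothing. The same "script under an upload directory" rule is also the one to enforce at the web server, by denying execution of PHP in such directories.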