[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <jbimpk$nmm$1@dough.gmane.org>
Date: Mon, 05 Dec 2011 16:08:35 +0100
From: Lucio Crusca <lucio@...web.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: one of my servers has been compromized
Gage Bystrom wrote:
> Fortunately for him, since the bot was so easy to find in the first place
> and such a simple way of maintaining it, the box was clearly seized by
> someone who didn't give a rats ass about it. Probably a skiddie or an
> automated attack to begin with.
That makes me think the problem is more likely in VirtueMart/other common
app original code as opposed to the custom pieces of code. Skiddies or
automated attacks are not very likely to succeed with custom code, right? If
so, I may speed up the process of finding vulnerable code by starting from
the common apps changelogs.
>
> As for plugging any security holes, check your httpd error logs. If you
> noted down the time of the bot files creation date
I did and then I've found this highly suspicious log entry:
217.170.53.79 - - [03/Dec/2011:19:48:13 +0100] "POST
/phpmyadmin/index.php?session_to_unset=123&token=42..._SESSION[!bla]=%7Cx...
which led me to this blog:
http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
Now my phpmyadmin is version 3.3.2deb1 as packaged with Ubuntu 10.04.1.
# cat /etc/issue
Ubuntu 10.04.1 LTS \n \l
# apt-cache policy phpmyadmin
phpmyadmin:
Installed: 4:3.3.2-1
Candidate: 4:3.3.2-1
Version table:
*** 4:3.3.2-1 0
990 http://archive.ubuntu.com/ubuntu/ lucid/universe Packages
100 /var/lib/dpkg/status
Ubuntu 10.04.1 was released way before july 2011 (the date of the blog) and,
since the package does not come from security repo, I can assume it's not
been patched.
Two questions for experts:
1. (noob question) why the hell apt-cron did not update my system to
10.04.3? (ok, don't waste time replying that, I'll check myself)
2. Do you think said phpmyadmin vulns are reasonable attack vectors in my
case?
> If it comes down to being too much of a hassle to get all the obvious
> vulns at least then go to your boss, admit there is an issue
Yes obviously that's already done (btw, I'm self employed and the php code
came directly from my customer, no problem to admit).
> and that time
> needs to be taken to remove such legacy code as this could have been a far
> worse incident if it had been more targetted and the end goal wasn't a
> botnet.
We plan to dismiss the current code in a few days (let the shop sell some
christmas items before dismissing it).
For the time being, I configured crontab so that only root can execute it,
protected phpmyadmin with http authentication and configured iptables so
that the server cannot make outgoing connections. I'm applying other
measures in the next few hours.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists