
I discovered that one of my partitions was full.

rootfs                 20G  1,8G   17G  10% /
/dev/root              20G  1,8G   17G  10% /
devtmpfs              7,8G  184K  7,8G   1% /dev
none                  7,8G     0  7,8G   0% /dev/shm
none                  7,8G  600K  7,8G   1% /var/run
none                  7,8G     0  7,8G   0% /var/lock
none                  7,8G     0  7,8G   0% /lib/init/rw
/dev/md3              1,8T  1,6T  177G  90% /var
none                  7,8G  600K  7,8G   1% /var/run
none                  7,8G     0  7,8G   0% /var/lock

With some recursive du -sh * | sort -n, I discovered that my /var/tmp has 2 folders belonging to www-data

root@ns384990:/var/tmp# ls -la
total 76
drwxr-xr-x  2 www-data www-data 36864 2014-10-27 00:11  .. 
drwxrwxrwt  4 root     root      4096 2014-10-29 06:30 .
drwxr-xr-x  2 www-data www-data 32768 2014-10-01 18:40 . .. 
drwxr-xr-x 21 root     root      4096 2013-07-23 11:49 ..

I went into the ' .. ' folder with cd ' .. ' (yeah, 2 fcking escapes... I was mad because I didn't see the 2nd escape and it took me hours to find it)

And here is what I got inside... Several films and series

root@ns384990:/var/tmp/ .. # ls -la
total 1580112096
drwxr-xr-x 2 www-data www-data       36864 2014-10-27 00:11 .
drwxrwxrwt 4 root     root            4096 2014-10-29 06:30 ..
-rw-r--r-- 1 www-data www-data   644663385 2014-10-18 18:05 10.Things.You.Dont.Know.About.S01E02.Abraham.Lincoln.720p.HDTV.x264-DHD.mkv
-rw-r--r-- 1 www-data www-data   634213806 2014-10-24 09:44 10.Things.You.Dont.Know.About.S01E05.The.OK.Corral.720p.HDTV.x264-DHD.mkv
-rw-r--r-- 1 www-data www-data  4743372800 2014-09-19 01:41 21.2008.BluRay.720p.x264-WiKi.tar

... 1.5 TB of films and series sent "I don't know how" and stored in my /var/tmp

How can I find the script that allowed writing this? What are the log files or commands I can use to track what happened?

Here is my OS information:

Linux ns384990.ovh.net 3.8.13-xxxx-std-ipv6-64 #3 SMP Fri May 31 13:14:59 CEST 2013 x86_64 GNU/Linux Ubuntu 10.04.2 LTS

Welcome to Ubuntu! * Documentation: https://help.ubuntu.com/ Ubuntu 10.04.2 LTS

**EDIT 1: Just found the script:**

**link removed as it contains malware** (too long to put it here)

Raphaël
  • OK... it's worse than I thought... He created a file called sitemaps.php at the root of my website... When you try to open this file (link in pastebin), it opens a "404"... but there is a hidden form... I commented some lines in this script and I'm in a kind of superconsole and I can try to bruteforce my own server... The question is: how the fck did he succeed in putting this file on my website!! – Raphaël Oct 29 '14 at 13:29

1 Answer

It's not a question of which script was used to make these uploads; the question is what vulnerability was used to create the script which was used to make these uploads.

You could go through the Apache access logs and try to correlate the creation timestamps of those files with the HTTP requests made.

Additionally I would recommend looking into hardening your open_basedir option. What types of sites do you run? Try searching for strange PHP files owned by the www-data user, like

find / -type f -iname '*.php*' -user www-data

Another trick frequently used is defining AddHandler or AddType in .htaccess to parse non-PHP extensions as PHP code. So you may want to review all .htaccess files on your system for those matches, and if there are any weird extensions mapped to run as PHP code, examine files with such extensions as well.

Hrvoje Špoljar
  • OK, I just found the script used. I use Plesk, so all my scripts have a different uid/gid than www-data. I just edited my question... look at that script... Now the question is: how did he succeed in importing this script onto my website??? – Raphaël Oct 29 '14 at 13:16
  • I could use +1 here and a tick... :) OK, back to business... don't touch that script; do 'stat script_file' to determine when the script was last changed. This will help correlate when it happened, and then it's basically reading the web server access log (if you have copies that old). He got in via some vulnerable plugin/script you are using. What kind of things do you have hosted? WordPress? Joomla? phpMyAdmin? Some web shop? A forum? Basically I would advise upgrading to the latest versions. If you really want to find out how, check exploit-db.com; it has a list of publicly known vulnerabilities – Hrvoje Špoljar Oct 29 '14 at 13:24
  • I use only one CMS, it's PrestaShop 1.4.4.1. Only one form in the frontend is multipart, it's the form on the contact page. – Raphaël Oct 29 '14 at 13:42
  • Looks like it's an oldish version which has some vulnerabilities http://www.cvedetails.com/vulnerability-list/vendor_id-8950/Prestashop.html "Cross-site scripting (XSS) vulnerability in redirect.php in the Socolissimo module (modules/socolissimo/) in PrestaShop before 1.4.7.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to "parameter names and values." – Hrvoje Špoljar Oct 29 '14 at 13:45
  • Wow... shit, that's a lot of vulnerabilities... Well. We are renewing the website... So this version will disappear soon. What do I have to do while waiting for this new version? Delete the console script? Delete the video files that were posted? I can't upgrade the PrestaShop version right now, too many modifications, not enough time. Any advice? – Raphaël Oct 29 '14 at 13:58
  • The videos are not the problem; back up all data; move it to some dir which is not reachable via the web; then install the latest version and migrate the media files you need from the backup (old dir); in essence that is the safest way to go. – Hrvoje Špoljar Oct 29 '14 at 14:14
  • My server runs a version of Plesk 10. This server will be changed to a VPS, it was planned... So I will just delete everything and leave the vulnerabilities for a month... All data is already saved on a remote FTP. But I'm so mad when I see that... In one month it will be a new OS (CentOS), a new Plesk version (12) and a new PrestaShop version (1.6). And everything will be upgraded in time. Thanks for your help mate. – Raphaël Oct 29 '14 at 14:23
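The triage the answer and its comments describe (take the dropped file's `stat` mtime, pull the Apache access-log requests around that moment, look for the upload and for the first hit on a freshly planted script, then audit `.htaccess` for AddHandler/AddType lines that turn odd extensions into PHP), plus a check for the whitespace-padded ` .. ` directory names from the question, written out as a script. This is an added example for this page, not code from the thread or from PrestaShop/Plesk. The log lines, the `.htaccess` content and the directory listing are constructed; the five-minute window and reading the listing's timestamp as CET (+0100) are assumptions.

```python
"""Triage helpers for a dropped web shell: correlate a file's mtime with Apache
access-log requests, list paths first seen around that time, flag .htaccess lines
that run non-PHP extensions as PHP, and spot padded '..'-lookalike directory names.

Added example, not code from the thread. Sample log, .htaccess and listing below
are constructed; the 5-minute window and the +0100 server offset are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format:
# ip ident user [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def requests_near(lines, when, window=timedelta(minutes=5)):
    """Requests whose timestamp lies within +/- window of `when` (the file's stat mtime)."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and abs(r["ts"] - when) <= window]


def investigate(lines, when, window=timedelta(minutes=5)):
    """uploads: POST/PUT paths in the window (a file drop usually arrives as one).
    first_seen: paths whose first appearance in the whole log falls in the window,
    which is what the first hit on a freshly planted web shell looks like."""
    near = requests_near(lines, when, window)
    first = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] not in first or rec["ts"] < first[rec["path"]]:
            first[rec["path"]] = rec["ts"]
    return {
        "near": len(near),
        "uploads": sorted({r["path"] for r in near if r["method"] in ("POST", "PUT")}),
        "first_seen": sorted(p for p, ts in first.items() if abs(ts - when) <= window),
    }


# AddHandler/AddType lines that hand a non-PHP extension to a PHP handler, e.g.
#   AddType application/x-httpd-php .jpg
HANDLER_RE = re.compile(r'^[ \t]*(AddHandler|AddType)[ \t]+(\S+)[ \t]*(.*)$', re.I | re.M)
NORMAL_PHP_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps"}


def php_handler_abuse(htaccess_text):
    """Return (directive, extension) pairs that map an unexpected extension to PHP."""
    found = []
    for directive, handler, exts in HANDLER_RE.findall(htaccess_text):
        if "php" not in handler.lower():
            continue
        found.extend((directive, e) for e in exts.split() if e.lower() not in NORMAL_PHP_EXT)
    return found


def disguised_names(names):
    """Entries imitating '.' or '..' with padding, like the ' .. ' dir in the question."""
    return [n for n in names
            if n != n.strip() or (n not in (".", "..") and set(n) <= {".", " "})]


# --- constructed sample data (not real logs from the thread) ---
SAMPLE_LOG = """\
198.51.100.23 - - [20/Oct/2014:10:00:00 +0200] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Oct/2014:10:00:03 +0200] "GET /img/logo.jpg HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Oct/2014:00:10:41 +0100] "POST /contact-form.php HTTP/1.1" 200 35 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Oct/2014:00:11:02 +0100] "GET /sitemaps.php?x=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Oct/2014:00:11:10 +0100] "GET /img/logo.jpg HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2014:13:00:00 +0100] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
""".splitlines()

# mtime of the ' .. ' directory from the question's listing, assumed to be CET (+0100)
FILE_MTIME = datetime(2014, 10, 27, 0, 11, tzinfo=timezone(timedelta(hours=1)))

HTACCESS = """\
RewriteEngine On
AddType application/x-httpd-php .php .jpg
AddHandler php5-script .txt
"""

if __name__ == "__main__":
    print(investigate(SAMPLE_LOG, FILE_MTIME))
    print(php_handler_abuse(HTACCESS))
    print(disguised_names(["..", ".", " .. ", ". .. ", "cache"]))
```

On a real box, feed it `stat -c %Y` of the planted file (converted to an aware datetime) and the rotated access logs that cover that date; the `first_seen` list is the useful one, because the attacker's first GET to a path that never existed before is the web shell being tested, and the POST just before it is usually the upload that created it.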