Forensics on Incident 2

From YobiWiki
Jump to navigation Jump to search

Breach in j.b.i. @ y.i

Analysis

Initial report: one defaced page http://vserverX/eshare/catalog redirecting to http: // www . test . we-create . org

Note that if redirection works apparently with IE it didn't work with iceweasel, I could just see the attempt of redirection in the source of the page: 
<script> window.location=\"http: // www . test . we-create . org/\"; </script>

# On host: 
apt-get install tct sleuthkit

# Isolate the vserverX
iptables -I INPUT -d <ip_of_vserverX> -j DROP

# Grep mactimes before touching the system
grave-robber -o LINUX2 -c /path/to/vserverX/ -b ./vserverX -m 
# mactime from one week ago till now
mactime -b vserverX -p /path/to/vserverX/etc/passwd mm/dd/yyyy |tee vserverX.mactime
# apparently mactime could work directly on live system with -d ...

# Search string we-create in /var/www and /var/lib/mysql:
/var/lib/mysql/oscommerce/configuration.MYD

# Extract corresponding sql table:
vserverX:/# mysqldump -uuserX -p  --opt oscommerce > oscommerce.sql

# Analyse sql dump:
INSERT INTO `configuration` VALUES (1,'Store Name','STORE_NAME','<script> window.location=\"http: // www . test . we-create . org/\"; </script>','The name of my store',1,1,'2007-05-11 21:04:30','2006-12-22 09:32:15',NULL,NULL)...

# This is the modification apparent on the defaced page, done at '2007-05-11 21:04:30'
# note that there were other defacing attempts here:
INSERT INTO `categories_description` VALUES (...
   ,(25,4,'<script> window.location=\"http:/')                                                                                                                               
   ,(25,2,'<script> window.location=\"http:/')                                                                                                                               

# extract infos around that time from mactime dump:
May 11 07 21:04:30    25168 m.c -rw-rw---- mysql    munin    /path/to/vserverX/var/lib/mysql/oscommerce/configuration.MYD                                           
# this is the defacing itself
May 11 07 21:12:15     3480 m.c drwxrwxrwx root     root     /path/to/vserverX/var/www/eshop/catalog/images                                                         
                       4396 mac -rwxrwxrwx www-data www-data /path/to/vserverX/var/www/eshop/catalog/images/images.jpg                                              
# upload of a "we hacked you" image
                       1164 m.c -rw-rw---- mysql    munin    /path/to/vserverX/var/lib/mysql/oscommerce/categories.MYD                                              
                       2508 m.c -rw-rw---- mysql    munin    /path/to/vserverX/var/lib/mysql/oscommerce/categories_description.MYD                                  
# this is the second attempt of defacing of the categories

# extract infos around that time from apache logs (logs cleaned from .js and .gif urls)
# hacker client: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.105.88.202 - - [11/May/2007:20:55:14 +0200] "GET /eshop/catalog/admin/backup.php?action=restorelocal HTTP/1.1" 200 13939 "http://www.google.com.tr/search?q=inurl:catalog/admin/backup.php&hl=tr&start=40&sa=N&filter=0"
85.105.88.202 - - [11/May/2007:20:55:58 +0200] "GET /eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=5340c42e400b2a4aa53923c19fa5ede2 HTTP/1.1" 200 10648 "http://vserverX/eshop/catalog/admin/backup.php?action=restorelocal" 
85.105.88.202 - - [11/May/2007:21:04:07 +0200] "GET /eshop/catalog/admin/define_language.php HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=5340c42e400b2a4aa53923c19fa5ede2" 
85.105.88.202 - - [11/May/2007:21:04:11 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php HTTP/1.1" 200 15345 "http://vserverX/eshop/catalog/admin/define_language.php" 
85.105.88.202 - - [11/May/2007:21:04:13 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php" 
85.105.88.202 - - [11/May/2007:21:04:16 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 22252 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french" 
85.105.88.202 - - [11/May/2007:21:04:22 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit HTTP/1.1" 200 22550 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration" 
85.105.88.202 - - [11/May/2007:21:04:29 +0200] "POST /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit" 
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1 HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit" 
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "POST /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit" 
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1 HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit" 
85.105.88.202 - - [11/May/2007:21:04:47 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-" 
85.105.88.202 - - [11/May/2007:21:05:05 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-" 
85.105.88.202 - - [11/May/2007:21:05:28 +0200] "GET /eshop/catalog/admin HTTP/1.1" 301 375 "-" 
85.105.88.202 - - [11/May/2007:21:05:29 +0200] "GET /eshop/catalog/admin/ HTTP/1.1" 200 17760 "-" 
85.105.88.202 - - [11/May/2007:21:05:40 +0200] "GET /eshop/catalog/admin/file_manager.php?selected_box=tools&osCAdminID=7f009d2bed82fc3c7c9da8f616307e6a HTTP/1.1" 200 109384 "http://vserverX/eshop/catalog/admin/" 
85.105.88.202 - - [11/May/2007:21:05:46 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "-" 
85.105.88.202 - - [11/May/2007:21:05:49 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=edit HTTP/1.1" 200 33371 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php" 
85.105.88.202 - - [11/May/2007:21:05:52 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php&action=edit" 
85.105.88.202 - - [11/May/2007:21:05:55 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=new_file HTTP/1.1" 200 110032 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php" 
85.105.88.202 - - [11/May/2007:21:11:49 +0200] "GET /eshop/catalog/admin/categories.php?selected_box=catalog HTTP/1.1" 200 14826 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php&action=new_file" 
85.105.88.202 - - [11/May/2007:21:11:51 +0200] "GET /eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category HTTP/1.1" 200 15717 "http://vserverX/eshop/catalog/admin/categories.php?selected_box=catalog" 
85.105.88.202 - - [11/May/2007:21:11:52 +0200] "GET /eshop/catalog/images/homepic4.jpg HTTP/1.1" 404 354 "http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category" 
[Fri May 11 21:11:52 2007] [error] [client 85.105.88.202] File does not exist: /var/www/eshop/catalog/images/homepic4.jpg, referer: http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category
85.105.88.202 - - [11/May/2007:21:12:15 +0200] "POST /eshop/catalog/admin/categories.php?action=update_category&cPath= HTTP/1.1" 200 1872 "http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category" 
85.105.88.202 - - [11/May/2007:21:12:32 +0200] "GET /eshop/catalog HTTP/1.1" 301 369 "-" 
85.105.88.202 - - [11/May/2007:21:12:37 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-" 
85.105.88.202 - - [11/May/2007:21:12:53 +0200] "GET /eshop/ HTTP/1.1" 200 2268 "-" 

85.105.88.202 - - [12/May/2007:21:42:13 +0200] "GET /eshop/catalog/admin/backup.php?action=restorelocal HTTP/1.1" 200 13939 "http://www.google.com.tr/search?q=inurl:catalog/admin/backup.php&hl=tr&start=30&sa=N&filter=0" 
85.105.88.202 - - [12/May/2007:21:42:45 +0200] "GET /eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=06f47581056b54ad6735566d29bdd3f2 HTTP/1.1" 200 10648 "-" 
85.105.88.202 - - [12/May/2007:21:42:47 +0200] "GET /eshop/catalog/admin/define_language.php HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=06f47581056b54ad6735566d29bdd3f2" 
85.105.88.202 - - [12/May/2007:21:42:51 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php HTTP/1.1" 200 15345 "http://vserverX/eshop/catalog/admin/define_language.php" 
85.105.88.202 - - [12/May/2007:21:42:53 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php" 
85.105.88.202 - - [12/May/2007:21:42:53 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 8152 "-" 
85.105.88.202 - - [12/May/2007:21:43:06 +0200] "GET /eshop/ HTTP/1.1" 200 2268 "-" 
85.105.88.202 - - [12/May/2007:21:43:09 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "http://vserverX/eshop/" 
85.105.88.202 - - [12/May/2007:21:43:17 +0200] "GET /eshop/catalog/admin HTTP/1.1" 301 375 "-" 
85.105.88.202 - - [12/May/2007:21:43:17 +0200] "GET /eshop/catalog/admin/ HTTP/1.1" 200 16044 "-" 
85.105.88.202 - - [12/May/2007:21:43:20 +0200] "GET /eshop/catalog/admin/file_manager.php?selected_box=tools HTTP/1.1" 200 109384 "http://vserverX/eshop/catalog/admin/" 
85.105.88.202 - - [12/May/2007:21:43:37 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "-" 
85.105.88.202 - - [12/May/2007:21:43:45 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=edit HTTP/1.1" 200 33371 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php" 
85.105.88.202 - - [12/May/2007:21:43:57 +0200] "GET /admin HTTP/1.1" 404 326 "-" 
[Sat May 12 21:43:57 2007] [error] [client 85.105.88.202] File does not exist: /var/www/admin

Conclusions

  • Initial breach
    • attack came from 85.105.88.202 = dsl.static.85-105-22730.ttnet.net.tr (Turkish ADSL)
    • this site was found initially by a simple google search (Google Turkey!) for "catalog/admin/backup.php"
      easy was to find unprotected oscommerce websites...
      I visit another one from the Google list: http: // oscommerce . uksz . net/catalog/admin/
      and surprise, Store Name = window.location="http: // www . test . we-create . org/";
      no comment!
    • eshare was defaced via eshop, simply both were sharing the same DB
  • Counter-measures
    • Protect access to catalog/admin
      This was done but only for https, default conf with Apache was still AllowOverride None for http connections

OsCommerce Hacked Sites

google Turkey :