PhilippeTeuwen: Reverted edits by Etegohy (Talk) to last revision by Dpasquazzo

2010-11-24T20:32:49Z

Reverted edits by Etegohy (Talk) to last revision by Dpasquazzo

Can't load revision 6795

at 00:26, 24 November 2010

2010-11-24T00:26:44Z

Can't load revision 6636

Dpasquazzo at 11:53, 15 May 2007

2007-05-15T11:53:39Z

← Older revision		Revision as of 11:53, 15 May 2007
Line 99:		Line 99:
	* Counter-measures		* Counter-measures
	** Protect access to catalog/admin<br>This was done but only for https, default conf with Apache was still AllowOverride None for http connections		** Protect access to catalog/admin<br>This was done but only for https, default conf with Apache was still AllowOverride None for http connections

			===OsCommerce Hacked Sites===
			google Turkey :
			*http://www.starrynightsoftware.net/stl-web/ecommerce/os/catalog/admin
			*http://fashionist.se/catalog/admin/
			*http://usengines.us/
			*http://oscommerce.uksz.net/catalog/admin/


			*http://www.bsunlimitedshop.com/catalog/admin/

213.219.144.246 at 09:20, 15 May 2007

2007-05-15T09:20:48Z

New page

==Breach in j.b.i. @ y.i==
===Analysis===
Initial report: one defaced page http://vserverX/eshare/catalog redirecting to http: // www . test . we-create . org
<pre>
Note that if redirection works apparently with IE it didn't work with iceweasel, I could just see the attempt of redirection in the source of the page:
<script> window.location=\"http: // www . test . we-create . org/\"; </script>

# On host:
apt-get install tct sleuthkit

# Isolate the vserverX
iptables -I INPUT -d <ip_of_vserverX> -j DROP

# Grep mactimes before touching the system
grave-robber -o LINUX2 -c /path/to/vserverX/ -b ./vserverX -m
# mactime from one week ago till now
mactime -b vserverX -p /path/to/vserverX/etc/passwd mm/dd/yyyy |tee vserverX.mactime
# apparently mactime could work directly on live system with -d ...

# Search string we-create in /var/www and /var/lib/mysql:
/var/lib/mysql/oscommerce/configuration.MYD

# Extract corresponding sql table:
vserverX:/# mysqldump -uuserX -p --opt oscommerce > oscommerce.sql

# Analyse sql dump:
INSERT INTO `configuration` VALUES (1,'Store Name','STORE_NAME','<script> window.location=\"http: // www . test . we-create . org/\"; </script>','The name of my store',1,1,'2007-05-11 21:04:30','2006-12-22 09:32:15',NULL,NULL)...

# This is the modification apparent on the defaced page, done at '2007-05-11 21:04:30'
# note that there were other defacing attempts here:
INSERT INTO `categories_description` VALUES (...
,(25,4,'<script> window.location=\"http:/')
,(25,2,'<script> window.location=\"http:/')

# extract infos around that time from mactime dump:
May 11 07 21:04:30 25168 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/configuration.MYD
# this is the defacing itself
May 11 07 21:12:15 3480 m.c drwxrwxrwx root root /path/to/vserverX/var/www/eshop/catalog/images
4396 mac -rwxrwxrwx www-data www-data /path/to/vserverX/var/www/eshop/catalog/images/images.jpg
# upload of a "we hacked you" image
1164 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/categories.MYD
2508 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/categories_description.MYD
# this is the second attempt of defacing of the categories

# extract infos around that time from apache logs (logs cleaned from .js and .gif urls)
# hacker client: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.105.88.202 - - [11/May/2007:20:55:14 +0200] "GET /eshop/catalog/admin/backup.php?action=restorelocal HTTP/1.1" 200 13939 "http://www.google.com.tr/search?q=inurl:catalog/admin/backup.php&hl=tr&start=40&sa=N&filter=0"
85.105.88.202 - - [11/May/2007:20:55:58 +0200] "GET /eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=5340c42e400b2a4aa53923c19fa5ede2 HTTP/1.1" 200 10648 "http://vserverX/eshop/catalog/admin/backup.php?action=restorelocal"
85.105.88.202 - - [11/May/2007:21:04:07 +0200] "GET /eshop/catalog/admin/define_language.php HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=5340c42e400b2a4aa53923c19fa5ede2"
85.105.88.202 - - [11/May/2007:21:04:11 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php HTTP/1.1" 200 15345 "http://vserverX/eshop/catalog/admin/define_language.php"
85.105.88.202 - - [11/May/2007:21:04:13 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php"
85.105.88.202 - - [11/May/2007:21:04:16 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 22252 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french"
85.105.88.202 - - [11/May/2007:21:04:22 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit HTTP/1.1" 200 22550 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration"
85.105.88.202 - - [11/May/2007:21:04:29 +0200] "POST /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1 HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "POST /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1 HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:04:47 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-"
85.105.88.202 - - [11/May/2007:21:05:05 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-"
85.105.88.202 - - [11/May/2007:21:05:28 +0200] "GET /eshop/catalog/admin HTTP/1.1" 301 375 "-"
85.105.88.202 - - [11/May/2007:21:05:29 +0200] "GET /eshop/catalog/admin/ HTTP/1.1" 200 17760 "-"
85.105.88.202 - - [11/May/2007:21:05:40 +0200] "GET /eshop/catalog/admin/file_manager.php?selected_box=tools&osCAdminID=7f009d2bed82fc3c7c9da8f616307e6a HTTP/1.1" 200 109384 "http://vserverX/eshop/catalog/admin/"
85.105.88.202 - - [11/May/2007:21:05:46 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "-"
85.105.88.202 - - [11/May/2007:21:05:49 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=edit HTTP/1.1" 200 33371 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php"
85.105.88.202 - - [11/May/2007:21:05:52 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php&action=edit"
85.105.88.202 - - [11/May/2007:21:05:55 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=new_file HTTP/1.1" 200 110032 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php"
85.105.88.202 - - [11/May/2007:21:11:49 +0200] "GET /eshop/catalog/admin/categories.php?selected_box=catalog HTTP/1.1" 200 14826 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php&action=new_file"
85.105.88.202 - - [11/May/2007:21:11:51 +0200] "GET /eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category HTTP/1.1" 200 15717 "http://vserverX/eshop/catalog/admin/categories.php?selected_box=catalog"
85.105.88.202 - - [11/May/2007:21:11:52 +0200] "GET /eshop/catalog/images/homepic4.jpg HTTP/1.1" 404 354 "http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category"
[Fri May 11 21:11:52 2007] [error] [client 85.105.88.202] File does not exist: /var/www/eshop/catalog/images/homepic4.jpg, referer: http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category
85.105.88.202 - - [11/May/2007:21:12:15 +0200] "POST /eshop/catalog/admin/categories.php?action=update_category&cPath= HTTP/1.1" 200 1872 "http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category"
85.105.88.202 - - [11/May/2007:21:12:32 +0200] "GET /eshop/catalog HTTP/1.1" 301 369 "-"
85.105.88.202 - - [11/May/2007:21:12:37 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-"
85.105.88.202 - - [11/May/2007:21:12:53 +0200] "GET /eshop/ HTTP/1.1" 200 2268 "-"

85.105.88.202 - - [12/May/2007:21:42:13 +0200] "GET /eshop/catalog/admin/backup.php?action=restorelocal HTTP/1.1" 200 13939 "http://www.google.com.tr/search?q=inurl:catalog/admin/backup.php&hl=tr&start=30&sa=N&filter=0"
85.105.88.202 - - [12/May/2007:21:42:45 +0200] "GET /eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=06f47581056b54ad6735566d29bdd3f2 HTTP/1.1" 200 10648 "-"
85.105.88.202 - - [12/May/2007:21:42:47 +0200] "GET /eshop/catalog/admin/define_language.php HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=06f47581056b54ad6735566d29bdd3f2"
85.105.88.202 - - [12/May/2007:21:42:51 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php HTTP/1.1" 200 15345 "http://vserverX/eshop/catalog/admin/define_language.php"
85.105.88.202 - - [12/May/2007:21:42:53 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php"
85.105.88.202 - - [12/May/2007:21:42:53 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 8152 "-"
85.105.88.202 - - [12/May/2007:21:43:06 +0200] "GET /eshop/ HTTP/1.1" 200 2268 "-"
85.105.88.202 - - [12/May/2007:21:43:09 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "http://vserverX/eshop/"
85.105.88.202 - - [12/May/2007:21:43:17 +0200] "GET /eshop/catalog/admin HTTP/1.1" 301 375 "-"
85.105.88.202 - - [12/May/2007:21:43:17 +0200] "GET /eshop/catalog/admin/ HTTP/1.1" 200 16044 "-"
85.105.88.202 - - [12/May/2007:21:43:20 +0200] "GET /eshop/catalog/admin/file_manager.php?selected_box=tools HTTP/1.1" 200 109384 "http://vserverX/eshop/catalog/admin/"
85.105.88.202 - - [12/May/2007:21:43:37 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "-"
85.105.88.202 - - [12/May/2007:21:43:45 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=edit HTTP/1.1" 200 33371 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php"
85.105.88.202 - - [12/May/2007:21:43:57 +0200] "GET /admin HTTP/1.1" 404 326 "-"
[Sat May 12 21:43:57 2007] [error] [client 85.105.88.202] File does not exist: /var/www/admin

</pre>

===Conclusions===
* Initial breach
** attack came from 85.105.88.202 = dsl.static.85-105-22730.ttnet.net.tr (Turkish ADSL)
** this site was found initially by a simple google search (Google Turkey!) for "catalog/admin/backup.php"<br>easy was to find unprotected oscommerce websites...<br>I visit another one from the Google list: http: // oscommerce . uksz . net/catalog/admin/<br>and surprise, Store Name = window.location="http: // www . test . we-create . org/";<br>no comment!
** eshare was defaced via eshop, simply both were sharing the same DB
* Counter-measures
** Protect access to catalog/admin<br>This was done but only for https, default conf with Apache was still AllowOverride None for http connections

Forensics on Incident 2 - Revision history

PhilippeTeuwen: Reverted edits by Etegohy (Talk) to last revision by Dpasquazzo

at 00:26, 24 November 2010

Dpasquazzo at 11:53, 15 May 2007

213.219.144.246 at 09:20, 15 May 2007