Forensics on Incident 2
Revision as of 10:20, 15 May 2007 by 213.219.144.246
Breach in j.b.i. @ y.i
Analysis
Initial report: one defaced page http://vserverX/eshare/catalog redirecting to http: // www . test . we-create . org
Note that while the redirection apparently works with IE, it didn't work with Iceweasel; I could only see the redirection attempt in the source of the page:

 <script> window.location=\"http: // www . test . we-create . org/\"; </script>

 # On host:
 apt-get install tct sleuthkit
 # Isolate the vserverX
 iptables -I INPUT -d <ip_of_vserverX> -j DROP
 # Grep mactimes before touching the system
 grave-robber -o LINUX2 -c /path/to/vserverX/ -b ./vserverX -m
 # mactime from one week ago till now
 mactime -b vserverX -p /path/to/vserverX/etc/passwd mm/dd/yyyy |tee vserverX.mactime
 # apparently mactime could work directly on live system with -d ...

 # Search string we-create in /var/www and /var/lib/mysql:
 /var/lib/mysql/oscommerce/configuration.MYD

 # Extract corresponding sql table:
 vserverX:/# mysqldump -uuserX -p --opt oscommerce > oscommerce.sql

 # Analyse sql dump:
 INSERT INTO `configuration` VALUES (1,'Store Name','STORE_NAME','<script> window.location=\"http: // www . test . we-create . org/\"; </script>','The name of my store',1,1,'2007-05-11 21:04:30','2006-12-22 09:32:15',NULL,NULL)...
 # This is the modification apparent on the defaced page, done at '2007-05-11 21:04:30'
 # note that there were other defacing attempts here:
 INSERT INTO `categories_description` VALUES (... ,(25,4,'<script> window.location=\"http:/') ,(25,2,'<script> window.location=\"http:/')

 # extract infos around that time from mactime dump:
 May 11 07 21:04:30 25168 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/configuration.MYD
 # this is the defacing itself
 May 11 07 21:12:15  3480 m.c drwxrwxrwx root root /path/to/vserverX/var/www/eshop/catalog/images
                     4396 mac -rwxrwxrwx www-data www-data /path/to/vserverX/var/www/eshop/catalog/images/images.jpg
 # upload of a "we hacked you" image
                     1164 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/categories.MYD
                     2508 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/categories_description.MYD
 # this is the second attempt of defacing of the categories

 # extract infos around that time from apache logs (logs cleaned from .js and .gif urls)
 # hacker client: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 85.105.88.202 - - [11/May/2007:20:55:14 +0200] "GET /eshop/catalog/admin/backup.php?action=restorelocal HTTP/1.1" 200 13939 "http://www.google.com.tr/search?q=inurl:catalog/admin/backup.php&hl=tr&start=40&sa=N&filter=0"
 85.105.88.202 - - [11/May/2007:20:55:58 +0200] "GET /eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=5340c42e400b2a4aa53923c19fa5ede2 HTTP/1.1" 200 10648 "http://vserverX/eshop/catalog/admin/backup.php?action=restorelocal"
 85.105.88.202 - - [11/May/2007:21:04:07 +0200] "GET /eshop/catalog/admin/define_language.php HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=5340c42e400b2a4aa53923c19fa5ede2"
 85.105.88.202 - - [11/May/2007:21:04:11 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php HTTP/1.1" 200 15345 "http://vserverX/eshop/catalog/admin/define_language.php"
 85.105.88.202 - - [11/May/2007:21:04:13 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php"
 85.105.88.202 - - [11/May/2007:21:04:16 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 22252 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french"
 85.105.88.202 - - [11/May/2007:21:04:22 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit HTTP/1.1" 200 22550 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration"
 85.105.88.202 - - [11/May/2007:21:04:29 +0200] "POST /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
 85.105.88.202 - - [11/May/2007:21:04:30 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1 HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
 85.105.88.202 - - [11/May/2007:21:04:30 +0200] "POST /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
 85.105.88.202 - - [11/May/2007:21:04:30 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1 HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
 85.105.88.202 - - [11/May/2007:21:04:47 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-"
 85.105.88.202 - - [11/May/2007:21:05:05 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-"
 85.105.88.202 - - [11/May/2007:21:05:28 +0200] "GET /eshop/catalog/admin HTTP/1.1" 301 375 "-"
 85.105.88.202 - - [11/May/2007:21:05:29 +0200] "GET /eshop/catalog/admin/ HTTP/1.1" 200 17760 "-"
 85.105.88.202 - - [11/May/2007:21:05:40 +0200] "GET /eshop/catalog/admin/file_manager.php?selected_box=tools&osCAdminID=7f009d2bed82fc3c7c9da8f616307e6a HTTP/1.1" 200 109384 "http://vserverX/eshop/catalog/admin/"
 85.105.88.202 - - [11/May/2007:21:05:46 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "-"
 85.105.88.202 - - [11/May/2007:21:05:49 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=edit HTTP/1.1" 200 33371 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php"
 85.105.88.202 - - [11/May/2007:21:05:52 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php&action=edit"
 85.105.88.202 - - [11/May/2007:21:05:55 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=new_file HTTP/1.1" 200 110032 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php"
 85.105.88.202 - - [11/May/2007:21:11:49 +0200] "GET /eshop/catalog/admin/categories.php?selected_box=catalog HTTP/1.1" 200 14826 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php&action=new_file"
 85.105.88.202 - - [11/May/2007:21:11:51 +0200] "GET /eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category HTTP/1.1" 200 15717 "http://vserverX/eshop/catalog/admin/categories.php?selected_box=catalog"
 85.105.88.202 - - [11/May/2007:21:11:52 +0200] "GET /eshop/catalog/images/homepic4.jpg HTTP/1.1" 404 354 "http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category"
 [Fri May 11 21:11:52 2007] [error] [client 85.105.88.202] File does not exist: /var/www/eshop/catalog/images/homepic4.jpg, referer: http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category
 85.105.88.202 - - [11/May/2007:21:12:15 +0200] "POST /eshop/catalog/admin/categories.php?action=update_category&cPath= HTTP/1.1" 200 1872 "http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category"
 85.105.88.202 - - [11/May/2007:21:12:32 +0200] "GET /eshop/catalog HTTP/1.1" 301 369 "-"
 85.105.88.202 - - [11/May/2007:21:12:37 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-"
 85.105.88.202 - - [11/May/2007:21:12:53 +0200] "GET /eshop/ HTTP/1.1" 200 2268 "-"
 85.105.88.202 - - [12/May/2007:21:42:13 +0200] "GET /eshop/catalog/admin/backup.php?action=restorelocal HTTP/1.1" 200 13939 "http://www.google.com.tr/search?q=inurl:catalog/admin/backup.php&hl=tr&start=30&sa=N&filter=0"
 85.105.88.202 - - [12/May/2007:21:42:45 +0200] "GET /eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=06f47581056b54ad6735566d29bdd3f2 HTTP/1.1" 200 10648 "-"
 85.105.88.202 - - [12/May/2007:21:42:47 +0200] "GET /eshop/catalog/admin/define_language.php HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=06f47581056b54ad6735566d29bdd3f2"
 85.105.88.202 - - [12/May/2007:21:42:51 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php HTTP/1.1" 200 15345 "http://vserverX/eshop/catalog/admin/define_language.php"
 85.105.88.202 - - [12/May/2007:21:42:53 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php"
 85.105.88.202 - - [12/May/2007:21:42:53 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 8152 "-"
 85.105.88.202 - - [12/May/2007:21:43:06 +0200] "GET /eshop/ HTTP/1.1" 200 2268 "-"
 85.105.88.202 - - [12/May/2007:21:43:09 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "http://vserverX/eshop/"
 85.105.88.202 - - [12/May/2007:21:43:17 +0200] "GET /eshop/catalog/admin HTTP/1.1" 301 375 "-"
 85.105.88.202 - - [12/May/2007:21:43:17 +0200] "GET /eshop/catalog/admin/ HTTP/1.1" 200 16044 "-"
 85.105.88.202 - - [12/May/2007:21:43:20 +0200] "GET /eshop/catalog/admin/file_manager.php?selected_box=tools HTTP/1.1" 200 109384 "http://vserverX/eshop/catalog/admin/"
 85.105.88.202 - - [12/May/2007:21:43:37 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "-"
 85.105.88.202 - - [12/May/2007:21:43:45 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=edit HTTP/1.1" 200 33371 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php"
 85.105.88.202 - - [12/May/2007:21:43:57 +0200] "GET /admin HTTP/1.1" 404 326 "-"
 [Sat May 12 21:43:57 2007] [error] [client 85.105.88.202] File does not exist: /var/www/admin
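The correlation done by hand above (pick a mactime entry, then pull the requests from the same client around that second) is mechanical enough to script. The following is an added example, not code from the original write-up; it runs on a constructed subset of the mactime and access-log lines quoted on this page and assumes, as the matching 21:04:30 timestamps suggest, that mactime and the Apache log both show host-local time, so the +0200 offset is dropped rather than converted. It also generalises the "found via Google" observation into a check for any admin-page request whose referer is a google.* results page.

```python
"""Correlate mactime file-modification events with Apache access-log requests.

Added example for the analysis above (not code from the original write-up).
Assumption: mactime output and the Apache log both show host-local time, so
the +0200 offset in the log is dropped instead of converted.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample: a subset of the combined-log lines from the write-up
# (the author had already stripped the user-agent field).
ACCESS_LOG = """\
85.105.88.202 - - [11/May/2007:20:55:14 +0200] "GET /eshop/catalog/admin/backup.php?action=restorelocal HTTP/1.1" 200 13939 "http://www.google.com.tr/search?q=inurl:catalog/admin/backup.php&hl=tr&start=40&sa=N&filter=0"
85.105.88.202 - - [11/May/2007:21:04:22 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit HTTP/1.1" 200 22550 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration"
85.105.88.202 - - [11/May/2007:21:04:29 +0200] "POST /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1 HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "POST /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:05:55 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=new_file HTTP/1.1" 200 110032 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php"
85.105.88.202 - - [11/May/2007:21:12:15 +0200] "POST /eshop/catalog/admin/categories.php?action=update_category&cPath= HTTP/1.1" 200 1872 "http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category"
85.105.88.202 - - [11/May/2007:21:12:37 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-"
"""

# Constructed sample: mactime lines from the write-up. In TCT's mactime output
# only the first entry of a group sharing a timestamp carries the date.
MACTIME = """\
May 11 07 21:04:30 25168 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/configuration.MYD
May 11 07 21:12:15  3480 m.c drwxrwxrwx root root /path/to/vserverX/var/www/eshop/catalog/images
                    4396 mac -rwxrwxrwx www-data www-data /path/to/vserverX/var/www/eshop/catalog/images/images.jpg
                    2508 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/categories_description.MYD
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+?) [+-]\d{4}\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
MACTIME_DATE_RE = re.compile(r'^([A-Z][a-z]{2} \d{2} \d{2} \d{2}:\d{2}:\d{2}) (.*)$')


def parse_access_log(text):
    """Parse combined-log lines into dicts; lines that do not match are skipped."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        requests.append({"ip": m.group("ip"), "method": m.group("method"),
                         "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S"),
                         "path": m.group("path"), "status": int(m.group("status")),
                         "referer": m.group("referer")})
    return requests


def parse_mactime(text):
    """Return (timestamp, mac_flags, path) tuples; undated lines inherit the last date."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MACTIME_DATE_RE.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%b %d %y %H:%M:%S")
            line = m.group(2)
        if current is None:
            raise ValueError("mactime continuation line before any dated line: %r" % raw)
        _size, mac, _perm, _owner, _group, path = line.split(None, 5)
        events.append((current, mac, path))
    return events


def correlate(mactime_text, access_text, window_seconds=60, ip=None):
    """Map each touched file to the POSTs (optionally from one client) that landed
    within +/-window_seconds of its mactime. POSTs are the state-changing requests;
    the surrounding GETs only show how the attacker navigated to the form."""
    requests = parse_access_log(access_text)
    window = timedelta(seconds=window_seconds)
    report = {}
    for ts, _mac, path in parse_mactime(mactime_text):
        report[path] = [(r["ts"], r["path"]) for r in requests
                        if r["method"] == "POST" and abs(r["ts"] - ts) <= window
                        and (ip is None or r["ip"] == ip)]
    return report


def search_engine_entries(access_text):
    """Admin-page requests whose referer is a Google results page: the discovery
    signal in this incident, generalised to any google.* host."""
    hits = []
    for r in parse_access_log(access_text):
        host = urlparse(r["referer"]).netloc
        if "/admin/" in r["path"] and host.startswith("www.google."):
            hits.append((r["ts"], r["path"], r["referer"]))
    return hits


if __name__ == "__main__":
    for path, posts in correlate(MACTIME, ACCESS_LOG, ip="85.105.88.202").items():
        print(path, *["\n    %s POST %s" % p for p in posts])
    for ts, url, ref in search_engine_entries(ACCESS_LOG):
        print("search-engine entry:", ts, url, "<-", ref)
```

Run against the full logs, `correlate()` pins each modified MyISAM file or uploaded image to the POST that caused it, and `search_engine_entries()` gives the earliest sign of the intrusion: an admin script reached straight from a search results page, which is worth alerting on by itself.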
Conclusions
- Initial breach
  - the attack came from 85.105.88.202 = dsl.static.85-105-22730.ttnet.net.tr (Turkish ADSL)
  - this site was found initially by a simple Google search (Google Turkey!) for "catalog/admin/backup.php"; it was easy to find unprotected osCommerce websites...
  - I visited another one from the Google list: http: // oscommerce . uksz . net/catalog/admin/ and, surprise, Store Name = window.location="http: // www . test . we-create . org/"; no comment!
  - eshare was defaced via eshop, simply because both were sharing the same DB
- Counter-measures
  - Protect access to catalog/admin. This was done, but only for https; the default Apache conf still had AllowOverride None for http connections
  - Protect access to catalog/admin
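The counter-measure failed here because the .htaccess protecting catalog/admin was only honoured on the https virtual host; on the http host Apache still had AllowOverride None, under which .htaccess files are ignored. The following is an added example, not the page's own code, of a small audit that catches exactly that gap: it walks the Directory blocks of each VirtualHost and reports hosts where nothing covering the admin directory either requires authentication itself or lets a .htaccess do so. The configuration text is constructed, and the parser only handles Directory blocks nested inside VirtualHost blocks (no Include, no global Directory sections), which is a deliberate simplification.

```python
"""Audit an Apache config for an admin directory left unprotected on some vhost.

Added example for the counter-measures section, not code from the page.
Constructed config below: https vhost allows .htaccess auth, http vhost does not.
"""
import re

CONSTRUCTED_CONFIG = """\
<VirtualHost *:443>
    DocumentRoot /var/www
    <Directory /var/www/eshop/catalog/admin>
        AllowOverride AuthConfig
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /var/www
    <Directory "/var/www">
        AllowOverride None
    </Directory>
</VirtualHost>
"""

OPEN_RE = re.compile(r'^<(VirtualHost|Directory)\s+([^>]+)>$', re.I)
CLOSE_RE = re.compile(r'^</(VirtualHost|Directory)>$', re.I)


def directory_settings(config_text):
    """Return {vhost: {directory: {directive: value}}} for Directory blocks inside
    VirtualHost blocks. Simplification: no Include, no global Directory sections."""
    settings, vhost, directory = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            kind, arg = m.group(1).lower(), m.group(2).strip().strip('"').rstrip("/")
            if kind == "virtualhost":
                vhost = arg
                settings.setdefault(vhost, {})
            elif vhost is not None:
                directory = arg
                settings[vhost][directory] = {}
            continue
        m = CLOSE_RE.match(line)
        if m:
            if m.group(1).lower() == "directory":
                directory = None
            else:
                vhost = None
            continue
        if vhost is not None and directory is not None:
            name, _, value = line.partition(" ")
            settings[vhost][directory][name.lower()] = value.strip()
    return settings


def unprotected_vhosts(config_text, admin_dir):
    """Vhosts on which admin_dir is reachable without authentication: no covering
    Directory block sets AuthType/Require, and the effective AllowOverride (the most
    specific covering block that sets it) does not let a .htaccess add them."""
    result = []
    for vhost, dirs in directory_settings(config_text).items():
        covering = [d for d in dirs if admin_dir == d or admin_dir.startswith(d + "/")]
        override, auth = "", False
        for d in sorted(covering, key=len):        # general first; specific overrides
            s = dirs[d]
            if "allowoverride" in s:
                override = s["allowoverride"].lower()
            req = s.get("require")
            auth = auth or "authtype" in s or (req is not None and req.lower() != "all granted")
        allows_htaccess_auth = any(tok in ("all", "authconfig") for tok in override.split())
        if not (auth or allows_htaccess_auth):
            result.append(vhost)
    return result


if __name__ == "__main__":
    print("unprotected:", unprotected_vhosts(CONSTRUCTED_CONFIG, "/var/www/eshop/catalog/admin"))
```

On the constructed config the audit names `*:80` only, which is the situation described above; setting the http host to `AllowOverride AuthConfig` for that path, or putting `AuthType`/`Require` directly in its Directory block, clears the finding.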