Root Compromise: A Spammer Hiding in Plain Sight
CAIT Security Roundtable, Thursday, June 10, 2010
Brian Allen, CISSP, [email protected]
Network Security Analyst, Washington University in St. Louis
http://nso.wustl.edu/presentations/

Copyright Brian Allen 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Washington University in St. Louis, MO
• Private university founded in 1853
• 11,000+ full-time students
• 3,000+ full-time/adjunct faculty
• Hosted four of the past five Presidential and VP Debates
• U.S. News & World Report 2009: School of Medicine = third in nation
• Decentralized campus network
I. A Hacked Website
II. False Paths
III. A Hacker's Script
IV. Whodunit + Motivation?
V. Hunting Spammers
Part I: A Hacked Website
Solaris 10 Apache Webserver
Drupal CMS
PHP Web Apps
Hiding In Plain Sight
Part II: False Paths
"Eliminate all other factors, and the one which remains must be the truth" -- Sherlock Holmes, in "The Sign of the Four"
1. It must be Yahoo!
2. It must be Yahoo and Google!
3. A world-writable online calendar?
4. ARP cache poisoning?
"Have you tried turning it off and back on again?" -- Roy, The IT Crowd
1. It must be Yahoo!
2. It must be Yahoo and Google!
3. A world-writable online calendar?
4. ARP cache poisoning?
5. Have you tried turning it off and back on again?
6. Control the web server?
• "It is elementary, my dear Watson, they have ROOT!" -- Sherlock Holmes, Hound of the Spammervilles
Part III: A Hacker's Script
Files Involved
1. ./apache/conf/httpd.conf – Apache config file (pulls in map.mime via an Include directive)
2. x-txt.xml – list of web pages
3. xml_dbm – list of subnets
4. ./apache/conf/map.mime – mod_rewrite directives
5. spec.php – hacker's script
httpd.conf

    # Apache config stuff here
    #
    #
    Include /usr/local/apache/conf/map.mime
    #
    #
    # More Apache config stuff here
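The trick on this slide is that nothing in httpd.conf looks wrong by itself: one Include line pulls in a file whose name (map.mime) suggests MIME types, and the rewrite rules that serve the spammer's pages live there. The scanner below is an added example, not code from the talk. It follows Include directives out of an httpd.conf and flags rewrite directives that pick the response based on who is asking (crawler User-Agent, client address, referrer), that consult an external map (the talk's xml_dbm subnet list is this kind of artefact), or that hand the request to a script. The sample config and the contents of map.mime are constructed for the example; the talk does not show the real rules.

```python
"""Find Apache Include targets and flag mod_rewrite cloaking patterns.

Added example. The sample httpd.conf and map.mime below are constructed;
the real map.mime from the incident is not reproduced in the talk.
"""
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.I)
COND_RE = re.compile(
    r'^\s*RewriteCond\s+%\{(HTTP_USER_AGENT|REMOTE_ADDR|HTTP_REFERER)\}\s+(\S+)', re.I)
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)', re.I)
MAP_RE = re.compile(r'^\s*RewriteMap\s+(\S+)\s+(prg|dbm|txt):(\S+)', re.I)
CRAWLER_RE = re.compile(r'googlebot|slurp|yahoo|msnbot|bingbot', re.I)


def included_files(conf_path, server_root=None):
    """Return Include targets of one config file. Apache resolves relative
    paths against ServerRoot; here the caller passes it (default: the
    directory holding the config file). Globs are expanded."""
    base = server_root or os.path.dirname(conf_path)
    targets = []
    with open(conf_path, encoding='utf-8', errors='replace') as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            pattern = os.path.normpath(os.path.join(base, m.group(1)))
            matches = glob.glob(pattern)
            targets.extend(matches if matches else [pattern])
    return targets


def scan_rewrite_file(path):
    """Return (path, lineno, reason) for directives worth a human look."""
    findings = []
    if os.path.splitext(path)[1].lower() not in ('.conf', ''):
        findings.append((path, 0, 'Include target with non-.conf extension'))
    with open(path, encoding='utf-8', errors='replace') as fh:
        for n, line in enumerate(fh, 1):
            m = COND_RE.match(line)
            if m:
                var, pattern = m.group(1).upper(), m.group(2)
                if var == 'HTTP_USER_AGENT' and CRAWLER_RE.search(pattern):
                    findings.append((path, n, 'RewriteCond keyed on crawler User-Agent'))
                elif var != 'HTTP_USER_AGENT':
                    findings.append((path, n, 'RewriteCond keyed on ' + var))
                continue
            m = MAP_RE.match(line)
            if m:
                findings.append((path, n, 'RewriteMap %s: lookup (%s)' % (m.group(2), m.group(3))))
                continue
            m = RULE_RE.match(line)
            if m and re.search(r'\.php(\?|$)|^https?://', m.group(2), re.I):
                findings.append((path, n, 'RewriteRule target ' + m.group(2)))
    return findings


def scan(conf_path, server_root=None):
    """Scan every Include target of conf_path; missing targets are reported too."""
    findings = []
    for inc in included_files(conf_path, server_root):
        if os.path.isfile(inc):
            findings.extend(scan_rewrite_file(inc))
        else:
            findings.append((inc, 0, 'Include target missing'))
    return findings


# Constructed sample: a plausible shape for the incident, not the real files.
SAMPLE_HTTPD_CONF = 'ServerRoot "/usr/local/apache"\nListen 80\nInclude conf/map.mime\n'
SAMPLE_MAP_MIME = (
    'RewriteEngine On\n'
    'RewriteMap nets dbm:/usr/local/apache/conf/xml_dbm\n'
    'RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp) [NC]\n'
    'RewriteRule ^/(.*)$ /spec.php?page=$1 [L]\n'
)


def demo():
    """Write the constructed config into a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, 'conf'))
        with open(os.path.join(root, 'httpd.conf'), 'w') as fh:
            fh.write(SAMPLE_HTTPD_CONF)
        with open(os.path.join(root, 'conf', 'map.mime'), 'w') as fh:
            fh.write(SAMPLE_MAP_MIME)
        return scan(os.path.join(root, 'httpd.conf'), server_root=root)


if __name__ == '__main__':
    for path, lineno, reason in demo():
        print('%s:%d: %s' % (path, lineno, reason))
```

On a real host run `scan('/usr/local/apache/conf/httpd.conf', '/usr/local/apache')` and then `diff` the included files against the vendor package or a known-good copy; the point is to enumerate every file Apache actually reads, not just the ones named like config.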
Part IV: Whodunit + Motivation?

• Pharm-search.com = 88.214.X.Y
• netname: UK-UAONLINE-20060118
• descr: Real International Business Corp.
• country: GB
• address: Real International Business Corp., 145-157 St John Street, 2nd Floor, EC1V 4PY, LONDON, UNITED KINGDOM
• phone: +16462333035
• e-mail: [email protected]
• person: Soldatov Maxim
• address: Marylebone High Street 78, W1U 5AP London
• phone: +380 50 4985406
• e-mail: [email protected]
Spamhaus -> Russian Business Network?
• Pharm-search.com = 88.214.217.248
• 88.214.192.0/18 is listed on the Spamhaus Block List
• Ipipe/UAOnline
• "Canadian Pharmacy" -> Russian Business Network
• “This is a long time pharmacy spam operation which uses both bullet proof hosting and botnets to host their sites. They have dozens of terminations.”
Part V: Spammer Hunting
Time to Catch the Hacker in the Act
• Solaris 10 ships DTrace, a kernel-level tracing framework; the DTraceToolkit script shellsnoop uses it to record what users type into their shells
• We broke the link to the spec.php script and waited
• Sure enough, he logged in a couple of nights later
• We could see how he was getting root and where he was hiding
IT'S A TRAP!
How Did He Get Root?
1) SSH <user>@nts.wustl.edu
2) # LD_PRELOAD=/usr/lib/secure/...
3) # su –
4) Now he has root
• Local Solaris 10 exploit in Netscape Portable Runtime (NSPR); fixed by a patch
• http://www.milw0rm.com/exploits/2569
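Why the preload path on the slide starts with /usr/lib/secure: the Solaris runtime linker ignores LD_PRELOAD for set-id programs such as su unless the library lives in a trusted directory (/usr/lib/secure and /usr/lib/secure/64 on Solaris 10). Whatever the NSPR bug itself did, that directory is where a preload against su has to come from, so its contents and permissions are worth auditing after an incident like this one. The function below is an added example, not code from the talk: it checks a trusted directory for writable entries, wrong ownership, symlinks and files not on a caller-supplied list of expected libraries. The expected list is an assumption the caller supplies (from a clean host of the same patch level, for instance); the demo builds a throwaway directory with one rogue entry.

```python
"""Audit a runtime-linker trusted directory (e.g. /usr/lib/secure).

Added example. The file names in demo_audit() are constructed; supply
your own expected-file set taken from a known-good system.
"""
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_trusted_dir(path, expected=frozenset(), owner_uid=0):
    """Return (path, reason) pairs for anything out of place.

    A trusted directory should be owned by owner_uid (root in production),
    not writable by group/other, hold no symlinks, and contain only the
    libraries on the expected list.
    """
    findings = []
    st = os.lstat(path)
    if st.st_mode & WRITABLE_BY_OTHERS:
        findings.append((path, 'directory is group/world writable'))
    if st.st_uid != owner_uid:
        findings.append((path, 'directory owned by uid %d, expected %d' % (st.st_uid, owner_uid)))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        fst = os.lstat(full)
        if stat.S_ISLNK(fst.st_mode):
            # A symlink lets a file outside the trusted dir be preloaded.
            findings.append((full, 'symlink in trusted directory -> ' + os.readlink(full)))
            continue
        if fst.st_mode & WRITABLE_BY_OTHERS:
            findings.append((full, 'group/world writable'))
        if fst.st_uid != owner_uid:
            findings.append((full, 'owned by uid %d, expected %d' % (fst.st_uid, owner_uid)))
        if expected and name not in expected:
            findings.append((full, 'not in expected file list'))
    return findings


def demo_audit():
    """Constructed trusted directory: one good library, one rogue
    world-writable library that is not on the expected list, one symlink.
    owner_uid is the current user because the demo does not run as root."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, 'libgood.so')
        rogue = os.path.join(d, 'libevil.so.1')
        for p in (good, rogue):
            with open(p, 'wb') as fh:
                fh.write(b'\x7fELF')          # placeholder bytes, not a real library
        os.chmod(good, 0o755)
        os.chmod(rogue, 0o777)
        os.symlink('/tmp/elsewhere.so', os.path.join(d, 'libx.so'))
        return audit_trusted_dir(d, expected={'libgood.so'}, owner_uid=os.getuid())


if __name__ == '__main__':
    for path, reason in demo_audit():
        print(path, '-', reason)
```

In production run it as `audit_trusted_dir('/usr/lib/secure', expected=known_good, owner_uid=0)` for both the 32-bit and 64-bit directories, and treat any finding as something to explain rather than something to silently fix, since the rogue file is evidence.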
Hacker Time
1. Checked to see what was running
2. Checked to see what was in cron
3. Cleaned log files with a script he had stashed
4. Changed time stamps on some files
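Step 4 above is the one the filesystem can still testify about. On Solaris and other Unix systems, touch/utimes lets an attacker set a file's modification and access times to anything, but the inode change time (ctime) is set by the kernel on every metadata change and cannot be written directly. A file whose mtime has been pushed back while its ctime is recent therefore stands out. The scanner below is an added example, not from the talk: it walks a tree and lists regular files whose ctime exceeds their mtime by more than a threshold. Legitimate causes exist (chmod, chown, rename and archive extraction all bump ctime without touching mtime), so this is a triage list, not proof. The demo writes a constructed log file and backdates its mtime the way an attacker would.

```python
"""List files whose ctime is well ahead of their mtime (backdated stamps).

Added example. Meaningful on POSIX systems where st_ctime is the inode
change time; on Windows st_ctime is the creation time and this check
does not apply.
"""
import os
import stat
import tempfile
import time


def find_backdated(root, skew=60):
    """Return (path, gap_seconds) for regular files under root whose
    inode change time is more than `skew` seconds after their mtime."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue                      # vanished or unreadable, skip
            if not stat.S_ISREG(st.st_mode):
                continue
            gap = st.st_ctime - st.st_mtime
            if gap > skew:
                hits.append((p, int(gap)))
    return hits


def demo_backdated():
    """Constructed tree: one log written now, one log whose mtime an
    'attacker' has set to 30 days ago. Only the second should be reported."""
    thirty_days = 30 * 86400
    with tempfile.TemporaryDirectory() as d:
        normal = os.path.join(d, 'normal.log')
        cleaned = os.path.join(d, 'auth.log')
        for p in (normal, cleaned):
            with open(p, 'w') as fh:
                fh.write('constructed sample log line\n')
        old = time.time() - thirty_days
        # What `touch -t` does: rewrite atime/mtime. The kernel updates
        # ctime to now as a side effect, which is what we detect.
        os.utime(cleaned, (old, old))
        return find_backdated(d)


if __name__ == '__main__':
    for path, gap in demo_backdated():
        print('%s: ctime is %d seconds after mtime' % (path, gap))
```

Pair this with an out-of-band copy of the logs (remote syslog) so that the cleaned local files can be compared against what the server actually sent before the intruder got to them.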
Conclusion: Is Your Server Safe?
• Besides the standard recommendations for securing any web server, try these tools:
  – Register your site with Google Webmaster Tools and Yahoo Site Explorer
  – Set a Google Alert on the site; this notifies you of any changes to the site as seen from the search engine's point of view, which is how this compromise was visible while the server itself looked clean