20131116

Problems with a rootkit


During this week I've been struggling with a problem with one of our servers.

The server started to collapse for no apparent reason, and sometimes we saw suspicious processes like this:

./m64 -o stratum+tcp://mine.pool-x.eu:9000 -u gvsall.64 -p 64 --algo scrypt --no-longpoll -B

A Google search revealed that it's a bitcoin miner. WTF???

Killing the process and changing the root password had no effect, so I had to do a deeper analysis.

Finally I figured out that the problem was a rootkit installed on the server, so I took two courses of action:

1) Remove the rogue software installed
2) Avoid being hacked again by addressing the server's vulnerability

1) Remove the malicious software installed by the rootkit


Usually those kinds of programs are installed in temporary folders; look at:
/tmp
/var/tmp

ALERT: Always look with the -a flag, because usually there are lots of hidden files

ls -la 

You must also look for crontabs installed by the rootkit.

cd /var/spool/cron/crontabs
ls -la 

Look especially for www-data crontabs, or crontabs of users that you don't control and that mustn't be there.

Look in the /etc/passwd file too for uncontrolled users, and use the last command to see the latest logins into the system.

To find suspicious files and processes you can use these programs; they are really easy to use and will also give you clues about how to solve the server's vulnerability:


Look at the reports generated by those tools and rm or quarantine the rogue files.
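A first-pass triage script for the places this section names (hidden entries in the temp dirs, crontabs of unexpected users, login-capable accounts in /etc/passwd, recent logins), added here as an example and not part of the original post. The allow-list of crontab owners and the "run" entry point are assumptions; everything else is standard POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass triage for the
# places the post names: hidden entries in the temp dirs, crontab files for
# users you do not expect, and accounts in /etc/passwd that can log in.
# The allow-list and the "run" entry point are assumptions for this script.
set -eu

# Hidden entries (names starting with ".") directly under DIR, one per line.
# Uses globs instead of find so it behaves the same on every POSIX sh.
list_hidden_entries() {
    for entry in "$1"/.[!.]* "$1"/..?*; do
        if [ -e "$entry" ]; then printf '%s\n' "$entry"; fi
    done
}

# Crontab files in SPOOL_DIR whose owner name is not in the space-separated
# ALLOWED list. A www-data crontab, for instance, should never appear here.
unexpected_crontabs() {
    spool=$1; allowed=" $2 "
    for file in "$spool"/*; do
        [ -e "$file" ] || continue
        user=${file##*/}
        case "$allowed" in
            *" $user "*) ;;
            *) printf '%s\n' "$user" ;;
        esac
    done
}

# Accounts in a passwd file with a real login shell, so the output is short
# enough to compare against the users you actually created.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ {print $1 ":" $7}' "$1"
}

triage_host() {
    echo "== hidden entries in /tmp and /var/tmp"
    list_hidden_entries /tmp; list_hidden_entries /var/tmp
    echo "== crontabs for users outside the allow-list"
    unexpected_crontabs /var/spool/cron/crontabs "root"
    echo "== accounts with a login shell"
    login_accounts /etc/passwd
    echo "== recent logins"
    last -n 20
}

if [ "${1-}" = "run" ]; then triage_host; fi
```

Run it as `sh triage.sh run` on the affected host; each function can also be pointed at a copied spool or passwd file when analysing an image offline.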

2) Avoid being hacked again by addressing the server's vulnerability


Usually those kinds of programs are installed through some webserver vulnerability.

Years ago I found a similar rootkit that exploited a vulnerability in phpMyAdmin; the rule of thumb is to update your software often to avoid this kind of problem.

This time it was a problem with php running in CGI mode.

You must look for clues using chkrootkit and rkhunter, then look in the Apache logs for suspicious strings like:

GET /w00tw00t.at.ISC.SANS...
POST //%63%67%69%2D%62%69%...
POST cgi-bin/php-cgi?-d+allow_url_include=on+-d...
POST cgi-bin/php5?-d+allow_url_include=on+-d...

Often you don't even need cgi-bin/php running at all, because the standard installation doesn't work through CGI. That's an old configuration and you probably don't need it.

If you can avoid using cgi-bin, look at the sites-enabled folder and try to get rid of the CGI configurations. Look especially at the default site; you can find old lines of config that you don't use at all.

Restart the Apache server after that.
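A small detection script for the two checks above (the probe strings in the Apache log, and CGI lines left in sites-enabled), added here as an example and not part of the original post. The log and config paths are assumptions, and the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): flag Apache access-log lines
# that match the php-cgi probe patterns listed above, and locate CGI config
# lines in sites-enabled that may be worth removing. Paths are assumptions.
set -eu

# w00tw00t scanner banner; "%63%67%69%2d%62%69" is URL-encoded "cgi-bi(n)";
# "php?-d+", "php5?-d+" and "php-cgi?-d+" pass php.ini directives through
# the query string; allow_url_include is the directive those probes set.
CGI_PROBE_RE='w00tw00t|%63%67%69%2d%62%69|php(5|-cgi)?\?-d\+|allow_url_include'

# Print the matching log lines (case-insensitive).
scan_apache_log() {
    grep -Ei "$CGI_PROBE_RE" "$1" || true
}

# Number of matching lines, as a plain integer.
count_cgi_probes() {
    grep -Eic "$CGI_PROBE_RE" "$1" || true
}

# Source IPs of matching lines, most active first (count then address).
top_probe_sources() {
    scan_apache_log "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Apache config lines that enable CGI handling, with file and line number.
find_cgi_config() {
    grep -rniE 'ScriptAlias|cgi-bin|php-cgi|cgi-script' "$1" || true
}

# Constructed sample log (not real traffic): one normal hit, three probes.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [16/Nov/2013:10:01:02 +0100] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [16/Nov/2013:10:02:15 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0
203.0.113.9 - - [16/Nov/2013:10:02:16 +0100] "POST //%63%67%69%2D%62%69%6E/php?-d+allow_url_include=on HTTP/1.1" 404 0
203.0.113.9 - - [16/Nov/2013:10:02:17 +0100] "POST /cgi-bin/php5?-d+allow_url_include=on+-d+safe_mode=off HTTP/1.1" 200 0
EOF
}

# On a real host: scan_apache_log /var/log/apache2/access.log
#                 find_cgi_config /etc/apache2/sites-enabled
```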


Interesting posts and links:

20130218

How to convert MyISAM tables to InnoDB in bulk in MySQL

I found this trick on StackOverflow. It works well with relatively small tables, in the order of megabytes; with tables in the gigabytes it starts to take a long time and you have to do some kind of export and import.

The script:

SELECT CONCAT('ALTER TABLE `',table_schema,'`.'
,table_name,' ENGINE=InnoDB;') InnoDBConversionSQL
FROM information_schema.tables 
WHERE engine='MyISAM' AND table_schema NOT IN
('information_schema','mysql','performance_schema') 
ORDER BY (data_length+index_length);


If you want to see the size of each table before running it:

SELECT CONCAT('ALTER TABLE `',table_schema,'`.'
,table_name,' ENGINE=InnoDB;') InnoDBConversionSQL
, data_length+index_length
FROM information_schema.tables 
WHERE engine='MyISAM' AND table_schema NOT IN
('information_schema','mysql','performance_schema') 
ORDER BY (data_length+index_length);

I recommend always starting with the first (smallest) tables and working upward, until we see that the process takes too long.
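A script that applies that rule, added here as an example and not part of the original post: it generates the ALTER statements with the post's query, runs them smallest table first, and stops as soon as one conversion exceeds a time budget. The mysql client options, the budget and the sample statement list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the ALTER TABLE
# statements with the post's query, then run them smallest table first and
# stop as soon as one conversion exceeds a time budget, which is the
# "work upward until it takes too long" rule done by script.
# The mysql client options and the time budget are assumptions.
set -eu

# The generator query from the post; one ALTER statement per output row.
GEN_SQL="SELECT CONCAT('ALTER TABLE \`',table_schema,'\`.',table_name,' ENGINE=InnoDB;')
FROM information_schema.tables
WHERE engine='MyISAM' AND table_schema NOT IN ('information_schema','mysql','performance_schema')
ORDER BY (data_length+index_length);"

# Write the statements to OUT_FILE using the mysql client (-N drops the header).
generate_statements() {
    mysql -N -e "$GEN_SQL" > "$1"
}

# convert_in_order FILE BUDGET_SECONDS RUNNER
# Feeds each statement to RUNNER (a shell command that reads SQL on stdin,
# e.g. "mysql") and stops when one takes longer than the budget. Prints how
# many statements it ran, so the caller knows where to resume.
convert_in_order() {
    file=$1; budget=$2; runner=$3; ran=0
    while IFS= read -r stmt; do
        [ -n "$stmt" ] || continue
        start=$(date +%s)
        printf '%s\n' "$stmt" | sh -c "$runner"
        elapsed=$(( $(date +%s) - start ))
        ran=$((ran + 1))
        if [ "$elapsed" -gt "$budget" ]; then
            printf 'stopping after "%s": %ss exceeds the %ss budget\n' "$stmt" "$elapsed" "$budget" >&2
            break
        fi
    done < "$file"
    echo "$ran"
}

# Constructed statement list (not from a real server), already size-ordered.
write_sample_statements() {
    printf '%s\n' \
      'ALTER TABLE `shop`.sessions ENGINE=InnoDB;' \
      'ALTER TABLE `shop`.orders ENGINE=InnoDB;' \
      'ALTER TABLE `shop`.order_lines ENGINE=InnoDB;' > "$1"
}

# Real run: generate_statements innodb.sql && convert_in_order innodb.sql 300 mysql
```

Because the statements are sorted by size, the count it prints is also the line to resume from once the remaining large tables have been handled by export and import.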

20130103

2012 summary post

Gadgets of the year (bought or received as gifts):
iPhone solar charger
iPad mini

T-shirts of the year:
Twitter among birds
The emperor penguin
The cyclops and the 3D glasses
The dinosaur playing Asteroids
Looney Tunes Wolverine
The "I was here" mug
iPod/Walkman conversation
Star Wars architecture
Che-Waka
Han Solo
May the force be with you (Millennium Falcon)
Human after all
Los planetas


Geeky cool stuff:
3D printing
Discovering that "The Wizard of Oz" was a critique of the gold standard and a call to adopt silver. Silver Bugs
Trello
Git
phpfog
redis
blitz
pingdom
siege
emberjs
divshot
http://www.senado.es/web/composicionorganizacion/senadores/composicionsenado/senadoresenactivo/consultaordenalfabetico/index.html?id=500K%20FOR%20THIS%20CRAP
That Joss Whedon was one of the writers of Toy Story

Games I got hooked on this year:
None

Cool bands I discovered this year:
None

Best concerts I went to:
The Pains of Being Pure at Heart (razz2)
Stone Roses
Maximo Park
The Cure
Sr. Chinarro

Best films I've seen:
Batman capucha roja
La verdadera historia de la Princesa Leia (Wishful Drinking)
The help
Sherlock Holmes juego de sombras
Toy Story 3
Cisne negro
Un dios salvaje
Los chicos estan bien
Solo una noche
Insidious
Kidnapped: historia de un secuestro
Sombras tenebrosas
No tengas miedo a la oscuridad
Caperucita roja
Contagio
La dama de hierro
Batman año uno
Los juegos del hambre
Moonrise Kingdom
Brave
J. Edgar
La pesca del salmon en Yemen
TED
Prometheus
Batman: Dark Knight Rises

Shorts:
No tomorrow
Simiocracia

Books I read and liked:
Los juegos del hambre
Una forma de vida, Amélie Nothomb

Comics:
Many, I haven't kept track, but the latest was "Sonrisas de Bombay"

Series I got hooked on (in order of addiction):
Boardwalk Empire s2 s3
Walking Dead s2 s3
Downton Abbey s2 s3
Big Bang s6
Sherlock s1 s2
Mentes criminales s6 s7 s8

Documentaries:
Profesion IT-Girl
Pearl Jam Twenty

Trips abroad:
None

Best hotels I stayed at:
None

Best restaurants:
Els Pescadors
Gorria