access logs on Nov 30

access logs on Nov 30

jdd@dodin.org
Hello,

Some malicious files were written to my openSUSE (13.1, I know...
obsolete :-() on Nov 30.

How can I trace which access was used? I suspect ftp, but it may also be php.

thanks
jdd

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: access logs on Nov 30

Darin Perusich-3
Check the owner/group/time-stamps of these malicious files and try and
correlate those with entries in your ftp/apache/susefirewall/app logs.
If you don't have logging enabled for said app then shame on you; if
log entries for those times are "missing" you've been pwned. Don't
forget logs from your router, if you're storing them, since they may
also be able to help correlate the connections/activity.
--
Later,
Darin




Re: access logs on Nov 30

Per Jessen
In reply to this post by jdd@dodin.org
jdd wrote:

> Hello,
>
> Some malicious files where written to my openSUSE (13.1, I know...
> obsolete :-() on nov 30
>
> How can I trace what access was used, I suspect ftp, but it may also
> be php

Try running a rootkit scanner.

--
Per Jessen, Zürich (1.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.




Re: access logs on Nov 30

jdd@dodin.org
On 13/12/2016 at 18:28, Per Jessen wrote:

> jdd wrote:
>
>> Hello,
>>
>> Some malicious files where written to my openSUSE (13.1, I know...
>> obsolete :-() on nov 30
>>
>> How can I trace what access was used, I suspect ftp, but it may also
>> be php
>
> Try running a rootkit scanner.
>
>
>
like?

By the way, I don't think it's a rootkit; only an obscure account is
compromised, not my main one (gladfully).

thanks
jdd



Re: access logs on Nov 30

jdd@dodin.org
In reply to this post by jdd@dodin.org
On 13/12/2016 at 18:14, Darin Perusich wrote:
> Check the owner/group/time-stamps of these malicious files

I was sure I could make an error... I copied out the faulty folder, but
didn't do this as root, so the owner is no longer the original one.

At first glance I only noted the date (Nov 30).

> and try and
> correlate those with entries in your ftp/apache/susefirewall/app logs.

Yes, but where are these logs? No "ftp" in /var/logs. Probably some
syntax with journalctl. I certainly have them for the FW.

Yes, I have them, and for that particular day, but there are 15223 lines...
how can I find the lines giving access to the computer? What do I have to
search for?

> If you don't have logging enabled for said app then shame on you, if log
> entries for those times are "missing" you've been pwned. Don't forget
> logs from your router, if you're storing them, since they may also be
> able to help correlate the connections/activity.
>

It's a hosted computer, online, no router.

thanks
jdd




Re: access logs on Nov 30

Darin Perusich-3
On Tue, Dec 13, 2016 at 12:43 PM, jdd <[hidden email]> wrote:

> On 13/12/2016 at 18:14, Darin Perusich wrote:
>>
>> Check the owner/group/time-stamps of these malicious files
>
>
> I was sure I could make an error... I copied out the faulty folder, but
> didn't do this as root and so the owner is no more the initial one.
>
> At first glance I only noted the date (nov 30)
>
>> and try and
>>
>> correlate those with entries in your ftp/apache/susefirewall/app logs.
>
>
> yes but where are these logs. No "ftp" in /var/logs. Probably some syntax
> with journalctl I certainly have them for the FW

Check your ftp daemon config to see what file or syslog facility it
uses to save logs; they may just be in /var/log/messages.

> yes, I have them and for the dedicated day. but there are 15223 lines... how
> can I find the lines giving access to the computer? what have I to search
> for?

In the FW logs grep for SPT=21, source port 21/ftp, to limit to only
those connections and review the SRC=x.x.x.x address for the host that
initiated those connections. Then it becomes a game of tracking down
who owns that address, looking for other log entries from the
address, etc.

>> If you don't have logging enabled for said app then shame on you, if log
>> entries for those times are "missing" you've been pwned. Don't forget
>> logs from your router, if you're storing them, since they may also be
>> able to help correlate the connections/activity.
>>
>
> it's a hosted computer, online, no router
>
>
> thanks
> jdd


Re: access logs on Nov 30

jdd@dodin.org
On 13/12/2016 at 19:06, Darin Perusich wrote:

> In the FW logs grep for SPT=21, source port 21/ftp, to limit to only
> those connections

Yes. And I guess only the "ACC" ones mean accepted? Like this one:

2016-11-30T16:45:16.136115+01:00 ks311900 kernel: SFW2-INext-ACC-TCP (...)
SRC=163.172.66.5 DST=188.xxx LEN=60 TOS=0x02 PREC=0x00 TTL=58 ID=63972
DF PROTO=TCP SPT=21834 DPT=80 WINDOW=29200 RES=0x00 CWR ECE SYN URGP=0
OPT (020405B40402080A4540D5330000000001030307)


vsftpd may not be so secure, after all.

I almost never use it, I will stop it

thanks
jdd



Re: access logs on Nov 30

Per Jessen
In reply to this post by jdd@dodin.org
jdd wrote:

> On 13/12/2016 at 18:28, Per Jessen wrote:
>> jdd wrote:
>>
>>> Hello,
>>>
>>> Some malicious files where written to my openSUSE (13.1, I know...
>>> obsolete :-() on nov 30
>>>
>>> How can I trace what access was used, I suspect ftp, but it may also
>>> be php
>>
>> Try running a rootkit scanner.
>>
>>
>>
> like?

rkhunter for instance.

> by the way I don't think it's a root kit, only an obscure account is
> compromised, not my main one (gladfully)

Even when it's only an unprivileged account, it's still worrying.  I
guess you don't know which account it is?



--
Per Jessen, Zürich (1.1°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.




Re: access logs on Nov 30

jdd@dodin.org
On 13/12/2016 at 19:56, Per Jessen wrote:

> Even when it's only an unprivileged account, it's still worrying.  I
> guess you don't know which account it is?
>
>
>
I stupidly neglected to look at the (evil) file owner, but I know which
account it is, for sure.

I'm not the only one who has the problem (search for "piwigo cialis").
The piwigo dev who works on it said he thinks it's an ftp problem. It
may be, if the susefirewall2 log I published in the other post means an
accepted connection.

jdd



Re: access logs on Nov 30

Carlos E. R.-2
In reply to this post by Darin Perusich-3
On 2016-12-13 19:06, Darin Perusich wrote:
> On Tue, Dec 13, 2016 at 12:43 PM, jdd <> wrote:

>> yes but where are these logs. No "ftp" in /var/logs. Probably
>> some syntax with journalctl I certainly have them for the FW
>
> Check your ftp daemon config to see what file or syslog facility it
> uses to save logs; they may just be in /var/log/messages.

which may mean journalctl.

Scan for the user name of the account in journalctl or /var/messages.

--
Cheers / Saludos,

                Carlos E. R.

  (from 13.1 x86_64 "Bottle" (Minas Tirith))


Re: access logs on Nov 30

Per Jessen
In reply to this post by jdd@dodin.org
jdd wrote:

> On 13/12/2016 at 19:56, Per Jessen wrote:
>
>> Even when it's only an unprivileged account, it's still worrying.  I
>> guess you don't know which account it is?
>>
>>
>>
> I stupidly neglected to look at the (evil) file owner, but I know what
> account it is, for sure
>
> I'm not the only one who has the problem (search for "piwigo
> cialis").

aha, I see. So the weakness is clearly in the gallery software.
I googled "piwigo vulnerabilities", quite a few interesting hits.

> the piwigo dev that works on it said that he think its a ftp
> problem.

TBH, that sounds like a lame excuse for "I don't know, but surely it
isn't me".

ftp is easy to set up so it is safe to use, and any setup would be
separate from piwigo anyway.

If this is an ongoing problem, apparmor could probably help you.



--
Per Jessen, Zürich (0.8°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.




Re: access logs on Nov 30

jdd@dodin.org
On 14/12/2016 at 07:40, Per Jessen wrote:

> aha, I see. So the weakness is clearly in the gallery software.

Maybe the software uses some "ftp like" php functions, I dunno. I had
vsftp active (and removed it; I don't use it now).

> I googled "piwigo vulnerabilities", quite a few interesting hits.

not so bad:

https://www.cvedetails.com/product/17862/?q=Piwigo
>
>> the piwigo dev that works on it said that he think its a ftp
>> problem.
>
> TBH, that sounds like a lame excuse for "I don't know, but surely it
> isn't me".

I don't think so; the dev I'm thinking of is really smart.

>
> ftp is easy to set up so it is safe to use

That's not the reputation it has.

> and any setup would be
> separate from piwigo anyway.

In fact I just noticed this piwigo version is the only one I have that is
set up in a personal account (user/public_html). The others are
unaffected. It's easy to see because the attacker added files to the
install that are easy to look at.

>
> if this is an ongoing problem, apparmor could probably help you.
>
>
>
Dunno how, if the attacker uses "official" disk access methods.

thanks
jdd



Re: access logs on Nov 30

Carlos E. R.-2
On 2016-12-14 09:19, jdd wrote:

>> if this is an ongoing problem, apparmor could probably help you.
>>
> dunno how, if the attacker uses "official" disk access methods

Doesn't matter. AA can confine any process you configure to confine.

--
Cheers / Saludos,

                Carlos E. R.

  (from 13.1 x86_64 "Bottle" (Minas Tirith))


Re: access logs on Nov 30

jdd@dodin.org
On 14/12/2016 at 09:28, Carlos E. R. wrote:

> On 2016-12-14 09:19, jdd wrote:
>
>>> if this is an ongoing problem, apparmor could probably help you.
>>>
>> dunno how, if the attacker uses "official" disk access methods
>
> Doesn't matter. AA can confine any process you configure to confine.
>

Sure, but "official" access may be needed for the app to work :-)

jdd




Re: access logs on Nov 30

jdd@dodin.org
In reply to this post by jdd@dodin.org
On 13/12/2016 at 19:53, jdd wrote:

> On 13/12/2016 at 19:06, Darin Perusich wrote:
>
>> In the FW logs grep for SPT=21, source port 21/ftp, to limit to only
>> those connections
>
> Yes. And I guess only the "ACC" ones mean accepted? Like this one:
>
> 2016-11-30T16:45:16.136115+01:00 ks311900 kernel: SFW2-INext-ACC-TCP (...)
> SRC=163.172.66.5 DST=188.xxx LEN=60 TOS=0x02 PREC=0x00 TTL=58 ID=63972
> DF PROTO=TCP SPT=21834 DPT=80 WINDOW=29200 RES=0x00 CWR ECE SYN URGP=0
> OPT (020405B40402080A4540D5330000000001030307)
>

My error. I was following advice found on the net. What matters here
is not the source port (the client's one) but my own port (my
server's), so DPT, not SPT. And then, I didn't notice that grep had
found SPT=21834, not SPT=21, due to the lack of the -w option.

So this means the firewall (the SUSE one) did accept a browser
connecting to my web server, perfectly normal.

grep -w DPT=21 didn't show anything for that date.

thanks
jdd
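The SPT/DPT mix-up from Darin's grep advice and jdd's correction above, reproduced on constructed SuSEfirewall2 log lines (added example, not from the thread; the hostnames and RFC 5737 addresses are made up):

```shell
#!/bin/sh
# Added example (not from the thread): show why "grep SPT=21" misfires on
# SuSEfirewall2 kernel log lines and what the corrected query looks like.
# Lines and addresses are constructed (RFC 5737 ranges), not real traffic.

# Three constructed lines: an accepted web hit whose *client* port starts
# with 21, an accepted inbound FTP connection, and a dropped FTP attempt.
sample_log() {
cat <<'EOF'
2016-11-30T16:45:16+01:00 host kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x02 PREC=0x00 TTL=58 ID=63972 DF PROTO=TCP SPT=21834 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
2016-11-30T17:02:41+01:00 host kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=100 DF PROTO=TCP SPT=51234 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
2016-11-30T17:05:03+01:00 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=101 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# The query from the thread: wrong field (SPT is the client's ephemeral
# port) and no -w, so "SPT=21" also matches "SPT=21834" on the web hit.
naive_ftp_matches() {
    grep -c 'SPT=21' || true
}

# Corrected query: DPT is the port on *our* server, -w forces a whole-word
# match (DPT=21 will not match DPT=2121), and only "-ACC-" lines are
# connections the firewall actually accepted.
accepted_to_port() {
    grep -w "DPT=$1" | grep -c -- '-ACC-' || true
}

# Distinct client addresses behind the accepted connections to a port;
# these are the SRC values to chase through the ftp/apache logs next.
accepted_sources() {
    grep -w "DPT=$1" | grep -- '-ACC-' |
        sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

echo "naive SPT=21 matches:   $(sample_log | naive_ftp_matches)"    # 1 (false positive)
echo "accepted to port 21:    $(sample_log | accepted_to_port 21)"  # 1
echo "accepted to port 80:    $(sample_log | accepted_to_port 80)"  # 1
echo "clients accepted on 21: $(sample_log | accepted_sources 21)"  # 203.0.113.42
```

On a real box, replace `sample_log` with `journalctl -k --since 2016-11-30 --until 2016-12-01` or `grep SFW2 /var/log/firewall`, whichever holds the kernel log on that system.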



Re: access logs on Nov 30

Carlos E. R.-2
In reply to this post by jdd@dodin.org
On 2016-12-14 09:32, jdd wrote:
> On 14/12/2016 at 09:28, Carlos E. R. wrote:

>> On 2016-12-14 09:19, jdd wrote:
>>
>>>> if this is an ongoing problem, apparmor could probably help
>>>> you.
>>>>
>>> dunno how, if the attacker uses "official" disk access methods
>>
>> Doesn't matter. AA can confine any process you configure to
>> confine.
>>
>
> Sure, but "official" access may be needed for the app to work :-)

Ah, you mean that the confined app will need to write into the
directories it serves for write. True. But not outside, meaning that
it would not be able to compromise the system, "only" the served data.


--
Cheers / Saludos,

                Carlos E. R.

  (from 13.1 x86_64 "Bottle" (Minas Tirith))


Re: access logs on Nov 30

jdd@dodin.org
In reply to this post by Per Jessen
On 13/12/2016 at 19:56, Per Jessen wrote:

> rkhunter for instance.

Doesn't seem to find anything odd. I have this on the server (13.1) that
is not on my station (42.1). I guess it's normal??

  /dev/.sysconfig/network/config-tunl0: ASCII text
  /dev/.sysconfig/network/config-sit0: ASCII text
  /dev/.sysconfig/network/config-ip6tnl0: ASCII text
  /dev/.sysconfig/network/config-dummy0: ASCII text
  /dev/.sysconfig/network/config-bond0: ASCII text
(... some others)

thanks
jdd



Re: access logs on Nov 30

Per Jessen
In reply to this post by jdd@dodin.org
jdd wrote:

> On 14/12/2016 at 07:40, Per Jessen wrote:
>
>> aha, I see. So the weakness is clearly in the gallery software.
>
> Maybe the software uses some "ftp like" php functions, I dunno.

With a webserver, I think there are only two options - file upload with
POST or some sort of webDAV.

>>
>> ftp is easy to set up so it is safe to use
>
> That's not the reputation it has.

Maybe due to poorly skilled admins.  I have had a few vsftpd setups
running over a few years, no problems.

> In fact I just noticed this piwigo version is the only one I have that
> is set up in a personal account (user/public_html). The others are
> unaffected. It's easy to see because the attacker added files to the
> install that are easy to look at.
>
>>
>> if this is an ongoing problem, apparmor could probably help you.
>>
>>
> dunno how, if the attacker uses "official" disk access methods

Well, either it's "official" or it's "unofficial".  Assuming you're
running apache under 'wwwrun', it's easy to control where wwwrun is
allowed to write to.  


--
Per Jessen, Zürich (1.1°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.




Re: access logs on Nov 30

jdd@dodin.org
In reply to this post by Carlos E. R.-2
On 14/12/2016 at 09:59, Carlos E. R. wrote:

> Ah, you mean that the confined app will need to write into the
> directories it serves for write. True. But not outside, meaning that
> it would not be able to compromise the system, "only" the served data.

Yes. The attacker here only uses the attack to display pharmacy
advertisements. Nothing really compromised.

I even wonder if the gain is worth the work (for him :-)

Or maybe it's a robot's work?

jdd



Re: access logs on Nov 30

Per Jessen
In reply to this post by jdd@dodin.org
jdd wrote:

> On 13/12/2016 at 19:56, Per Jessen wrote:
>
>> rkhunter for instance.
>
> Doesn't seem to find anything odd. I have this on the server (13.1) that
> is not on my station (42.1). I guess it's normal??
>
>   /dev/.sysconfig/network/config-tunl0: ASCII text
>   /dev/.sysconfig/network/config-sit0: ASCII text
>   /dev/.sysconfig/network/config-ip6tnl0: ASCII text
>   /dev/.sysconfig/network/config-dummy0: ASCII text
>   /dev/.sysconfig/network/config-bond0: ASCII text
> (... some others)

Yep, I have those too.



--
Per Jessen, Zürich (1.2°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.


