During the last days I've noticed a weird behavior on one of a web server I manage. It all started with an abnormal utilization of system resources - but no further evidence was detected. Until I saw weird processes running as Apache user which shouldn't be there:
www-data 10979 0.0 0.0 23672 3788 ? S Jan19 0:00 /usr/sbin/cron
www-data 11005 0.0 0.0 22744 3396 ? S Jan19 0:00 /usr/sbin/httpd
www-data 28561 0.1 0.1 23564 4436 ? S 09:12 0:24 /sbin/log
There were several different processes at different times of the day but I won't list them all now. Even a Linux novice will see that these processes don't fit in so where the hell did they come from? That they've been started by a web browser is obvious but the difficult thing is to find the exact method for about 300 websites on that server.
After some research in the right files I found this:
199.124.61.3 - - [24/Jan/2011:09:12:42 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"
199.124.61.3 - - [24/Jan/2011:09:12:44 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"
This clearly shows the POST method which was used to upload files into a chmodded 777 directory. After a manual check of the web account's files and websites this turned out to be an OSCommerce webshop. The hacker used a security vulnerability of this web-application to be able to upload anything he wanted to - which turned out to be STUNSHELL. A kind of small hacking-webpage built with tools and scripts to execute on the attacked server.
I hope this information can help any administrator out there who finds such processes mentioned above running on his system. My research on the Internet didn't get me any results. Watch out for files named like these
./catalog/images/tmp.php
./catalog/images/read.php
These are typical files used by the discovered STUNSHELL. Already if some customers on your webserver uses OSCommerce, administrators should be very careful!
Claudio from Switzerland wrote on Jul 12th, 2011:
The hacker used the vulnerability of OSCommerce to upload files to the server - as mentioned. Stunshell isn't a real shell, it's a very smart php script using several files. Once these files are all on the server, the 'shell' can be launched via browser.
Paul from Ausralia wrote on Jul 12th, 2011:
Any idea how the stunshell got there in the first place?
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder