Over the last few days I've noticed weird behavior on one of the web servers I manage. It all started with abnormal utilization of system resources, but no further evidence was found until I saw weird processes running as the Apache user which shouldn't be there:
www-data 10979 0.0 0.0 23672 3788 ? S Jan19 0:00 /usr/sbin/cron
www-data 11005 0.0 0.0 22744 3396 ? S Jan19 0:00 /usr/sbin/httpd
www-data 28561 0.1 0.1 23564 4436 ? S 09:12 0:24 /sbin/log
There were several different processes at different times of the day, but I won't list them all now. Even a Linux novice will see that these processes don't fit in, so where the hell did they come from? That they've been started by a web browser is obvious, but the difficult thing is to find the exact method among the roughly 300 websites on that server.
After some research in the right files I found this:
18.104.22.168 - - [24/Jan/2011:09:12:42 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"
22.214.171.124 - - [24/Jan/2011:09:12:44 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"
This clearly shows the POST requests which were used to upload files into a directory chmodded to 777. After a manual check of the web account's files and websites, the target turned out to be an OSCommerce webshop. The hacker used a security vulnerability in this web application to upload whatever he wanted, which turned out to be STUNSHELL: a small hacking web page bundling tools and scripts to be executed on the attacked server.
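Two quick triage checks follow from the two findings above, the unexpected processes and the access-log lines. The script below is an added example for this post, not code from the original author: it flags processes owned by the web-server user that are not the web server itself, and it flags access-log requests that match the osCommerce categories.php path-info abuse and the libwww-perl user agent seen in the log. The sample inputs are constructed from the lines quoted in the post (plus one legitimate apache2 line and one harmless GET added as controls), and the assumption that /usr/sbin/apache2 is the only binary www-data should run is an assumption for this example, to be adjusted per host.

```python
"""Defender-side triage helpers for the incident described in the post.

Added example, not part of the original post. Two heuristics:
  1. processes owned by the web-server user whose command is not the web
     server itself (cron, httpd and log running as www-data in the post);
  2. access-log requests matching the osCommerce categories.php upload
     abuse seen in the post (POST to .../admin/categories.php/<more path>
     with action=new_product_preview) or a libwww-perl user agent.

Sample inputs are constructed from the lines quoted in the post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the three `ps aux` lines from the post plus a
# legitimate Apache worker as a control that must not be flagged.
PS_SAMPLE = """\
www-data 10979 0.0 0.0 23672 3788 ? S Jan19 0:00 /usr/sbin/cron
www-data 11005 0.0 0.0 22744 3396 ? S Jan19 0:00 /usr/sbin/httpd
www-data 28561 0.1 0.1 23564 4436 ? S 09:12 0:24 /sbin/log
www-data 30001 0.0 0.2 31000 8000 ? S 09:00 0:01 /usr/sbin/apache2 -k start
"""

# Assumption for this example: the only binary www-data should ever run on
# this host is Apache itself. Adjust to the real web-server binary in use.
WEB_USER = "www-data"
EXPECTED_WEB_BINARIES = {"/usr/sbin/apache2"}


def suspicious_processes(ps_output: str, user: str = WEB_USER) -> list[tuple[int, str]]:
    """Return (pid, command) for every process of `user` not in the expected set."""
    hits = []
    for line in ps_output.splitlines():
        # `ps aux` prints 10 fixed columns, then COMMAND (which may contain spaces).
        fields = line.split(None, 10)
        if len(fields) < 11 or fields[0] != user:
            continue
        pid, command = int(fields[1]), fields[10]
        binary = command.split()[0]
        if binary not in EXPECTED_WEB_BINARIES:
            hits.append((pid, command))
    return hits


# Constructed sample: the two log lines from the post plus a harmless GET.
LOG_SAMPLE = """\
18.104.22.168 - - [24/Jan/2011:09:12:42 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"
22.214.171.124 - - [24/Jan/2011:09:12:44 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"
10.0.0.5 - - [24/Jan/2011:09:13:01 +0100] "GET /catalog/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Apache "combined" log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A script name followed by extra path info, then the product-preview action.
OSC_UPLOAD_RE = re.compile(r"/admin/categories\.php/[^?]*\?.*action=new_product_preview")
SCRIPTED_UA_RE = re.compile(r"libwww-perl", re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    time: str
    reasons: list[str]


def suspicious_requests(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = []
        if m["method"] == "POST" and OSC_UPLOAD_RE.search(m["path"]):
            reasons.append("osCommerce categories.php path-info upload")
        if SCRIPTED_UA_RE.search(m["ua"]):
            reasons.append("scripted client user agent")
        if reasons:
            findings.append(Finding(m["ip"], m["time"], reasons))
    return findings


if __name__ == "__main__":
    for pid, cmd in suspicious_processes(PS_SAMPLE):
        print(f"unexpected process as {WEB_USER}: pid {pid} {cmd}")
    for f in suspicious_requests(LOG_SAMPLE):
        print(f"{f.time} {f.ip}: {', '.join(f.reasons)}")
```

Run it against real data with `ps aux` output and the vhost's access logs; the process check is a cheap thing to put in a cron job or monitoring plugin, while the log check is best run over all ~300 vhosts at once so the one affected shop stands out.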
I hope this information can help any administrator out there who finds processes like those mentioned above running on his system. My research on the Internet didn't turn up any results. Watch out for files named like these:
These are typical files used by the discovered STUNSHELL. If any customers on your web server use OSCommerce, administrators should already be very careful!
Claudio from Switzerland wrote on Jul 12th, 2011:
The hacker used the vulnerability of OSCommerce to upload files to the server - as mentioned. Stunshell isn't a real shell, it's a very smart php script using several files. Once these files are all on the server, the 'shell' can be launched via browser.
Paul from Australia wrote on Jul 12th, 2011:
Any idea how the stunshell got there in the first place?