On a Hacker's trail


Listed in: Internet, Linux, PHP, Hacks


Over the last few days I've noticed weird behavior on one of the web servers I manage. It all started with abnormally high utilization of system resources, but no further evidence turned up until I saw strange processes running as the Apache user which shouldn't have been there:

www-data 10979  0.0  0.0  23672  3788 ?        S    Jan19   0:00 /usr/sbin/cron
www-data 11005  0.0  0.0  22744  3396 ?        S    Jan19   0:00 /usr/sbin/httpd
www-data 28561  0.1  0.1  23564  4436 ?        S    09:12   0:24 /sbin/log

There were several different processes at different times of the day, but I won't list them all here. Even a Linux novice will see that these processes don't belong, so where the hell did they come from? That they were started through a web request is obvious (they run as the Apache user www-data), but the difficult part is finding the exact entry point among the roughly 300 websites on that server.
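The first triage step described above, as an added example that is not part of the original post: list processes owned by the web server user whose executable is anything other than the web server itself. The allowlist is an assumption for a Debian/Ubuntu host where Apache runs as www-data from /usr/sbin/apache2; the ps output is constructed and includes the three rogue entries shown above.

```shell
#!/bin/sh
# Added example, not from the original post: flag processes running as the
# web server user whose command is not the real web server binary.
# Assumption: Apache on this host is /usr/sbin/apache2 running as www-data.

# Read "ps aux" style lines from stdin; print "PID COMMAND" for every line
# owned by user $1 whose command (column 11) is not in the space-separated
# allowlist $2.
rogue_www_processes() {
    awk -v user="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $1 == user && !($11 in ok) { print $2, $11 }
    '
}

# Constructed ps output: a healthy apache2 prefork plus the three processes
# from the post. /usr/sbin/httpd is flagged too, because the real Apache
# here lives at /usr/sbin/apache2 and nothing else should run as www-data.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  10648   836 ?        Ss   Jan19   0:02 /sbin/init
root      1202  0.0  0.2  36024  8192 ?        Ss   Jan19   0:10 /usr/sbin/apache2 -k start
www-data  1210  0.0  0.1  36024  6100 ?        S    Jan19   0:03 /usr/sbin/apache2 -k start
www-data  1211  0.0  0.1  36024  6100 ?        S    Jan19   0:03 /usr/sbin/apache2 -k start
www-data 10979  0.0  0.0  23672  3788 ?        S    Jan19   0:00 /usr/sbin/cron
www-data 11005  0.0  0.0  22744  3396 ?        S    Jan19   0:00 /usr/sbin/httpd
www-data 28561  0.1  0.1  23564  4436 ?        S    09:12   0:24 /sbin/log'

# Live usage on a real host:
#   ps aux | rogue_www_processes www-data /usr/sbin/apache2
printf '%s\n' "$SAMPLE_PS" | rogue_www_processes www-data /usr/sbin/apache2
```

The command column in ps is whatever the process put in its argv, so a name like /usr/sbin/httpd proves nothing; before killing anything, confirm what the binary really is with `ls -l /proc/PID/exe` and `/proc/PID/cwd`, which usually points straight at the directory the files were dropped in.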

After some digging through the right log files (the Apache access logs) I found this:

199.124.61.3 - - [24/Jan/2011:09:12:42 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"
199.124.61.3 - - [24/Jan/2011:09:12:44 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"

This clearly shows the POST requests that were used to upload files into a world-writable (chmod 777) directory. A manual check of the web account's files and websites showed that this was an OSCommerce web shop. The attacker used a security vulnerability in this web application to upload whatever he wanted, which turned out to be STUNSHELL: a small hacking web page bundling tools and scripts to be executed on the compromised server.

(Screenshot: Stunshell)

I hope this information helps any administrator out there who finds processes like the ones mentioned above running on his system. My research on the Internet didn't turn up any results. Watch out for files named like these:

./catalog/images/tmp.php
./catalog/images/read.php

These are typical files used by the discovered STUNSHELL. If any customers on your web server use OSCommerce, administrators should be very careful!
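A filesystem check for the drop point described in this post, as an added example that is not part of the original: it lists world-writable directories under a web root and any PHP files sitting directly inside them, which is where an upload through the web server lands. The directory layout is constructed for the demo and uses the two file names mentioned above.

```shell
#!/bin/sh
# Added example, not from the original post: locate PHP files that were
# dropped into world-writable (chmod 777) directories below a web root.

# Print every world-writable directory below $1.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Print every PHP file that lives directly in a world-writable directory
# below $1.
php_in_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | while read -r d; do
        find "$d" -maxdepth 1 -type f -name '*.php'
    done | sort
}

# Build a constructed web root: a normal shop plus a 777 images directory
# holding tmp.php and read.php. Returns the root path on stdout.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/catalog/images" "$root/catalog/admin"
    : > "$root/catalog/index.php"
    : > "$root/catalog/admin/categories.php"
    : > "$root/catalog/images/logo.png"
    : > "$root/catalog/images/tmp.php"
    : > "$root/catalog/images/read.php"
    chmod 777 "$root/catalog/images"
    printf '%s\n' "$root"
}

# Demo run; on a real host point the functions at /var/www (or each
# customer's document root) instead.
demo=$(make_demo_root)
echo "world-writable directories:"
world_writable_dirs "$demo"
echo "PHP files inside them:"
php_in_writable_dirs "$demo"
rm -rf "$demo"
```

Removing the files is only the first step: the lasting fix is to take the 777 mode off the upload directory and to configure the web server so that nothing under images/ is executed as PHP at all, which turns a future upload into an inert file. This is general hardening advice and not something the post itself describes.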



Comments (newest first)

Claudio from Switzerland wrote on Jul 12th, 2011:

The hacker used the vulnerability of OSCommerce to upload files to the server - as mentioned. Stunshell isn't a real shell, it's a very smart php script using several files. Once these files are all on the server, the 'shell' can be launched via browser.


Paul from Australia wrote on Jul 12th, 2011:

Any idea how the stunshell got there in the first place?

