We have a virtual webserver with Ubuntu 12.04. Today we received a message from the webhoster, because there are illegal activities on this server.
I found bad code on different Joomla installations and cleaned it. Now I have two processes on this server, started from our FTP user with the following commands:
/tmp/ntp.client -p9406 -d
/tmp/smartctl.dump -p3218 -d
They used a lot of CPU time and are similar, and Google says nothing about ntp.client or smartctl.dump.
Can anybody say something about these processes? Can I kill them?
Thanks
PS: sorry for my English!
Unless you installed it to /tmp yourself, get rid of it. And reinstall the server. Those two are easy to spot. You have no idea how many well hidden backdoors you already have on the system. Or better yet - get someone to install it for you and take care of it/secure it for you ...
edit: And see this canonical question and the other linked questions on ServerFault, where this question actually belongs.
2.5 months ago, I was running a website on a Linux server to do a user study on 3 variations of a tool. All 3 variations ran on the same website. While I was conducting my user study, the website (i.e., the process hosting the website) crashed. In my sleep-deprived state, I unfortunately did not record when the crash happened. However, I now need to know a) when the crash happened, and b) for how long the website was down until I brought it back up. I only have a rough timeframe for when the crash happened and for how long it was down, but I need to pinpoint this information as precisely as possible to do some time-on-task analyses with my user study data.
The server runs Linux 16.04.4 LTS (GNU/Linux 4.4.0-165-generic x86_64) and has been minimally set up to run our website. As such, it is unlikely that any utilities aside from those that came with the OS have been installed. Similarly, no additional setup has likely been done. For example, I tried looking at a history of commands used in hopes that HISTTIMEFORMAT was previously set so that I could see timestamps. This ended up not being the case; while I can now see timestamps for commands, setting HISTTIMEFORMAT is not retroactive, meaning I can't get accurate timestamps for the commands I ran 2.5 months ago. That all being said, if you have an idea that you think might work, I'm willing to try (as long as it doesn't break our server)!
It is also worth mentioning that I currently do not know if it's possible to see a remote desktop or something of the like; I've just been ssh'ing in and using the terminal to interact with the server.
I've been bouncing ideas off with friends and colleagues, and we all feel that there must be SOMETHING we could use to pinpoint when the server went down (e.g., network activity logs showing spikes around the time that the user study began as well as when the website was revived, a log of previous/no longer running processes, etc.). Unfortunately, none of us know about Linux logs or commands to really dig deep into this very specific issue.
In summary:
I need a timestamp for either when the website crashed or when it was revived. It would be nice to have both (or otherwise determine for how long the website was down), but this is not completely necessary.
I'm guessing only a "native" Linux command will be useful since nothing new/special has been installed on our server. Otherwise, any additional command/tool/utility will have to be retroactive.
It may or may not be possible to get a remote desktop working with the server (e.g., to use some tool that has a GUI you interact with to help get some information).
My colleagues and I have that sense of "there must be SOMETHING we could use" between various logs or system information, such as network activity, process start times, etc., but none of us know enough about Linux to do deep digging without some help.
Any ideas for what I can try to help figure out at least when the website crashed (if not also for how long it was down)?
A friend of mine pointed me to the journalctl command, which apparently maintains timestamps of past commands separately from HISTTIMEFORMAT and keeps logs that for me went as far back as October 7. It contained enough information for me to determine both when I revived my Node.js server as well as when my Node.js server initially went down.
I'm having an issue with an SSH tunnel and I understand it may be a permissions issue with my local ports, most probably 127.0.0.1:3308. However I've run my program as an administrator (sudo python3 myprogram.py) and I still have the same problem - but surely the administrator should have access to everything? I've tried searching on here and Googling "permission on local ports" but I didn't find anything useful.
Context: I'm still trying to complete step 2 of my original request. I didn't get very far with my original question so I asked again on Github which is where I got the feedback about the permissions issue.
I'm also not sure what tags to put on this question - feel free to improve them. For me, this is Python 3 on a Raspberry Pi, but if it's an issue with permissions then it's probably not specific to Python and it's likely to be Linux generally rather than Raspbian specifically!
Thanks in advance.
So in the end, this wasn't an issue with permissions on ports (which is maybe why the question was downvoted), so I'm closing this question. I'll put the solution on the original question.
I'm trying to deploy a nodejs application to google cloud, I've posted several SO questions about the errors I've been getting and how to fix them. Let me illustrate my endeavours...
problem 1) I tried following the tutorial, the hello world app deployment. When I entered the command to deploy,
$ gcloud preview app deploy app.yaml --set-default
It gave me an error saying managed vms aren't available for your application's region. I contacted someone from Google, a technical support representative from google, said his name was Ling, and he said he "wasn't aware managed vms weren't supported in India" and he wanted me to point out where I found that information. So I sent him this, note one of the answers. OK.....
problem 2) So, I was stuck, didn't really know what to do. Searched "how to deploy nodejs app on google cloud" and found a video in which a google developer informed me that there are "two main ways to run your application in the cloud, infrastructure as a service and platform as a service". Running it on app engine was the platform as a service, and that was off the list so I went with my only remaining option. There is a tutorial, the bookshelf app tutorial, also by google, and the last part describes how to run your application on the compute engine. I tried to go through the tutorial, but when I entered the command
git push cloud 7-gce:master
to push my code to the repository, it's asking me for my username and password, It never mentioned that in the tutorial, I don't know what to enter. I found this question but I'm not sure it applies to my situation. So next I went through some tutorials suggested by Zachary Newman, and I wasn't able to follow the tutorial where they use the ubuntu because when they tell you to hello.js file, it's really weird because I had to ssh into the ubuntu image vm I created and everything was really slow, I'm not familiar with commands on linux so I had to look up how to "save and exit" after creating the hello.js file. I got the "web server" to run, it's the reverse proxy nginx server, but since I don't know what the APP_PRIVATE_IP_ADDRESS is, when I accessed the page, I could see the nginx page but not the "hello world" message that's supposed to display. Please see the Prerequisites heading to see what the tutorial was trying to teach me. OK....
problem 3) On the google developers console, once you log in, there is a navigation section on the left, there is a link to the "Cloud Launcher". In there I found a link to create a Virtual Machine with nodejs installed, it's created by Bitnami. I clicked it and my vm was running, I went to the external ip address provided, and saw a Congratulations (ugh...) page by Bitnami. I didn't really know what to do from there, so I posted another SO question. A bitnami developer told me I "need to copy your files to the remote repository, create the configuration files and after that you have to include that configuration in the configuration of Apache to serve the application". How?!?! He just posted a link as well to a bitnami wiki page. I used filezilla to connect to my vm, and I tried to upload my application files to the vm. I was able to upload everything except the node modules (they were taking too long to upload and for some reason the ftp client kept losing the connection with the server after 10 minutes or so of uploading). So I thought I would just ssh into the instance and try to npm install my dependencies. But it gave me more errors...
problem 4) I don't know why this post was put on hold, but I found this. I can't find the exact page right now but I read somewhere in the google docs that we can't ssh into an instance as root/administrator by design, and that we have to perform some advanced configuration in order to be able to do this. THE PROBLEM is that I can't install the dependencies unless I ssh in as an administrator....:'( So I just uploaded my node modules with filezilla. Everything looks good to go, I ssh into my instance and I cd into my application directory and enter the command
node app.js
and almost as if to taunt me, it console logs out "connected to mongo...." and "Listening on port 3000.....". I get so excited, I think it's working.....
problem 4) The server never really started running I think, it wasn't able to connect to the mongodb database (another instance) that I was running, this was the command to connect to the mongodb instance in my app.js file
mongoose.connect('mongodb://****/myappdatabase');
where the **** indicates the external IP of my mongodb instances. After about 5 minutes, I get an error on the ssh browser
Error: connect ETIMEDOUT ****:27017
BUT WHO HAS TIME TO READ ALL OF THIS RIGHT?
I'm not a developer, I don't have much experience with programming (close to zero actually). I'm a hobbyist. I picked up a book on c programming by stephen g. kochan about 5 or 6 months ago, and since then, I've just been following tutorials on the internet, a programming in java book, and some reference material. I wanted to create a website.
I learned some html, css, javascript and jquery off of w3schools and went through some tutorials on creating a basic node server and serving some html pages, that's literally all my application does. That's all I want it to do.
I used the express framework for node, and mongoose to connect to my mongodb running locally. Socket.io for a little bit of networking. I created the website for fun and I would really like to host it and share it with my friends, I made it this far, it would be really embarrassing to quit now because I can't host the website. I went through a lot more than what I posted on this question by the way.
Now I would really appreciate some help, even some guidance as to what I need to know, maybe books I should read or documentation I should go through to become more familiar with website hosting would be great. I am going to offer this question up for a bounty in 2 days but until then, if there is anyone that went through this and would like to help for no personal gain of their own, you're saving my life. I've been going at this for about 4 days with no luck. Thanks and let me know if there is anything you would like to know about my application. I mean seriously, how hard could it be, I'm doing something (or everything) terribly wrong.
Wow dude. I thought about flagging this, but you appear to genuinely want to learn to program and need help. And experienced coders teaching novice coders is what this site is all about. So, here we go.
First and foremost, Linux is your friend. Learn it. Use it. I don’t use Ubuntu, but you should. Use 14.04 because it’s a forgiving distro and comes cram-packed with things you need when you’re just learning.
Time to address your questions:
Problem 1: you are using a gcloud preview product. Those are awesome, but not for beginners because you don’t know what you’re doing. Just stand up an Ubuntu instance on an n1-standard and rock it. No bells. No whistles. Learn Ubuntu linux with the same passion that you taught yourself how to program a web site.
Problem 2: Don’t use git. I use git every day and it’s awesome, but you have a long way to go and git is hella confusing. Take your workspace, tar/gzip it and just ssh the whole shebang to cloud. Then unzip it and you’ll have your whole code right there on your server. Caveat: never do this professionally. But for someone just learning … small bites dude … small bites.
Problem 3: Don’t use Bitnami pre-built images. It robs you of the opportunity learning how to do this from scratch and that is an invaluable experience. Here are two commands you must learn:
apt-get update
apt-get install <insert thing you want to install>
That’s it. Not rocket science and you will discover the power of package management on linux.
Problem 4: You are over-thinking this. For real, learn apt-get. It will get you so far, you’ll curse yourself for not using it earlier. apt-get node. apt-get mongo. And slam it all on one instance. Is that what I do professionally? Hell no. But it’s all about baby steps when you combine dev-ops with programming and you need to take those steps.
Errata: You wanted someone to recommend a book or a website or guidance. All you need to know is already on Ubuntu. They are called man pages. It’s short for manual. You can buy all the books in the world off Amazon and watch infinite youtube pages. It won’t compare to simply man-ing commands. You gotta trust me on this.
In summary: Just create an Ubuntu instance. tar and gzip all your code and scp it to your instance. Learn apt-get and for real, you are set. You will totally destroy your instance many times. So just delete it, re-create it, and keep starting over. Each time, you will be wiser and smarter than the time before. I tutor novice developers all the time. You gotta start small and work your way up. Eventually you’ll understand why you’d want to use git. Why you want to scale. Why LXC is amazing. Why GCE’s managed instance and VMs are crazy baller, and why scripting your deployment is a best practice. But first you have to understand how to build an instance and get your code there in any way possible. You’ll grow from there. Good luck, buddy.
I would like to start out by apologizing. I have very little knowledge in the areas of Linux and Servers. I have been asked at work to set up a Linux box running Apache Tomcat. The Server needs to be enabled to allow websockets. I managed to get Debian installed. During the installation it gave me the option to make it a web server, which I did. There are now some different folders and files that are named "apache" in the file system, so my guess is that I am in fact running Apache, but to be honest I'm not 100% sure, and if it is, I don't know if it's Tomcat. I fumbled around a bit and figured out the IP address of the computer I installed on and tried going to that IP from another computer in the network and it worked. I was able to see the html file that I put in the /var/www folder on the host machine. I then went out and found a nice piece of code, someone was kind enough to share, that is supposed to test websockets capability but I can't seem to get it working. My thinking is that my server isn't allowing PHP to run. I came to this conclusion by testing. I took a web page from my other server, it's written in PHP, that when opened will send a text to my phone. It's just a small piece of code that I used for testing. When I tried running it from the Linux server it won't run, meaning it won't send the text to my phone. So here I am. I realize I'm asking for a simple solution to a complex problem, but I'm under the gun so to speak. I have about a week to get this going, so I just don't have the time to really immerse myself in this stuff the way I would like to. My question in its simplest form is "How do I configure my server to run PHP?" Any help/advice would be greatly appreciated! Thank you all for your time and patience.
Have you tried running a simple PHP script like echo 'Hello World';??
If not then try, if it works then your PHP is up, but sockets are just not configured to use.
If it doesn't work then install Ubuntu, a simple newbie-friendly interface for Linux, and then install LAMP; here's how to do it.
And don't panic.
Is there a way to execute commands using directory traversal attacks?
For instance, I access a server's etc/passwd file like this
http://server.com/..%01/..%01/..%01//etc/passwd
Is there a way to run a command instead? Like...
http://server.com/..%01/..%01/..%01//ls
..... and get an output?
To be clear here, I've found the vuln in our company's server. I'm looking to raise the risk level (or bonus points for me) by proving that it may give an attacker complete access to the system
Chroot on Linux is easily breakable (unlike FreeBSD). A better solution is to switch on SELinux and run Apache in an SELinux sandbox:
run_init /etc/init.d/httpd restart
Make sure you have mod_security installed and properly configured.
If you are able to view /etc/passwd as a result of the document root or access to Directory not correctly configured on the server, then the presence of this vulnerability does not automatically mean you can execute commands of your choice.
On the other hand, if you are able to view entries from /etc/passwd as a result of the web application using user input (filename) in calls such as popen, exec, system, shell_exec, or variants without adequate sanitization, then you may be able to execute arbitrary commands.
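A defensive counterpart to the distinction drawn in this answer, added here as an example and not taken from the question or any of the answers: a lexical path check that refuses the ..%01 form shown in the question (control characters), double percent-encoding, and plain .. escapes from the document root, applied both to a single request path and to access-log lines. The document root /var/www/html, the function names and the log lines are assumptions constructed for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed document root for the example; not taken from the question.
DOC_ROOT = "/var/www/html"
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def check_request_path(raw_path: str, doc_root: str = DOC_ROOT) -> Tuple[str, Optional[str]]:
    """Classify a request path before it is ever used to open a file.

    Returns (verdict, resolved_path): verdict is "ok", "control-char",
    "double-encoding" or "traversal"; resolved_path is set only for "ok".
    The check is purely lexical (no symlink resolution), so the served
    tree must not contain symlinks that point outside doc_root.
    """
    path = raw_path.split("?", 1)[0]          # the query string is not part of the file path
    decoded = unquote(path)                   # exactly one layer of percent-decoding
    if unquote(decoded) != decoded:           # a second layer would still decode: reject
        return "double-encoding", None
    if CONTROL_CHARS.search(decoded):
        # The ..%01 form relies on the server discarding the control byte
        # after its traversal check; refusing control characters closes it.
        return "control-char", None
    candidate = posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))
    if candidate != doc_root and not candidate.startswith(doc_root + "/"):
        return "traversal", None
    return "ok", candidate


def flag_suspicious_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Run the same check over combined-format access-log lines; returns (verdict, path) for non-ok requests."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if m:
            verdict, _ = check_request_path(m.group(1))
            if verdict != "ok":
                hits.append((verdict, m.group(1)))
    return hits


# Constructed sample access-log lines (TEST-NET address, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /..%01/..%01/..%01//etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Oct/2023:12:00:03 +0000] "GET /../../../etc/passwd HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2023:12:00:04 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2023:12:00:05 +0000] "GET /images/../index.html?x=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for verdict, path in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{verdict:16} {path}")
```

Only the three malformed requests in the sample log are reported; the normal request and the one whose .. stays inside the document root pass.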
Unless the web server is utterly hideously programmed by someone with no idea what they're doing, trying to access ls using that (assuming it even works) would result in you seeing the contents of the ls binary, and nothing else.
Which is probably not very useful.
Yes it is possible (the first question) if the application is really really bad (in terms of security).
http://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
Edit#2: I have edited out my comments as they were deemed sarcastic and blunt. Ok now as more information came from gAMBOOKa about this, Apache with Fedora - which you should have put into the question - I would suggest:
Post to Apache forum, highlighting you're running latest version of Apache and running on Fedora and submit the exploit to them.
Post to Fedora's forum, again, highlighting you're running the latest version of Apache and submit the exploit to them.
It should be noted, include the httpd.conf to both of the sites when posting to their forums.
To minimize access to passwd files, look into running Apache in a sandbox/chrooted environment where any other files such as passwd are not visible outside of the sandbox/chrooted environment... Have you a spare box lying around to experiment with it, or even better use VMware to simulate the identical environment you are using for the Apache/Fedora - try to get it to be an IDENTICAL environment, make the httpd server run within VMware, and remotely access the virtual machine to check if the exploit is still visible. Then chroot/sandbox it and re-run the exploit again...
Document the step-by-step to reproduce it and include a recommendation until a fix is found, meanwhile if there is minimal impact to the webserver running in sandbox/chrooted environment - push them to do so...
Hope this helps,
Best regards,
Tom.
If you already can view etc/passwd then the server must be poorly configured...
If you really want to execute commands then you need to know whether the PHP script running on the server contains any system() command, so that you can pass commands through the URL.
eg: url?command=ls
try to view the .htaccess files....it may do the trick..