Results 1 to 10 of 11

Thread: Fx29Shell attack

Hybrid View

  1. #1
    Join Date
    Apr 2008
    Location
    England
    Beans
    243
    Distro
    Ubuntu 10.04 Lucid Lynx

    Fx29Shell attack

    Hi All,

    Just wanted to ask you all for some advice about what to do about something that I noticed this morning. When checking my emails this morning I noticed that I had 20 or so permanent delivery failures to mails from myself as www-data to another email address saying:

    Boss, there was an injected target on cj13579.dyndns-server.com/blog/wp-admin/css/xml.php?x=ls&d=/var/www/blog/wp-admin/css/.ccs/&sort=0a by 186.73.255.87
    I went on my server and looked at this xml.php because i didn't recognise it and saw that it's ownership was different from the other file ownership within this folder. I also noticed that the permissions were much more open than I hoped. xml.php actually turned out to be a binary file and a quick google search shows that Fx29Shell is backdoor shell program for getting entry into systems. From what I can read, it seems as though they wanted to use my box for mail spamming.

    My checks to see if they had succeeded were pretty rudenmentary. My server can send mails via the mail command and I use my gmail stuff as the gateway thing. A check of my sent mails showed all of the mails that had delivery folders. I *think* i might has escaped...

    I have deleted the xml.php file and closed the permissions on these folders and others in my webserver directory. I also saw that I was running a relatively old version of Apache so I have upgraded this in case they exploited a vunerability in that to get in.

    Additionally, I have updated ClamAV and have done a clamscan on the webserver idrectory which came back with no infected files. I am currently running a scan on the rest of the box to confirm that nothing else is elsewhere.

    Apart from these things, I would be interested to get peoples opinions on what else I could do to tighten up security and/or ensure that nothing else on my system is infected.

    I would also be interested to hear if anyone else has come across this issue.

    Thanks in advance.

  2. #2
    Join Date
    Nov 2007
    Location
    Newry, Northern Ireland
    Beans
    1,258

    Re: Fx29Shell attack

    The box has been owned, I would suggest getting any data off it and re-installing with the most recent versions of Apache etc.
    Can't think of anything profound or witty.
    My Blog: http://gonzothegeek.blogspot.co.uk/

  3. #3
    Join Date
    Nov 2008
    Location
    Sheffield, UK
    Beans
    1,517
    Distro
    Ubuntu

    Re: Fx29Shell attack

    what do you use for the alerts?

  4. #4
    Join Date
    Apr 2008
    Location
    England
    Beans
    243
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Fx29Shell attack

    Quote Originally Posted by spynappels View Post
    The box has been owned, I would suggest getting any data off it and re-installing with the most recent versions of Apache etc.
    Oh, that's rubbish. I was hoping that wasn't going to come. A bit of an update, the full scan finished and only found 1 infected file which was some dodgey .exe that I was keeping in a backup folder for a old Windows box.

    Quote Originally Posted by SlugSlug View Post
    what do you use for the alerts?
    I'm not using anything. The message that I posted was the body of an email that was trying to go from my server (as www-data) to another gmail account via mine. I only noticed because I got a load of permanent delivery failures to that address. It doesn't seem to have tried to send anything anywhere else.

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Fx29Shell attack

    The general rule when a machine is owned is to wipe it and restore from backups.

    You can run all the scans you want, but you still cannot trust that machine completely.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  6. #6
    Join Date
    Nov 2007
    Location
    Newry, Northern Ireland
    Beans
    1,258

    Re: Fx29Shell attack

    Quote Originally Posted by cj13579 View Post
    Oh, that's rubbish. I was hoping that wasn't going to come. A bit of an update, the full scan finished and only found 1 infected file which was some dodgey .exe that I was keeping in a backup folder for a old Windows box.
    You did ask for advice, sorry you didn't like it....

    As CharlesA said, this is standard practice when a box has been owned, but it's your box, you can do what you like with it.
    Can't think of anything profound or witty.
    My Blog: http://gonzothegeek.blogspot.co.uk/

  7. #7
    Join Date
    Oct 2008
    Location
    /var/log/uk :-)
    Beans
    208
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Fx29Shell attack

    I agree with what has been said above, wipe the server, Have you got any backups?

  8. #8
    Join Date
    Jan 2012
    Location
    Kerry/Dublin
    Beans
    109

    Re: Fx29Shell attack

    Wipe it clean. It's the only way to be sure.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •