Opened 19 months ago

Last modified 13 months ago

#12333 assigned Bug/Something is broken

memoriaviva site compromise

Reported by: https://id.mayfirst.org/jamie Owned by: https://id.mayfirst.org/jaimev
Priority: Urgent Component: Tech
Keywords: peery spam Cc: memoriaviva@…
Sensitive: no

Description

The site memoriavivachiapas has a compromise causing it to send massive amounts of spam.

The method used is injection, so I've added the affected user to /etc/postfix/unauthorized-submit-users.

Change History (6)

comment:1 Changed 19 months ago by https://id.mayfirst.org/jamie

  • Owner set to https://id.mayfirst.org/jaimev
  • Status changed from new to assigned

I just cleared the mailq also.

Jaime - would you mind notifying the member? The site is still up and functional but no email can be sent.

comment:2 Changed 19 months ago by https://id.mayfirst.org/jaimev

  • Cc memoriaviva@… added

I've sent them e-mail and advised them to comment on this thread.

comment:3 Changed 17 months ago by https://id.mayfirst.org/jamie

I disabled the site after receiving another spam complaint (and since there doesn't seem to have been a response to your notification).

comment:4 Changed 15 months ago by https://id.mayfirst.org/jamie

I received a spam complaint identifying peery as a source of sent spam:

Received: from peery.mayfirst.org [162.247.75.205] by nm10.cms.usa.net via smtad (C8.MAIN.4.10T) with ESMTP id XID661VcRo314826X10; Sat, 18 Mar 2017 14:54:52 -0000

There was nothing in the mail log corresponding to that time, so I suspected that it was a stand-alone process sending mail directly to the targets.

I searched for processes with network connections to port 25 and happened to catch this:

0 peery:~# lsof -i -n -P | grep :25
smtpd       815            postfix    6u  IPv4     18574      0t0  TCP *:25 (LISTEN)
smtpd       815            postfix    9u  IPv4 103008487      0t0  TCP 162.247.75.205:25->122.171.165.175:49735 (ESTABLISHED)
master     2451               root   12u  IPv4     18574      0t0  TCP *:25 (LISTEN)
proc      19538 memoriavivachiapas    3u  IPv4 103007805      0t0  TCP 162.247.75.205:47379->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas    6u  IPv4 103007806      0t0  TCP 162.247.75.205:47380->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas    7u  IPv4 103007807      0t0  TCP 162.247.75.205:47381->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas    8u  IPv4 103007808      0t0  TCP 162.247.75.205:47382->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas    9u  IPv4 103008647      0t0  TCP 162.247.75.205:33994->152.163.0.67:25 (ESTABLISHED)
proc      19538 memoriavivachiapas   10u  IPv4 103008370      0t0  TCP 162.247.75.205:56114->65.55.37.120:25 (SYN_SENT)
proc      19538 memoriavivachiapas   11u  IPv4 103007797      0t0  TCP 162.247.75.205:47371->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas   16u  IPv4 103007798      0t0  TCP 162.247.75.205:47372->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas   17u  IPv4 103007799      0t0  TCP 162.247.75.205:47373->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas   18u  IPv4 103007800      0t0  TCP 162.247.75.205:47374->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas   19u  IPv4 103007801      0t0  TCP 162.247.75.205:47375->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas   20u  IPv4 103007802      0t0  TCP 162.247.75.205:47376->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas   21u  IPv4 103007803      0t0  TCP 162.247.75.205:47377->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas   22u  IPv4 103007804      0t0  TCP 162.247.75.205:47378->68.87.20.5:25 (SYN_SENT)
proc      19538 memoriavivachiapas   23u  IPv4 103008320      0t0  TCP 162.247.75.205:45835->104.44.194.233:25 (SYN_SENT)
proc      19538 memoriavivachiapas   25u  IPv4 103008637      0t0  TCP 162.247.75.205:33985->152.163.0.67:25 (ESTABLISHED)
proc      19538 memoriavivachiapas   26u  IPv4 103008638      0t0  TCP 162.247.75.205:33986->152.163.0.67:25 (ESTABLISHED)
proc      19538 memoriavivachiapas   29u  IPv4 103008506      0t0  TCP 162.247.75.205:56234->65.55.37.120:25 (SYN_SENT)
proc      19538 memoriavivachiapas   30u  IPv4 103008631      0t0  TCP 162.247.75.205:57181->152.163.0.99:25 (ESTABLISHED)
proc      19538 memoriavivachiapas   33u  IPv4 103008642      0t0  TCP 162.247.75.205:33990->152.163.0.67:25 (ESTABLISHED)
proc      19538 memoriavivachiapas   36u  IPv4 103008353      0t0  TCP 162.247.75.205:48489->104.44.194.236:25 (ESTABLISHED)
proc      19538 memoriavivachiapas   39u  IPv4 103008655      0t0  TCP 162.247.75.205:34002->152.163.0.67:25 (ESTABLISHED)
proc      19538 memoriavivachiapas   41u  IPv4 103008351      0t0  TCP 162.247.75.205:48487->104.44.194.236:25 (ESTABLISHED)
smtpd     21464            postfix    6u  IPv4     18574      0t0  TCP *:25 (LISTEN)
smtpd     21464            postfix    9u  IPv4 102994957      0t0  TCP 162.247.75.205:25->105.110.75.84:60472 (ESTABLISHED)
smtpd     32740            postfix    6u  IPv4     18574      0t0  TCP *:25 (LISTEN)
smtpd     32741            postfix    6u  IPv4     18574      0t0  TCP *:25 (LISTEN)
smtpd     32741            postfix    9u  IPv4 103008566      0t0  TCP 162.247.75.205:25->210.83.80.18:50272 (ESTABLISHED)
smtpd     32744            postfix    6u  IPv4     18574      0t0  TCP *:25 (LISTEN)
smtpd     32744            postfix    9u  IPv4 103008614      0t0  TCP 162.247.75.205:25->138.121.131.50:3633 (ESTABLISHED)
smtpd     32745            postfix    6u  IPv4     18574      0t0  TCP *:25 (LISTEN)
0 peery:~#

I started to examine that process:

0 peery:~# ps -eFH | grep 19538
root      1069 29047  0  3182  2068   0 10:05 pts/2    00:00:00               grep 19538
memoria+ 19538     1  4  9022  6344   0 Mar13 ?        08:09:45   proc
0 peery:~#

It has the suspiciously innocuous-sounding name "proc"...

It seems to be running a perl script:

0 peery:~# cd /proc/19538
0 peery:/proc/19538# ls
attr       cgroup      comm             cwd      fd       io        map_files  mountinfo   net        oom_adj        pagemap      root       setgroups  stat    syscall  uid_map
autogroup  clear_refs  coredump_filter  environ  fdinfo   limits    maps       mounts      ns         oom_score      personality  sched      smaps      statm   task     wchan
auxv       cmdline     cpuset           exe      gid_map  loginuid  mem        mountstats  numa_maps  oom_score_adj  projid_map   sessionid  stack      status  timers
0 peery:/proc/19538# ls -l
total 0
dr-xr-xr-x 2 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 attr
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 autogroup
-r-------- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 auxv
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 cgroup
--w------- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 clear_refs
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 15 04:09 cmdline
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 comm
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 coredump_filter
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 cpuset
lrwxrwxrwx 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 cwd -> /
-r-------- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 environ
lrwxrwxrwx 1 memoriavivachiapas memoriavivachiapas 0 Mar 15 04:09 exe -> /usr/bin/perl
dr-x------ 2 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:04 fd
dr-x------ 2 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:04 fdinfo
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 gid_map
-r-------- 1 memoriavivachiapas memoriavivachiapas 0 Mar 15 04:07 io
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 limits
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 loginuid
dr-x------ 2 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 map_files
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 maps
-rw------- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 mem
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 mountinfo
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 mounts
-r-------- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 mountstats
dr-xr-xr-x 5 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 net
dr-x--x--x 2 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 ns
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 numa_maps
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 oom_adj
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 oom_score
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 oom_score_adj
-r-------- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 pagemap
-r-------- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 personality
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 projid_map
lrwxrwxrwx 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 root -> /
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 sched
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 sessionid
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 setgroups
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 smaps
-r-------- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 stack
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 15 04:07 stat
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 statm
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 15 04:07 status
-r-------- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 syscall
dr-xr-xr-x 3 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 task
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 timers
-rw-r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 uid_map
-r--r--r-- 1 memoriavivachiapas memoriavivachiapas 0 Mar 20 10:05 wchan
0 peery:/proc/19538#

And it looks like there are compromised files in the web root: w24946552n.php

I see there is a member called Memoriaviva, but this hosting under (on peery) seems to belong to an individual membership.

And ... Whoops. This web site is already disabled!

So I suspect that whoever is doing this is doing so via ssh/sftp.
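The hunt in this comment boils down to one rule: a process that opens outbound port-25 connections but does not run as the MTA user is a spam engine until proven otherwise, whatever it calls itself. The script below is an added illustration of that rule, not May First's tooling and not code from this ticket. It parses `lsof -i -n -P` output (a constructed sample in the shape of the listing above, with documentation-range addresses and a placeholder account name), groups outbound SMTP connections by PID, ignores the `postfix` account, and resolves `/proc/<pid>/exe` the way the `ls -l` above did. The user-based filter is deliberate: the "proc" name on this box would slip past any allowlist keyed on command names.

```python
"""Flag processes with outbound SMTP connections that are not run by the MTA.

Added example for this ticket, not May First tooling. Input is the output of
`lsof -i -n -P`; the sample below is constructed and uses RFC 5737 addresses
and a placeholder account name, not the hosts from the real listing."""

import os
import re
from collections import defaultdict

# Constructed sample of `lsof -i -n -P | grep :25` output (not a real capture).
SAMPLE_LSOF = """\
smtpd       815            postfix    6u  IPv4     18574      0t0  TCP *:25 (LISTEN)
smtpd       815            postfix    9u  IPv4 103008487      0t0  TCP 192.0.2.10:25->198.51.100.7:49735 (ESTABLISHED)
master     2451               root   12u  IPv4     18574      0t0  TCP *:25 (LISTEN)
smtp       3302            postfix    7u  IPv4 103009001      0t0  TCP 192.0.2.10:41000->203.0.113.25:25 (ESTABLISHED)
proc      19538          webuser01    3u  IPv4 103007805      0t0  TCP 192.0.2.10:47379->203.0.113.5:25 (SYN_SENT)
proc      19538          webuser01    9u  IPv4 103008647      0t0  TCP 192.0.2.10:33994->203.0.113.67:25 (ESTABLISHED)
proc      19538          webuser01   36u  IPv4 103008353      0t0  TCP 192.0.2.10:48489->203.0.113.236:25 (ESTABLISHED)
"""

# With -n -P, lsof prints a connection as LOCAL->REMOTE followed by its state.
# LISTEN sockets have no "->" and therefore do not match.
CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<local>\S+)->(?P<remote>\S+)\s+\((?P<state>\w+)\)"
)

# Accounts that legitimately open SMTP connections to remote hosts.
MTA_USERS = {"postfix"}


def parse_connections(lsof_output):
    """Yield one dict per line that describes an established or pending connection."""
    for line in lsof_output.splitlines():
        m = CONN_RE.match(line)
        if m:
            yield m.groupdict()


def split_host_port(addr):
    """Split 'host:port' on the last colon (lsof brackets IPv6 hosts)."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def find_rogue_smtp_senders(lsof_output, mta_users=MTA_USERS):
    """Return {pid: summary} for outbound port-25 connections by non-MTA users.

    Inbound connections (remote port is ephemeral) and the MTA's own outbound
    deliveries are skipped; everything else is grouped per PID."""
    suspects = defaultdict(lambda: {"cmd": None, "user": None, "targets": set(), "conns": 0})
    for c in parse_connections(lsof_output):
        host, port = split_host_port(c["remote"])
        if c["proto"] != "TCP" or port != 25 or c["user"] in mta_users:
            continue
        entry = suspects[int(c["pid"])]
        entry["cmd"] = c["cmd"]
        entry["user"] = c["user"]
        entry["targets"].add(host)
        entry["conns"] += 1
    return dict(suspects)


def proc_exe(pid):
    """Resolve /proc/<pid>/exe (the check that showed /usr/bin/perl above).
    Returns None when the process is gone or not readable by the caller."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


if __name__ == "__main__":
    for pid, info in find_rogue_smtp_senders(SAMPLE_LSOF).items():
        print(f"pid {pid} ({info['cmd']}, user {info['user']}): {info['conns']} outbound "
              f"SMTP connections to {len(info['targets'])} hosts; exe={proc_exe(pid)}")
```

On a live host, feed it `lsof -i -n -P` output instead of the sample; a hit with many SYN_SENT entries to distinct hosts and an `exe` pointing at an interpreter rather than the MTA is the pattern seen in this ticket.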

comment:5 Changed 15 months ago by https://id.mayfirst.org/jamie

I just killed the processes and disabled the user.

comment:6 Changed 13 months ago by https://id.mayfirst.org/cubiorg

I worked on the memoria viva chiapas website a few years ago. I have not been in contact with the compañeras for some time. I suspect it is an abandoned site. I will try to locate them to ask. fraternally, carloseugenio
