Category: Linux System

Analysing an attack from WordPress Hello Dolly plugin

You might notice heavy CPU consumption on a machine. Some of it has a natural cause, for example a known script that runs at a specific time, while some of it is due to a plain attack. Even when the attack does not succeed, the server can end up with CPU usage so high that the kernel appears to hang or other applications are starved of CPU time. In other words, even though the attacker's goal is not reached, the side effects on the server can be worse than the attack itself.

Let’s go through a brief analysis of an attack attributed to the WordPress plugin “Hello Dolly”. The event started with high CPU consumption on a server. Viewing the processes in htop or atop shows which ones consume the most CPU.

Photo credits: Komodosec.com

1. A simple ps command gives an idea of which processes consume the most CPU. PIDs 829 and 4416 were the ones consuming the most, and both run php -q /tmp/tmp: a PHP script executed from /tmp, outside the web root, as the apache user.

[[email protected]:/www/website.com/htdocs/wp-content]# ps aux|grep php
apache     829  6.2  0.5 351212 97492 ?        S    Oct05 127:36 php -q /tmp/tmp
apache    3459  0.3  0.3 416340 60080 ?        S    Oct06   1:43 php-fpm: pool www
apache    4416  7.2  0.5 336860 82656 ?        D    Oct05 146:43 php -q /tmp/tmp
apache    4753  0.2  0.3 420176 64048 ?        S    Oct06   1:20 php-fpm: pool www
root      7539  0.0  0.0 103248   868 pts/3    S+   06:55   0:00 grep php

2. The php -q /tmp/tmp processes have the plugins directory as their current working directory, which ties them to a plugin on the server. PID 4416, for example, is listed when we run lsof on the plugins directory (lsof on a directory lists every process holding it open, including as its cwd):

[[email protected]:/www/website.com/htdocs/wp-content]# lsof plugins/
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF      NODE NAME
php       829 apache  cwd    DIR   0,20     4096 168820763 plugins
php      4416 apache  cwd    DIR   0,20     4096 168820763 plugins
bash    22664   root  cwd    DIR   0,20     4096 168820763 plugins
php     29199 apache  cwd    DIR   0,20     4096 168820763 plugins
php     29304 apache  cwd    DIR   0,20     4096 168820763 plugins
php     30153 apache  cwd    DIR   0,20     4096 168820763 plugins

3. If we strace -p 29199, we see the process trying to open /etc/hosts and create sockets, presumably to resolve a hostname, and every call fails with EMFILE (Too many open files): it has exhausted its file-descriptor limit (note the descriptor number 3447 in the poll call) and keeps retrying, which is consistent with the CPU it burns.

[[email protected]:/www/website.com/htdocs/wp-content/plugins]# strace -p 29199
Process 29199 attached - interrupt to quit
socket(PF_NETLINK, SOCK_RAW, 0)         = -1 EMFILE (Too many open files)
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = -1 EMFILE (Too many open files)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = -1 EMFILE (Too many open files)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = -1 EMFILE (Too many open files)
alarm(0)                                = 15
rt_sigaction(SIGALRM, {SIG_DFL, [], SA_RESTORER, 0x7f66381729a0}, NULL, 8) = 0
poll([{fd=3447, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)

4. To learn which website (virtual host) the intrusion is running from, run lsof -p on the PID. The cwd line gives the site’s directory, here /www/website.com, and the txt line shows the command-line php binary /usr/bin/php rather than php-fpm, so the script was spawned as a separate process:

[[email protected]:/www/website.com/logs]# lsof -p 29304
COMMAND   PID   USER   FD   TYPE     DEVICE SIZE/OFF       NODE NAME
php     29304 apache  cwd    DIR       0,20     4096  168820763 /www/website.com/htdocs/wp-content/plugins
php     29304 apache  rtd    DIR      253,0     4096          2 /
php     29304 apache  txt    REG      253,2  4105624      16544 /usr/bin/php

5. If we now filter that site’s access log for requests claiming to be bots, we find POST requests from IP 92.62.129.97 to /wp-content/plugins/index.php?cookie=1, each answered with a 200 and a 13-byte body. At first glance the User-Agent looks like Googlebot. Are we sure? A User-Agent string costs nothing to forge, so the claim has to be checked through DNS rather than taken at face value. Note also that in a stock WordPress installation wp-content/plugins/index.php is a placeholder that outputs nothing, so a non-empty response to a POST against it is a reason to compare the file with a clean copy.

92.62.129.97 - - [05/Oct/2015:20:45:49 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
92.62.129.97 - - [05/Oct/2015:21:20:43 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

6. Who is 92.62.129.97? A GeoIP lookup gives:

92.62.129.97
GeoIP Country Edition: LT, Lithuania
GeoIP City Edition, Rev 1: LT, N/A, N/A, N/A, N/A, 56.000000, 24.000000, 0, 0
GeoIP ASNum Edition: AS42549 UAB Baltnetos komunikacijos

7. Does this IP have a reputation for attacks?

Check https://cleantalk.org/blacklists/92.62.129.97: it lists attacks reported by others, including against some Windows servers.

8. After more research, we can conclude that several WordPress users have encountered the same situation, where the Hello Dolly plugin was causing a heavy load on their servers; after they removed it, the load went away. Ref:

We can deduce how dangerous WordPress plugins can be when their code has not been properly audited by security experts: analysing a plugin before using it is essential, and plugins that are not needed should be removed rather than left installed. Hello Dolly ships with every WordPress installation and, in its stock form, only displays song lyrics in the dashboard, so a copy that generates this kind of load has either been modified or is not the real culprit.

Note: This analysis may be incomplete, since it is possible that Hello Dolly had already been compromised before the attack. The aim of the article is to show an analysis methodology for a high-CPU-consumption incident.
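The checks used in the analysis above, written up as an added example (shell functions that are not part of the original post): the log filter for traffic that declares itself Googlebot, Google's reverse-then-forward DNS verification of a crawler IP, and a /proc-based reading of the file-descriptor exhaustion and process facts that strace and lsof -p showed. The sample log lines are constructed from the two quoted above plus documentation-range addresses (203.0.113.0/24), and the DNS helpers are split out so they can be replaced by stubs offline.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): the checks from the analysis above as
# reusable shell functions. Needs only coreutils, awk and getent.
#   googlebot_claims  - requests whose User-Agent claims Googlebot, as "ip method path status"
#   verify_googlebot  - Google's documented check: PTR under googlebot.com/google.com AND
#                       the forward lookup of that name returns the same IP
#   fd_usage          - open descriptors vs soft NOFILE limit of a PID (the EMFILE condition)
#   triage_pid        - what lsof -p showed above: command line, cwd (which vhost) and binary
set -eu

# Constructed sample log, modelled on the two lines quoted above. 203.0.113.0/24 is a
# documentation range (RFC 5737), not a real client.
SAMPLE_LOG='92.62.129.97 - - [05/Oct/2015:20:45:49 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [05/Oct/2015:20:46:10 -0400] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [05/Oct/2015:20:47:00 -0400] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0"'

# Combined log format on stdin: $1 client, $6 "METHOD, $7 path, $9 status.
googlebot_claims() {
    awk '/Googlebot/ { gsub(/"/, "", $6); print $1, $6, $7, $9 }'
}

# Distinct client IPs claiming to be Googlebot; feed each one to verify_googlebot.
googlebot_ips() {
    googlebot_claims | awk '{ print $1 }' | sort -u
}

# DNS helpers, kept separate so they can be replaced by stubs when testing offline.
ptr_lookup() { getent hosts "$1" 2>/dev/null | awk '{ print $2; exit }'; }
a_lookup()   { getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u; }

# 0 if the IP really is Googlebot: PTR under googlebot.com or google.com, and that name
# resolves back to the IP. A forged User-Agent fails the first test, a forged PTR the second.
verify_googlebot() {
    local ip=$1 name
    name=$(ptr_lookup "$ip" || true)
    name=${name%.}
    [ -n "$name" ] || return 1
    case "$name" in
        *.googlebot.com|*.google.com) ;;
        *) return 1 ;;
    esac
    a_lookup "$name" | grep -qxF "$ip"
}

# "open soft_limit" for a PID, from /proc. At the limit every open()/socket() fails with
# EMFILE, as in the strace output above, and a script that retries in a loop burns CPU.
fd_usage() {
    local pid=$1 open limit
    open=$(ls -1 "/proc/$pid/fd" 2>/dev/null | wc -l | tr -d ' ')
    limit=$(awk '/^Max open files/ { print $4 }' "/proc/$pid/limits" 2>/dev/null || true)
    echo "$open ${limit:-unknown}"
}

# The facts lsof -p gave above, straight from /proc: command line, working directory, binary.
triage_pid() {
    local pid=$1
    printf 'cmd: '; tr '\0' ' ' <"/proc/$pid/cmdline"; echo
    echo "cwd: $(readlink "/proc/$pid/cwd")"
    echo "exe: $(readlink "/proc/$pid/exe")"
}
```

Run `googlebot_ips < access.log` to list the claimants and `verify_googlebot` on each: a PTR that is not under googlebot.com or google.com, or one whose forward lookup does not return the same IP, marks the User-Agent as forged. Whether 92.62.129.97 passes depends on live DNS; the sample only shows the shape of the check. `fd_usage` and `triage_pid` take the PIDs found with ps in steps 1 to 4.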


KIWI – Cross-distro images on the cloud with OpenSUSE

Rest assured, Kiwi is neither a bird nor a fruit in the OpenSUSE world! Kiwi is an open source project licensed under the GPLv2 and written in Perl. The project is sponsored by SUSE to build OS images and appliances. “The KIWI Image System provides a complete operating system image solution for Linux supported hardware platforms as well as for virtualisation systems like KVM (Qemu), Xen, or VMware. KIWI is a command line tool and is the backend of SUSE Studio. The project is sponsored by SUSE.” – OpenSUSE. OS images are heavily used in cloud environments, whether you need a .vmdk, .img, .ovf or even a raw file. In brief, Kiwi produces ready-to-run disk images with no additional configuration needed. The idea of the Kiwi project is to maintain efficiency during the development, building, testing and deployment phases.

Screenshot from 2016-04-03 13-48-57

The kiwi tool itself is a command-line tool; the SUSE Studio web app provides the GUI on top of it. Let’s now get on with some basic commands.

1. To check which Kiwi packages are installed on your machine, run zypper se kiwi. These are the packages I got; the ‘S’ in the first column means state and ‘i’ means installed.

Screenshot from 2016-04-03 14-07-56

2. To list all available templates, run kiwi -l. As you can see, I have templates for the RHEL and SUSE environments. Other templates are available in the Open Build Service repository.

Screenshot from 2016-04-03 14-10-48

3. On an OpenSUSE machine the templates are usually located under /usr/share/kiwi/image, where you will find one directory per template, say rhel-06.6-jeOS, containing the configuration files used for the boot process. The file config.xml gives you an overall idea of which repositories, packages and so on your template will use.

4. So, let’s create a suse-13.2 vmx image with kiwi. The following command builds the image: -d is the destination and --type is simply the type of image. I also created a directory /kiwi as the destination. Change into the directory /usr/share/kiwi and launch:

kiwi --build image/suse13.2-JeOS -d /kiwi --type vmx

5. Once the build is finished, you can use the resulting .vmx file to run your machine.
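Before building from a template, it is worth seeing which repositories it pulls packages from and confirming that the type you ask for is actually declared in its config.xml. The following is an added example (not the post's own commands and not part of KIWI) that does this with shell functions. It assumes the KIWI v7 config.xml layout with one XML element per line, a `<source path="..."/>` per repository and `<type image="..."/>` entries under `<preferences>`, and the template root /usr/share/kiwi/image mentioned in step 3.

```shell
#!/usr/bin/env bash
# Added example, not part of the post or of KIWI: look inside a template before building
# from it, and only call kiwi when the requested image type is actually declared there.
# Assumptions: KIWI v7 config.xml layout (<source path="..."/> inside <repository>,
# <type image="..."/> inside <preferences>), one element per line, and the template root
# /usr/share/kiwi/image named in the post.
set -eu

KIWI_IMAGE_ROOT=${KIWI_IMAGE_ROOT:-/usr/share/kiwi/image}

# Resolve a template (a directory path, or a name under KIWI_IMAGE_ROOT) to its config.xml.
kiwi_config() {
    local dir=$1
    [ -d "$dir" ] || dir="$KIWI_IMAGE_ROOT/$1"
    [ -f "$dir/config.xml" ] || { echo "no config.xml for template '$1'" >&2; return 1; }
    echo "$dir/config.xml"
}

# Package sources the image will be built from, one per line. Review them first: the
# image is only as trustworthy as the repositories it pulls from.
kiwi_repos() {
    local cfg
    cfg=$(kiwi_config "$1") || return 1
    sed -n 's/.*<source[^>]*path="\([^"]*\)".*/\1/p' "$cfg"
}

# Image types the template declares (vmx, iso, oem, ...), one per line.
kiwi_types() {
    local cfg
    cfg=$(kiwi_config "$1") || return 1
    sed -n 's/.*<type[^>]*image="\([^"]*\)".*/\1/p' "$cfg"
}

# kiwi --build wrapper: returns 2 without calling kiwi when the template is missing or the
# type is not declared, so a typo does not fall through to whatever kiwi picks by default.
kiwi_build_checked() {
    local template=$1 dest=$2 type=$3 cfg
    cfg=$(kiwi_config "$template") || return 2
    kiwi_types "$template" | grep -qx -- "$type" || {
        echo "type '$type' not declared in $cfg; available: $(kiwi_types "$template" | tr '\n' ' ')" >&2
        return 2
    }
    echo "building $template as $type from repositories:" >&2
    kiwi_repos "$template" >&2
    mkdir -p "$dest"
    kiwi --build "$(dirname "$cfg")" -d "$dest" --type "$type"
}
```

With the template from step 4, `kiwi_build_checked suse13.2-JeOS /kiwi vmx` prints the repositories and then runs the same kiwi command as above; `kiwi_repos suse13.2-JeOS` alone is enough for the review.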

There is also a free KIWI cookbook at this link, written by Marcus Schäfer, which is really interesting. The SUSE Cloud stack also gives you several tools to run and test your images, and the OpenSUSE stack environment provides facilities for mixed distros. SUSE Studio is a collection of tools designed to improve the efficiency of building, managing and maintaining software, virtual and cloud appliances.


Converting a deb into rpm using alien on openSUSE

The alien command is a familiar tool for system administrators. You might come across situations where you need to install a .deb package on an OpenSUSE machine; you will need to convert it to an .rpm before installing it. The alien command is simply a way to convert or install a package in a foreign format.

Photo credits: comicvine.com

Installing Alien on OpenSUSE Leap

A .deb package can be installed on OpenSUSE by first converting it to an .rpm file with the alien command. If you have freshly installed OpenSUSE Leap, you might notice that the command zypper install alien gives the following error.

Screenshot from 2016-03-29 16-37-48

This is easily solved: none of the configured repositories provides alien. Add the home:KAMiKAZOW repository from the openSUSE Build Service and fire the following commands. Note that a home: repository is a contributor’s personal project rather than an official OpenSUSE repository, and zypper will ask you to trust its signing key, so only do this if you accept packages from that maintainer:

zypper addrepo http://download.opensuse.org/repositories/home:KAMiKAZOW/openSUSE_Leap_42.1/home:KAMiKAZOW.repo
zypper refresh
zypper install alien

You will get a result similar to this, with all the dependencies installed.

Screenshot from 2016-03-29 16-43-42

You can finally launch zypper install alien, which looks similar to this.

Screenshot from 2016-03-29 16-44-24

Let’s now convert a .deb into a .rpm

I will take the nmap tool as an example. I downloaded the nmap .deb file from the Ubuntu repository; you can choose your own .deb file. This is the link to download nmap from the Ubuntu repository:

wget http://mirrors.kernel.org/ubuntu/pool/main/n/nmap/nmap_7.01-2ubuntu1_amd64.deb

So, to convert the file into an .rpm, launch the following command:

alien --to-rpm <deb file name here>

Of course, on an openSUSE machine you also need rpmbuild, since alien generates a spec file and builds the package from it. Here is the kind of error you might come across.

Screenshot from 2016-03-29 16-56-07

Solving the error

The error “rpmbuild not found” clearly hints that the rpmbuild package is missing from the machine. Just install it with:

zypper install rpmbuild

Now that rpmbuild is installed with all its dependencies, you can relaunch the command, which in my case is:

alien --to-rpm nmap_7.01-2ubuntu1_amd64.deb 

A message reporting the generated .rpm will be printed. I have taken the nmap package only as an example; you can choose your own .deb file. It is generally inadvisable to use alien on a machine that has both RPM and DEB packages installed, because the two systems do not share installed-file database information. Keep in mind as well that the converted .rpm is unsigned and outside both distributions’ trust chains, so verify the downloaded .deb against the checksum published in the Ubuntu repository’s Packages index before converting it. Have fun with aliens.
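As an added example (not alien's code and not the post's own commands), here is a wrapper for the conversion above that checks for the tools the post had to install, verifies the downloaded .deb against a SHA-256 digest you take from the Ubuntu repository's Packages index yourself, then converts it and lists what the generated .rpm would write to disk. The digest argument is the reader's input; nothing here fetches it. The wrapper assumes alien reports the result as `<file>.rpm generated`, which is what alien prints.

```shell
#!/usr/bin/env bash
# Added example (not alien's code or the post's): checked .deb -> .rpm conversion.
set -eu

# Return 0 if every named tool is on PATH; otherwise name the missing ones and return 2.
# This is the "rpmbuild not found" failure from the post, caught before alien starts.
require_tools() {
    local t missing=
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    [ -z "$missing" ] || { echo "missing tools:$missing (zypper install ...)" >&2; return 2; }
}

# Compare a file's SHA-256 with the expected hex digest (case-insensitive). Returns 3 on
# mismatch. The expected value comes from the repository's signed Packages index.
verify_sha256() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $file" >&2; return 3; }
}

# Convert a verified .deb and show the payload of the resulting .rpm. The result is
# unsigned and unknown to both distributions' dependency tracking, so read the file list
# before installing it.
deb_to_rpm() {
    local deb=$1 expected_sha=$2 out rpm
    require_tools alien rpmbuild rpm sha256sum || return
    verify_sha256 "$deb" "$expected_sha" || return
    out=$(alien --to-rpm "$deb")
    echo "$out"
    rpm=$(printf '%s\n' "$out" | sed -n 's/^\(.*\.rpm\) generated$/\1/p' | head -n 1)
    [ -n "$rpm" ] || { echo "could not find the generated .rpm in alien's output" >&2; return 4; }
    rpm -qip "$rpm"
    rpm -qlp "$rpm"
}
```

Usage: `deb_to_rpm nmap_7.01-2ubuntu1_amd64.deb <sha256 from the Packages index>`. Each failure has its own exit status (2 missing tool, 3 checksum mismatch, 4 unexpected alien output) so the wrapper can be scripted.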

 


Installing and configuring OpenVAS on OpenSUSE Leap

“openSUSE Leap is a brand new way of building openSUSE and is a new type of hybrid Linux distribution. Leap uses source from SUSE Linux Enterprise (SLE), which gives Leap a level of stability unmatched by other Linux distributions, and combines that with community developments to give users, developers and sysadmins the best Linux experience available. Contributor and enterprise efforts for Leap bridge a gap between matured packages and newer packages found in openSUSE’s other distribution Tumbleweed.” – OpenSUSE

I would invite all OpenSUSE fans, system and security administrators and students to try out OpenVAS on an OpenSUSE machine, where it works pretty well. OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and management solution.

Photo credits: OpenSUSE & OpenVAS

After you have installed OpenSUSE Leap on your machine, open YaST and install OpenVAS. Let’s install OpenVAS on the OpenSUSE machine.

1. Open the YaST Control Center and, under the Software tab, click Software Management.

Screenshot from 2016-03-07 10-49-32

2. The YaST2 software management tool opens. Simply type the keyword OpenVAS, which prompts you to install it together with all its libraries. You will also need to install greenbone-security-assistant, the web interface used with OpenVAS.

Screenshot from 2016-03-07 10-54-12

3. Once OpenVAS and Greenbone Security Assistant are installed, the fun begins. Open a terminal and log in as root; you will notice several tools that OpenVAS has installed.

Screenshot from 2016-03-07 11-04-06

4. Launch openvas-setup, which downloads a bunch of files (including the vulnerability test feed) and libraries.

5. The next step is to create a user, which is done with the command openvas-adduser.

6. Create a certificate with openvas-mkcert.

7. Run openvasmd --rebuild, which rebuilds the manager’s database with the new configuration.

8. Now set the address and port number with the command openvasmd -p 9300 -a 127.0.0.1.

9. After that, for administrative purposes, bind the manager to the local address with the command openvasmd -a 127.0.0.1 -p 9393.

10. Start the Greenbone web interface over HTTP with the command gsad --http-only --listen=127.0.0.1 -p 9392. Be aware that --http-only disables TLS: credentials and scan results travel in clear text, so the interface must stay bound to 127.0.0.1 as shown and never be exposed on a network-facing address.

11. You can now navigate to http://127.0.0.1:9392 in your browser to access the Greenbone Security Assistant.
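Because the web interface runs without TLS in this setup, it is worth confirming after the steps above that the manager and gsad listen on loopback only. The following is an added example (not part of the post or of OpenVAS) that parses `ss -ltn` output for the three ports used above; two constructed `ss` outputs are embedded so it can be run offline, and `openvas_bindings_ok` runs the same check against the live system.

```shell
#!/usr/bin/env bash
# Added example, not part of the post or of OpenVAS: after the setup steps above, confirm
# that the manager and the plain-HTTP Greenbone interface listen on loopback only. The
# check parses `ss -ltn` output; constructed samples are embedded so it runs offline, and
# the port numbers are the ones used in the commands above.
set -eu

# Constructed `ss -ltn` output. LISTEN_OK: every OpenVAS port on 127.0.0.1, sshd on all
# interfaces. LISTEN_BAD: gsad (9392) exposed on every IPv4 and IPv6 interface.
LISTEN_OK='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    127.0.0.1:9300         *:*
LISTEN     0      128    127.0.0.1:9393         *:*
LISTEN     0      128    127.0.0.1:9392         *:*
LISTEN     0      128    *:22                   *:*'
LISTEN_BAD='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    127.0.0.1:9300         *:*
LISTEN     0      128    *:9392                 *:*
LISTEN     0      128    [::]:9392              [::]:*'

# Local addresses bound to TCP port $1, read from ss output on stdin. The port is the text
# after the last colon, so "[::1]:9392" and "*:9392" are handled like "127.0.0.1:9392".
addrs_for_port() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, a, ":"); p = a[n]
        if (p == port) { sub(":" p "$", "", $4); print $4 }
    }'
}

# 0 when each given port is listening and bound only to loopback addresses; otherwise
# report every exposed or missing binding and return 1.
loopback_only() {
    local input=$1 port addrs addr bad=0
    shift
    for port in "$@"; do
        addrs=$(printf '%s\n' "$input" | addrs_for_port "$port")
        if [ -z "$addrs" ]; then
            echo "port $port: nothing listening" >&2; bad=1; continue
        fi
        for addr in $addrs; do
            case "$addr" in
                127.0.0.1|'[::1]') ;;
                *) echo "port $port exposed on $addr" >&2; bad=1 ;;
            esac
        done
    done
    return $bad
}

# Live check for the three ports configured in steps 8 to 10.
openvas_bindings_ok() {
    loopback_only "$(ss -ltn)" 9300 9393 9392
}
```

Run `openvas_bindings_ok` once the services are up; any line of the form `port 9392 exposed on *` means gsad was started without `--listen=127.0.0.1` and is serving the interface in clear text to the network.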

OpenVAS gives you a summary of open ports and information about the possible vulnerabilities it has discovered. Be aware that you will often get false positives, where there is no vulnerability at all or where it is not reachable by anybody. Still, it is useful to find out which vulnerabilities OpenVAS reports on your system for future security enhancements.


Configure your LVM via Ansible

Some days back, I gave some explanations about LVM, such as creating LVM partitions, a detailed analogy of the LVM structure and tips for using pvmove. We can also automate such tasks with the power of Ansible. Cool, isn’t it?


So, I have my two hosts, Ansible1 and Ansible2. Ansible1 is the controller and has Ansible installed; Ansible2 is the host whose new disk will be added to the LVM.

1. Here is the status of the disks of Ansible2, where a disk /dev/sdc has been added.

Screenshot from 2016-03-08 11-05-29

2. I have added a 1GB disk from the VirtualBox settings; you can refer to the past article on LVM for how to add the disk. As the screenshot below shows, the disk sdc of size 1GB is present on the machine Ansible2, and I have partitioned it with the partition type set to LVM.

Screenshot from 2016-03-08 11-22-17

3. Let’s now get onto the controller machine, Ansible1, and prepare our playbook. You can view it on my Git account here. The aim is to take 500MB of /dev/sdc1 to create a new VG called vgdata containing an LV called lvdisk.

4. Here is the output:

Screenshot from 2016-03-08 11-36-00
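As an added example (not the post's own playbook, which is linked from the author's Git account above), the following shell function writes a playbook for exactly the task described: a volume group vgdata on /dev/sdc1 of host Ansible2 and a 500MB logical volume lvdisk inside it, using Ansible's lvg, lvol and filesystem modules. The ext4 filesystem and the host pattern are assumptions; the partition type was set to LVM in step 2, so no partitioning task is included.

```shell
#!/usr/bin/env bash
# Added example (not the post's own playbook): generate the LVM playbook described above.
# Modules used: lvg (volume group), lvol (logical volume), filesystem. ext4 is an assumption.
set -eu

# Write the playbook to $1 for host pattern $2 using physical volume $3, volume group $4,
# logical volume $5 of size $6 (for example 500m). Runs with become: true, since LVM
# commands need root on the target.
write_lvm_playbook() {
    cat >"$1" <<EOF
---
- hosts: $2
  become: true
  tasks:
    - name: Create volume group $4 on $3
      lvg:
        vg: $4
        pvs: $3
        state: present

    - name: Create logical volume $5 of $6 in $4
      lvol:
        vg: $4
        lv: $5
        size: $6

    - name: Put an ext4 filesystem on the new volume (assumed; change as needed)
      filesystem:
        fstype: ext4
        dev: /dev/$4/$5
EOF
}

# Sanity check before running: count the tasks that use module $1 in playbook $2, so a
# generated file that lost a task (bad argument, partial write) is caught early.
playbook_uses() {
    grep -c "^ *$1:" "$2"
}
```

Generate the file with `write_lvm_playbook lvm.yml Ansible2 /dev/sdc1 vgdata lvdisk 500m`, then run it from the controller with `ansible-playbook -i inventory lvm.yml`, where the inventory names Ansible2. Running the playbook a second time changes nothing, since all three modules are idempotent.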
