[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?)

Michael Belanger mrb at ciclops.org
Tue Aug 16 10:59:41 MDT 2005


Check your /var/tmp and /tmp dirs for executables -- I had a rootkit installed 
recently via a php exploit -- Red Hat 9 machine using the latest httpd and php from 
source (and default filesystem mount options).

Bill Thoen wrote:
> I've checked the logs for Jul 30 (when the process started) but found 
> nothing I can recognize. Is there a standard checklist of things to look 
> for when trying to find out if this is a hack or just a broken pointer 
> that could be fixed by just rebooting?
> 
> - Bill Thoen
> 
> On Tue, 16 Aug 2005, Hugh Brown wrote:
> 
> 
>>That looks like process 537 (sendmail) is listening on 443.  Very odd.
>>The fact that you are running on RH9 suggests that you might be a bit out
>>of date on your patching.  There was a patch released recently for
>>mod_ssl.
>>
>>I'd take the machine offline and start looking around for signs of
>>hacking.
>>
>>Hugh
>>
>>On Tue, 16 Aug 2005, Bill Thoen wrote:
>>
>>
>>>When I first tried netstat -vantp|grep 443 (per someone's suggestion) it
>>>came back with some sort of samba -d process (I'm not running samba as far
>>>as I know), so I killed that process. It died but a new one appeared with
>>>a more disturbing hint. And I can't kill this one, either. What should
>>>apache have to do with sendmail? Is this evidence of a hack? I now get
>>>this:
>>>
>>>[root]# netstat -vantp|grep 443
>>>tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      537/sendmail: accep
>>>tcp      317      0 206.168.217.249:80      192.200.5.40:44378      CLOSE_WAIT  -
>>>
>>>
>>>- Bill Thoen
>>>
>>>
>>>On Tue, 16 Aug 2005, Michael Belanger wrote:
>>>
>>>
>>>>It may not have shutdown completely/gracefully.  Check for running httpd
>>>>processes and also httpd.pid or equiv in /var/run or where configured.
>>>>
>>>>
>>>>Bill Thoen wrote:
>>>>
>>>>>My web server (apache on RH 9) has been ticking along perfectly for months
>>>>>with no restarts, but then someone told me one of my web pages wasn't
>>>>>producing the right mime type for an SVG file. So I added
>>>>>
>>>>>AddType image/svg+xml .svg
>>>>>
>>>>>to /etc/httpd/conf/httpd.conf, and tried to restart the httpd service.
>>>>>Well, it stopped all right, but it won't start now, and I get this message:
>>>>>
>>>>>Starting httpd: (98)Address already in use: make_sock: could not bind to
>>>>>address 0.0.0.0:443 no listening sockets available, shutting down
>>>>>
>>>>>Does anyone know what this means (besides the fact that my web site is now
>>>>>flatlined?)
>>>>>
>>>>>TIA,
>>>>>
>>>>>- Bill Thoen
>>>>>
>>>>>
>>>>>_______________________________________________
>>>>>Web Page:  http://lug.boulder.co.us
>>>>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>>>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
> 
> 


-- 
Michael Belanger
CICLOPS, Space Science Institute

phone. 720-974-5853   Jabber: mrb at jabber.ciclops.org
fax.   720-974-5860

DISCLAIMER:
The Sender and Cassini Imaging Central Laboratory for Operations
accepts no liability for the content of this email, or for the
consequences of any actions taken on the basis of the information
provided, unless that information is subsequently confirmed in
writing. If you are not the intended recipient you are notified
that disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly prohibited.
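
The checklist Bill asks for, as far as this thread sketches it (who is actually holding port 443, whether a stale httpd.pid is lying around, and what has appeared in the scratch directories), written up as a small shell script. This is an added example, not code posted by anyone in the thread. It assumes the column layout of Linux net-tools `netstat -vantp` as shown above (Proto, Recv-Q, Send-Q, Local, Foreign, State, PID/Program name) and a `find` that accepts octal `-perm`; the netstat listing embedded in it is constructed from Bill's output, with an sshd line added for contrast.

```sh
#!/bin/sh
# Triage for the symptoms in this thread: httpd cannot bind 0.0.0.0:443
# because another process holds it, plus a php-exploit rootkit dropped in
# /tmp or /var/tmp.  Added example; not code from any poster.  Assumes
# Linux net-tools netstat column layout and a find with octal -perm.

# Constructed netstat -vantp output modelled on the listing in the thread
# (sshd line added so there is a sane listener to compare against).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      537/sendmail: accep
tcp      317      0 206.168.217.249:80      192.200.5.40:44378      CLOSE_WAIT  -'

# port_owner PORT: read netstat -vantp output on stdin and print "PID NAME"
# for the TCP socket in LISTEN state bound to PORT (nothing if none).
port_owner() {
    awk -v port="$1" '
        $1 == "tcp" && $6 == "LISTEN" && $4 ~ (":" port "$") {
            split($7, a, "/")        # "537/sendmail:" -> a[1]="537" a[2]="sendmail:"
            sub(/:$/, "", a[2])      # drop the colon netstat leaves on "sendmail:"
            print a[1], a[2]
        }'
}

# check_listener PORT EXPECTED: status 0 when PORT is free or held by the
# daemon that should own it, status 1 (naming the holder) otherwise.  This is
# the question behind "(98)Address already in use" on 443.
check_listener() {
    owner=$(port_owner "$1")
    case "$owner" in
        "")      echo "port $1: no listener, $2 can bind it" ;;
        *" $2")  echo "port $1: ok, held by $2 (pid ${owner%% *})" ;;
        *)       echo "port $1: SUSPECT, held by '$owner', expected $2"; return 1 ;;
    esac
}

# scan_tmp DIR...: list files with any execute bit, and dot-named entries,
# under the scratch directories the first reply points at.
scan_tmp() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        # -perm -100/-010/-001: user/group/other execute bit set
        find "$d" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null
        find "$d" -xdev -mindepth 1 -name '.*' -print 2>/dev/null
    done
}

# httpd_pidfile_stale PIDFILE: status 0 when the pid file names a process that
# no longer exists (the "did not shut down cleanly" case), 1 otherwise.
httpd_pidfile_stale() {
    [ -r "$1" ] || return 1                      # no pid file: nothing stale
    pid=$(head -n 1 "$1" | tr -dc '0-9')
    [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null
}

# Stand-alone run: the constructed sample first, then the live scratch dirs.
# A non-zero status from check_listener is the finding, not an error.
printf '%s\n' "$SAMPLE_NETSTAT" | check_listener 443 httpd || :
printf '%s\n' "$SAMPLE_NETSTAT" | check_listener 22 sshd || :
scan_tmp /tmp /var/tmp || :
httpd_pidfile_stale /var/run/httpd.pid && echo "stale /var/run/httpd.pid" || :
```

Run it as root, since `netstat -p` only shows PID/program for other users' sockets when you are root (`netstat -vantp | check_listener 443 httpd`). Two caveats the thread's advice to take the box offline already implies: on a host you suspect of a rootkit, `netstat`, `ps`, `ls` and `find` may be the first binaries replaced, so run copies from known-good media, and a kernel-level rootkit can hide sockets and processes from netstat entirely, so a clean result from this script is not a clean bill of health; "Address already in use" tells you only that something holds the port, and the finding is who.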
