[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?)

Bill Thoen bthoen at gisnet.com
Tue Aug 16 11:18:30 MDT 2005


Damme and Blast! I think you've put your finger on it! I am running RH 9 
and PHP and see that there's a new directory created on Jul 30 (when the 
odd process started) and here's what's in it:

[root at gisnet tmp]# ls -al
total 12
drwxrwxrwt    3 root     root         4096 Jul 30 23:03 .
drwxr-xr-x   21 root     root         4096 Oct  6  2004 ..
drwxr-xr-x    7 apache   apache       4096 Aug 10 23:11 ...

I'm sure that any file named "..." and owned by apache is bad news.

Now what do I do? I hope it isn't "rebuild from the ground up" time. Can I 
defuse this process somehow?



On Tue, 16 Aug 2005, Michael Belanger wrote:

> Check your /var/tmp /tmp dirs for executables -- I had a rootkit installed 
> recently using a php exploit -- Redhat 9 machine using latest httpd and php from 
> source (and default filesystem mount options).
> 
> Bill Thoen wrote:
> > I've checked the logs for Jul 30 (when the process started) but found 
> > nothing I can recognize. Is there a standard checklist of things to look 
> > for when trying to find out if this is a hack or just a broken pointer 
> > that could be fixed by just rebooting?
> > 
> > - Bill Thoen
> > 
> > On Tue, 16 Aug 2005, Hugh Brown wrote:
> > 
> > 
> >>That looks like process 537 (sendmail) is listening on 443.  Very odd.
> >>The fact that you are running on RH9 suggests that you might be a bit out
> >>of date on your patching.  There was a patch released recently for
> >>mod_ssl.
> >>
> >>I'd take the machine offline and start looking around for signs of
> >>hacking.
> >>
> >>Hugh
> >>
> >>On Tue, 16 Aug 2005, Bill Thoen wrote:
> >>
> >>
> >>>When I first tried netstat -vantp|grep 443 (per someone's suggestion) it
> >>>came back with some sort of samba -d process (I'm not running samba as far
> >>>as I know), so I killed that process. It died but a new one appeared with
> >>>a more disturbing hint. And I can't kill this one, either. What should
> >>>apache have to do with sendmail? Is this evidence of a hack? I now get
> >>>this:
> >>>
> >>>[root]# netstat -vantp|grep 443
> >>>tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      537/sendmail: accep
> >>>tcp      317      0 206.168.217.249:80      192.200.5.40:44378      CLOSE_WAIT  -
> >>>
> >>>
> >>>- Bill Thoen
> >>>
> >>>
> >>>On Tue, 16 Aug 2005, Michael Belanger wrote:
> >>>
> >>>
> >>>>It may not have shutdown completely/gracefully.  Check for running httpd
> >>>>processes and also httpd.pid or equiv in /var/run or where configured.
> >>>>
> >>>>
> >>>>Bill Thoen wrote:
> >>>>
> >>>>>My web server (apache on RH 9) has been ticking along perfectly for months
> >>>>>with no restarts, but then someone told me one of my web pages wasn't
> >>>>>producing the right mime type for an SVG file. So I added
> >>>>>
> >>>>>AddType image/svg+xml .svg
> >>>>>
> >>>>>to /etc/httpd/conf/httpd.conf, and tried to restart the httpd service.
> >>>>>Well, it stopped all right, but it won't start now, and I get this message:
> >>>>>
> >>>>>Starting httpd: (98)Address already in use: make_sock: could not bind to
> >>>>>address 0.0.0.0:443 no listening sockets available, shutting down
> >>>>>
> >>>>>Does anyone know what this means (besides the fact that my web site is now
> >>>>>flatlined?)
> >>>>>
> >>>>>TIA,
> >>>>>
> >>>>>- Bill Thoen
> >>>>>
> >>>>>
> >>>>>_______________________________________________
> >>>>>Web Page:  http://lug.boulder.co.us
> >>>>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >>>>>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>
> > 
> > 
> 
> 
> 
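The checks the replies above suggest (dot-named entries and executables in /tmp and /var/tmp, who really holds port 443, what the kernel says about that PID), written out as a small POSIX sh script. This is an added example, not code from anyone in the thread. It builds a throw-away fixture under mktemp and parses a constructed netstat listing modelled on the one quoted above, so it never touches the live /tmp; the fixture paths, the "537/sendmail: accep" and "612/sshd" entries and the port numbers are assumptions for the demo.

```shell
#!/bin/sh
# Added triage helpers for the symptoms in this thread: a dot-only
# directory ("...") in /tmp owned by the web-server user, and a
# listener on :443 that netstat labels "sendmail".  Not code from the
# thread.  Paths, port, PIDs and program names below are constructed
# for the demo; the fixture lives in a mktemp dir, never the real /tmp.
set -u

# 1. Entries whose basename is nothing but dots ("...", "....", ...).
#    "ls" without -a hides them and "..." reads as ".." at a glance.
#    find -mindepth 1 never returns "." or "..", so any all-dot name
#    that survives the case test is worth opening.
dot_only_names() {
    find "$1" -mindepth 1 -name '.*' | while IFS= read -r p; do
        case "${p##*/}" in
            *[!.]*) ;;                  # has a non-dot char: ordinary dotfile
            *)      printf '%s\n' "$p" ;;
        esac
    done
}

# 2. Regular files with any execute bit under a scratch directory.
#    /tmp and /var/tmp should hold data, not binaries.  Mounting them
#    noexec stops direct execution but not "sh /tmp/x", so still look.
#    On the live box also try:  find /tmp /var/tmp -user apache
executables_in() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \)
}

# 3. From "netstat -vantp" output on stdin, print the PID/Program column
#    of the LISTEN socket on port $1.  netstat truncates the name (hence
#    "sendmail: accep"), and the name is the process's own argv[0],
#    which malware sets freely: treat it as a lead, not a fact.
listener_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 == "LISTEN" {
            s = $7                        # PID/Program may contain spaces
            for (i = 8; i <= NF; i++) s = s " " $i
            print s
        }'
}

# 4. What the kernel knows about a PID, as opposed to what it claims:
#    real executable, cwd, full cmdline.  An exe ending in "(deleted)"
#    or living under /tmp/... is the usual tell.  Returns 1 without /proc.
proc_facts() {
    [ -d "/proc/$1" ] || { echo "no /proc/$1 (not Linux, or PID gone)"; return 1; }
    printf 'exe: %s\n' "$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')"
    printf 'cwd: %s\n' "$(readlink "/proc/$1/cwd" 2>/dev/null || echo '?')"
    printf 'cmd: '; tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null; echo
}

# --- demo on a constructed fixture (cleaned up on exit) -----------------
fixture=$(mktemp -d)
trap 'rm -rf "$fixture"' EXIT
mkdir -p "$fixture/..." "$fixture/.config"
printf '#!/bin/sh\necho dropper\n' > "$fixture/.../.x" && chmod 755 "$fixture/.../.x"
echo 'session data' > "$fixture/sess_abc"       # benign PHP-style temp file

# Constructed netstat listing modelled on the one quoted in the thread.
sample_netstat='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      537/sendmail: accep
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp      317      0 206.168.217.249:80      192.200.5.40:44378      CLOSE_WAIT  -'

echo '== dot-only names =='; dot_only_names "$fixture"
echo '== executables =='; executables_in "$fixture"
owner=$(printf '%s\n' "$sample_netstat" | listener_on_port 443)
echo "== :443 is held by: $owner =="
pid=${owner%%/*}                         # on the live box: proc_facts "$pid"
proc_facts $$ || :                       # demo on this shell: shows the output shape
```

On the real host run it as root (netstat -p only shows other users' PIDs to root) and cross-check the port with lsof -i :443 or fuser -n tcp 443. If a rootkit is suspected, as Michael's reply describes, ls, find and netstat themselves may have been replaced, so repeat the checks from a rescue CD or with statically linked copies, and compare the PIDs listed in /proc against what ps reports.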