[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?

Michael Belanger mrb at ciclops.org
Tue Aug 16 11:26:38 MDT 2005


Well... If this is a rootkit, you can't trust ANY command.  You can read the 
BLUG archives for our discussion on this from about 2 months ago.

Get yourself the latest Fedora or Redhat (longer lifecycle), and fdisk the 
drives, start again.

Remember to only allow exec and suid from valid filesystems like /usr.  DON'T let 
TMP do suid or exec!! This is the easiest path towards rootkit.

  /tmp       loop,noexec,nosuid,rw


Then google 'securing php' for more tips.

I have our rebuilt Fedora Core 4 webserver behind an Astaro Secure Gateway for 
added security.


-M
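Two checks that follow from the advice above, written up here as an added example (not code from this thread or from any of its posters): one verifies that a given mount point actually carries noexec and nosuid, the other walks a temp directory for the signs Bill found, a directory named with nothing but dots and executable files. It is POSIX sh, reads a /proc/mounts-style table (pass /proc/mounts on a live host), and goes slightly beyond the thread in that it checks any mount point, not just /tmp. The mount table, device names (/dev/sda3 etc.), the "..." tree and the file names in it are all constructed sample data, not taken from the page.

```sh
#!/bin/sh
# Added example (not code from the thread): two defender-side checks that
# follow from the advice above. Every input below is constructed sample data.

# check_mount_opts MOUNTS_FILE MOUNTPOINT
# MOUNTS_FILE holds /proc/mounts-style lines ("device mountpoint fstype options ...").
# Prints the wanted options (noexec, nosuid) that MOUNTPOINT lacks.
# Exit status 0 when both are present, 1 when one is missing or the path is
# not a mount point at all (it then inherits its parent's options, which for
# "/" means exec and suid are allowed). On a live host pass /proc/mounts.
check_mount_opts() {
    mounts=$1; mp=$2
    opts=$(awk -v mp="$mp" '$2 == mp { print $4; exit }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount point"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    return 0
}

# scan_tmp DIR
# Reports the two signs from the thread found under DIR, one per line:
#   dotdir:PATH  a directory whose name is nothing but dots ("...", "....");
#                it sits next to "." and ".." and is easy to skip in ls -al
#   exec:PATH    a regular file with an execute bit set for owner, group or other
# Exit status 0 when nothing is found, 1 otherwise.
scan_tmp() {
    dir=$1
    hits=$( {
        find "$dir" -type d -name '.*' | awk -F/ '$NF ~ /^\.+$/ { print "dotdir:" $0 }'
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sed 's/^/exec:/'
    } | sort)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# ---- constructed sample data (not from the page) ----------------------------
# write_sample_mounts FILE: a /tmp mounted plain rw beside a /var/tmp that
# carries noexec,nosuid. Device names are placeholders.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0
/dev/sda4 /var/tmp ext3 rw,noexec,nosuid 0 0
EOF
}

# make_sample_tmp DIR: a "..." directory holding an unpacked archive with one
# executable, next to an innocent session file.
make_sample_tmp() {
    mkdir -p "$1/.../bnc" "$1/sess"
    : > "$1/.../bnc/bnc.tar.gz"
    : > "$1/.../bnc/bnc"
    chmod 755 "$1/.../bnc/bnc"
    : > "$1/sess/sess_0123abcd"
}

# Stand-alone run: build the samples in a scratch directory and report.
work=$(mktemp -d)
write_sample_mounts "$work/mounts"
make_sample_tmp "$work/tmp"
for mp in /tmp /var/tmp; do
    check_mount_opts "$work/mounts" "$mp" && echo "$mp: noexec,nosuid present"
done
scan_tmp "$work/tmp" || echo "review the entries above before trusting this host"
rm -rf "$work"
```

On a box that may already be rootkitted the usual caveat from the message above applies: find, awk and sed on that host can lie, so run the scan from a rescue medium or against the mounted disk from a clean system. The mount check is worth repeating after any reinstall, since a /tmp that is a plain directory on "/" silently inherits exec and suid.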

Bill Thoen wrote:
> I just realized that "..." is a directory. This is what's in it:
> [root at gisnet tmp]# cd ...
> [root at gisnet ...]# ls -al
> total 2580
> drwxr-xr-x    7 apache   apache       4096 Aug 10 23:11 .
> drwxrwxrwt    3 root     root         4096 Jul 30 23:03 ..
> drwxr-xr-x    2 apache   apache       4096 Aug 10 23:09 bnc2.8.4
> -rw-r--r--    1 apache   apache      48400 Feb 20  2004 bnc2.8.4.tar.gz
> drwxr-xr-x    7 apache   apache       4096 Jul 31 00:45 eggdrop1.4.5
> -rw-r--r--    1 apache   apache     677273 Jul 31 00:44 
> eggdrop1.4.5.tar.gz
> drwxr-xr-x   11 apache   apache       4096 Jul 30 23:24 ps
> drwxr-xr-x    9 apache   apache       4096 Aug 10 23:13 psybnc
> -rw-r--r--    1 apache   apache     200798 Apr 18  2004 psyBNC2.2.2.tar.gz
> -rw-r--r--    1 apache   apache     631973 Apr 18  2004 
> psyBNC2.3.1-8.precompiled.tar.gz
> drwxr-xr-x    2 apache   apache       4096 Jul 31 00:42 telor
> -rw-r--r--    1 apache   apache    1026171 Jul 31 00:33 telor.zip
> 
> Anyone recognize these?
> Can I repair the damage or is it time to fire up the bulldozer?
> 
> - Bill Thoen
> 
> 
> On Tue, 16 Aug 2005, Bill Thoen wrote:
> 
> 
>>Damme and Blast! I think you've put your finger on it! I am running RH 9 
>>and PHP and see that there's a new directory created on Jul 30 (when the 
>>odd process started) and here's what's in it:
>>
>>[root at gisnet tmp]# ls -al
>>total 12
>>drwxrwxrwt    3 root     root         4096 Jul 30 23:03 .
>>drwxr-xr-x   21 root     root         4096 Oct  6  2004 ..
>>drwxr-xr-x    7 apache   apache       4096 Aug 10 23:11 ...
>>
>>I'm sure that any file named "..." and owned by apache is bad news.
>>
>>Now what do I do? I hope it isn't "rebuild from the ground up" time. Can I 
>>defuse this process somehow?
>>
>>
>>
>>On Tue, 16 Aug 2005, Michael Belanger wrote:
>>
>>
>>>Check your /var/tmp /tmp dirs for executables -- I had a rootkit installed 
>>>recently using a php exploit -- Redhat 9 machine using latest httpd and php from 
>>>source (and default filesystem mount options).
>>>
>>>Bill Thoen wrote:
>>>
>>>>I've checked the logs for Jul 30 (when the process started) but found 
>>>>nothing I can recognize. Is there a standard checklist of things to look 
>>>>for when trying to find out if this is a hack or just a broken pointer 
>>>>that could be fixed by just rebooting?
>>>>
>>>>- Bill Thoen
>>>>
>>>>On Tue, 16 Aug 2005, Hugh Brown wrote:
>>>>
>>>>
>>>>
>>>>>That looks like process 537 (sendmail) is listening on 443.  Very odd.
>>>>>The fact that you are running on RH9 suggests that you might be a bit out
>>>>>of date on your patching.  There was a patch released recently for
>>>>>mod_ssl.
>>>>>
>>>>>I'd take the machine offline and start looking around for signs of
>>>>>hacking.
>>>>>
>>>>>Hugh
>>>>>
>>>>>On Tue, 16 Aug 2005, Bill Thoen wrote:
>>>>>
>>>>>
>>>>>
>>>>>>When I first tried netstat -vantp|grep 443 (per someone's suggestion) it
>>>>>>came back with some sort of samba -d process (I'm not running samba as far
>>>>>>as I know), so I killed that process. It died but a new one appeared with
>>>>>>a more disturbing hint. And I can't kill this one, either. What should
>>>>>>apache have to do with sendmail? Is this evidence of a hack? I now get
>>>>>>this:
>>>>>>
>>>>>>[root]# netstat -vantp|grep 443
>>>>>>tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
>>>>>>537/sendmail: accep
>>>>>>tcp      317      0 206.168.217.249:80      192.200.5.40:44378
>>>>>>CLOSE_WAIT  -
>>>>>>
>>>>>>
>>>>>>- Bill Thoen
>>>>>>
>>>>>>
>>>>>>On Tue, 16 Aug 2005, Michael Belanger wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>>It may not have shut down completely/gracefully.  Check for running httpd
>>>>>>>processes and also httpd.pid or equiv in /var/run or where configured.
>>>>>>>
>>>>>>>
>>>>>>>Bill Thoen wrote:
>>>>>>>
>>>>>>>
>>>>>>>>My web server (apache on RH 9) has been ticking along perfectly for months
>>>>>>>>with no restarts, but then someone told me one of my web pages wasn't
>>>>>>>>producing the right mime type for an SVG file. So I added
>>>>>>>>
>>>>>>>>AddType image/svg+xml .svg
>>>>>>>>
>>>>>>>>to /etc/httpd/conf/httpd.conf, and tried to restart the httpd service.
>>>>>>>>Well, it stopped all right, but it won't start now, and I get this message:
>>>>>>>>
>>>>>>>>Starting httpd: (98)Address already in use: make_sock: could not bind to
>>>>>>>>address 0.0.0.0:443 no listening sockets available, shutting down
>>>>>>>>
>>>>>>>>Does anyone know what this means (besides the fact that my web site is now
>>>>>>>>flatlined?)
>>>>>>>>
>>>>>>>>TIA,
>>>>>>>>
>>>>>>>>- Bill Thoen
>>>>>>>>
>>>>>>>>
>>>>>>>>_______________________________________________
>>>>>>>>Web Page:  http://lug.boulder.co.us
>>>>>>>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>>>>>>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
> 
> 



