[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?)

Bamm Visscher bamm.visscher at gmail.com
Tue Aug 16 11:28:16 MDT 2005


BNC and psyBNC are IRC bouncers (relay). Eggdrop is an IRC bot.

Bammkkkk

On 8/16/05, Bill Thoen <bthoen at gisnet.com> wrote:
> I just realized that "..." is a directory. This is what's in it:
> [root at gisnet tmp]# cd ...
> [root at gisnet ...]# ls -al
> total 2580
> drwxr-xr-x    7 apache   apache       4096 Aug 10 23:11 .
> drwxrwxrwt    3 root     root         4096 Jul 30 23:03 ..
> drwxr-xr-x    2 apache   apache       4096 Aug 10 23:09 bnc2.8.4
> -rw-r--r--    1 apache   apache      48400 Feb 20  2004 bnc2.8.4.tar.gz
> drwxr-xr-x    7 apache   apache       4096 Jul 31 00:45 eggdrop1.4.5
> -rw-r--r--    1 apache   apache     677273 Jul 31 00:44 eggdrop1.4.5.tar.gz
> drwxr-xr-x   11 apache   apache       4096 Jul 30 23:24 ps
> drwxr-xr-x    9 apache   apache       4096 Aug 10 23:13 psybnc
> -rw-r--r--    1 apache   apache     200798 Apr 18  2004 psyBNC2.2.2.tar.gz
> -rw-r--r--    1 apache   apache     631973 Apr 18  2004 psyBNC2.3.1-8.precompiled.tar.gz
> drwxr-xr-x    2 apache   apache       4096 Jul 31 00:42 telor
> -rw-r--r--    1 apache   apache    1026171 Jul 31 00:33 telor.zip
> 
> Anyone recognize these?
> Can I repair the damage or is it time to fire up the bulldozer?
> 
> - Bill Thoen
> 
> 
> On Tue, 16 Aug 2005, Bill Thoen wrote:
> 
> > Damme and Blast! I think you've put your finger on it! I am running RH 9
> > and PHP and see that there's a new directory created on Jul 30 (when the
> > odd process started) and here's what's in it:
> >
> > [root at gisnet tmp]# ls -al
> > total 12
> > drwxrwxrwt    3 root     root         4096 Jul 30 23:03 .
> > drwxr-xr-x   21 root     root         4096 Oct  6  2004 ..
> > drwxr-xr-x    7 apache   apache       4096 Aug 10 23:11 ...
> >
> > I'm sure that any file named "..." and owned by apache is bad news.
> >
> > Now what do I do? I hope it isn't "rebuild from the ground up" time. Can I
> > defuse this process somehow?
> >
> >
> >
> > On Tue, 16 Aug 2005, Michael Belanger wrote:
> >
> > > Check your /var/tmp /tmp dirs for executables -- I had a rootkit installed
> > > recently using a php exploit -- Redhat 9 machine using latest httpd and php from
> > > source (and default filesystem mount options).
> > >
> > > Bill Thoen wrote:
> > > > I've checked the logs for Jul 30 (when the process started) but found
> > > > nothing I can recognize. Is there a standard checklist of things to look
> > > > for when trying to find out if this is a hack or just a broken pointer
> > > > that could be fixed by just rebooting?
> > > >
> > > > - Bill Thoen
> > > >
> > > > On Tue, 16 Aug 2005, Hugh Brown wrote:
> > > >
> > > >
> > > >>That looks like process 537 (sendmail) is listening on 443.  Very odd.
> > > >>The fact that you are running on RH9 suggests that you might be a bit out
> > > >>of date on your patching.  There was a patch released recently for
> > > >>mod_ssl.
> > > >>
> > > >>I'd take the machine offline and start looking around for signs of
> > > >>hacking.
> > > >>
> > > >>Hugh
> > > >>
> > > >>On Tue, 16 Aug 2005, Bill Thoen wrote:
> > > >>
> > > >>
> > > >>>When I first tried netstat -vantp|grep 443 (per someone's suggestion) it
> > > >>>came back with some sort of samba -d process (I'm not running samba as far
> > > >>>as I know), so I killed that process. It died but a new one appeared with
> > > >>>a more disturbing hint. And I can't kill this one, either. What should
> > > >>>apache have to do with sendmail? Is this evidence of a hack? I now get
> > > >>>this:
> > > >>>
> > > >>>[root]# netstat -vantp|grep 443
> > > >>>tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      537/sendmail: accep
> > > >>>tcp      317      0 206.168.217.249:80      192.200.5.40:44378      CLOSE_WAIT  -
> > > >>>
> > > >>>
> > > >>>- Bill Thoen
> > > >>>
> > > >>>
> > > >>>On Tue, 16 Aug 2005, Michael Belanger wrote:
> > > >>>
> > > >>>
> > > >>>>It may not have shut down completely/gracefully.  Check for running httpd
> > > >>>>processes and also httpd.pid or equiv in /var/run or where configured.
> > > >>>>
> > > >>>>
> > > >>>>Bill Thoen wrote:
> > > >>>>
> > > >>>>>My web server (apache on RH 9) has been ticking along perfectly for months
> > > >>>>>with no restarts, but then someone told me one of my web pages wasn't
> > > >>>>>producing the right mime type for an SVG file. So I added
> > > >>>>>
> > > >>>>>AddType image/svg+xml .svg
> > > >>>>>
> > > >>>>>to /etc/httpd/conf/httpd.conf, and tried to restart the httpd service.
> > > >>>>>Well, it stopped all right, but it won't start now, and I get this message:
> > > >>>>>
> > > >>>>>Starting httpd: (98)Address already in use: make_sock: could not bind to
> > > >>>>>address 0.0.0.0:443 no listening sockets available, shutting down
> > > >>>>>
> > > >>>>>Does anyone know what this means (besides the fact that my web site is now
> > > >>>>>flatlined?)
> > > >>>>>
> > > >>>>>TIA,
> > > >>>>>
> > > >>>>>- Bill Thoen
> > > >>>>>
> > > >>>>>
> > > >>>>>_______________________________________________
> > > >>>>>Web Page:  http://lug.boulder.co.us
> > > >>>>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > > >>>>>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>
> > > >>
> > > >
> > >
> > >
> > >
> >
> 


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
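As an added example, not part of the thread or of any of the posters' own scripts: a small shell script that mechanises the two triage checks discussed above, namely dot-only directory names and executables under a temp directory, and a LISTEN socket on 80/443 held by a program other than the web server. The sample netstat text is constructed from the output quoted in the thread, and the expected daemon name (httpd) is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Triage helpers for the two signs
# discussed above; the sample netstat text is constructed from the quoted
# output, and the expected daemon name (httpd) is an assumption.

# Report dot-only directory names (like the "..." found under /tmp) and
# executable regular files anywhere below a temp directory ($1).
suspicious_tmp_entries() {
    find "$1" -mindepth 1 -name '.*' 2>/dev/null | while IFS= read -r p; do
        case "$(basename "$p")" in
            *[!.]*) ;;                               # has a non-dot char
            *) printf 'dot-only name: %s\n' "$p" ;;  # only dots, e.g. "..."
        esac
    done
    find "$1" -mindepth 1 -type f -perm -100 2>/dev/null |
        sed 's/^/executable: /'
}

# Read "netstat -vantp"-style lines on stdin and report LISTEN sockets on
# 80/443 whose program name is not the expected web daemon ($1).
unexpected_web_listeners() {
    awk -v want="$1" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            if (port != "80" && port != "443") next
            prog = $7; sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
            if (prog != want) printf "port %s held by %s\n", port, $7
        }'
}

# Constructed sample modelled on the netstat output quoted in the thread.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:443      0.0.0.0:*      LISTEN      537/sendmail: accep
tcp        0      0 0.0.0.0:80       0.0.0.0:*      LISTEN      1234/httpd
tcp      317      0 206.168.217.249:80  192.200.5.40:44378  CLOSE_WAIT  -'

# Run both checks: the sample above, and a throwaway fixture directory
# containing a "..." subdirectory with one executable in it.
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_web_listeners httpd
    fx=$(mktemp -d)
    mkdir "$fx/..." && : > "$fx/.../bnc" && chmod 755 "$fx/.../bnc"
    suspicious_tmp_entries "$fx"
    rm -rf "$fx"
}
```

On a live system the directory check would be pointed at /tmp and /var/tmp, and the listener check fed from `netstat -vantp`.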
