[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?)
Bill Thoen
bthoen at gisnet.com
Tue Aug 16 11:23:56 MDT 2005
I just realized that "..." is a directory. This is what's in it:
[root at gisnet tmp]# cd ...
[root at gisnet ...]# ls -al
total 2580
drwxr-xr-x 7 apache apache 4096 Aug 10 23:11 .
drwxrwxrwt 3 root root 4096 Jul 30 23:03 ..
drwxr-xr-x 2 apache apache 4096 Aug 10 23:09 bnc2.8.4
-rw-r--r-- 1 apache apache 48400 Feb 20 2004 bnc2.8.4.tar.gz
drwxr-xr-x 7 apache apache 4096 Jul 31 00:45 eggdrop1.4.5
-rw-r--r-- 1 apache apache 677273 Jul 31 00:44 eggdrop1.4.5.tar.gz
drwxr-xr-x 11 apache apache 4096 Jul 30 23:24 ps
drwxr-xr-x 9 apache apache 4096 Aug 10 23:13 psybnc
-rw-r--r-- 1 apache apache 200798 Apr 18 2004 psyBNC2.2.2.tar.gz
-rw-r--r-- 1 apache apache 631973 Apr 18 2004 psyBNC2.3.1-8.precompiled.tar.gz
drwxr-xr-x 2 apache apache 4096 Jul 31 00:42 telor
-rw-r--r-- 1 apache apache 1026171 Jul 31 00:33 telor.zip
Anyone recognize these?
Can I repair the damage or is it time to fire up the bulldozer?
- Bill Thoen
On Tue, 16 Aug 2005, Bill Thoen wrote:
> Damme and Blast! I think you've put your finger on it! I am running RH 9
> and PHP and see that there's a new directory created on Jul 30 (when the
> odd process started) and here's what's in it:
>
> [root at gisnet tmp]# ls -al
> total 12
> drwxrwxrwt 3 root root 4096 Jul 30 23:03 .
> drwxr-xr-x 21 root root 4096 Oct 6 2004 ..
> drwxr-xr-x 7 apache apache 4096 Aug 10 23:11 ...
>
> I'm sure that any file named "..." and owned by apache is bad news.
>
> Now what do I do? I hope it isn't "rebuild from the ground up" time. Can I
> defuse this process somehow?
>
> On Tue, 16 Aug 2005, Michael Belanger wrote:
>
> > Check your /var/tmp /tmp dirs for executables -- I had a rootkit installed
> > recently using a php exploit -- Redhat 9 machine using latest httpd and php from
> > source (and default filesystem mount options).
> >
> > Bill Thoen wrote:
> > > I've checked the logs for Jul 30 (when the process started) but found
> > > nothing I can recognize. Is there a standard checklist of things to look
> > > for when trying to find out if this is a hack or just a broken pointer
> > > that could be fixed by just rebooting?
> > >
> > > - Bill Thoen
> > >
> > > On Tue, 16 Aug 2005, Hugh Brown wrote:
> > >
> > >>That looks like process 537 (sendmail) is listening on 443. Very odd.
> > >>The fact that you are running on RH9 suggests that you might be a bit out
> > >>of date on your patching. There was a patch released recently for
> > >>mod_ssl.
> > >>
> > >>I'd take the machine offline and start looking around for signs of
> > >>hacking.
> > >>
> > >>Hugh
> > >>
> > >>On Tue, 16 Aug 2005, Bill Thoen wrote:
> > >>
> > >>>When I first tried netstat -vantp|grep 443 (per someone's suggestion) it
> > >>>came back with some sort of samba -d process (I'm not running samba as far
> > >>>as I know), so I killed that process. It died but a new one appeared with
> > >>>a more disturbing hint. And I can't kill this one, either. What should
> > >>>apache have to do with sendmail? Is this evidence of a hack? I now get
> > >>>this:
> > >>>
> > >>>[root]# netstat -vantp|grep 443
> > >>>tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 537/sendmail: accep
> > >>>tcp 317 0 206.168.217.249:80 192.200.5.40:44378 CLOSE_WAIT -
> > >>>
> > >>>- Bill Thoen
> > >>>
> > >>>On Tue, 16 Aug 2005, Michael Belanger wrote:
> > >>>
> > >>>>It may not have shut down completely/gracefully. Check for running httpd
> > >>>>processes and also httpd.pid or equiv in /var/run or where configured.
> > >>>>
> > >>>>Bill Thoen wrote:
> > >>>>
> > >>>>>My web server (apache on RH 9) has been ticking along perfectly for months
> > >>>>>with no restarts, but then someone told me one of my web pages wasn't
> > >>>>>producing the right mime type for an SVG file. So I added
> > >>>>>
> > >>>>>AddType image/svg+xml .svg
> > >>>>>
> > >>>>>to /etc/httpd/conf/httpd.conf, and tried to restart the httpd service.
> > >>>>>Well, it stopped all right, but it won't start now, and I get this message:
> > >>>>>
> > >>>>>Starting httpd: (98)Address already in use: make_sock: could not bind to
> > >>>>>address 0.0.0.0:443 no listening sockets available, shutting down
> > >>>>>
> > >>>>>Does anyone know what this means (besides the fact that my web site is now
> > >>>>>flatlined?)
> > >>>>>
> > >>>>>TIA,
> > >>>>>
> > >>>>>- Bill Thoen
> > >>>>>
> > >>>>>_______________________________________________
> > >>>>>Web Page: http://lug.boulder.co.us
> > >>>>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > >>>>>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> > >>>>
> > >>>
> > >>
> > >
> >
>
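The thread turns on two indicators: a dot-only directory under /tmp owned by the web server account (the listing inside it is IRC bot and bouncer software, eggdrop and psyBNC, which has no business on a web server), and a process other than httpd holding port 443. The script below is an added example, not code from the thread or from any of the tools mentioned; it parses `ls -al` and `netstat -vantp` output and reports both indicators. The sample output is constructed from the listings posted above, the expected-listener map and the list of service accounts are assumptions you would adjust for your own host, and it runs offline without touching the local filesystem.

```python
"""Triage two signs of compromise discussed in the thread: a dot-only
directory in /tmp owned by the web server user, and a listener on a
web port that is not httpd.  Added example; sample data is constructed."""
import re

# Assumed service accounts that should never own persistent files in /tmp.
WEB_USERS = {"apache", "www-data", "nobody"}

# Assumed mapping of port -> the program expected to be listening on it.
EXPECTED_LISTENERS = {80: "httpd", 443: "httpd"}

# Constructed from the /tmp listing posted in the thread.
LS_TMP = """\
total 12
drwxrwxrwt 3 root root 4096 Jul 30 23:03 .
drwxr-xr-x 21 root root 4096 Oct 6 2004 ..
drwxr-xr-x 7 apache apache 4096 Aug 10 23:11 ...
"""

# Constructed from the netstat -vantp output in the thread.  netstat
# truncates the program column, which is why it reads "accep".
NETSTAT = """\
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 537/sendmail: accep
tcp 317 0 206.168.217.249:80 192.200.5.40:44378 CLOSE_WAIT -
"""


def parse_ls(text):
    """Parse `ls -al` lines into dicts; the 'total' header is skipped.
    The name is the 9th whitespace-separated field, so names with spaces survive."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "total":
            continue
        perms, _links, owner, group, size, _mon, _day, _tyear, name = parts
        entries.append({"perms": perms, "owner": owner, "group": group,
                        "size": int(size), "name": name,
                        "is_dir": perms.startswith("d")})
    return entries


def suspicious_tmp_entries(entries, service_users=WEB_USERS):
    """Flag names made only of dots (they hide next to . and ..) and
    anything owned by a service account."""
    findings = []
    for e in entries:
        name = e["name"]
        if name in (".", ".."):
            continue
        if set(name) <= {"."}:
            findings.append((name, "dot-only name mimics . and .."))
        if e["owner"] in service_users:
            findings.append((name, f"owned by service account {e['owner']}"))
    return findings


def parse_netstat(text):
    """Parse `netstat -vantp` rows.  The PID/Program column is the 7th field
    and may contain spaces, so split at most six times."""
    sockets = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 7 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, _recvq, _sendq, local, _foreign, state, prog = parts
        pid, _, name = prog.partition("/")
        # Keep only the program name: "sendmail: accep" -> "sendmail".
        name = re.split(r"[:\s]", name, maxsplit=1)[0]
        sockets.append({"proto": proto, "local": local, "state": state,
                        "pid": pid if pid.isdigit() else None,
                        "program": name or None})
    return sockets


def unexpected_listeners(sockets, expected=EXPECTED_LISTENERS):
    """Return (port, program, pid) for LISTEN sockets on a port whose
    expected program does not match what is actually bound there."""
    findings = []
    for s in sockets:
        if s["state"] != "LISTEN":
            continue
        port = int(s["local"].rsplit(":", 1)[1])
        if port in expected and s["program"] != expected[port]:
            findings.append((port, s["program"], s["pid"]))
    return findings


def triage(ls_text=LS_TMP, netstat_text=NETSTAT):
    """Run both checks and return the findings keyed by indicator."""
    return {"tmp": suspicious_tmp_entries(parse_ls(ls_text)),
            "listeners": unexpected_listeners(parse_netstat(netstat_text))}


if __name__ == "__main__":
    # On a live host, feed real output instead, e.g. the stdout of
    # subprocess.run(["ls", "-al", "/tmp"], capture_output=True, text=True).
    for kind, items in triage().items():
        for item in items:
            print(kind, item)
```

Run it against the real output of `ls -al /tmp /var/tmp` and `netstat -vantp` on the affected host (ideally from a known-good binary on read-only media, since a rootkit may replace both tools); a non-httpd program on 443 together with service-account-owned directories in /tmp is the combination that, in the thread, pointed to rebuilding rather than repairing.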