Apache compromised?
On the apache server that I run I also host a few phpBB forums and I think that an exploit has allowed a worm to access all my files in the web root.
I host about 12 sites on the server and every index.php file has been altered from what it should be to:
Quote:
SPYKIDS GROUP 2005
AONDE VC GUARDA O SEU RACISMO?
Racismo em pleno século XXI?
Desde abolição da escravatura buscamos o fim do racismo, onde temos uma sociedade sem distinção nem discriminação das pessoas pela etnia, mais o que você acha do sistema de quotas para negros em universidades? Você não acha que ao aderirem a isso está sendo praticado um ato de racismo? Pois para pedir quota parte-se do princípio que são inferiores aos outros por ser negro? Ou seja, neste mundo moderno onde vivemos existe ato de racismo maior que adoção de sistemas de quotas?
E ai nos volta aquela 1ª pergunta, e você AONDE GUARDA O SEU RACISMO?
insecurity@clubedolinux.com.br
Forever...
Lutamos por um mundo melhor...
A UNIÃO FAZ A FORÇA, AGRADECIMENTOS AOS GRUPOS: #H4ck3rsBr , #SimienS , #Priv8Crew , #SPYKIDS
/server irc.gigachat.net
|
I have pulled the plug on the server so that it can't make any network connections at the moment, but I don't know what is the best course of action to take.
I have complete backups of all of the /var/www and databases from before this happened so gettting everything back to it's original state will not be too much of a problem. But I want to know if I need to do a fesh install, or how do I check to makesure that whatever caused this is off my server.
I am running Debian if that makes any difference.
Here is a copy of ps -aux
Code:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.0 1492 512 ? S 14:32 0:02 init [2]
root 2 0.0 0.0 0 0 ? SW 14:32 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SWN 14:32 0:00 [ksoftirqd_CPU0]
root 4 0.0 0.0 0 0 ? SW 14:32 0:00 [kswapd]
root 5 0.0 0.0 0 0 ? SW 14:32 0:00 [bdflush]
root 6 0.0 0.0 0 0 ? SW 14:32 0:00 [kupdated]
root 103 0.0 0.0 0 0 ? SW 14:32 0:00 [kjournald]
root 240 0.0 0.0 0 0 ? SW 14:33 0:00 [kjournald]
root 241 0.0 0.0 0 0 ? SW 14:33 0:00 [kjournald]
root 401 0.0 0.0 0 0 ? SW 14:33 0:00 [khubd]
daemon 552 0.0 0.0 1608 440 ? S 14:33 0:00 /sbin/portmap
root 644 0.0 0.1 2240 804 ? S 14:33 0:00 /sbin/syslogd
root 648 0.0 0.2 2168 1328 ? S 14:33 0:00 /sbin/klogd
Debian-e 682 0.0 0.2 4224 1608 ? S 14:33 0:00 /usr/sbin/exim4 -
root 687 0.0 0.1 2220 724 ? S 14:33 0:00 /usr/sbin/inetd
lp 692 0.0 0.1 2452 860 ? S 14:33 0:00 /usr/sbin/lpd -s
root 704 0.0 0.1 2496 1236 ? S 14:33 0:00 /bin/sh /usr/bin/
mysql 740 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
root 741 0.0 0.0 1476 488 ? S 14:33 0:00 logger -p daemon.
mysql 742 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 743 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 744 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 745 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 746 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 749 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 750 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 751 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 752 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
mysql 753 0.0 2.7 97408 17472 ? S 14:33 0:00 /usr/sbin/mysqld
root 776 0.0 0.2 3720 1536 ? S 14:33 0:00 /usr/sbin/sshd
root 784 0.0 0.9 9380 6384 ? S 14:33 0:00 /usr/bin/perl /us
root 785 0.0 0.6 6748 4468 ? S 14:33 0:00 /usr/bin/python2.
zope 786 1.9 4.2 30016 27576 ? S 14:33 0:21 /usr/bin/python2.
root 790 0.0 0.1 2368 920 ? S 14:33 0:00 /sbin/rpc.statd
daemon 803 0.0 0.0 1672 628 ? S 14:33 0:00 /usr/sbin/atd
root 806 0.0 0.1 1756 808 ? S 14:33 0:00 /usr/sbin/cron
root 819 0.0 0.1 2484 1196 ? S 14:33 0:00 /bin/sh /command/
root 821 0.0 0.0 1484 476 tty1 S 14:33 0:00 /sbin/getty 38400
root 822 0.0 0.0 1484 476 tty2 S 14:33 0:00 /sbin/getty 38400
root 826 0.0 0.0 1484 476 tty3 S 14:33 0:00 /sbin/getty 38400
root 828 0.0 0.0 1484 476 tty4 S 14:33 0:00 /sbin/getty 38400
root 829 0.0 0.0 1484 476 tty5 S 14:33 0:00 /sbin/getty 38400
root 830 0.0 0.0 1484 476 tty6 S 14:33 0:00 /sbin/getty 38400
root 837 0.0 0.0 1504 324 ? S 14:33 0:00 svscan /service
root 838 0.0 0.0 1336 244 ? S 14:33 0:00 readproctitle ser
root 839 0.0 0.0 1348 280 ? S 14:33 0:00 supervise qmail-s
root 840 0.0 0.0 1348 280 ? S 14:33 0:00 supervise log
root 841 0.0 0.0 1348 280 ? S 14:33 0:00 supervise qmail-s
root 842 0.0 0.0 1348 280 ? S 14:33 0:00 supervise log
root 843 0.0 0.0 1348 280 ? S 14:33 0:00 supervise qmail-p
root 844 0.0 0.0 1348 280 ? S 14:33 0:00 supervise log
qmails 845 0.0 0.0 1520 472 ? S 14:33 0:00 qmail-send
qmaill 846 0.0 0.0 1356 288 ? S 14:33 0:00 multilog t s10000
qmaill 848 0.0 0.0 1484 344 ? S 14:33 0:00 multilog t s10000
root 849 0.0 0.0 1372 284 ? S 14:33 0:00 tcpserver -H -R -
qmaill 850 0.0 0.0 1356 288 ? S 14:33 0:00 multilog t s10000
root 856 0.0 0.0 1484 312 ? S 14:33 0:00 qmail-lspawn ./Ma
qmailr 857 0.0 0.0 1480 340 ? S 14:33 0:00 qmail-rspawn
qmailq 858 0.0 0.0 1472 312 ? S 14:33 0:00 qmail-clean
root 1285 0.0 0.3 7176 2164 ? S 14:35 0:00 sshd: jme [priv]
root 1287 0.0 0.3 7176 2164 ? S 14:35 0:00 sshd: jme [priv]
jme 1299 0.0 0.3 7352 2276 ? S 14:35 0:00 sshd: jme@pts/0
jme 1306 0.0 0.2 3016 1680 pts/0 S 14:35 0:00 -bash
root 2270 0.0 0.2 3020 1680 pts/0 S 14:38 0:00 bash
root 3617 0.0 0.1 2056 700 pts/0 T 14:42 0:00 more
root 4669 0.0 0.9 12836 6220 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4670 0.0 1.0 12968 6540 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4671 0.0 0.9 12836 6324 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4672 0.0 1.0 12968 6504 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4673 0.0 1.0 12968 6540 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4674 0.0 1.1 13644 7528 pts/0 S 14:46 0:00 /usr/sbin/apache
www-data 4695 0.0 0.9 12836 6324 pts/0 S 14:46 0:00 /usr/sbin/apache
root 6254 0.0 0.0 0 0 ? Z 14:51 0:00 [tcpserver <defun
root 6259 0.0 0.2 3400 1368 pts/0 R 14:51 0:00 ps aux
If there's anything else you need just shout!
Many thanks.
Jamie |
