LinuxQuestions.org
Old 03-21-2005, 08:36 AM   #1
jme
Member
 
Registered: Sep 2003
Location: Hull, UK
Distribution: Debian
Posts: 49

Rep: Reputation: 15
Apache compromised?


On the apache server that I run I also host a few phpBB forums and I think that an exploit has allowed a worm to access all my files in the web root.

I host about 12 sites on the server and every index.php file has been altered from what it should be to:

Quote:
SPYKIDS GROUP 2005

WHERE DO YOU KEEP YOUR RACISM?
Racism in the 21st century?

Since the abolition of slavery we have sought the end of racism, a society with no distinction or discrimination between people by ethnicity, but what do you think of the quota system for black people at universities? Don't you think that by adopting it an act of racism is being committed? Because asking for a quota starts from the premise that they are inferior to the others for being black? In other words, in this modern world we live in, is there any greater act of racism than the adoption of quota systems?

And so we come back to that first question: and you, WHERE DO YOU KEEP YOUR RACISM?

insecurity@clubedolinux.com.br

Forever...

We fight for a better world...

UNITY IS STRENGTH, THANKS TO THE GROUPS: #H4ck3rsBr , #SimienS , #Priv8Crew , #SPYKIDS

/server irc.gigachat.net

I have pulled the plug on the server so that it can't make any network connections at the moment, but I don't know what is the best course of action to take.

I have complete backups of all of /var/www and the databases from before this happened, so getting everything back to its original state will not be too much of a problem. But I want to know if I need to do a fresh install, or how do I check to make sure that whatever caused this is off my server.

I am running Debian if that makes any difference.

Here is a copy of ps -aux

Code:
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.0  1492  512 ?        S    14:32   0:02 init [2]  
root         2  0.0  0.0     0    0 ?        SW   14:32   0:00 [keventd]
root         3  0.0  0.0     0    0 ?        SWN  14:32   0:00 [ksoftirqd_CPU0]
root         4  0.0  0.0     0    0 ?        SW   14:32   0:00 [kswapd]
root         5  0.0  0.0     0    0 ?        SW   14:32   0:00 [bdflush]
root         6  0.0  0.0     0    0 ?        SW   14:32   0:00 [kupdated]
root       103  0.0  0.0     0    0 ?        SW   14:32   0:00 [kjournald]
root       240  0.0  0.0     0    0 ?        SW   14:33   0:00 [kjournald]
root       241  0.0  0.0     0    0 ?        SW   14:33   0:00 [kjournald]
root       401  0.0  0.0     0    0 ?        SW   14:33   0:00 [khubd]
daemon     552  0.0  0.0  1608  440 ?        S    14:33   0:00 /sbin/portmap
root       644  0.0  0.1  2240  804 ?        S    14:33   0:00 /sbin/syslogd
root       648  0.0  0.2  2168 1328 ?        S    14:33   0:00 /sbin/klogd
Debian-e   682  0.0  0.2  4224 1608 ?        S    14:33   0:00 /usr/sbin/exim4 -
root       687  0.0  0.1  2220  724 ?        S    14:33   0:00 /usr/sbin/inetd
lp         692  0.0  0.1  2452  860 ?        S    14:33   0:00 /usr/sbin/lpd -s
root       704  0.0  0.1  2496 1236 ?        S    14:33   0:00 /bin/sh /usr/bin/
mysql      740  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
root       741  0.0  0.0  1476  488 ?        S    14:33   0:00 logger -p daemon.
mysql      742  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
mysql      743  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
mysql      744  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
mysql      745  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
mysql      746  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
mysql      749  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
mysql      750  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
mysql      751  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
mysql      752  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
mysql      753  0.0  2.7 97408 17472 ?       S    14:33   0:00 /usr/sbin/mysqld 
root       776  0.0  0.2  3720 1536 ?        S    14:33   0:00 /usr/sbin/sshd
root       784  0.0  0.9  9380 6384 ?        S    14:33   0:00 /usr/bin/perl /us
root       785  0.0  0.6  6748 4468 ?        S    14:33   0:00 /usr/bin/python2.
zope       786  1.9  4.2 30016 27576 ?       S    14:33   0:21 /usr/bin/python2.
root       790  0.0  0.1  2368  920 ?        S    14:33   0:00 /sbin/rpc.statd
daemon     803  0.0  0.0  1672  628 ?        S    14:33   0:00 /usr/sbin/atd
root       806  0.0  0.1  1756  808 ?        S    14:33   0:00 /usr/sbin/cron
root       819  0.0  0.1  2484 1196 ?        S    14:33   0:00 /bin/sh /command/
root       821  0.0  0.0  1484  476 tty1     S    14:33   0:00 /sbin/getty 38400
root       822  0.0  0.0  1484  476 tty2     S    14:33   0:00 /sbin/getty 38400
root       826  0.0  0.0  1484  476 tty3     S    14:33   0:00 /sbin/getty 38400
root       828  0.0  0.0  1484  476 tty4     S    14:33   0:00 /sbin/getty 38400
root       829  0.0  0.0  1484  476 tty5     S    14:33   0:00 /sbin/getty 38400
root       830  0.0  0.0  1484  476 tty6     S    14:33   0:00 /sbin/getty 38400
root       837  0.0  0.0  1504  324 ?        S    14:33   0:00 svscan /service
root       838  0.0  0.0  1336  244 ?        S    14:33   0:00 readproctitle ser
root       839  0.0  0.0  1348  280 ?        S    14:33   0:00 supervise qmail-s
root       840  0.0  0.0  1348  280 ?        S    14:33   0:00 supervise log
root       841  0.0  0.0  1348  280 ?        S    14:33   0:00 supervise qmail-s
root       842  0.0  0.0  1348  280 ?        S    14:33   0:00 supervise log
root       843  0.0  0.0  1348  280 ?        S    14:33   0:00 supervise qmail-p
root       844  0.0  0.0  1348  280 ?        S    14:33   0:00 supervise log
qmails     845  0.0  0.0  1520  472 ?        S    14:33   0:00 qmail-send
qmaill     846  0.0  0.0  1356  288 ?        S    14:33   0:00 multilog t s10000
qmaill     848  0.0  0.0  1484  344 ?        S    14:33   0:00 multilog t s10000
root       849  0.0  0.0  1372  284 ?        S    14:33   0:00 tcpserver -H -R -
qmaill     850  0.0  0.0  1356  288 ?        S    14:33   0:00 multilog t s10000
root       856  0.0  0.0  1484  312 ?        S    14:33   0:00 qmail-lspawn ./Ma
qmailr     857  0.0  0.0  1480  340 ?        S    14:33   0:00 qmail-rspawn
qmailq     858  0.0  0.0  1472  312 ?        S    14:33   0:00 qmail-clean
root      1285  0.0  0.3  7176 2164 ?        S    14:35   0:00 sshd: jme [priv]
root      1287  0.0  0.3  7176 2164 ?        S    14:35   0:00 sshd: jme [priv]
jme       1299  0.0  0.3  7352 2276 ?        S    14:35   0:00 sshd: jme@pts/0
jme       1306  0.0  0.2  3016 1680 pts/0    S    14:35   0:00 -bash
root      2270  0.0  0.2  3020 1680 pts/0    S    14:38   0:00 bash
root      3617  0.0  0.1  2056  700 pts/0    T    14:42   0:00 more
root      4669  0.0  0.9 12836 6220 pts/0    S    14:46   0:00 /usr/sbin/apache
www-data  4670  0.0  1.0 12968 6540 pts/0    S    14:46   0:00 /usr/sbin/apache
www-data  4671  0.0  0.9 12836 6324 pts/0    S    14:46   0:00 /usr/sbin/apache
www-data  4672  0.0  1.0 12968 6504 pts/0    S    14:46   0:00 /usr/sbin/apache
www-data  4673  0.0  1.0 12968 6540 pts/0    S    14:46   0:00 /usr/sbin/apache
www-data  4674  0.0  1.1 13644 7528 pts/0    S    14:46   0:00 /usr/sbin/apache
www-data  4695  0.0  0.9 12836 6324 pts/0    S    14:46   0:00 /usr/sbin/apache
root      6254  0.0  0.0     0    0 ?        Z    14:51   0:00 [tcpserver <defun
root      6259  0.0  0.2  3400 1368 pts/0    R    14:51   0:00 ps aux
If there's anything else you need just shout!

Many thanks.

Jamie
 
Old 03-21-2005, 10:16 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Start out by running rootkit hunter on the system. It checks critical system files against a database of "known good" md5 hashes and can help identify file alteration, as well as running a number of checks for the presence of rootkits and sniffers. Also, look through all the other system logs for anything abnormal, check /etc/passwd for any new users or users other than root with a UID/GID of 0. Check /tmp for any abnormal files or folders. Check for any abnormal suid/sgid root files with 'find / -user root -perm -4000 -print' and 'find / -user root -perm -2000 -print'. Check the output of netstat -pantu for anything listening on abnormal ports. Hopefully that should get you started.

There have been a number of phpbb vulnerabilities released in the last 6 months, so it's hard to say which one was exploited without knowing anything else (like what version of phpbb were you running?).

Last edited by Capt_Caveman; 03-21-2005 at 11:41 AM.
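The checks in the reply above, written up as an added example (not code from the thread or from rkhunter) as shell functions that read saved copies of /etc/passwd, a setuid listing and netstat output, so they can be run over files copied off the unplugged box or a mounted image rather than relying on tools on the possibly trojaned live system. The expected port list and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): the triage checks in Capt_Caveman's
# reply written as functions that read saved files, so they can be run
# over copies taken from the unplugged box (or a mounted image) instead
# of trusting tools on the live system. Sample data below is constructed.

# Accounts other than root with UID 0 or GID 0. $1 = path to a passwd file.
uid0_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# Root-owned setuid/setgid files below $1: the reply's two find commands
# in one pass; -xdev keeps it on one filesystem.
suid_sgid_root() {
    find "$1" -xdev -user root -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Entries in a current setuid listing ($2) absent from a baseline listing
# ($1) made from the backup or a clean install of the same packages.
new_suid_entries() {
    awk 'FILENAME == ARGV[1] { base[$0] = 1; next } !($0 in base)' "$1" "$2"
}

# TCP listeners in saved `netstat -pantu` output ($1) whose port is not in
# the space-separated expected list ($2); prints "port pid/program".
unexpected_listeners() {
    awk -v ok=" $2 " '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        if (index(ok, " " port " ") == 0) print port, $7
    }' "$1"
}

# --- demo on constructed input (not data from the thread) ---
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'jme:x:1000:1000::/home/jme:/bin/sh' 'toor:x:0:0::/:/bin/sh' > "$tmp/passwd"
    printf '%s\n' 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 776/sshd' \
        'tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN 12345/unknown' > "$tmp/netstat"
    echo "UID/GID 0 accounts besides root:"; uid0_accounts "$tmp/passwd"
    echo "Listeners outside ports 22 80:"; unexpected_listeners "$tmp/netstat" "22 80"
    rm -rf "$tmp"
}
demo
```

Run suid_sgid_root against the mounted copy (e.g. suid_sgid_root /mnt/disk) and diff it with new_suid_entries against a listing from the backup; anything new under /tmp or a web root is worth a close look.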
 
Old 03-21-2005, 11:36 AM   #3
mikeheggy
Member
 
Registered: Jan 2005
Posts: 37

Rep: Reputation: 15
I use phpbb as well. After you restore the server, look into mod_security for Apache, which might help with popular web exploits. Also, sign up for the phpbb newsletter so you'll know about updates as soon as they're released.
 