Linux - Security
with no date or time entry, which I have not seen before in my error logs?
output from #top was showing a program called EXE running as user apache on port 80? One of the instances of this strange EXE program was connected from my server to stream.jmi.or.jp:auth. This connection seemed to send packets every couple of minutes; I didn't determine what type. My apache server was still working fine, but when I stopped httpd, port 80 was still open and held by the EXE program? I had to kill -9 (pid) to get EXE to stop so that I could restart apache.
if I did #lsof -g | grep exe
it showed that the program had been started from /var/tmp/dsadas (deleted)
So it looks like something uploaded by one of my php scripts, called dsadas, was executed and then deleted, which caused my server to have a permanent connection established to stream.jmi.or.jp:auth??
The thing I cannot determine is whether my server has been compromised with root access or whether it is just some kind of DoS attack, given that the EXE program was only running as user apache.
I added a rule in my iptables to block stream.jmi.or.jp and so far it has worked, but it is hard to know without the scripts being run externally, and the last time it happened was about a month ago?
Does anyone have any clues? Is this a php vulnerability?
if I did #lsof -g | grep exe
it showed that the program had been started from /var/tmp/dsadas (deleted)
Next time, logged in as root, try "cp /proc/$(pidof exe)/exe /root/tmp/deleted_exe" to catch deleted binaries.
There is a Russian site that talks exactly about the problem I am having
...roughly translated at: http://www.mail-archive.com/debian-s.../msg13667.html , and another account of the same is at http://tweetypie.doc.ic.ac.uk/~agl02/. Can't verify the solution "allow_url_fopen = off"; as mentioned, this has the potential to break a lot. Please try it and report if it works for you, because too many threads on this subject don't post a solution that works (lack of feedback, I guess). Please audit your Apache/PHP setup: your php.ini minimally has to have "register_globals off"; for the rest see the doc suggestions below. Possible workarounds: curl: http://www.php.net/manual/en/ref.curl.php or snoopy: http://sourceforge.net/projects/snoopy/.
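The "cp /proc/$(pidof exe)/exe" trick above works because the kernel keeps the unlinked inode alive while the process is running. Here is that triage written out as a small script, added here as an example and not code from the thread: it scans for any process whose /proc/PID/exe link ends in " (deleted)", copies the still-mapped binary out, saves the command line, and records the process's open sockets with lsof if it is installed. The /proc root is a parameter (defaulting to the live /proc) so the scan can also be pointed at a copied or constructed tree; the output directory name is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find running processes whose
# executable has been unlinked from disk, as in "/var/tmp/dsadas (deleted)",
# and preserve a copy from /proc before killing them.
# The proc root is a parameter so the scan can be pointed at a copied or
# constructed tree; it defaults to the live /proc.

# Print "pid<TAB>target" for every process whose /proc/PID/exe link
# points at a deleted file. Kernel threads (no exe link) are skipped.
find_deleted_exes() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s\t%s\n' "${d##*/}" "$target" ;;
        esac
    done
}

# Copy the still-mapped binary out of /proc/PID/exe (the inode stays alive
# while the process runs), save the command line with NULs turned into
# spaces, and, if lsof is present, list the process's network sockets.
# Prints the path of the saved binary; fails if the copy did not work.
capture_deleted_exe() {
    pid="$1"; outdir="$2"; proc_root="${3:-/proc}"
    mkdir -p "$outdir"
    cp "$proc_root/$pid/exe" "$outdir/pid${pid}.bin" || return 1
    cat "$proc_root/$pid/cmdline" 2>/dev/null | tr '\0' ' ' > "$outdir/pid${pid}.cmdline"
    if command -v lsof >/dev/null 2>&1; then
        lsof -p "$pid" -a -i -n -P > "$outdir/pid${pid}.sockets" 2>/dev/null || :
    fi
    printf '%s\n' "$outdir/pid${pid}.bin"
}

# Run the scan, capture every hit, and print the number of hits on stdout
# (progress and failures go to stderr so the count is easy to consume).
triage_deleted_exes() {
    outdir="$1"; proc_root="${2:-/proc}"
    mkdir -p "$outdir"
    find_deleted_exes "$proc_root" > "$outdir/deleted-exes.tsv"
    while read -r pid target; do
        printf 'pid %s runs unlinked binary: %s\n' "$pid" "$target" >&2
        capture_deleted_exe "$pid" "$outdir" "$proc_root" >&2 \
            || printf 'pid %s: could not copy binary\n' "$pid" >&2
    done < "$outdir/deleted-exes.tsv"
    wc -l < "$outdir/deleted-exes.tsv" | tr -d ' '
}
```

Run it as root with something like `triage_deleted_exes /root/ir` before killing anything; the saved .bin can then be examined offline (file, strings, a disassembler) and the .sockets file shows which host it was talking to, which is what you want for the iptables rule and for deciding whether it is worth a full rebuild.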
register_globals actually isn't THAT big a risk. It does, however, encourage sloppy coding that violates one of the commandments of programming: "Thou shalt not trust user input." If the PHP code is well written, then register_globals should not matter. Of course, things being as they are, I always prefer to keep it off.
I guess the question is... if I'm expecting a cookie to be set, and the user appends ?cookiename=username to the URL... with register_globals coding, you can't really tell unless you do things the right way. It's a way for sysadmins to enforce proper secure coding on users.
Well, I know this is a bit of an old thread, but nearly the same thing happened to me. The process was running as "exe" and was apparently started with command line:
usr/local/apach/bin/httpd
It used the same delete-after-run trick:
exe -> /tmp/upxCYUJPIOAN0L (deleted)
I fixed my php scripts to validate any GET variables, blocked the ip, and am about to do:
allow_url_fopen = off
Thanks for the suggestion.
On my machine the script ran as "nobody" and was connecting to january.medical9.gr.jp (210.169.91.66)
From what I can tell, my server was not rootkitted (ran chkrootkit), but there were hours on end when outbound traffic was maxed out and I couldn't connect.
Killing the process didn't work... it came back after an hour or so. I checked /var/spool/cron and found a script called "nobody"... the culprit... that was placed there by the php hole.
Looking inside "nobody" (after moving it to my Windows machine) showed the actual ELF as a bunch of octals. The process didn't restart after removing it.
Does anyone know how to tell if it tried to upload my server files elsewhere? I've converted the octals to make an ELF, but don't know if there is more I can do. Maybe some assembly guru can just look and give an estimate on how malevolent it is ?
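For the "ELF as a bunch of octals" case: the usual shape is a cron line that rebuilds the binary with printf octal escapes, marks it executable and runs it, which is why the process came back on the cron schedule. The script below is an added example, not anything posted in this thread, and the cron line it works on is constructed (the real dropper's exact layout is not shown here). It carves the escape string out of the cron entry, decodes it to bytes with printf without ever executing the result, confirms the ELF magic, and lists the printable runs so hostnames and paths embedded in the binary are visible even without binutils installed.

```shell
#!/bin/sh
# Added example (not from the thread): pull an ELF image out of a cron entry
# that carries it as printf-style octal escapes, then inspect it without
# running it. SAMPLE_CRON below is constructed for this example.

# Extract the single-quoted escape string handed to printf in a cron line.
extract_printf_payload() {
    sed -n "s/.*printf '\([^']*\)'.*/\1/p"
}

# Turn \ddd octal escapes into raw bytes. POSIX printf decodes \ddd in the
# format string, so the payload is used as the format after doubling any
# literal % so it is not read as a conversion specifier.
decode_octal_escapes() {
    fmt=$(printf '%s' "$1" | sed 's/%/%%/g')
    # shellcheck disable=SC2059 (the format string is deliberately the payload)
    printf "$fmt"
}

# Exit 0 if the file starts with the ELF magic 7f 45 4c 46.
is_elf() {
    [ "$(od -An -N4 -tx1 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# Poor man's strings(1): runs of four or more printable characters.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Constructed sample cron line: writes the binary with printf, makes it
# executable and runs it every ten minutes. The bytes are the ELF magic,
# a few header-like filler bytes, and one hostname taken from the thread.
SAMPLE_CRON="*/10 * * * * printf '\\177ELF\\002\\001\\001\\000\\000stream.jmi.or.jp\\000' > /tmp/.x; chmod 755 /tmp/.x; /tmp/.x"

# Decode the payload of one cron line into $2; succeed only if it is an ELF.
carve_elf_from_cron_line() {
    out="$2"
    payload=$(printf '%s\n' "$1" | extract_printf_payload)
    [ -n "$payload" ] || return 1
    decode_octal_escapes "$payload" > "$out"
    is_elf "$out"
}
```

Usage: `carve_elf_from_cron_line "$(cat /var/spool/cron/nobody)" /root/ir/nobody.elf && printable_runs /root/ir/nobody.elf` on a copy of the spool file. The printable runs will not tell you whether it exfiltrated anything, but a C2 hostname, an IRC channel string or a path list in there is usually enough to decide what it was for; for the rest you need to run it under strace in an isolated VM or hand it to someone with a disassembler.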