my server has been compromised, what next?
Hi all,
I have an old P4 which serves as a home gateway/webserver/WAP. Yesterday morning, I noticed a perl process using up excessive CPU time. After some investigation, I have determined that it is highly persistent, i.e., it starts up after I kill it, even after rebooting. This script runs as a webserver process (user www):
Code:
$ ps aux | grep www
From this:
Code:
$ sudo lsof | grep perl
I am currently using the following bash command to keep it down while I decide what to do next:
Code:
$ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15; done
I am very much a part-time sysadmin, and I have no experience with any kind of security forensics, hence I'd be most grateful for suggestions to point me in the right direction. The server runs FreeBSD 7-stable i386, and has been kept fully up-to-date with security patches. Thanks for any ideas. |
You should pull the network cable. |
In short, what you should do before doing anything else is nothing but read. The CERT Intruder Detection Checklist (http://web.archive.org/web/200801092...checklist.html) may be outdated but still provides a good checklist if you have none.
Before you start your investigation it is advisable to:
0) save a complete, detailed listing of users, network connections, processes and open files,
1) raise the firewall to only allow traffic from and to your (management) IP (range) to mitigate damage, and
2) save (copies of) logs and then stop services that are not vital for your investigation, including databases, web, mail and other servers: basically all you need is SSH.
Because the process runs as user "www", the first question you want to ask yourself is who has, or rather what has, allowed this process to run. To come up with an answer you will need to:
3) verify the integrity of all directories and files owned by (or writable to) user "www" ('find / -user www -ls'), including temporary directories and files in users' homes,
4) (visually) inspect files and cronjobs that can not be verified using your distribution's package manager or filesystem integrity checker, and then
5) inspect auth databases, system, firewall and application logs.
Please be verbose in your reporting (the more information the better) and please ask questions before you do anything if unsure / unclear. |
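Steps 0 and 3 of the checklist above, written out as a script. This is an added example, not unSpawn's code and not anything posted in the thread: it snapshots the volatile state into an evidence directory of your choosing (ideally removable media), hashes what it collected, and then lists everything the suspect account owns plus any world-writable directories, without modifying anything on the host. Tool names follow the FreeBSD base system (sockstat, /var/cron/tabs as seen later in the thread); a tool that is missing is recorded as missing rather than aborting the run, so the script also works on other Unix systems. The user name "www" and the evidence path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): first-response snapshot for a suspected compromise.
# Nothing on the host is modified; output goes to the directory given as $1.
set -u

# capture DIR NAME CMD ARGS...: run CMD, store its output as DIR/NAME.txt, never abort the run.
capture() {
    outdir=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$name.txt" 2>&1 || echo "# $* exited with status $?" >> "$outdir/$name.txt"
    else
        echo "# $1 not available on this host" > "$outdir/$name.txt"
    fi
}

# hash_files FILES...: SHA-256 with whichever tool the host has (sha256sum, shasum, or FreeBSD's sha256).
hash_files() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$@"
    else sha256 "$@"
    fi
}

# Step 0: volatile state first, before the firewall is touched or any service is stopped.
snapshot_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    capture "$outdir" date       date
    capture "$outdir" uname      uname -a
    capture "$outdir" users      w
    capture "$outdir" logins     last
    capture "$outdir" processes  ps auxww
    capture "$outdir" sockets    sockstat -46        # FreeBSD: which process owns each socket
    capture "$outdir" netstat    netstat -an
    capture "$outdir" openfiles  lsof -n             # the thread already used lsof; fstat is the base alternative
    capture "$outdir" crontabs   ls -l /var/cron/tabs  # FreeBSD crontab spool (assumed path)
    capture "$outdir" passwd     cat /etc/passwd
    # Hash everything collected so later tampering with the evidence is detectable.
    (cd "$outdir" && hash_files ./*.txt > MANIFEST.sha256)
}

# Step 3: everything the suspect account owns, plus directories anyone could have written into.
# list_user_files DIR USER [ROOT]; prints the number of entries owned by USER under ROOT.
list_user_files() {
    outdir=$1; user=$2; root=${3:-/}
    mkdir -p "$outdir"
    find "$root" -xdev -user "$user" -ls > "$outdir/owned_by_$user.txt" 2>/dev/null || true
    find "$root" -xdev -type d -perm -0002 -ls > "$outdir/world_writable_dirs.txt" 2>/dev/null || true
    wc -l < "$outdir/owned_by_$user.txt" | tr -d ' '
}

# Usage on the compromised host, as root, with the evidence directory on removable media:
#   snapshot_volatile /mnt/usb/evidence && list_user_files /mnt/usb/evidence www /
```

Run the two functions in that order: the process and socket listings are the first thing a restart or a firewall change destroys, while the file listing can be repeated later from a live CD and compared against this first copy via the manifest.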
Thanks unSpawn.
I will take the questions a few at a time. First:
Code:
9 704 -rw-r--r-- 1 www wheel 337548 Feb 11 2009 /tmp/kas.tgz
I use PF as firewall. Essentially I block all incoming traffic unless explicitly allowed. Everything allowed out.
Code:
pass out quick on $ext_if proto 41
For the time being, I am killing the script every 15 seconds, as I indicated above.
The box is sitting next to my desk; only one user, me.
Code:
sudo lsof -p 11544 |
OK, I have found the cronjob that launches the script:
Code:
[root@venus /var/cron/tabs]# ls -l
total 12
Code:
# DO NOT EDIT THIS FILE - edit the master and reinstall. |
How do I disable the cronjob for user www? I can't log in as www. Obviously just commenting out that line doesn't help:
Code:
[root@venus /var/cron/tabs]# cat www |
* CYP contact me by email? I'd like a (tarball) copy of those contents.
I suggest you bring the box down now and investigate using a Live CD. |
OK. This machine is now physically offline. I have temporarily changed my mailserver to Rollernet.
I will now proceed to study it at leisure, and if I have to copy files I can use a USB stick. |
The file "colin" was also written by root. It contains the cron jobs I have configured in my non-root account by that name. I don't use root to edit that file, just crontab -e. Is there not some way the script could have executed that as user "www" as well? |
There are a fair number of hits for "roundcube" in my www logs in July and August. I'm going to take a closer look tomorrow. |
grepping my web logs for 2009, I see 226 lines pertaining to roundcube. Here is an example:
Code:
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:40 +0200] "GET /roundcube//bin/msgimport HTTP/1.1" 200 2730 "-" "Toata dragostea mea pentru diavola"
Can someone explain to me in generic terms approximately how an exploit like this works? FWIW, "Toata dragostea mea pentru diavola" is Romanian and according to Google Translate means "All my love for the devil". |
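The thread does not answer the question above, but the log line itself is enough to build the "closer look" the previous post promises. What follows is an added example, not code from the thread: a shell scanner for lighttpd access logs in exactly the layout shown (an optional "file:" prefix left by grep, then client, vhost, user, [time], "request", status, bytes, "referer", "user-agent"). The two indicators are the two things visible in that line, a request path ending in /bin/msgimport and the "Toata dragostea mea pentru diavola" User-Agent, and the verdict distinguishes a 2xx answer (the server confirmed to the scanner that the Roundcube path exists, which is the case on this host) from a probe that found nothing. The first sample line is the thread's own; the other three are constructed, with documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): flag Roundcube scanner requests in lighttpd access logs.

# Constructed sample: line 1 is from the thread, lines 2-4 are made up for the example.
SAMPLE_LOG=$(cat <<'EOF'
lighttpd.access.20090628:94.199.181.117 n.n.n.n - [27/Jun/2009:02:21:40 +0200] "GET /roundcube//bin/msgimport HTTP/1.1" 200 2730 "-" "Toata dragostea mea pentru diavola"
lighttpd.access.20090628:203.0.113.7 n.n.n.n - [27/Jun/2009:09:14:02 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
lighttpd.access.20090701:198.51.100.9 n.n.n.n - [01/Jul/2009:11:05:12 +0200] "GET /roundcube/bin/msgimport HTTP/1.0" 404 345 "-" "Mozilla/4.0"
lighttpd.access.20090701:198.51.100.9 n.n.n.n - [01/Jul/2009:11:05:13 +0200] "GET /mail/bin/msgimport HTTP/1.0" 404 345 "-" "Mozilla/4.0"
EOF
)

# flag_probes: reads log lines on stdin, prints "client status normalized-path verdict" for
# every request matching an indicator. Splitting on the double quote gives the request in
# $2, status and bytes in $3 and the User-Agent in $6 for this log layout.
flag_probes() {
    awk -F'"' -v suffix="/bin/msgimport" -v scanner_ua="Toata dragostea mea pentru diavola" '
    NF >= 6 {
        split($1, pre, " "); client = pre[1]; sub(/^[^: ]*:/, "", client)   # drop the grep file prefix
        split($2, req, " "); path = req[2]; gsub(/\/+/, "/", path)           # collapse "//" so variants match
        split($3, rest, " "); status = rest[1]
        ua = $6
        path_hit = (length(path) >= length(suffix) && substr(path, length(path) - length(suffix) + 1) == suffix)
        if (!path_hit && ua != scanner_ua) next
        # 2xx: the server told the scanner the path exists. Anything else: probe that found nothing.
        verdict = (status ~ /^2/) ? "fingerprint-path-present" : "probe-only"
        print client, status, path, verdict
    }'
}

# tally_probes: per-client count of each verdict, loudest source first, from the same stdin.
tally_probes() {
    flag_probes | awk '{ n[$1 " " $4]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Usage against the real logs:   cat lighttpd.access.2009* | flag_probes
# With the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | flag_probes
```

Any client with a "fingerprint-path-present" verdict learned that this host runs Roundcube; those addresses, and what they requested in the minutes after the 200, are the first thing to pull from the July and August logs mentioned in the previous post.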