LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-03-2008, 10:11 PM   #1
NetSaint
LQ Newbie
 
Registered: Mar 2008
Posts: 2

Rep: Reputation: 0
Rogue script forensics help


Hey everyone... I'm looking for some help tracking down a rogue script or scripts on my client's website that is sending spam.

I noticed a ton of returned mail that was sent from the server right after I added this new client to the new server.

I tried the obvious:

Apache access logs for anything suspicious... nothing
I set up a watch on lsof for open PHP files... nothing

As I watched the mail log I could see multiple max connection warnings.

So I decided to shut off Postfix to see if the PHP script would still generate mail... and it did. The mail queue quickly filled up with email spam generated from the server (the apache user).

My question is: is there any way to see which script generated certain emails?

lsof I thought would do it, but no dice.

Thanks in advance for any insight.
 
Old 03-04-2008, 08:20 PM   #2
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian Squeeze
Posts: 5,772

Rep: Reputation: 309
You could try any of several packet sniffers around, but that would probably just tell you what you already know. I think what you need is process accounting such as provided by acct. Be warned: it generates large log files quickly. You only want to run it when the client is logged on.

From the man 5 acct page:
Quote:
DESCRIPTION
If the kernel was compiled with the process accounting option enabled, the system call
    acct("/somewhere/accountingfile");
will start the process accounting. Each time a process terminates a record for this process is appended to the accounting file. The accounting structure struct acct is also described in the file /usr/include/linux/acct.h.
From the file acct.h named above:
Quote:
struct acct
{
    char        ac_flag;                /* Flags */
    char        ac_version;             /* Always set to ACCT_VERSION */
                                        /* for binary compatibility back until 2.0 */
    __u16       ac_uid16;               /* LSB of Real User ID */
    __u16       ac_gid16;               /* LSB of Real Group ID */
    __u16       ac_tty;                 /* Control Terminal */
    __u32       ac_btime;               /* Process Creation Time */
    comp_t      ac_utime;               /* User Time */
    comp_t      ac_stime;               /* System Time */
    comp_t      ac_etime;               /* Elapsed Time */
    comp_t      ac_mem;                 /* Average Memory Usage */
    comp_t      ac_io;                  /* Chars Transferred */
    comp_t      ac_rw;                  /* Blocks Read or Written */
    comp_t      ac_minflt;              /* Minor Pagefaults */
    comp_t      ac_majflt;              /* Major Pagefaults */
    comp_t      ac_swaps;               /* Number of Swaps */
    /* m68k had no padding here. */
#if !defined(CONFIG_M68K) || !defined(__KERNEL__)
    __u16       ac_ahz;                 /* AHZ */
#endif
    __u32       ac_exitcode;            /* Exitcode */
    char        ac_comm[ACCT_COMM + 1]; /* Command Name */
    __u8        ac_etime_hi;            /* Elapsed Time MSB */
    __u16       ac_etime_lo;            /* Elapsed Time LSB */
    __u32       ac_uid;                 /* Real User ID */
    __u32       ac_gid;                 /* Real Group ID */
};
and
Quote:
struct acct_v3
{
    char        ac_flag;                /* Flags */
    char        ac_version;             /* Always set to ACCT_VERSION */
    __u16       ac_tty;                 /* Control Terminal */
    __u32       ac_exitcode;            /* Exitcode */
    __u32       ac_uid;                 /* Real User ID */
    __u32       ac_gid;                 /* Real Group ID */
    __u32       ac_pid;                 /* Process ID */
    __u32       ac_ppid;                /* Parent Process ID */
    __u32       ac_btime;               /* Process Creation Time */
#ifdef __KERNEL__
    __u32       ac_etime;               /* Elapsed Time */
#else
    float       ac_etime;               /* Elapsed Time */
#endif
    comp_t      ac_utime;               /* User Time */
    comp_t      ac_stime;               /* System Time */
    comp_t      ac_mem;                 /* Average Memory Usage */
    comp_t      ac_io;                  /* Chars Transferred */
    comp_t      ac_rw;                  /* Blocks Read or Written */
    comp_t      ac_minflt;              /* Minor Pagefaults */
    comp_t      ac_majflt;              /* Major Pagefaults */
    comp_t      ac_swaps;               /* Number of Swaps */
    char        ac_comm[ACCT_COMM];     /* Command Name */
};
As you can see, the user id, group id, process id, and parent process id are reported.

It might be helpful if acct were also installed on the client's computer.
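The reply above explains what process accounting records but not how to read the binary file back and follow the uid/pid/ppid fields to the process that launched the mailer. The following is an added example, not bigrigdriver's code nor part of the acct package: it decodes struct acct_v3 records (the 64-byte layout quoted above, including the comp_t 13-bit mantissa / 3-bit base-8 exponent encoding), then lists every sendmail/postdrop exit under the web server's uid together with the chain of parents that had already exited. The uid 48 for apache, the pids, and the records themselves are constructed here for the demonstration; on a real system you would read the pacct file (its path varies by distribution) instead of build_sample().

```python
import struct

# struct acct_v3 from linux/acct.h as quoted above: 64 bytes, no padding.
# flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime (float),
# eight comp_t counters, then the 16-byte command name.
ACCT_V3_LAYOUT = "BBHIIIIIIfHHHHHHHH16s"
ACCT_V3_SIZE = struct.calcsize("<" + ACCT_V3_LAYOUT)  # 64
ACCT_VERSION = 3
ACCT_BYTEORDER = 0x80  # OR'd into ac_version by big-endian kernels

# ac_flag bits from linux/acct.h
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10

FIELDS = ("ac_flag", "ac_version", "ac_tty", "ac_exitcode", "ac_uid", "ac_gid",
          "ac_pid", "ac_ppid", "ac_btime", "ac_etime", "ac_utime", "ac_stime",
          "ac_mem", "ac_io", "ac_rw", "ac_minflt", "ac_majflt", "ac_swaps", "ac_comm")
COMP_T_FIELDS = FIELDS[10:18]  # ac_utime .. ac_swaps


def comp_t_to_int(c):
    """comp_t is a 13-bit mantissa scaled by 8 ** (3-bit exponent)."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def int_to_comp_t(n):
    """Lossy inverse of comp_t_to_int; used only to build the constructed sample."""
    exp = 0
    while n > 0x1FFF:
        n >>= 3
        exp += 1
    return (exp << 13) | n


def parse_records(data):
    """Decode every 64-byte acct_v3 record in the bytes of a pacct file."""
    records = []
    for off in range(0, len(data) - ACCT_V3_SIZE + 1, ACCT_V3_SIZE):
        version = data[off + 1]
        if version & 0x7F != ACCT_VERSION:
            raise ValueError("unsupported acct record version %d" % version)
        order = ">" if version & ACCT_BYTEORDER else "<"
        rec = dict(zip(FIELDS, struct.unpack_from(order + ACCT_V3_LAYOUT, data, off)))
        rec["ac_comm"] = rec["ac_comm"].split(b"\0", 1)[0].decode("ascii", "replace")
        for f in COMP_T_FIELDS:
            rec[f] = comp_t_to_int(rec[f])
        records.append(rec)
    return records


def ancestry(records, pid):
    """Follow ac_ppid links upward through the records we have. A record is written
    only when a process exits, so a long-lived parent (the httpd master, say) has no
    record yet and the chain stops at its pid."""
    by_pid = {r["ac_pid"]: r for r in records}  # pids are reused; last exit wins
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ac_ppid"]
    return chain


def mail_spawners(records, uid, mailers=("sendmail", "postdrop")):
    """(mailer record, chain of exited parents) for each mailer run under `uid`."""
    return [(r, ancestry(records, r["ac_ppid"]))
            for r in records if r["ac_uid"] == uid and r["ac_comm"] in mailers]


# --- constructed sample, not a real pacct file ---
APACHE_UID = 48  # assumed uid of the web server user


def make_record(comm, pid, ppid, uid, btime):
    return struct.pack("<" + ACCT_V3_LAYOUT, 0, ACCT_VERSION, 0, 0, uid, uid,
                       pid, ppid, btime, 0.25,
                       int_to_comp_t(2), int_to_comp_t(1), int_to_comp_t(2048),
                       int_to_comp_t(100000), int_to_comp_t(20), int_to_comp_t(50),
                       0, 0, comm.encode())


def build_sample():
    """Records in exit order: the children of a PHP mail() call, then unrelated exits."""
    return b"".join([
        make_record("sendmail", 2003, 2002, APACHE_UID, 1204600000),
        make_record("sh", 2002, 2001, APACHE_UID, 1204600000),
        make_record("php", 2001, 1500, APACHE_UID, 1204599999),
        make_record("sendmail", 2010, 900, 0, 1204600010),   # root's cron mail, legitimate
        make_record("ls", 2020, 1800, 1000, 1204600020),
    ])


if __name__ == "__main__":
    for mailer, chain in mail_spawners(parse_records(build_sample()), APACHE_UID):
        path = " <- ".join("%s[%d]" % (r["ac_comm"], r["ac_pid"]) for r in [mailer] + chain)
        print("uid %d ran %s; parent pid %d has not exited yet"
              % (mailer["ac_uid"], path, chain[-1]["ac_ppid"]))
```

The record gives the command name, uid and parent pid, not the path of the PHP file, so this narrows the search to "PHP under the apache uid spawned sh, which spawned sendmail" and to the httpd child pid still running; the script itself then has to be found from that pid (what it has open, which vhost it serves) while it is alive.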
 
Old 03-05-2008, 06:40 AM   #3
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
If there is a rogue script on the system then it has been compromised. The most likely method is php injection. If the script user is apache the most likely place to find the script is in /tmp.

Because intrusion has occurred you need to establish the level of penetration and the likely method of intrusion. It is likely to be a php application that has vulnerabilities. The system is not being updated and security warnings not monitored. If you cannot establish a time line and depth of penetration then you need to wipe the whole system and do a re-install. If the server is running php based apps check for the latest releases and regularly check for security warnings and security updates. I would also recommend standard stuff like tripwire and mod-security.
 
Old 03-05-2008, 12:11 PM   #4
NetSaint
LQ Newbie
 
Registered: Mar 2008
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks

Thanks to you both... I narrowed it down to an application called "amember" that the client had installed, and after some googling... this app has soooooo many issues.

Thank you both for your help!
 