Trying to indentify exploit.

stefaandk · 12-28-2005, 06:53 PM

Was getting these random crashes on our server but never was able to see things before they happened, so I kept my eye on top and then it showed up a process using 99% CPU run by apache called exe.

I did an lsof on the PID and it showed me this:

exe 28760 apache cwd DIR 9,2 4096 2 /
exe 28760 apache rtd DIR 9,2 4096 2 /
exe 28760 apache txt REG 9,2 17828 7914085 /tmp/upxBQEJWR4A2CV (deleted)
exe 28760 apache mem REG 9,2 106400 3686484 /lib/ld-2.3.2.so
exe 28760 apache mem REG 9,2 1539996 7782401 /lib/tls/libc-2.3.2.so
exe 28760 apache 0r CHR 1,3 132585 /dev/null
exe 28760 apache 1r CHR 1,3 132585 /dev/null
exe 28760 apache 2r CHR 1,3 132585 /dev/null
exe 28760 apache 3u IPv4 22411320 TCP myserver.com:46726->sv4.rapha.ac:3434 (ESTABLISHED)

THen the list continues with all my domains access_log files being open and ending with:

exe 28760 apache 1232w REG 9,2 0 2293915 /var/log/httpd/ssl_access_log
exe 28760 apache 1233w REG 9,2 0 2293916 /var/log/httpd/ssl_request_log
exe 28760 apache 1234u REG 9,2 0 7913686 /tmp/ZCUD7YqeMz (deleted)
exe 28760 apache 1235u sock 0,0 22410237 can't identify protocol
exe 28760 apache 1236u unix 0xecfeea40 22410238 socket

this sv4.rapha.ac is a japanese thing and I don't have japanese clients on my server really, but the subnet in iptables but I would like to know what it was and how it got onto my server?

Thanks

Matir · 12-28-2005, 08:11 PM

If you have it still running, dumping the /proc/PID information for it might be useful as well. If you can get ahold of the binary, a disassembly may reveal more.

unSpawn · 12-28-2005, 08:41 PM

I would like to know what it was and how it got onto my server
Next to undeleting and examining the file, find out what software people can interface with, check anything PHP or Perl related first, check your access/error logs.

stefaandk · 12-28-2005, 09:50 PM

I can't actually find the file, there is no file called exe that's for sure. Tracing the process did not seem to give me an actual file that was running.

sundialsvcs · 12-30-2005, 09:39 AM

Judging from man lsof, I am not entirely persuaded that the string "exe" actually indicates the name of an intruder.

What other evidence do you have that an intrusion actually occurred here? Just to be sure, you know . . .

enigmasoldier · 12-31-2005, 12:28 PM

You might want to check to see if you have a rootkit installed ASAP!
www.chkrootkit.org/