Spam sent from my host

vbfischer · 01-17-2006, 11:09 AM

I got an email today from my provider saying they had gotten 5 complaints about spam coming from my system. Taking a look at the headers, it is indeed coming from my system.

Code:

Received: from unknown (HELO server1.berzerker-soft.com) ([65.98.84.210])
          (envelope-sender <apache@berzerker-soft.com>)
          by mta8 (qmail-ldap-1.03) with SMTP
          for <mp128@mail.telepac.pt>; 15 Jan 2006 22:41:14 -0000
Received: by server1.berzerker-soft.com (Postfix, from userid 48)

userid 48 is the apache user.

Given the above headers, it looks like its coming from my Apache server.

I host a handful of friend's websites, who mostly use PHPNuke. I don't want to have to shut Apache down, but I don't want anymore spam to go through my system.

Anyone have any suggestions on troubleshooting this? Any other suggestions?

Thanks

vbfischer · 01-17-2006, 12:16 PM

I noticed something weird. I shut down apache, and the following entry was still there (ps -aux | grep apache):

Code:

apache    4369  0.0  0.0  2456  660 ?        S    Jan16   0:11 /usr/sbin/apache                                                                                                                                                                                                                        ? ArDaN

I kill that process, and a coupld of seconds later, its running again...

vbfischer · 01-17-2006, 12:19 PM

and the funny thing is, the file "/usr/sbin/apache" doesn't exist...

sundialsvcs · 01-17-2006, 12:22 PM

Take .. that .. system .. off .. the .. network .. Now!

vbfischer · 01-17-2006, 12:24 PM

I'd love to... Its a dedicated server.

Can you please explain what it means? What might have gone wrong?

Thanks.

gilead · 01-17-2006, 01:12 PM

Search Google for phpnuke vulnerabilities - there are plenty of hits. You probably need to upgrade/patch your php stuff.

It sounds like something foreign is already running on your system. I'd be taking the machine off the network, going through logs, looking for unusual files and checking that system binaries haven't been changed (do you run tripwire or something like it?). Dedicated server or not, you need to ensure the data you're hosting isn't put at further risk.

vbfischer · 01-17-2006, 01:17 PM

Thanks Steve,

I don't have tripwire installed. I think I'm going to get a new server and shut the old one down. I just don't want to make the same mistakes the next time and be in the same boat.

gilead · 01-17-2006, 01:22 PM

There's an article at http://phpnuke.org/modules.php?name=...-php-nuke.html that might be helpful. The first page is a bit vague, but after that it describes the common vulnerabilities in pretty good detail. There's also some stuff at http://www.nukecops.com/article46.html.

vbfischer · 01-17-2006, 01:32 PM

Thanks again Steve,

Those sites are helpful. I'll take a look at them.

gilead · 01-17-2006, 01:46 PM

No problem - good luck

pk21 · 01-17-2006, 10:51 PM

did you check your apache access log?
It will probably contain the script that is being abused if you search for email addresses in that log. Just search for @

erimar77 · 01-17-2006, 10:59 PM

more than likely, one of the php sites got hacked into. i would check those sites to see if there is any visible tampering.

vbfischer · 01-18-2006, 04:50 AM

Well, I was able to kill that suspicious process by creating a new user for apache, and deleting the apache user, then killing the process. None of the PHP sites have any visible tampering that I can tell. But as you said, I'm pretty sure it was one of the PHP sites that did indeed get hacked.

vbfischer · 01-18-2006, 07:39 AM

I was rumaging around my server, and found the following files in the tmp folder:

dc - a binary file
dc.txt - a text file which appears to be a perl script, providing a back door into my system.

Header had this information:
#IRAN HACKERS SABOTAGE Connect Back Shell
#code by:LorD
#We Are :LorD-C0d3r-NT
#Email:LorD@ihsteam.com
#
#lord@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--

and a folder called "den" which contained a bum of files, on looking like it was a list of email addresses that failed, and ok.

gilead · 01-18-2006, 01:02 PM

They've got their own web site at ihsteam.net. I won't post the whole URL since it's easy enough to find. It looks like they have exploits available for download - not my kind of place really.