Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 12-28-2005, 06:53 PM | Member | Registered: Jun 2005 | Distribution: Centos | Posts: 215
Trying to identify exploit.
I was getting random crashes on our server but was never able to see things before they happened, so I kept my eye on top, and then a process called exe, run by apache and using 99% CPU, showed up.
I did an lsof on the PID and it showed me this:
exe 28760 apache cwd DIR 9,2 4096 2 /
exe 28760 apache rtd DIR 9,2 4096 2 /
exe 28760 apache txt REG 9,2 17828 7914085 /tmp/upxBQEJWR4A2CV (deleted)
exe 28760 apache mem REG 9,2 106400 3686484 /lib/ld-2.3.2.so
exe 28760 apache mem REG 9,2 1539996 7782401 /lib/tls/libc-2.3.2.so
exe 28760 apache 0r CHR 1,3 132585 /dev/null
exe 28760 apache 1r CHR 1,3 132585 /dev/null
exe 28760 apache 2r CHR 1,3 132585 /dev/null
exe 28760 apache 3u IPv4 22411320 TCP myserver.com:46726->sv4.rapha.ac:3434 (ESTABLISHED)
Then the list continues with all my domains' access_log files being open and ends with:
exe 28760 apache 1232w REG 9,2 0 2293915 /var/log/httpd/ssl_access_log
exe 28760 apache 1233w REG 9,2 0 2293916 /var/log/httpd/ssl_request_log
exe 28760 apache 1234u REG 9,2 0 7913686 /tmp/ZCUD7YqeMz (deleted)
exe 28760 apache 1235u sock 0,0 22410237 can't identify protocol
exe 28760 apache 1236u unix 0xecfeea40 22410238 socket
This sv4.rapha.ac is a Japanese thing, and I don't really have Japanese clients on my server. I put the subnet in iptables, but I would like to know what it was and how it got onto my server.
Thanks
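As an added triage aid (this is not code from the original post or from LQ), the following Python parses exactly the lsof listing above and pulls out the indicators a responder acts on: the running image already unlinked from /tmp, a second unlinked temp file, the outbound TCP session, stdin/stdout/stderr pointed at /dev/null, and the httpd log descriptors the process holds open (file descriptors are inherited across fork/exec, so those are consistent with the process having been launched from inside the web server rather than from a shell). The sample text is the thread's own output with the standard lsof header row added; the weights in score() are an assumption for illustration, not any standard.

```python
import re

# Lines copied from post #1's lsof output; the COMMAND header row is the
# standard lsof header, added here so the sample reads like a real listing.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
exe 28760 apache cwd DIR 9,2 4096 2 /
exe 28760 apache rtd DIR 9,2 4096 2 /
exe 28760 apache txt REG 9,2 17828 7914085 /tmp/upxBQEJWR4A2CV (deleted)
exe 28760 apache mem REG 9,2 106400 3686484 /lib/ld-2.3.2.so
exe 28760 apache mem REG 9,2 1539996 7782401 /lib/tls/libc-2.3.2.so
exe 28760 apache 0r CHR 1,3 132585 /dev/null
exe 28760 apache 1r CHR 1,3 132585 /dev/null
exe 28760 apache 2r CHR 1,3 132585 /dev/null
exe 28760 apache 3u IPv4 22411320 TCP myserver.com:46726->sv4.rapha.ac:3434 (ESTABLISHED)
exe 28760 apache 1232w REG 9,2 0 2293915 /var/log/httpd/ssl_access_log
exe 28760 apache 1233w REG 9,2 0 2293916 /var/log/httpd/ssl_request_log
exe 28760 apache 1234u REG 9,2 0 7913686 /tmp/ZCUD7YqeMz (deleted)
exe 28760 apache 1235u sock 0,0 22410237 can't identify protocol
exe 28760 apache 1236u unix 0xecfeea40 22410238 socket
"""

PATH_RE = re.compile(r"(/\S*)( \(deleted\))?$")     # NAME column of file entries
TCP_RE = re.compile(r"TCP (\S+)->(\S+) \((\w+)\)")   # NAME column of TCP sockets
STDIO_RE = re.compile(r"[012][rwu]?")                # fds 0, 1 and 2 only
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def triage_lsof(text):
    """Parse one process's lsof listing into a dict of indicators."""
    r = {
        "command": None, "pid": None, "user": None,
        "deleted_executable": None,  # fd 'txt' is the image the process runs
        "deleted_files": [],         # open files that were already unlinked
        "tmp_files": [],             # anything under a world-writable dir
        "remote_endpoints": [],      # (peer, state) for TCP connections
        "stdio_to_devnull": 0,       # fds 0/1/2 detached to /dev/null
        "unidentified_sockets": 0,   # lsof could not name the protocol
        "open_logs": [],             # log files held open, i.e. inherited fds
    }
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "COMMAND":
            continue
        r["command"], r["pid"], r["user"] = parts[0], int(parts[1]), parts[2]
        fd, ftype = parts[3], parts[4]
        tcp = TCP_RE.search(line)
        if tcp:
            r["remote_endpoints"].append((tcp.group(2), tcp.group(3)))
            continue
        if "can't identify protocol" in line:
            r["unidentified_sockets"] += 1
            continue
        m = PATH_RE.search(line)
        if not m:
            continue                 # unix sockets etc. carry no path here
        path, deleted = m.group(1), bool(m.group(2))
        if deleted:
            r["deleted_files"].append(path)
            if fd == "txt":
                r["deleted_executable"] = path
        if path.startswith(WORLD_WRITABLE):
            r["tmp_files"].append(path)
        if STDIO_RE.fullmatch(fd) and path == "/dev/null":
            r["stdio_to_devnull"] += 1
        if ftype == "REG" and "/log/" in path:
            r["open_logs"].append(path)
    return r


def score(r):
    """Assumed weighting (not a standard); anything >= 6 is treated as a live compromise."""
    findings = []
    if r["deleted_executable"]:
        findings.append((4, "running image was unlinked: " + r["deleted_executable"]))
    if r["tmp_files"]:
        findings.append((2, "files in world-writable dir: " + ", ".join(r["tmp_files"])))
    for peer, state in r["remote_endpoints"]:
        findings.append((2, f"outbound TCP {state} to {peer}"))
    if r["stdio_to_devnull"] == 3:
        findings.append((1, "stdin/stdout/stderr all on /dev/null (daemonised)"))
    if r["unidentified_sockets"]:
        findings.append((1, f"{r['unidentified_sockets']} socket(s) lsof cannot classify"))
    if r["open_logs"] and r["user"] != "root":
        findings.append((1, "holds web-server log fds: inherited from httpd, so launched from a web app"))
    return sum(p for p, _ in findings), [msg for _, msg in findings]


if __name__ == "__main__":
    report = triage_lsof(SAMPLE_LSOF)
    points, reasons = score(report)
    print(f"{report['command']}[{report['pid']}] as {report['user']}: {points} points")
    for reason in reasons:
        print(" -", reason)
```

Feed it `lsof -p PID` output from any suspect process; the same parser works on `lsof -n` for a whole host if you group lines by PID first.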
#2 | 12-28-2005, 08:11 PM | LQ Guru | Registered: Nov 2004 | Location: San Jose, CA | Distribution: Debian, Arch | Posts: 8,507
If you have it still running, dumping the /proc/PID information for it might be useful as well. If you can get ahold of the binary, a disassembly may reveal more.
#3 | 12-28-2005, 08:41 PM | Moderator | Registered: May 2001 | Posts: 29,417
Quote: "I would like to know what it was and how it got onto my server"
Next to undeleting and examining the file, find out what software people can interface with, check anything PHP or Perl related first, check your access/error logs.
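Posts #2 and #3 both point at the same first step: capture /proc/PID while the process is still alive, because the binary was unlinked from /tmp and only the open inode keeps it readable. The script below is an added example, not code from either reply or from LQ. collect_proc_evidence() copies /proc/PID/exe (the kernel still serves the deleted image through that link, which is how "undeleting" the file works in practice), cmdline, status, maps, environ and the fd table into an evidence directory and hashes the binary. The proc_root parameter and build_fake_proc() exist only so the demo runs offline against a constructed tree; on the real box run it as root against the live /proc, then hand exe.bin to strings or objdump as post #2 suggests.

```python
import hashlib
import os
import sys
import tempfile

PROC_TEXT_FILES = ("cmdline", "status", "maps", "environ")


def collect_proc_evidence(pid, outdir, proc_root="/proc"):
    """Copy /proc/<pid> artefacts into outdir and return a summary dict.
    proc_root is a parameter only so the demo can point at a constructed
    tree; on a live host leave it at /proc and run as root."""
    base = os.path.join(proc_root, str(pid))
    os.makedirs(outdir, exist_ok=True)
    report = {"pid": pid, "saved": [], "missing": [], "fds": {}}

    # /proc/<pid>/exe is a "magic" link: it opens the running image even after
    # the path was unlinked, which is what lsof's "(deleted)" marker tells you.
    exe_link = os.path.join(base, "exe")
    target = os.readlink(exe_link)
    report["exe_target"] = target
    report["exe_deleted"] = target.endswith(" (deleted)")
    with open(exe_link, "rb") as src:
        data = src.read()
    with open(os.path.join(outdir, "exe.bin"), "wb") as dst:
        dst.write(data)
    report["exe_size"] = len(data)
    report["exe_is_elf"] = data[:4] == b"\x7fELF"
    report["exe_sha256"] = hashlib.sha256(data).hexdigest()
    report["saved"].append("exe.bin")
    report["cwd"] = os.readlink(os.path.join(base, "cwd"))

    # Small text files: argv, credentials/state, memory map (shows the deleted
    # image and any extra libraries), environment (may be denied; recorded).
    for name in PROC_TEXT_FILES:
        try:
            with open(os.path.join(base, name), "rb") as f:
                blob = f.read()
        except OSError:
            report["missing"].append(name)
            continue
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(blob)
        report["saved"].append(name)
        if name == "cmdline":
            report["argv"] = [a.decode(errors="replace") for a in blob.split(b"\x00") if a]

    # The fd table is what lsof was reading; keep our own copy of it.
    fd_dir = os.path.join(base, "fd")
    for fd in sorted(os.listdir(fd_dir), key=int):
        try:
            report["fds"][fd] = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            report["fds"][fd] = "<unreadable>"
    with open(os.path.join(outdir, "fds.txt"), "w") as f:
        f.writelines(f"{fd} -> {link}\n" for fd, link in report["fds"].items())
    report["saved"].append("fds.txt")
    return report


def build_fake_proc(root, pid=28760):
    """Constructed stand-in for /proc/28760 (not captured from a real host)."""
    pid_dir = os.path.join(root, str(pid))
    os.makedirs(os.path.join(pid_dir, "fd"))
    # A file whose name carries the kernel's " (deleted)" suffix stands in for
    # the unlinked binary; its content is a fake 64-byte ELF header.
    dropped = os.path.join(root, "upxBQEJWR4A2CV (deleted)")
    with open(dropped, "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 60)
    os.symlink(dropped, os.path.join(pid_dir, "exe"))
    os.symlink("/", os.path.join(pid_dir, "cwd"))
    with open(os.path.join(pid_dir, "cmdline"), "wb") as f:
        f.write(b"exe\x00")
    with open(os.path.join(pid_dir, "status"), "w") as f:
        f.write("Name:\texe\nPid:\t28760\n")
    with open(os.path.join(pid_dir, "maps"), "w") as f:   # device/inode from the thread's lsof
        f.write("08048000-0804d000 r-xp 00000000 09:02 7914085 /tmp/upxBQEJWR4A2CV (deleted)\n")
    os.symlink("/dev/null", os.path.join(pid_dir, "fd", "0"))
    os.symlink("socket:[22411320]", os.path.join(pid_dir, "fd", "3"))


def demo():
    """Run the collector against the constructed tree; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(os.path.join(tmp, "proc"))
        return collect_proc_evidence(28760, os.path.join(tmp, "evidence"),
                                     proc_root=os.path.join(tmp, "proc"))


if __name__ == "__main__":
    if len(sys.argv) == 3:                       # live use: PID OUTDIR
        rep = collect_proc_evidence(int(sys.argv[1]), sys.argv[2])
    else:
        rep = demo()
    for k, v in rep.items():
        print(f"{k}: {v}")
```

Collect before you kill the process: once it exits, the unlinked inode is freed and exe.bin is the only copy you will ever have. The sha256 is what you search for in malware databases and what you give the hosting provider.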
#4 | 12-28-2005, 09:50 PM | Member (Original Poster) | Registered: Jun 2005 | Distribution: Centos | Posts: 215
I can't actually find the file; there is no file called exe, that's for sure. Tracing the process did not seem to give me an actual file that was running.
#5 | 12-30-2005, 09:39 AM | LQ Guru | Registered: Feb 2004 | Location: SE Tennessee, USA | Distribution: Gentoo, LFS | Posts: 11,201
Judging from man lsof, I am not entirely persuaded that the string "exe" actually indicates the name of an intruder.
What other evidence do you have that an intrusion actually occurred here? Just to be sure, you know . . .
#6 | 12-31-2005, 12:28 PM | Member | Registered: Jul 2003 | Location: Florence, Ky | Distribution: CentOS 3.3-4, OpenBSD 3.3, Fedora Core 4, Ubuntu, Novell Open Enterprise Server | Posts: 213
You might want to check to see if you have a rootkit installed ASAP!
www.chkrootkit.org/