LinuxQuestions.org

Linux - Security: Ubuntu 8.04 + Apache 2.28 hacked - need help (https://www.linuxquestions.org/questions/linux-security-4/ubuntu-8-04-apache-2-28-hacked-need-help-862722/)

Alt-Ox 02-14-2011 10:59 PM

Ubuntu 8.04 + Apache 2.28 hacked - need help
 
Hello guys

I have a brand new server which will be used for webpage hosting, but I just noticed somebody else was using it.

Found a lot of "scanssh" processes running as the "www-data" user and noticed there were some scripts downloaded to the /tmp filesystem, like sipscan7.1.

Just killed all those processes and checked the system; it seems to be "healthy" now, but I want to avoid that from happening again.

Checked logs and there were a lot of login attempts; it seems someone is trying to figure out the user's password.

However, it seems to be an Apache vulnerability since those files were 'created' as the "www-data" user.

Does anyone have any clue on how I can proceed with that?
I mean, how can I guarantee this will not happen again?

These are the versions I have:

Ubuntu
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.4 LTS"

Apache
Server version: Apache/2.2.8 (Ubuntu)
Server built: Nov 18 2010 21:21:21

Any clue is very very very appreciated.

Thank you.

unSpawn 02-14-2011 11:56 PM

It's unlikely that it's a vulnerability in the web server itself but rather in what it serves. In the meantime, best stop Apache until you find out. So what does it provide? Which package(s) and what version? Did you run your system and daemon logs through 'logwatch'? Because abuse usually is preceded by reconnaissance, so reading logs to the point where 404s (return codes, I mean) turn into 200s would be a good start. BTW, next time, before killing those processes it would be best to save process information; something like '( ps axfwwwe; lsof -Pwln; netstat -anpe; who; lastb; last ) > /var/tmp/log.txt' could help pinpoint things.

[EDIT]
Next to checking your logs, feel free to run any checks from the CERT Intruder Detection Checklist to ensure system integrity. And let's deal with post-cleanup stuff like system hardening after you've posted back, OK?
[/EDIT]
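The "404s turning into 200s" heuristic above can be automated over the Apache access log. The script below is an added example, not code from this thread or from any poster: it parses Apache combined-format lines, keeps each client's requests in log order, and reports the first 200 response a client received after a run of at least `min_404` 404s (the threshold and the sample log lines, which use RFC 5737 documentation addresses, are constructed for this example).

```python
"""Spot the point where a client's 404 probing turns into 200 responses
in an Apache combined-format access log (added example, not from the thread)."""
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one client probes common paths (404s) and then
# starts receiving 200s; a second client only fetches the front page.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2011:20:01:02 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Feb/2011:20:01:03 -0500] "GET /pma/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Feb/2011:20:01:04 -0500] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.4 - - [14/Feb/2011:20:02:10 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2011:20:03:11 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Feb/2011:20:03:12 -0500] "GET /webapp/upload.php HTTP/1.1" 200 1190 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Feb/2011:20:03:40 -0500] "POST /webapp/upload.php HTTP/1.1" 200 77 "-" "Mozilla/4.0"
"""


def parse(lines):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def find_recon_to_success(lines, min_404=3):
    """Return {ip: (number_of_404s_seen_before, first_200_entry)} for every
    client whose run of at least min_404 missed requests was followed by a 200.

    Requests are examined in log order per client, so a client that first
    served itself real pages and only later hit a few 404s is not flagged."""
    per_ip = defaultdict(list)
    for entry in parse(lines):
        per_ip[entry["ip"]].append(entry)

    hits = {}
    for ip, entries in per_ip.items():
        misses = 0
        for e in entries:
            if e["status"] == 404:
                misses += 1
            elif e["status"] == 200 and misses >= min_404:
                hits[ip] = (misses, e)
                break  # first success after the probing is the one to look at
    return hits


def report(hits):
    """Format the findings as one line per client for reading or grepping."""
    return [
        f"{ip}: {misses} x 404 then {e['status']} on "
        f"{e['method']} {e['path']} at {e['time']}"
        for ip, (misses, e) in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in report(find_recon_to_success(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it against a real log with `find_recon_to_success(open("/var/log/apache2/access.log"))`; the entries it returns give the timestamp and path to start reading from, which is the moment the post above says to look for. Raise `min_404` on busy sites to cut noise from ordinary broken links.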
