Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1 - 02-14-2011, 11:59 PM - Alt-Ox (LQ Newbie, registered Nov 2007, 20 posts)
Ubuntu 8.04 + Apache 2.28 hacked - need help


Hello guys,

I have a brand new server which will be used for webpage hosting, but I just noticed somebody else was using it.

Found a lot of "scanssh" processes being run by the "www-data" user, and noticed there were some scripts downloaded to the /tmp filesystem, like sipscan7.1.

Just killed all those processes and checked the system; it seems to be "healthy" now, but I want to avoid that from happening again.

Checked the logs and there were a lot of login attempts; it seems someone is trying to figure out the user's password.

However, it seems to be an Apache vulnerability, since those files were 'created' as the "www-data" user.

Does anyone have any clue on how I can proceed with that?
I mean, how can I guarantee this will not happen again?

These are the versions I have:

Ubuntu
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.4 LTS"

Apache
Server version: Apache/2.2.8 (Ubuntu)
Server built: Nov 18 2010 21:21:21

Any clue is very very very appreciated.

Thank you.
#2 - 02-15-2011, 12:56 AM - unSpawn (Moderator, registered May 2001, 29,415 posts)
It's unlikely that it's a vulnerability in the web server itself but rather in what it serves. In the meantime, best stop Apache until you find out. So what does it provide? Which package(s) and what version? Did you run your system and daemon logs through 'logwatch'? Because abuse usually is preceded by reconnaissance, reading the logs to the point where 404's (return codes, I mean) turn into 200's would be a good start. BTW, next time, before killing those processes, it would be best to save process information, e.g. '( ps axfwwwe; lsof -Pwln; netstat -anpe; who; lastb; last ) > /var/tmp/log.txt'; that could help pinpoint things.

[EDIT]
Next to checking your logs feel free to run any checks from the CERT Intruder Detection Checklist to ensure system integrity. And let's deal with post-cleanup stuff like system hardening after you've posted back, OK?
[/EDIT]

Last edited by unSpawn; 02-15-2011 at 11:08 AM. Reason: //More *is* more
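Added example (editor's code, not part of the thread or anyone's post): the two things the reply above asks for, as shell you can paste onto the box. The first function wraps the same command list from the post into a timestamped evidence file; the second reads Apache access log lines and reports, per client IP, the first request that returned 200 after that IP had already collected a run of 404s, which is the "404's turn into 200's" point the reply says to look for. It assumes a POSIX sh with awk, Apache's default "combined" LogFormat (client IP in field 1, timestamp in field 4, request line in fields 6-8, status in field 9), and that the snapshot is run as root so lsof/netstat can see every user's sockets and lastb can read btmp. The sample log lines are constructed for the demo, using RFC 5737 documentation addresses, not real traffic from the poster's server.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes POSIX sh + awk and Apache's
# default "combined" LogFormat: $1 client IP, $4 timestamp, $6-$8 request
# line, $9 status code.

# 1. Snapshot volatile state BEFORE killing anything. Same command list as
#    the post, wrapped so the output file is timestamped. Run as root so
#    lsof/netstat see other users' sockets and lastb can read /var/log/btmp.
snapshot_volatile() {
    out="${1:-/var/tmp/ir-$(date +%Y%m%d-%H%M%S).txt}"
    ( date; ps axfwwwe; lsof -Pwln; netstat -anpe; who; lastb; last ) > "$out" 2>&1
    printf '%s\n' "$out"
}

# 2. Find where reconnaissance turned into a hit: for each client IP, print
#    the first request that returned 200 after that IP had already received
#    at least $1 (default 3) 404s. Reads combined-format lines on stdin.
#    Output: "<ip> <timestamp> <method> <path>", one line per IP.
first_hit_after_404s() {
    min="${1:-3}"
    awk -v min="$min" '
        {
            ip = $1; status = $9
            if (status == 404) {
                miss[ip]++
            } else if (status == 200 && miss[ip] >= min && !(ip in seen)) {
                seen[ip] = 1
                # drop the leading "[" of the timestamp and the leading
                # double quote of the method
                printf "%s %s %s %s\n", ip, substr($4, 2), substr($6, 2), $7
            }
        }'
}

# Constructed sample log (RFC 5737 documentation addresses, not real data).
# One IP probes common admin paths and gets 404s, then gets a 200; the
# other IP is an ordinary visitor and must not be reported.
SAMPLE_LOG='203.0.113.7 - - [14/Feb/2011:22:01:11 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2011:22:01:12 -0500] "GET /pma/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2011:22:01:13 -0500] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Feb/2011:22:01:30 -0500] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2011:22:01:40 -0500] "POST /cgi-bin/app?x=1 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2011:22:02:00 -0500] "GET /cgi-bin/app?x=2 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"'

# Demo on the sample. On the real box:
#   snapshot_volatile                       # before killing anything
#   first_hit_after_404s 3 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | first_hit_after_404s 3
```

The threshold is deliberately a parameter: on a busy host set it higher so ordinary broken links do not get reported, and once you have the IP and timestamp of the first 200, read the surrounding lines of access.log and error.log by hand, because the request that got the 200 is the one that tells you which served application was abused, not Apache itself.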