Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
The ps output indicates that the user apache is running the executable named 7474 as well as an interactive shell. Both are not normal behaviour for Apache and in fact are highly suggestive that your system has been compromised.
You can try tracking down the location of the 7474 file using 'find / | grep 7474' or alternatively look up the process info in /proc/<PID>/cmdline where PID is the process id number from the ps output (in this case /proc/15535/cmdline). Once you identify the location of the file, look around that directory for any other suspicious files or folders. Check out your logs (especially the Apache logs in /var/log/httpd/) and the system logs in /var/log/messages and /var/log/secure for any abnormal log messages. I would highly recommend downloading and running chkrootkit and/or rootkithunter on the system as well. Post anything that looks remotely relevant
Before doing anything though, make a note of all processes running on the system and any network connections (use netstat -pantu) .
[root@gandalf chkrootkit-0.45]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi/auto/mod_perl/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... /proc/19488/fd: No such file or directory
eth0: not promisc and no PF_PACKET sockets
eth0:1: not promisc and no PF_PACKET sockets
eth0:2: not promisc and no PF_PACKET sockets
eth0:3: not promisc and no PF_PACKET sockets
eth0:4: not promisc and no PF_PACKET sockets
eth0:5: not promisc and no PF_PACKET sockets
eth1: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2365 tty5 /sbin/mingetty tty5
! root 2369 tty6 /sbin/mingetty tty6
! apache 18765 ttyp0 sh -i
! apache 20273 ttyp1 sh -i
chkutmp: nothing deleted
The chkrootkit output shows that it found a bindshell which is usually a backdoor. The fact that it's running on a priveledged port (465) isn't a good sign either.
The netstat output shows a lot of different services running. The primary question is whether you think they should be? Go through the list and try to identify any that look abnormal to you. I don't know what you are using the box for or what applications you're running, so I can't really tell you. However, there are several that look fairly suspicious. For example we see the 7474 program appears again listening on port 7474. The java processes look suspicious as well (both 7474 and httpd have established local connections to port 9008).
Any luck identifying the location of the 7474 executable? Find anything else in the logs?
Once you get a good suspicion that it's been compromised immediately disconnect it from the network and then proceed with any further forensic analysis.
I found the 7474 file in /var/tmp and deleted that, after that i found a shoutcast in the samedir which do not belong there, and in that logfile i found a url/ip/and irc channel after mailing the persons in about 5 minutes everything went ok.
I searched in the logfiles and found phpBB 2.0.6 on one of my clients webspace was the problem and through phpbb they started everything, so i have updated phpbb and no suspicious things anymore!
the port 465 is from plesk en java is also for plesk so that is normal!
But thanks for the command to find the file i couldn't find with locate
Not that surprising. Depending on what you found, my next question was going to be what kind of web content you were hosting. PHPbb has taken a real beating over the last 6 months in terms of security. In fact I've heard from multiple sources that exploits are circulating for the current release, so I'd recommend against running it unless absolutely necessary.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.