
Re: possible server compromise



Sergio Cuéllar Valdés wrote on Mon 21. 08. 2006 at 09:51 -0500:
> On 8/21/06, David Siroky <ml@dasir.net> wrote:
> > Hi!
> >
> > I have an urgent situation. On one of my servers all the apache
> > "error.log" and "access.log" files disappeared, along with other files
> > containing "logo" or "login". I found some unknown processes.
> >
> > # ps -el
> > ...
> > 1 S  5000  1008     1  0  75   0 -   572 -      ?        00:00:16 iroffer
> > 0 S  5000  7574     1  0  76   0 -  1390 -      ?        00:02:28 sifler.pl
> 
> Ooops, you should disconnect your box from the network, and then
> check those files.
> 
> Do you have some LAMP application running in your server ?
> 
> Check the messages files.
> 
> 

I have LAMP (PHP).

After an investigation I found that there was only an iroffer bot
(http://iroffer.org/), process faker and somebody used tools from
http://fullzonelista.altervista.org/ to make my server a warez server.

chkrootkit and rkhunter don't report any rootkits and those processes
were so obvious that I assume I found all the "bad" files.

The attack came through an apache2 so the attackers were able to
manipulate only web files (they had only http server privileges).
Attackers deleted all access.log and error.log files (which I had among
the web files) so I can't trace the security hole.
I know that there is a security issue in mod_rewrite but I don't use it.
Maybe PHP is unsafe. It is a mystery to me. Now I "doubled" the apache
logging so next time they will not be able to delete all "entry"
evidence (I hope they will attack again :-).

David
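As an added illustration (not from David's mail or from the list) of what "doubling" the Apache logging can look like: the weak layout described above, with the logs kept among the web files where the httpd user can delete them, beside a layout that keeps the primary logs in a root-owned directory and sends a second copy to syslog. All paths, the hostname and the syslog facility are assumed for the example.

```apache
# Weak layout (what the thread describes): logs live under the web tree.
# The directory is writable by the httpd user, so any code running as
# that user can unlink error.log and access.log.
# (Paths and hostname below are assumed for illustration.)
<VirtualHost *:80>
    ServerName www.example.invalid
    DocumentRoot /var/www/site/htdocs
    ErrorLog  /var/www/site/logs/error.log
    CustomLog /var/www/site/logs/access.log combined
</VirtualHost>

# Hardened layout: Apache opens its log files as root in the parent
# process before the workers drop to the httpd user. If the directory is
# owned by root (e.g. /var/log/apache2, mode 0750), the workers cannot
# unlink or truncate the files. A second copy of each log is sent to
# syslog, which the httpd user cannot reach at all and which the syslog
# daemon can forward to another host.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

<VirtualHost *:80>
    ServerName www.example.invalid
    DocumentRoot /var/www/site/htdocs

    # Access log, copy 1: root-owned file outside the web tree.
    CustomLog /var/log/apache2/site-access.log combined

    # Access log, copy 2: CustomLog may be repeated; this one is piped
    # through logger(1) into syslog facility local6 (assumed).
    CustomLog "|/usr/bin/logger -t apache-access -p local6.info" combined

    # Error log: ErrorLog cannot be repeated, so send it straight to
    # syslog (needs Apache built with syslog support, the Debian default)
    # and let the syslog daemon write the local file and forward it.
    ErrorLog syslog:local6
</VirtualHost>
```

The syslog daemon's own configuration then decides where local6 is written and whether it is also shipped to a remote collector, so the on-box copy and the off-box copy no longer depend on the web server's file permissions.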



