Re: Am I compromised
On Fri, Nov 25, 2005 at 09:25:09PM +0530, Ritesh Raj Sarraf wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello World,
>
> I've got a severe problem. It looks like my webserver has been compromised.
>
> I have a webserver running apache2 (Debian Sarge). My webserver's load is
> always remaining around 1.5 and the cpu utilization is 95%.
>
> My webserver is not accepting web connections at the moment.
>
> The top reports show that a perl process is eating up all the cpu cycles
> which is executed by www-data user.
>
> Following is a result of `ps aux`:
>
> www-data 28390 27.7 0.7 5760 3808 ? R 06:08 23:19 /usr/sbin/httpd
> identd 28391 0.0 0.1 51948 1032 ? S 06:08 0:00 identd
> www-data 32753 0.0 2.7 22240 14348 ? S 07:20 0:00 /usr/sbin/apache2 -k start -DSSL
> root 307 0.0 0.3 6224 1956 ? Ss 07:21 0:00 sshd: rrs [priv]
> rrs 310 0.0 0.3 6388 2060 ? S 07:21 0:00 sshd: rrs@pts/0
> rrs 311 0.0 0.4 3728 2356 pts/0 Ss 07:21 0:00 -bash
> root 348 0.0 0.2 2592 1476 pts/0 S 07:22 0:00 -su
> www-data 368 0.1 2.7 22240 14340 ? S 07:23 0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 376 0.0 2.7 22240 14348 ? S 07:24 0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 394 0.1 2.7 22428 14412 ? S 07:26 0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 420 0.1 2.7 21836 13968 ? S 07:29 0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 426 0.0 0.0 0 0 ? Z 07:29 0:00 [perl] <defunct>
> www-data 453 0.1 2.7 22420 14396 ? S 07:30 0:00 /usr/sbin/apache2 -k start -DSSL
> root 462 0.0 0.1 2052 932 ? S 07:30 0:00 /USR/SBIN/CRON
> root 463 0.0 0.2 2696 1200 ? Ss 07:30 0:00 /bin/sh -c /usr/local/bin/update-data.sh > /dev/null
> root 464 0.0 0.2 2696 1248 ? S 07:30 0:00 /bin/sh /usr/local/bin/update-data.sh
> root 493 0.0 0.2 3376 1496 ? S 07:30 0:00 wget -q -O /etc/tinydns/root/data.srv-1 http://127.0.0.1/veg
> root 495 0.0 0.1 1512 624 ? Ss 07:30 0:00 /usr/sbin/anacron -s
> www-data 546 5.2 2.7 22440 14424 ? S 07:31 0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 548 37.5 2.7 22464 14448 ? S 07:32 0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 552 0.0 2.7 22240 14348 ? S 07:32 0:00 /usr/sbin/apache2 -k start -DSSL
> root 553 0.0 0.1 2496 848 pts/0 R+ 07:32 0:00 ps aux
> ns1:~# cd /etc/cron.d
Okay, well.. I have seen this as well.. and it looks like a sql code
injection hack.. and it's either filling up your link as it's used for
ddos attacks.
>
>
> Interesting part is that it shows that "/usr/sbin/httpd" process is being
> run where as there's no "/usr/sbin/httpd" on my machine.
>
> ns1:/etc/cron.d# file /usr/sbin/httpd
> /usr/sbin/httpd: ERROR: cannot open `/usr/sbin/httpd' (No such file or
> directory)
Take a look at /var/lib/tmp and /tmp . Take a good look at your apache
log files. Remove wget with (apt-get purge wget). Remove any other
service you don't need.
Don't just delete everything you can find in these world writable
locations, but examine them with your logs. Make a report, and inform the
host of the location where the download came from.
As soon as you're done with that, kill apache, check your usage of the
bandwidth.. and run a - nmap -sS localhost
This might give you some useful information, and lock up the ports your
server doesn't use by default.. and should use for the service. That
means inside out and outside in traffic (hence the removal of wget).
Afterwards, go and check the websites.. and take a good look at what
software is used, what should be updated, and so on. When you are done
think about rebuilding your server with the following in mind;
A default apache install is nice, it works, but isn't all that
&
tools are nice to use, but what do you need.. install only that.
There is a lot of other stuff you can do.. but hey, it all depends on
what you NEED. I'm not known for being paranoid when it comes to
security.. but I just like to split up the services on different boxes
when I get the opportunity.
--
TC,
,Mark
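One concrete check for what the quoted `ps aux` shows (a `/usr/sbin/httpd` process with no such file on disk), as an added example that is not code from this thread: it compares each process's claimed argv[0] from `/proc/PID/cmdline` with the executable the kernel actually has mapped at `/proc/PID/exe`. It assumes Linux `/proc` and GNU coreutils, and needs root to inspect other users' processes.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Flags processes whose claimed
# program name (argv[0]) does not match the executable the kernel mapped,
# the pattern behind the "/usr/sbin/httpd" entry that has no file on disk.
# Assumes Linux /proc and GNU coreutils (readlink -f, stat -c).

# classify_proc CLAIMED ACTUAL
#   CLAIMED = argv[0] from /proc/PID/cmdline, ACTUAL = readlink /proc/PID/exe
#   Prints OK, DELETED (binary unlinked after start), MISSING (claimed path
#   absent from disk) or MISMATCH (a different program than it says it is).
classify_proc() {
    claimed=${1#-}      # login shells prefix argv[0] with "-"
    actual=$2
    case $actual in *' (deleted)') echo DELETED; return 0 ;; esac
    case $claimed in
        /*)
            [ -e "$claimed" ] || { echo MISSING; return 0; }
            # resolve symlinks first: /bin/sh is dash on Debian
            [ "$(readlink -f "$claimed")" = "$actual" ] && { echo OK; return 0; }
            ;;
    esac
    if [ "$(basename "$claimed")" = "$(basename "$actual")" ]; then
        echo OK
    else
        echo MISMATCH
    fi
}

# Walk /proc and print every process that is not plainly OK. Daemons that
# rewrite argv[0] (sshd, postgres) show up as MISMATCH: review, don't kill.
scan_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        # cmdline is NUL-separated; empty means a kernel thread, skip it
        claimed=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -n "$claimed" ] || continue
        actual=$(readlink "$d/exe" 2>/dev/null || true)
        if [ -z "$actual" ]; then
            # zombie (the "[perl] <defunct>" above) or no permission to read
            verdict=NOEXE
        else
            verdict=$(classify_proc "$claimed" "$actual")
        fi
        [ "$verdict" = OK ] && continue
        owner=$(stat -c %U "$d" 2>/dev/null || echo '?')
        printf '%-8s pid=%-6s user=%-8s argv0=%s exe=%s\n' \
            "$verdict" "$pid" "$owner" "$claimed" "$actual"
    done
    return 0
}

scan_proc
```

Every line it prints deserves a look at the owner's cron entries, the apache logs for that time window and the files under /tmp and /var/tmp, as Mark suggests, before anything is removed.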