Re: Am I compromised
Hello Ritesh,
Friday, November 25, 2005, 18:39:16, Ritesh Raj Sarraf wrote:
> 1) Stopped the apache2 service.
> 2) Still found a non-existent /usr/sbin/httpd process running. Killed it. It
> got killed.
I saw a similar attack on my server about a year ago. I was also very
concerned about security. But after some investigation, I was sure
it was nothing more than executing some scripts through buggy php scripts
(awstats, phpbb). The attacker tried a few downloaded old exploits, but
they didn't work. These are my suggestions:
Don't stop anything. If it's possible (and I think it is possible to
spend one hour investigating on a live server if it had possibly been
hacked for several hours/days before you noticed) try to get as much
info as you can. With everything running, run nmap to see if any
process has opened a port for listening. Usually it will be a shell or
an IRC bot (I think it was an IRC bot in your case as it was using a lot
of CPU).
/proc is your friend. It is easy to alter what "ps" says.
/proc/pid/exe is a link to the executable. If you are lucky, it will
still be on your HDD (and not deleted after executing).
And here is what I did to the "attacker" when I was sure he didn't
gain anything except running a shell on port XX under the www-data user.
Bash tried to write /.bash_history, but obviously it wasn't
possible. So I created /.bash_history as root with write-only
permissions for everyone. And in one day I was looking at the attacker's
commands :) I also wrote a small script which did a periodic
netstat|grep :portXX, so I got the IP from which he was connecting (some
Romanian GSM operator).
One good prevention (when you can't use safe_mode in PHP) is to have
/tmp mounted noexec and use at least open_basedir in PHP.
--
bYE, Marki
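The /proc-based checks Marki describes above, written up as an added triage script that is not part of the original thread; it assumes a Linux host with a readable /proc/net/tcp and takes path arguments so the same functions can be run against a copied or constructed /proc tree.

```shell
#!/bin/sh
# Added live-triage helper (not code from the original thread). It reads
# /proc directly rather than trusting ps:
#  - listening_sockets: TCP sockets in LISTEN state (st == 0A) from /proc/net/tcp
#  - deleted_exes: PIDs whose /proc/PID/exe target was unlinked after exec

# Decode a /proc/net/tcp "ADDR:PORT" field (little-endian hex IPv4) to
# dotted form, e.g. 0100007F:0016 -> 127.0.0.1:22
decode_addr() {
    ip_hex=${1%%:*}
    port_hex=${1##*:}
    b1=$(printf '%d' "0x$(printf '%s' "$ip_hex" | cut -c7-8)")
    b2=$(printf '%d' "0x$(printf '%s' "$ip_hex" | cut -c5-6)")
    b3=$(printf '%d' "0x$(printf '%s' "$ip_hex" | cut -c3-4)")
    b4=$(printf '%d' "0x$(printf '%s' "$ip_hex" | cut -c1-2)")
    printf '%s.%s.%s.%s:%d\n' "$b1" "$b2" "$b3" "$b4" "0x$port_hex"
}

# Print the local address of every LISTEN socket in the given /proc/net/tcp
# file. Compare against what you expect to be listening; an unexplained
# port (a bound shell, an IRC bot) deserves a look at its owning process.
listening_sockets() {
    awk 'NR > 1 && $4 == "0A" { print $2 }' "$1" | while read -r local; do
        decode_addr "$local"
    done
}

# List "PID target" for processes whose executable has been deleted from
# disk. The kernel appends " (deleted)" to the exe link in that case, which
# is typical of a payload dropped in /tmp, started, then unlinked.
# Reading other users' exe links needs root; unreadable ones are skipped.
deleted_exes() {
    for d in "$1"/[0-9]*; do
        [ -L "$d/exe" ] || continue
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)") printf '%s %s\n' "${d##*/}" "$target" ;;
        esac
    done
}

# Report on the live system when /proc is available.
if [ -r /proc/net/tcp ]; then
    echo "== listening TCP sockets =="
    listening_sockets /proc/net/tcp
    echo "== processes running a deleted executable =="
    deleted_exes /proc
fi
```

Run it as root so every /proc/PID/exe link is readable; IPv6 listeners live in /proc/net/tcp6 and are not covered here.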