
Re: Am I compromised



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marek Podmaka on Monday 28 Nov 2005 01:53 wrote:

> Hello Ritesh,
> 
> Friday, November 25, 2005, 18:39:16, Ritesh Raj Sarraf wrote:
> 
>> 1) Stopped the apache2 service.
>> 2) Still found a non-existent /usr/sbin/httpd process running. Killed it.
>> It got killed.
> 
>   I saw a similar attack on my server about a year ago. I was also very
>   concerned about security. But after some investigation, I was sure
>   it was nothing more than executing some scripts through buggy php scripts
>   (awstats, phpbb). The attacker tried a few downloaded old exploits, but
>   they didn't work. These are my suggestions:
> 
>   Don't stop anything. If it's possible (and I think it is possible to
>   spend one hour investigating on a live server if it had possibly been
>   hacked for several hours/days before you noticed) try to get as much
>   info as you can. With everything running, run nmap to see if any
>   process has opened a port for listening. Usually it will be a shell or
>   an IRC bot (I think it was an IRC bot in your case as it was using a lot
>   of CPU).
> 
>   /proc is your friend. It is easy to alter what "ps" says.
>   /proc/pid/exe is a link to the executable. If you are lucky, it will
>   still be on your HDD (and not deleted after executing).
> 
>   And here is what I did to the "attacker" when I was sure he hadn't
>   gained anything except running a shell on port XX under the www-data user.
>   Bash tried to write /.bash_history, but obviously it wasn't
>   possible. So I created /.bash_history as root with write-only
>   permissions for everyone. And in one day I was looking at the attacker's
>   commands :) I also wrote a small script which did a periodic
>   netstat|grep :portXX, so I got the IP from which he was connecting (some
>   Romanian GSM operator).
> 
>   One good prevention (when you can't use safe_mode in PHP) is to have
>   /tmp mounted noexec and use at least open_basedir in PHP.
>   
> 

I agree with what you mentioned. The root account wasn't compromised. It was
an IRC bot which ate most of the CPU cycles and made the server sluggish.

For now I've disabled php/perl on the server and it's working fine.

I have one question which I think people here can give better ideas on:
The server is a webserver running multiple Virtual Hosts. I can't/shouldn't
restrict my users (Virtual Host owners) from uploading any script/program
to their webroot directory. Now if one of my users is using a vulnerable
script, say awstats, it affects the whole server.

What is the best practice to handle such situations?

Regards,

rrs
- -- 
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDkbAL4Rhi6gTxMLwRAhXPAJ9BS4YqIQkqh20SiopKQTeGjj+A/QCfatdl
z7GREwX48MpC0ErKR2oVu2g=
=hkBW
-----END PGP SIGNATURE-----
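The live-investigation steps Marek describes (find which process has opened a listening port, then read /proc/PID/exe rather than trusting ps) can be done from inside the box without nmap by reading /proc/net/tcp, where local ports are hex and the last column is the socket inode, and matching that inode against every process's fd table. The script below is an added example, not code from the thread; it runs on Linux, needs root to read other users' fd directories, and the /proc/net/tcp text it parses offline is constructed (port 8080 owned by uid 33, which is www-data on Debian, stands in for the bot's shell port).

```shell
#!/bin/sh
# Added example (not from the thread): find listening TCP sockets from
# /proc/net/tcp and walk back to the owning process via /proc/PID/fd and
# /proc/PID/exe.  Linux only; root needed for other users' fd tables.

sample_proc_net_tcp() {
    # Constructed /proc/net/tcp text for offline use (not from a real host).
    # st 0A = LISTEN, 01 = ESTABLISHED; inode is the last column we use.
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 100 0 0 10 0
EOF
}

listening_sockets() {
    # Reads /proc/net/tcp-format text on stdin; prints "port inode uid"
    # for every socket in LISTEN state, with the hex port decoded.
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2], $10, $8 }' |
    while read -r hexport inode uid; do
        printf '%d %s %s\n' "$((0x$hexport))" "$inode" "$uid"
    done
}

pid_for_inode() {
    # $1 = socket inode; prints the pid(s) whose fd table holds that socket.
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        printf '%s\n' "$fd" | cut -d/ -f3
    done | sort -u
}

describe_pid() {
    # Show what the kernel knows about the process, independent of ps.
    # readlink keeps the " (deleted)" suffix if the binary was unlinked.
    pid=$1
    printf 'pid %s\n' "$pid"
    printf '  exe: %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    printf '  cwd: %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    printf '  cmd: %s\n' "$(tr '\000' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
}

audit_listeners() {
    # Live use:  audit_listeners < /proc/net/tcp   (repeat for tcp6/udp)
    listening_sockets | while read -r port inode uid; do
        printf 'port %s  (inode %s, uid %s)\n' "$port" "$inode" "$uid"
        for pid in $(pid_for_inode "$inode"); do
            describe_pid "$pid"
        done
    done
}

if [ "${1:-}" = "live" ]; then
    audit_listeners < /proc/net/tcp
else
    sample_proc_net_tcp | listening_sockets
fi
```

Run it as `sh audit.sh live` on the affected host. If the exe link ends in "(deleted)", the binary is gone from the filesystem but not from the kernel: `cp /proc/PID/exe /root/evidence.bin` recovers it as long as the process is still alive, which is one more reason not to kill the bot before looking.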


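Marek's two mitigations, /tmp mounted noexec and open_basedir in PHP, are easy to believe you have and not actually have, especially across many VirtualHosts. The checker below is an added example, not code from the thread: it verifies a mount option from /proc/mounts-format text and lists every <VirtualHost> in an Apache/mod_php config that sets no php_admin_value open_basedir. The mount lines, hostnames and paths in the samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify noexec on /tmp and a
# per-VirtualHost open_basedir instead of assuming they are in place.

sample_mounts() {
    # Constructed /proc/mounts lines, not from a real host.
    cat <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

mount_has_option() {
    # $1 = mount point, $2 = option; reads /proc/mounts-format text on stdin.
    # Exit 0 if the option appears as a whole word in that mount's option list.
    awk -v mp="$1" -v opt="$2" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { exit found ? 0 : 1 }'
}

sample_vhosts() {
    # Constructed Apache config with mod_php.  php_admin_value cannot be
    # overridden from .htaccess or ini_set(), unlike php_value.
    cat <<'EOF'
<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot /var/www/alice/htdocs
    php_admin_value open_basedir /var/www/alice:/tmp
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example
    DocumentRoot /var/www/bob/htdocs
</VirtualHost>
EOF
}

vhosts_missing_open_basedir() {
    # Reads Apache config on stdin; prints the ServerName of every
    # <VirtualHost> block that sets no php_admin_value open_basedir.
    awk '
        /<VirtualHost/                      { name = "?"; ob = 0 }
        /^[ \t]*ServerName[ \t]/            { name = $2 }
        /php_admin_value[ \t]+open_basedir/ { ob = 1 }
        /<\/VirtualHost>/                   { if (!ob) print name }'
}

# Live use:
#   mount_has_option /tmp noexec < /proc/mounts || echo "/tmp is executable"
#   cat /etc/apache2/sites-enabled/* | vhosts_missing_open_basedir
if [ -r /proc/mounts ] && mount_has_option /tmp noexec < /proc/mounts; then
    echo "/tmp is mounted noexec"
fi
sample_vhosts | vhosts_missing_open_basedir
```

Two caveats on what these settings actually stop. noexec prevents a downloaded binary in /tmp from being executed directly, but `perl /tmp/bot.pl` or `sh /tmp/x` still runs because the interpreter, not the file, is what gets executed. open_basedir limits which files PHP itself will open; it does nothing for a process PHP spawns through system() or exec(), so it is worth pairing with PHP's disable_functions.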
