Re: Am I compromised
Marek Podmaka on Monday 28 Nov 2005 01:53 wrote:
> Hello Ritesh,
>
> Friday, November 25, 2005, 18:39:16, Ritesh Raj Sarraf wrote:
>
>> 1) Stopped the apache2 service.
>> 2) Still found a non-existent /usr/sbin/httpd process running. Killed it.
>> It got killed.
>
> I saw a similar attack on my server about a year ago. I was also very
> concerned about security. But after some investigation, I was sure
> it was nothing more than executing some scripts through buggy php scripts
> (awstats, phpbb). The attacker tried a few downloaded old exploits, but
> they didn't work. These are my suggestions:
>
> Don't stop anything. If it's possible (and I think it is possible to
> spend one hour investigating on a live server if it had possibly been
> hacked for several hours/days before you noticed), try to get as much
> info as you can. With everything running, run nmap to see if any
> process has opened a port for listening. Usually it will be a shell or
> an IRC bot (I think it was an IRC bot in your case as it was using a lot
> of CPU).
>
> /proc is your friend. It is easy to alter what "ps" says.
> /proc/pid/exe is a link to the executable. If you are lucky, it will
> still be on your HDD (and not deleted after executing).
>
> And here is what I did to the "attacker" when I was sure he hadn't
> gained anything except running a shell on port XX as the www-data user.
> Bash tried to write /.bash_history, but obviously it wasn't
> possible. So I created /.bash_history as root with write-only
> permissions for everyone. And within one day I was looking at the attacker's
> commands :) I also wrote a small script which did a periodic
> netstat|grep :portXX, so I got the IP from which he was connecting (some
> Romanian GSM operator).
>
> One good prevention (when you can't use safe_mode in PHP) is to have
> /tmp mounted noexec and use at least open_basedir in PHP.
>
>
I agree with what you mentioned. My root account wasn't compromised. It was
an IRC bot which ate most of the CPU cycles and made the server sluggish.
For now I've disabled php/perl on the server and it's working fine.
I have one question which I think people here can give better ideas on:
The server is a webserver running multiple Virtual Hosts. I can't/shouldn't
restrict my users (Virtual Host owners) from uploading any script/program
to their webroot directory. Now if one of my users is using a vulnerable
script, say awstats, it affects the whole server.
What is the best practice to handle such situations?
Regards,
rrs
--
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
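Added example (not from either poster): a small Python script that does the /proc walk Marek describes, reading listening TCP sockets straight from /proc/net/tcp, joining them to their owning pid through /proc/<pid>/fd, and checking whether /proc/<pid>/exe still points at an on-disk binary, so an impostor "httpd" that was unlinked after exec or launched from /tmp stands out even if ps has been tampered with. The function names and the scratch-directory heuristic are my own assumptions.

```python
import os

TCP_LISTEN = "0A"  # value of the 'st' column in /proc/net/tcp for a listening socket
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # where dropped tools usually land

def parse_listeners(net_tcp_text):
    """Map socket inode -> local port for each LISTEN row of /proc/net/tcp
    (or tcp6); the file stores addresses and ports in hex."""
    listeners = {}
    for line in net_tcp_text.splitlines()[1:]:  # first line is the header
        f = line.split()
        if len(f) >= 10 and f[3] == TCP_LISTEN:
            listeners[f[9]] = int(f[1].rsplit(":", 1)[1], 16)
    return listeners

def exe_status(exe_target):
    """Classify readlink(/proc/<pid>/exe).  A binary unlinked after exec keeps
    running, but its link ends in ' (deleted)', which ps alone will not show."""
    if exe_target is None:
        return "unreadable"
    if exe_target.endswith(" (deleted)"):
        return "deleted"
    return "scratch-dir" if exe_target.startswith(SCRATCH_DIRS) else "on-disk"

def _safe(fn, path, default):
    try:
        return fn(path)
    except OSError:  # pid vanished, or not permitted (run as root to see every user)
        return default

def scan(proc="/proc"):
    """Report (pid, exe status, listening ports) for pids that listen on TCP or whose exe is deleted or in a scratch dir."""
    listeners = {}
    for name in ("tcp", "tcp6"):
        path = os.path.join(proc, "net", name)
        if os.path.exists(path):
            with open(path) as fh:
                listeners.update(parse_listeners(fh.read()))
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        ports = set()
        for fd in _safe(os.listdir, fd_dir, []):
            target = _safe(os.readlink, os.path.join(fd_dir, fd), "")
            if target.startswith("socket:[") and target[8:-1] in listeners:
                ports.add(listeners[target[8:-1]])
        status = exe_status(_safe(os.readlink, os.path.join(proc, pid, "exe"), None))
        if ports or status in ("deleted", "scratch-dir"):
            findings.append((int(pid), status, sorted(ports)))
    return findings
```

Run it as root on the live box before stopping anything, then copy /proc/<pid>/exe of anything flagged "deleted" or "scratch-dir" off the machine while the process is still alive.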