
Re: we were attacked



danilo lujambio wrote:
in one of our servers with Sarge we are suffering an attack which put a perl script and two executables in /tmp with owner www-data. We couldn't find any data in messages, syslog, apache.log which helps us. We have a shorewall with very few ports open (ssh, ftp and web).
Can someone help us with how to look for the source of the attack?
We had this very thing happen to us for a while. Fortunately, it didn't look like they were infecting any of our files.... they were just sending out a bunch of Spanish spam to Brazil through us.

Every time they got in, they'd create some files in /tmp... (one called "r0nin", I think). One would be the mailer script and the others would be the lists of addresses, the content to send, etc. We'd kill the processes and delete the files, and they'd show up again the next morning. So, we created null files, read-only, owned by root, of all of the names the guy was using.... and he just used different names. Later, he also started using dotted directories.... so make sure that you do "ls -la" on your /tmp. He also would sometimes go use /var/tmp, so check that, too.

I could never find anything glaring in the logs. So, I eventually had to write a script that just watched the /tmp and /var/tmp directories every few seconds for files with the distinctive signature. If found, it killed all of the processes created by them and deleted them. It also recorded the time that it happened so I could narrow down how many log entries I had to scrutinize.

It finally turned out to be a command-injection thing in PHP. In retrospect, we were asking for it. We had turned "register_globals" on so that it didn't break some old PHP scripts that our customers had. Eventually, we found a customer's script that was poorly written and allowed the intruder to execute whatever they wanted as www-data.

- Joe
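The watchdog Joe describes, as an added example that is not his script and is not part of the original thread: it polls the temp directories every few seconds for entries that match the pattern in the posts above (owned by www-data, named like "r0nin", hidden dotted entries, perl scripts or ELF binaries sitting in a temp directory), kills the processes using them, removes them, and writes a timestamp so the surrounding web-server and syslog entries can be narrowed down. The owner name, the "r0nin" pattern, the directories, the interval and the log path are placeholders for one particular host; it assumes Linux with /proc and is meant to run as root.

```shell
#!/bin/sh
# Added example, not the script from the post above. Polls the temp
# directories for drops matching the pattern described in the thread,
# kills the processes using them, removes them and logs a timestamp.
# Assumptions: Linux with /proc, run as root, and the placeholder owner,
# name pattern, directories, interval and log path below.

WATCH_DIRS="${WATCH_DIRS:-/tmp /var/tmp}"
LOGFILE="${LOGFILE:-/var/log/tmp-watchdog.log}"
INTERVAL="${INTERVAL:-5}"                      # seconds between passes
SUSPECT_OWNER="${SUSPECT_OWNER:-www-data}"     # the web server's user

# True (exit 0) when FILE looks like one of the intruder's drops.
is_suspect() {
    f="$1"
    base=$(basename "$f")
    case "$base" in
        r0nin*) return 0 ;;                            # name seen in the attacks
        .X11-unix|.ICE-unix|.font-unix) return 1 ;;    # normal hidden dirs in /tmp
        .*) return 0 ;;                                # other dotted entries
    esac
    # Anything the web server user dropped in a temp directory.
    [ "$(ls -ld "$f" 2>/dev/null | awk '{print $3}')" = "$SUSPECT_OWNER" ] && return 0
    [ -f "$f" ] || return 1
    # A perl script: "#!...perl" on the first line.
    case "$(head -n 1 "$f" 2>/dev/null)" in '#!'*perl*) return 0 ;; esac
    # An ELF binary: magic bytes 7f 45 4c 46.
    [ "$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ] && return 0
    return 1
}

# Print the suspect entries of DIR, one per line, hidden names included
# (the script equivalent of checking the directory with "ls -la").
scan_dir() {
    d="$1"
    [ -d "$d" ] || return 0
    for f in "$d"/* "$d"/.*; do
        base=$(basename "$f")
        [ "$base" = . ] && continue
        [ "$base" = .. ] && continue
        [ -e "$f" ] || continue                        # unmatched glob
        is_suspect "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Kill every process that is executing FILE, has it open, has it as its cwd
# (a dotted drop directory), or names it on the command line; the perl
# interpreter runs the mailer script, so checking "exe" alone would miss it.
kill_users_of() {
    f="$1"
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        hit=0
        for link in "$p/exe" "$p/cwd" "$p"/fd/*; do
            case "$(readlink "$link" 2>/dev/null)" in "$f"|"$f (deleted)") hit=1 ;; esac
        done
        if tr '\0' ' ' < "$p/cmdline" 2>/dev/null | grep -qF -- "$f"; then hit=1; fi
        [ "$hit" -eq 1 ] || continue
        kill -9 "$pid" 2>/dev/null && printf 'killed pid %s for %s\n' "$pid" "$f"
    done
    return 0
}

# Log, kill and remove one suspect; the timestamp narrows the log window.
handle() {
    f="$1"
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    printf '%s found %s\n' "$stamp" "$f" >> "$LOGFILE"
    kill_users_of "$f" >> "$LOGFILE"
    rm -rf -- "$f"
}

main() {
    while :; do
        for d in $WATCH_DIRS; do
            scan_dir "$d" | while IFS= read -r f; do handle "$f"; done
        done
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked with --run, so the functions can be
# sourced and exercised without touching the real directories.
if [ "${1:-}" = "--run" ]; then main; fi
```

Start it as root with `sh tmp-watchdog.sh --run &` and read the log next to access.log afterwards: each "found" line gives the minute in which the drop appeared, which is the request window to grep for. The kill step is deliberately blunt (`kill -9`), as in the original account; tune the name and owner checks before trusting it on a multi-user box, since the owner test alone will flag every legitimate www-data temp file.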
