Re: we were attacked
danilo lujambio wrote:
> in one of our servers with Sarge we are suffering an attack which puts a
> perl script and two executables in /tmp with owner www-data.
> We couldn't find any data in messages, syslog, apache.log which help
> us. We have a shorewall with very few ports open (ssh, ftp and web).
We had this very thing happen to us for a while. Fortunately, it didn't
look like they were infecting any of our files.... they were just
sending out a bunch of spanish spam to Brazil through us.
> Can someone help us in how to look for the source of the attack?
Every time they got in, they'd create some files in /tmp... (one called
"r0nin", I think). One would be the mailer script and the others would
be the lists of addresses, the content to send, etc. We'd kill the
processes and delete the files, and they'd show up again the next
morning. So, we created null files, read-only, owned by root, of all of
the names the guy was using.... and he just used different names. Later,
he also started using dotted directories.... so make sure that you do
"ls -la" on your /tmp. He also would sometimes go use /var/tmp, so check
I could never find anything glaring in the logs. So, I eventually had to
write a script that just watched the /tmp and /var/tmp directories every
few seconds for files with the distinctive signature. If found, it
killed all of the processes created by them and deleted them. It also
recorded the time that it happened so I could narrow down how many log
entries I had to scrutinize.
It finally turned out to be a command-injection thing in PHP. In
retrospect, we were asking for it. We had turned "register_globals" on
so that it didn't break some old PHP scripts that our customers had.
Eventually, we found a customer's script that was poorly written and
allowed the intruder to execute whatever they wanted as www-data.
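The watcher described above (poll /tmp and /var/tmp, flag drop-file signatures, note the time so the log search can be narrowed) can be sketched as follows. This is an added example, not the script from the original post: the watched name "r0nin" is taken from the post, while the directory list, the "dotted directory" and "executable owned by the web-server uid" rules, the ignore list, the log file path and the sample tree built by build_sample_dir() are assumptions made for the demonstration. It only reports and timestamps; the poster's script also killed the processes and deleted the files.

```python
"""Poll scratch directories for intruder drop files and report, with a
timestamp, what was found and which processes run from those directories.
Added example; directory list, rules and sample data are assumptions."""
import os
import shutil
import stat
import tempfile
import time
from datetime import datetime

# Name seen by the poster, plus scratch directories commonly abused.
WATCH_NAMES = {"r0nin"}
SCRATCH_DIRS = ("/tmp", "/var/tmp")
# Legitimate dotted directories that X11 and friends keep in /tmp (assumed).
IGNORE_NAMES = {".X11-unix", ".ICE-unix", ".font-unix"}


def suspicious_entries(root, web_uid, watch_names=WATCH_NAMES):
    """Return (path, reason) pairs for entries under root that match a
    drop-file signature: a watched name, a dotted directory, or an
    executable regular file owned by the web-server uid."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in IGNORE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # do not follow symlinks
            except OSError:
                continue
            reasons = []
            if name in watch_names:
                reasons.append("known name")
            if name.startswith(".") and stat.S_ISDIR(st.st_mode):
                reasons.append("dotted directory")
            if (stat.S_ISREG(st.st_mode) and st.st_uid == web_uid
                    and st.st_mode & 0o111):
                reasons.append("executable owned by web uid")
            if reasons:
                hits.append((path, ", ".join(reasons)))
    return hits


def processes_running_from(dirs):
    """Return (pid, target) for processes whose executable or working
    directory lies under one of dirs (Linux /proc; empty list elsewhere)."""
    found = []
    if not os.path.isdir("/proc"):
        return found
    for pid in filter(str.isdigit, os.listdir("/proc")):
        for link in ("exe", "cwd"):
            try:
                target = os.readlink(f"/proc/{pid}/{link}")
            except OSError:
                continue
            if any(target == d or target.startswith(d + "/") for d in dirs):
                found.append((int(pid), target))
                break
    return found


def scan_once(dirs, web_uid, logfile=None):
    """One polling pass: collect hits, stamp them, optionally append to a log
    file so the time can later be matched against apache/syslog entries."""
    stamp = datetime.now().isoformat(timespec="seconds")
    lines = [f"{stamp} {path}: {why}"
             for root in dirs if os.path.isdir(root)
             for path, why in suspicious_entries(root, web_uid)]
    lines += [f"{stamp} pid {pid} runs from {target}"
              for pid, target in processes_running_from(dirs)]
    if logfile and lines:
        with open(logfile, "a") as fh:
            fh.write("\n".join(lines) + "\n")
    return lines


def watch(dirs=SCRATCH_DIRS, web_uid=33, interval=5, logfile="/var/log/tmpwatch.log"):
    """Loop forever, printing and logging hits every `interval` seconds.
    uid 33 is www-data on Debian (assumed default)."""
    while True:
        for line in scan_once(dirs, web_uid, logfile):
            print(line)
        time.sleep(interval)


def build_sample_dir():
    """Constructed sample tree (assumption for the demo): a file with a
    watched name, a dotted directory, an executable owned by the caller and
    one innocent file. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="scratch-demo-")
    open(os.path.join(root, "r0nin"), "w").close()
    os.mkdir(os.path.join(root, ".mailer"))
    exe = os.path.join(root, "mailer.pl")
    with open(exe, "w") as fh:
        fh.write("#!/usr/bin/perl\n")
    os.chmod(exe, 0o755)
    open(os.path.join(root, "sess_abc"), "w").close()
    return root


def demo():
    """Scan the constructed tree treating the caller's uid as the web uid,
    then remove it; returns {basename: reason}."""
    root = build_sample_dir()
    try:
        return {os.path.basename(p): why
                for p, why in suspicious_entries(root, os.getuid())}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, why in sorted(demo().items()):
        print(f"{name}: {why}")
```

Run as root with `watch()` on a live box; the demo() path exercises the rules on a throwaway tree so they can be checked without touching the real /tmp. Any hit should be matched by timestamp against the web server's access log, which is how the command-injection script in the post was eventually located.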