Steve Kemp wrote:
Say what you will... but we tried everything else that we knew at the time. I actually scanned *every* file on the machine (ie "find / -type f -exec grep -l r0nin {}") for anything containing the various filenames, to no avail. In case it was a problem in the kernel, or Apache, or Perl, or whatever, we regularly used apt to upgrade all of the packages on the system to the latest available, including running the latest kernel.On Fri, Apr 07, 2006 at 02:51:35PM -0700, Joe Emenaker wrote:I could never find anything glaring in the logs. So, I eventually had to write a script that just watched the /tmp and /var/tmp directories every few seconds for files with the distinctive signature. If found, it killed all of the processes created by them and deleted them. It also recorded the time that it happened so I could narrow down how many log entries I had to scrutinize.That is an appalling approach to dealing with the problem, especially if you have an old kernel which could allow privilege escalation.
Well, "r0nin" and "/tmp" never appeared in the logs. As I recall, "wget" did, but, at the time, we had no idea that that was the way they were doing it. At the time, we suspected some broken HTTP file-upload code in someone's script, or in Apache itself.There are several approaches to actually tracking down the source of the problem. The most obvious is to use the mod_security module for Apache to log incoming payloads and ban requests containing strings such as 'wget', 'r0nin', '/tmp', etc.
Yeah, that probably would have helped. It's funny how, *after* you know what the problem is, you clearly know the steps to take to find it. It's interesting that you didn't mention any of these things to the original poster.Another approach would be to install 'snoopy', or similar, to log *every* executed script upon a host and then walk backwards from the initial intrusion to the execution of the script.
But, if I'm going to get labeled as appalling for trying to help the guy out, then, next time, I'll just keep my trap shut and let the dude suffer. In fact, maybe I'll go the whole nine yards and just criticize the other posters who *do* try to help.
- Joe