[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: we were attacked

Steve Kemp wrote:
On Fri, Apr 07, 2006 at 02:51:35PM -0700, Joe Emenaker wrote:
I could never find anything glaring in the logs. So, I eventually had to write a script that just watched the /tmp and /var/tmp directories every few seconds for files with the distinctive signature. If found, it killed all of the processes created by them and deleted them. It also recorded the time that it happened so I could narrow down how many log entries I had to scrutinize.

  That is an appalling approach to dealing with the problem, especially
 if you have an old kernel which could allow privilege escalation.
Say what you will... but we tried everything else that we knew at the time. I actually scanned *every* file on the machine (ie "find / -type f -exec grep -l r0nin {}") for anything containing the various filenames, to no avail. In case it was a problem in the kernel, or Apache, or Perl, or whatever, we regularly used apt to upgrade all of the packages on the system to the latest available, including running the latest kernel.
  There are several approaches to actually tracking down the source
 of the problem.  The most obvious is to use the mod_security
 module for Apache to log incoming payloads and ban requests containing
 strings such as 'wget', 'r0nin', '/tmp', etc.
Well, "r0nin" and "/tmp" never appeared in the logs. As I recall, "wget" did, but, at the time, we had no idea that that was the way they were doing it. At the time, we suspected some broken HTTP file-upload code in someone's script, or in Apache itself.
  Another approach would be to install 'snoopy', or similar, to log
 *every* executed script upon a host and then walk backwards from the
 initial intrusion to the execution of the script.
Yeah, that probably would have helped. It's funny how, *after* you know what the problem is, you clearly know the steps to take to find it. It's interesting that you didn't mention any of these things to the original poster.

But, if I'm going to get labeled as appalling for trying to help the guy out, then, next time, I'll just keep my trap shut and let the dude suffer. In fact, maybe I'll go the whole nine yards and just criticize the other posters who *do* try to help.

- Joe

Reply to: