in one of our servers with Sarge we are suffering an attack wich put a perl script and two executables in /tmp with owner www-data. We couldn't find any data in messages , syslog, apache.log which help us. We have a shorewall with very few ports open (ssh , ftp and web) .Had an attack just like this once (scripts in /tmp, owned by www-data). Ours was the result of a php vulnerability because we had register_globals turned on.Can someone help us in how to looking for the source of the attack ?
What I would do is check the creation time of all of the files, take the earliest and look through all of your web logs for any php stuff around that time. You might find a request that has a bunch of suspicious-looking stuff in the query string.
Another thing we did was we left the files in tmp, but owned them by root and chmod'd them to 400... same for any directories. All this did was get them to have to pick another filename for their scripts and data files... but it kept them "on the line" for that much longer and got them to leave that much more trace of their activity.
Also, don't forget to also check /var/tmp if your /tmp isn't symlinked to it.
Also, be prepared for some hard-core sysadmins on this list to tell you that you should immediately take the entire system off the net until you can find the hole and plug it.... and if you can't find it without keeping it on the net, then inform your customers that they need to find a new host and inform your boss that your company will be closing its doors. :|
- Joe
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature