
compromised box. please advise



Hi all,

I was just trying to find out why I was having trouble with NFS when I
spotted a program being run from /tmp and on investigation, it seemed
like someone had managed to get apache to download a C program, compile
and run it.

This program opened port 5000 and the https port (maybe a couple of
other ports - I don't remember). I telnetted to the port and put in the
password (from the source file) and it gave me a bash prompt as the
www-data user - not a pleasant experience, as you can imagine.

I switched the machine off, went into single user mode and
unfortunately, lost all traces of this program. I ran debsums to check
that all the files are still ok, which it seems to be and there are no
additional user accounts or anything.

I have a relatively strict firewall, so whoever installed the trojan
should not have got access to it unless the trojan opened an outward
connection, which it didn't seem to, although I didn't look at the code too
closely.

The program was called bd.c and was created on June 6, so all the
logs I have are too new to be able to do any real kind of tracking down.

Any help that anyone can provide that might help me track this thing
down further and detect it earlier if it happens again would be much
appreciated.

I have snort, logcheck and fcheck installed, none of which detected
anything at all.

Thanks,


Shri

-- 
------------------------------------------------------------------------
Shri Shrikumar       U R Byte Solutions           Tel:   0845 644 4745
I.T. Consultant      Edinburgh, Scotland          Mob:   0773 980 3499
                     Web: www.urbyte.com          Email: shri@urbyte.com
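The two signs Shri describes (a binary executing out of /tmp as www-data, and a listening port nobody opened) are cheap to sweep for on a schedule, which is the "detect it earlier" part of the question. The script below is an added example and is not code from the original post; it assumes a Linux /proc and iproute2's `ss`, and the allow-list of expected ports is a constructed placeholder to be replaced with the box's real services.

```sh
#!/bin/sh
# Added example, not from the original post. Sweeps a Debian-style host for
# processes running out of world-writable directories (or from a binary that
# has since been deleted, as bd.c's build products would be) and for TCP
# listeners outside an allow-list. Run it from cron and mail any output.

# Classify one process record: pid, resolved exe path, owning user.
# Prints a reason when the record looks suspicious, nothing otherwise.
classify_proc() {
    pid=$1; exe=$2; user=$3
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*)
            echo "pid $pid ($user) executing from a world-writable dir: $exe" ;;
        *" (deleted)")
            echo "pid $pid ($user) running a binary that was unlinked: $exe" ;;
    esac
}

# Walk /proc and classify every process we are allowed to inspect.
# Reading /proc/<pid>/exe of other users' processes needs root.
scan_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        user=$(stat -c %U "$d" 2>/dev/null || echo '?')
        classify_proc "$pid" "$exe" "$user"
    done
}

# Print the ports in the argument list that are not in the allow-list.
# First argument: space-separated allow-list; remaining: ports to check.
unexpected_ports() {
    allow=" $1 "; shift
    for p in "$@"; do
        case "$allow" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Current TCP listening ports, one per line (port is the last ':' field).
listening_ports() {
    ss -ltn 2>/dev/null | awk 'NR > 1 { sub(/.*:/, "", $4); print $4 }' | sort -un
}

# Constructed allow-list: ssh, http, https. Adjust for the real host.
EXPECTED_PORTS="22 80 443"

if [ "${1:-}" = "--run" ]; then
    scan_procs
    unexpected_ports "$EXPECTED_PORTS" $(listening_ports) | sed 's/^/unexpected listener on port /'
fi
```

A port 5000 backdoor like the one described shows up as a line from the second check; a bash bound by a binary in /tmp shows up in the first, even after the attacker removes the file.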
