
Re: Am I Compromised -- Some interesting findings



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Derek "The Monkey" Wueppelmann on Friday 25 Nov 2005 23:10 wrote:

> On Fri, 2005-25-11 at 22:12 +0530, Ritesh Raj Sarraf wrote:
>> In my first mail, the logs showed a lot of "sh" defunct processes
>> executed from within apache. Is this an attempt to gain the shell through
>> the web server ?
>> 
>> Please suggest what more I should look for and how to tackle this
>> attack.
> 
> Do you have mod_php installed? Are you running any php based
> applications? Some of them have potential vulnerabilities if certain
> functions are being used, I don't recall off hand which ones.
>

Yes, I do have mod_php installed and I do run php applications (squirrelmail
and a couple more). But mod_perl was the culprit. Precisely awstats was the
culprit. There was a DSA against awstats a couple of weeks back and I did a
prompt upgrade, but since awstats was installed in a non-standard way, I still
remained vulnerable.

My colleague who had physical access to the machine had installed copies of
awstats in the VirtualHosts. So even though the master copy of awstats got
updated, the copied versions were still vulnerable.

And the system logs (posted on debian-isp) as I investigated revealed that
awstats was used to break into the server.
 
> From your first post I would have thought that you had a perl script
> that was running in an infinite loop. However I don't know why you
> should have a /usr/sbin/httpd application on your system, let alone why it
> would be running it. Debian I don't believe ever calls any web process
> httpd. So I would check with dpkg what package that file belongs to.
>

That is what got me confused at first. Since there's no /usr/sbin/httpd
binary in a Debian-based apache installation I was wondering how this was
being shown. And interestingly there was no /usr/sbin/httpd file present
either.
 
> If I were you I would probably disconnect that server from the internet
> until you sort out what is going on, what is causing the problems and if
> any of your files have been compromised. The longer you leave your
> system up and running with symptoms of being compromised the longer you
> leave yourself exposed to actually being compromised or getting your
> system further into a state of non-recovery.
>

That's the biggest challenge right now. I don't have physical access to the
system and I don't think my client will be able to bear my travelling
expenses.

> You can probably try installing and running chkrootkit along with tiger.
> These might help determine how and if your system is actually
> compromised.
> 

chkrootkit was of no help. It reported that the system was absolutely fine.
I haven't tried tiger yet.

> I hope that this helps.
>

Thanks for replying.

Regards,

rrs
- -- 
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDh0884Rhi6gTxMLwRAs1yAJ9/+Y+yQB0zHx45XURokjitzmr2+QCfcJ8A
jyTaWOZEVpnlVM6ERMOYY2A=
=V+8a
-----END PGP SIGNATURE-----
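The lesson in the message above is that a package upgrade only fixes the copy the package manager knows about; hand-copied instances of awstats.pl inside the VirtualHost trees stayed at the vulnerable version. The following is an added example, not code from the thread or from the awstats or Debian projects: a small Python check that walks one or more document roots, finds every file with the same name as a package-managed master script, and reports copies whose content differs from that master. The file layout, paths and file contents in demo() are constructed stand-ins; the master path and the list of roots are assumed parameters you would supply for a real host.

```python
"""Find copies of a packaged web application that a package upgrade will not touch.

Hypothetical defender's check (not from the original thread): given the path of
the package-managed master copy of a script (e.g. awstats.pl) and one or more
document roots, walk the roots, locate every file with the same name, and
report copies whose content differs from the master. A byte-identical copy was
refreshed; a differing copy is stale and still needs updating.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    status: str  # "identical" or "stale"


def sha256_of(path):
    """Hash a file in chunks so large scripts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_stray_copies(master_path, roots):
    """Return a Finding for every file under roots that shares the master's basename."""
    name = os.path.basename(master_path)
    master_hash = sha256_of(master_path)
    master_real = os.path.realpath(master_path)
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if name not in files:
                continue
            candidate = os.path.join(dirpath, name)
            if os.path.realpath(candidate) == master_real:
                continue  # a symlink to the master is upgraded with the package
            status = "identical" if sha256_of(candidate) == master_hash else "stale"
            findings.append(Finding(candidate, status))
    return sorted(findings, key=lambda f: f.path)


def demo():
    """Constructed tree: a patched master, one stale vhost copy, one refreshed copy, one symlink."""
    base = tempfile.mkdtemp()
    master = os.path.join(base, "usr", "lib", "cgi-bin", "awstats.pl")
    os.makedirs(os.path.dirname(master))
    with open(master, "w") as f:
        f.write("# constructed stand-in for the patched awstats.pl\n")
    vh = os.path.join(base, "var", "www")
    stale = os.path.join(vh, "vhost1", "cgi-bin", "awstats.pl")
    fresh = os.path.join(vh, "vhost2", "cgi-bin", "awstats.pl")
    link = os.path.join(vh, "vhost3", "cgi-bin", "awstats.pl")
    for p in (stale, fresh, link):
        os.makedirs(os.path.dirname(p))
    with open(stale, "w") as f:
        f.write("# constructed stand-in for the OLD, vulnerable awstats.pl\n")
    with open(fresh, "w") as f:
        f.write("# constructed stand-in for the patched awstats.pl\n")
    os.symlink(master, link)
    findings = find_stray_copies(master, [vh])
    # Strip the temp prefix so the result reads like real paths.
    return {f.path.replace(base, ""): f.status for f in findings}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9s} {path}")
```

On a real Debian host the master path would be the one `dpkg -L awstats` reports and the roots would be the DocumentRoot and ScriptAlias directories of every VirtualHost; anything reported as "stale" is a copy that the DSA upgrade never reached.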
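Two of the symptoms discussed in the thread, defunct "sh" children of the web server and a process that presents itself as /usr/sbin/httpd although no such file exists, can both be picked out of a plain `ps` listing. The following is an added example, not code from the thread: a Python helper that parses the output of `ps -eo pid,ppid,stat,user,args --no-headers`, flags zombie children of the web server, and flags any process whose argv[0] is an absolute path that is not present on disk. The listing and the set of known binaries are constructed, not captured from a real host, and the existence check is injectable so the sample runs offline.

```python
"""Triage a `ps` listing for two of the symptoms discussed in the thread.

Hypothetical defender's helper, not from the original post. It parses
`ps -eo pid,ppid,stat,user,args --no-headers` output and flags:
  * zombie/defunct children of the web server (stat starts with 'Z'),
  * processes whose argv[0] is an absolute path that does not exist on disk,
    which is how a process with a forged or deleted binary shows up.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    stat: str
    user: str
    args: str


# pid  ppid  stat  user  args...
PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_ps(text):
    """Turn the text of a ps listing into Proc records; unparseable lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, ppid, stat, user, args = m.groups()
        procs.append(Proc(int(pid), int(ppid), stat, user, args.strip()))
    return procs


def triage(procs, webserver_names=("apache", "apache2"), exists=os.path.exists):
    """Return (pid, reason) alerts for the two symptoms described above."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        argv0 = p.args.split()[0] if p.args else ""
        parent = by_pid.get(p.ppid)
        if p.stat.startswith("Z") and parent is not None:
            parent_name = os.path.basename(parent.args.split()[0]) if parent.args else ""
            if parent_name in webserver_names:
                alerts.append((p.pid, "defunct child of web server: %s" % p.args))
        # A normal daemon's argv[0] points at a binary that is actually installed.
        if argv0.startswith("/") and not exists(argv0):
            alerts.append((p.pid, "claims a binary that does not exist on disk: %s" % argv0))
    return alerts


# Constructed listing, modelled on the symptoms in the thread (not a real capture).
SAMPLE_PS = """\
    1     0 Ss   root     /sbin/init
  812     1 Ss   root     /usr/sbin/apache2 -k start
  830   812 S    www-data /usr/sbin/apache2 -k start
  901   830 Z    www-data [sh] <defunct>
  902   830 Z    www-data [sh] <defunct>
  950   830 S    www-data /usr/sbin/httpd
 1020     1 Ss   root     /usr/sbin/sshd
"""

# Constructed stand-in for "what is actually installed" on the sample host.
KNOWN_BINARIES = {"/sbin/init", "/usr/sbin/apache2", "/usr/sbin/sshd"}


def demo():
    """Run the triage over the constructed listing with the constructed binary set."""
    return triage(parse_ps(SAMPLE_PS), exists=lambda path: path in KNOWN_BINARIES)


if __name__ == "__main__":
    for pid, reason in demo():
        print(pid, reason)
```

On a live host you would drop the `exists` argument so the real filesystem is consulted, and for any flagged pid compare `/proc/<pid>/exe` with the claimed path before drawing conclusions; as the thread notes, `dpkg -S` on the claimed path tells you whether any package owns it.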
