
Re: possible server compromitation



On Mon, Aug 21, 2006 at 12:03:08PM +0200, David Siroky wrote:
> Hi!
> 
> I have an urgent situation. On one of my servers all apache
> "error.log" and "access.log" files disappeared, along with other files
> containing "logo" or "login". I found some unknown processes.
> 
> # ps -el
> ...
> 1 S  5000  1008     1  0  75   0 -   572 -      ?        00:00:16 iroffer
> 0 S  5000  7574     1  0  76   0 -  1390 -      ?        00:02:28 sifler.pl
> ...
> 
> # ps -elf
> ...
> 1 S siteman   1008     1  0  75   0 -   572 -      Aug20 ?        00:00:16 /usr/sbin/apache2                             -b php
> ...
> 0 S siteman   7574     1  0  76   0 -  1390 -      00:50 ?        00:02:28 /usr/local/apache/bin/httpd
> ...
> 
> # netstat -tp
> ...
> tcp        0      0 myserver:51087        89.163.188.1.stati:ircd ESTABLISHED7574/httpd
> ...
> tcp        0      0 myserver:48680        216.75.30.87:ircd       ESTABLISHED1008/apache2
> ...
> 
> In /usr/local there is no directory "apache" and my regular http
> server is not running now. User "siteman" (UID 5000) is a user I assigned to
> the regular apache2 and proftpd server. My system is Debian testing. So
> far I haven't found any trace of where the possible intruder found a way
> into my server.
> 
> Thank you for any advice.
> 

You cannot trust any binaries on a compromised system, especially ps, as
it is one of the ones any decent root kit would replace in order to hide
its presence.  That said, you can boot from Knoppix or another live CD
and check the md5sums of all the files in your packages (I believe
debsums would be helpful for this).

If you even think that the machine may be compromised then:

- immediately shut down the machine
- boot from the live CD, attach an external drive
- image the compromised drive
- do all forensic work on the image
- if possible, figure out the attack vector
- wipe the original drive and reinstall
- make sure you have closed off the attack vector
- if the hole is in a Debian package, file a critical bug against it

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto
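An added example, not part of the thread: the discrepancy David spotted by eye (ps -el reports the kernel's name for the process, iroffer and sifler.pl, while ps -elf shows an argv[0] the process rewrote to look like apache, and both sit on IRC connections) can be turned into a mechanical check over the output he already has. The script below joins the three listings on PID and flags any process whose kernel-side command name is not a prefix of the basename of its argv[0], listing its remote endpoints. The sample files are constructed from the lines in the mail plus one made-up legitimate sshd connection from 192.0.2.10; the file names and the write_samples helper are this example's own.

```sh
#!/bin/sh
# Cross-check `ps -el` (kernel comm name), `ps -elf` (argv[0], which a process
# can overwrite) and `netstat -tp` (remote endpoints) to surface processes
# that disguise themselves on the command line. Added example; column
# positions follow the layout of the output quoted in the thread.

# usage: find_spoofed_processes PS_EL_FILE PS_ELF_FILE NETSTAT_FILE
find_spoofed_processes() {
    awk '
    FNR == 1 { file++ }
    # file 1: ps -el; PID is field 4, CMD (the kernel comm name) is field 14
    file == 1 && $4 ~ /^[0-9]+$/ { comm[$4] = $14; next }
    # file 2: ps -elf; CMD starts at field 15, field 15 is argv[0]
    file == 2 && $4 ~ /^[0-9]+$/ { argv0[$4] = $15; next }
    # file 3: netstat -tp; foreign address is field 5, "PID/Program" is the
    # tail of the last field (netstat fuses it onto the State column when the
    # address column overflows, as in the quoted output)
    file == 3 && $1 == "tcp" {
        tail = $NF; sub(/^[A-Z_]*/, "", tail); split(tail, p, "/")
        if (p[1] ~ /^[0-9]+$/) remote[p[1]] = remote[p[1]] " " $5
        next
    }
    END {
        for (pid in comm) {
            if (!(pid in argv0)) continue
            n = split(argv0[pid], parts, "/"); base = parts[n]
            sub(/^-/, "", base)              # login shells show as "-bash"
            # comm is truncated to 15 characters, so compare it as a prefix
            if (substr(base, 1, length(comm[pid])) != comm[pid])
                printf "%s comm=%s argv0=%s remote=%s\n", pid, comm[pid],
                    argv0[pid], (pid in remote ? substr(remote[pid], 2) : "-")
        }
    }' "$1" "$2" "$3" | sort -n
}

# Constructed sample listings: the lines from the mail plus one legitimate
# sshd so the check is shown not flagging a normal process.
write_samples() {
    cat > "$1/ps_el.txt" <<'EOF'
F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY          TIME CMD
4 S     0   800     1  0  75   0 -   812 -      ?        00:00:01 sshd
1 S  5000  1008     1  0  75   0 -   572 -      ?        00:00:16 iroffer
0 S  5000  7574     1  0  76   0 -  1390 -      ?        00:02:28 sifler.pl
EOF
    cat > "$1/ps_elf.txt" <<'EOF'
F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root       800     1  0  75   0 -   812 -      Aug20 ?        00:00:01 /usr/sbin/sshd
1 S siteman   1008     1  0  75   0 -   572 -      Aug20 ?        00:00:16 /usr/sbin/apache2                             -b php
0 S siteman   7574     1  0  76   0 -  1390 -      00:50 ?        00:02:28 /usr/local/apache/bin/httpd
EOF
    cat > "$1/netstat.txt" <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 myserver:ssh          192.0.2.10:52211        ESTABLISHED 800/sshd
tcp        0      0 myserver:51087        89.163.188.1.stati:ircd ESTABLISHED7574/httpd
tcp        0      0 myserver:48680        216.75.30.87:ircd       ESTABLISHED1008/apache2
EOF
}
```

A mismatch is a lead, not proof: the kernel sets comm from the file it executed, so an interpreted script legitimately shows the script name in comm and the interpreter in argv[0], while a process that overwrote its own argv to read "/usr/sbin/apache2" shows exactly the pattern above. And since ps and netstat themselves may be replaced, the listings are only worth reading when taken with known-good binaries (from a live CD, as the reply says).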
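As an added example of the checksum step in the reply (not code from the thread or from debsums itself): dpkg records an md5 for every file a package ships in /var/lib/dpkg/info/<pkg>.md5sums, and that list is what debsums checks. The function below does the same check against a mounted image root rather than the running system, so it can be run from a live CD over the image the reply says to take. The demo tree, the package and file names in it, and the mount paths in the comments are constructed for the example.

```sh
#!/bin/sh
# Verify package-owned files on a MOUNTED IMAGE against the checksums dpkg
# recorded at install time in <root>/var/lib/dpkg/info/<pkg>.md5sums.
# Intended use from a live CD (paths are assumptions for the example):
#   mount -o ro,noexec,loop /mnt/usb/server.img /mnt/image
#   verify_dpkg_root /mnt/image
# Never run it on the live system: its md5sum and sh are exactly the
# binaries a rootkit replaces.

# usage: verify_dpkg_root ROOT   (prints MODIFIED/MISSING lines, exit 1 if any)
verify_dpkg_root() {
    root="$1"
    bad=0
    for list in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -f "$list" ] || continue
        pkg=$(basename "$list" .md5sums)
        # each line is "<md5>  <path relative to />", as md5sum prints it
        while read -r want path; do
            [ -n "$path" ] || continue
            file="$root/$path"
            if [ ! -f "$file" ]; then
                echo "MISSING  $pkg /$path"
                bad=$((bad + 1))
                continue
            fi
            have=$(md5sum < "$file" | cut -d' ' -f1)
            if [ "$have" != "$want" ]; then
                echo "MODIFIED $pkg /$path"
                bad=$((bad + 1))
            fi
        done < "$list"
    done
    [ "$bad" -eq 0 ]
}

# Constructed demo tree standing in for the mounted image: two package-owned
# files with correct checksums recorded, after which /bin/ps is overwritten
# the way a rootkit would to hide processes. Prints the tree's path.
build_demo_root() {
    demo=$(mktemp -d)
    mkdir -p "$demo/bin" "$demo/usr/sbin" "$demo/var/lib/dpkg/info"
    printf 'genuine apache2 binary\n' > "$demo/usr/sbin/apache2"
    printf 'genuine ps binary\n' > "$demo/bin/ps"
    # record the shipped checksums the way dpkg does at install time
    (cd "$demo" && md5sum usr/sbin/apache2 > var/lib/dpkg/info/apache2.md5sums \
                && md5sum bin/ps > var/lib/dpkg/info/procps.md5sums)
    # the rootkit swaps in its own ps
    printf 'trojaned ps that hides iroffer\n' > "$demo/bin/ps"
    echo "$demo"
}
```

Two limits worth keeping in mind: the md5sums lists only cover files the packages shipped, so conffiles, locally built software and anything the attacker added (the iroffer binary, sifler.pl) are outside the check, and an intruder with root could have edited the lists on the disk as well, so a stronger comparison is against freshly downloaded .deb files rather than the image's own metadata. A clean report therefore narrows the search; it does not replace the wipe and reinstall in the reply.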
