possibly hacked - HELP
Manuel Arostegui
manuel at todo-linux.com
Fri Nov 17 08:42:48 UTC 2006
On Thu, November 16, 2006 22:56, olga at urbantimes.net wrote:
>> On Thu, 2006-11-16 at 10:26 -0600, olga at urbantimes.net wrote:
>>
>>> Hi,
>>>
>>>
>>> I wrote about kernel errors which somebody pointed out was because the
>>> server was running out of memory.
>>>
>>> Now I found the following which makes me think that that server may have
>>> been compromized.
>>>
>>> Here's what I get when I issued: netstat -nap
>>>
>>>
>>> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
>>> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
>>>
>>>
>>> About a hundred instances of that program 'ps x' running.
>>>
>>>
>>> Also here's what ps -ef produced:
>>>
>>>
>>> apache 6323 1 0 10:30 ? 00:00:00 ps x
>>> apache 6324 1 0 10:30 ? 00:00:00 ps x
>>> apache 6326 1 0 10:30 ? 00:00:00 ps x
>>> apache 6328 1 0 10:30 ? 00:00:00 ps x
>>> apache 6330 1 0 10:30 ? 00:00:00 ps x
>>
>> What does ls -l /proc/6323/exe say? That would be a symlink to the
>> executable for that process. Normal ps lives in /bin so the link should point at /bin/ps. If it
>> is connecting out to a remote host, it's likely not the normal ps, just something that's masking
>> itself to make it less likely to get picked up.
>>
>> --
>> David Hollis <dhollis at davehollis.com>
>>
>>
>
> apache 3102 1 0 15:53 ? 00:00:00 httpd
> apache 3104 1 0 15:53 ? 00:00:00 httpd
> apache 3106 1 0 15:53 ? 00:00:00 httpd
> apache 3108 1 0 15:53 ? 00:00:00 httpd
> apache 3110 1 0 15:53 ? 00:00:00 httpd
> apache 3112 1 0 15:53 ? 00:00:00 httpd
> apache 3114 1 0 15:53 ? 00:00:00 httpd
> apache 3116 1 0 15:53 ? 00:00:00 httpd
> apache 3118 1 0 15:53 ? 00:00:00 httpd
> apache 3120 1 0 15:53 ? 00:00:00 httpd
> apache 3122 1 0 15:53 ? 00:00:00 httpd
> apache 3125 1 0 15:54 ? 00:00:00 httpd
> apache 3127 1 0 15:54 ? 00:00:00 httpd
> apache 3129 1 0 15:54 ? 00:00:00 httpd
> apache 3131 1 0 15:54 ? 00:00:00 httpd
> apache 3133 1 0 15:54 ? 00:00:00 httpd
> apache 3135 1 0 15:54 ? 00:00:00 httpd
> apache 3137 1 0 15:54 ? 00:00:00 httpd
> apache 3139 1 0 15:54 ? 00:00:00 httpd
> apache 3141 1 0 15:54 ? 00:00:00 httpd
> apache 3143 1 0 15:54 ? 00:00:00 httpd
> apache 3145 1 0 15:54 ? 00:00:00 httpd
> apache 3639 1 0 15:57 ? 00:00:00 ps x
> apache 3642 1 0 15:57 ? 00:00:00 ps x
> apache 3645 1 0 15:58 ? 00:00:00 ps x
> apache 3647 1 0 15:58 ? 00:00:00 ps x
>
>
>
> I am getting a ton of these...
> Here's what ls -l /proc/3147/exe says
> lrwxrwxrwx 1 apache apache 0 Nov 16 15:56 /proc/3147/exe -> /usr/bin/perl
>
>
> When I do netstat -nap I get:
> tcp 0 0 131.x.x.x:44160 72.14.x.x:80 ESTABLISHED -
> tcp 0 0 131.x.x.x:44161 72.14.x.x:80 ESTABLISHED -
> tcp 0 0 131.x.x.x:44162 72.14.x.x:80 ESTABLISHED -
>
> The ip points to google...
>
>
> And these appeared in the /tmp folder:
>
>
> drwxrwxrwt 8 root root 4096 Nov 16 16:00 .
> drwxr-xr-x 23 root root 4096 Nov 16 14:35 ..
> srwx------ 1 root nobody 0 Nov 16 14:36 .fam_socket
> drwxrwxrwt 2 xfs xfs 4096 Nov 16 14:35 .font-unix
> srw-rw-rw- 1 root root 0 Nov 16 14:36 .gdm_socket
> -rw-r--r-- 1 apache apache 0 Nov 15 15:20 .httpd
> drwxrwxrwt 2 root root 4096 Nov 16 14:36 .ICE-unix
> drwx------ 2 root root 4096 Nov 16 14:59 mc-root
> drwx------ 2 root root 12288 Nov 16 15:16 orbit-root
> -rw-r--r-- 1 apache apache 0 Nov 16 15:58 sess_azx3a4wq3x1f2aad4a34sxx1w2o52a45
> -rw-r--r-- 1 apache apache 11669 Nov 16 15:43 sess_rdav631df3a1ddfaa34s1x1wwo521459
> -r--r--r-- 1 root root 11 Nov 16 14:36 .X0-lock
> drwxrwxrwt 2 root root 4096 Nov 16 14:36 .X11-unix
>
> What is going on?
>
Have you looked at the logs yet?
I mean, the apache ones, mod_security (if you're running it on that box), and of course the secure one.
Looking at those logs will help you a lot to find a trace of how and when the "hacker" broke into
your system, and maybe you'll be able to know what they left there. I suppose some kind of
trojanized binaries like bin, su... you know...
One more question, are you allowing groups (different from root or common users) to use wget? I'm
too paranoid with system security and I'm used to allowing ONLY root to use wget, telnet,
ftp... you know.
Still waiting for the logs.
Greetings.
Manuel.
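The check David Hollis suggested above (compare what a process calls itself with where /proc/<pid>/exe really points) is easy to run over every process at once. The script below is an added example written for this thread, not code from any of the posters; the function names (check, scan, collect_from_proc) and the SAMPLE_PROCS / SAMPLE_PATHS data are constructed from the ps and /proc output quoted in the thread, with a couple of extra constructed rows (a kernel thread, a legitimate perl job, a deleted binary) to show how those cases are handled.

```python
"""Flag processes whose advertised name does not match the binary they run.

Added example for this thread, not code from the original posts.  It automates
the /proc/<pid>/exe check: read the exe symlink and compare it with what the
process calls itself in /proc/<pid>/cmdline (argv[0] can be forged, exe cannot).
"""
import os
import shutil
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ProcInfo:
    pid: int
    owner: str     # uid or user name, as collected
    cmdline: str   # argv as the process advertises it (argv[0] may be forged)
    exe: str       # readlink of /proc/<pid>/exe: the binary actually running


Resolver = Callable[[str], Optional[str]]


def default_resolver(argv0: str) -> Optional[str]:
    """Map an advertised program name to its real on-disk path via PATH."""
    name = argv0.lstrip("-")                      # login shells show as "-bash"
    path = name if os.path.isabs(name) else shutil.which(name)
    return os.path.realpath(path) if path else None


def check(info: ProcInfo, resolver: Resolver = default_resolver) -> Optional[str]:
    """Return a reason string if the process looks like it is masquerading, else None."""
    if not info.cmdline.strip() or not info.exe:
        return None                               # kernel threads, unreadable entries
    argv0 = info.cmdline.split()[0]
    if info.exe.endswith(" (deleted)"):           # kernel marks unlinked binaries this way
        return f"binary {info.exe[:-10]} was deleted after exec"
    actual = os.path.realpath(info.exe)           # normalise /bin vs /usr/bin symlinks
    claimed = resolver(argv0)
    if claimed is None:
        # Name unknown on this host: fall back to comparing basenames.
        if os.path.basename(argv0.lstrip("-")) != os.path.basename(actual):
            return f"argv[0] {argv0!r} but exe is {actual}"
        return None
    if os.path.realpath(claimed) != actual:
        return f"argv[0] {argv0!r} resolves to {claimed} but exe is {actual}"
    return None


def scan(procs: List[ProcInfo], resolver: Resolver = default_resolver) -> Dict[int, str]:
    """Return {pid: reason} for every suspicious process in the list."""
    findings: Dict[int, str] = {}
    for p in procs:
        reason = check(p, resolver)
        if reason:
            findings[p.pid] = reason
    return findings


def collect_from_proc(root: str = "/proc") -> List[ProcInfo]:
    """Gather ProcInfo for every visible process on a live Linux host."""
    procs: List[ProcInfo] = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"{root}/{pid}/exe")
        except OSError:
            exe = ""                              # kernel thread, or not our process
        try:
            with open(f"{root}/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            owner = str(os.stat(f"{root}/{pid}").st_uid)
        except OSError:
            continue                              # process exited while we looked
        procs.append(ProcInfo(pid, owner, cmdline, exe))
    return procs


# Constructed sample data modelled on the thread's ps -ef and /proc/<pid>/exe output.
SAMPLE_PROCS: List[ProcInfo] = [
    ProcInfo(3102, "apache", "httpd", "/usr/sbin/httpd"),
    ProcInfo(3104, "apache", "httpd", "/usr/sbin/httpd"),
    ProcInfo(3639, "apache", "ps x", "/usr/bin/perl"),      # claims ps, runs perl
    ProcInfo(3642, "apache", "ps x", "/usr/bin/perl"),
    ProcInfo(2, "root", "", ""),                            # kernel thread
    ProcInfo(4100, "root", "/usr/bin/perl /opt/cron/job.pl", "/usr/bin/perl"),  # honest perl
    ProcInfo(4200, "nobody", "./agent", "/tmp/.x/agent (deleted)"),             # self-deleted
]

# Constructed PATH lookup standing in for shutil.which on the victim host.
SAMPLE_PATHS: Dict[str, str] = {"ps": "/bin/ps", "httpd": "/usr/sbin/httpd", "perl": "/usr/bin/perl"}


def sample_resolver(argv0: str) -> Optional[str]:
    name = argv0.lstrip("-")
    return name if os.path.isabs(name) else SAMPLE_PATHS.get(name)


if __name__ == "__main__":
    for pid, reason in sorted(scan(collect_from_proc()).items()):
        print(f"pid {pid}: {reason}")
```

Run it as root, otherwise /proc/<pid>/exe for other users' processes is unreadable (the same reason the second netstat above shows "-" in the PID/Program column), and cross-check flagged PIDs against netstat -nap. Because the reply above suspects trojanized binaries, the resolver's PATH lookup and the kernel's /proc view are only as trustworthy as the host; on a box you believe is compromised, run the check from a known-good static toolset or against a mounted image.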