possibly hacked
Manuel Arostegui Ramirez
manuel at todo-linux.com
Sun Nov 19 08:47:31 UTC 2006
On Thursday, 16 November 2006 22:56, olga at urbantimes.net wrote:
> > On Thu, 2006-11-16 at 10:26 -0600, olga at urbantimes.net wrote:
> >> Hi,
> >>
> >> I wrote about kernel errors which somebody pointed out was because the
> >> server was running out of memory.
> >>
> >> Now I found the following which makes me think that that server may have
> >> been compromised.
> >>
> >> Here's what I get when I issued: netstat -nap
> >>
> >> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED
> >> 5226/ps x
> >> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED
> >> 5365/ps x
> >>
> >> About a hundred instances of that program 'ps x' running.
> >>
> >> Also here's what ps -ef produced:
> >>
> >> apache 6323 1 0 10:30 ? 00:00:00 ps x
> >> apache 6324 1 0 10:30 ? 00:00:00 ps x
> >> apache 6326 1 0 10:30 ? 00:00:00 ps x
> >> apache 6328 1 0 10:30 ? 00:00:00 ps x
> >> apache 6330 1 0 10:30 ? 00:00:00 ps x
> >
> > What does ls -l /proc/6323/exe say? That would be a symlink to the
> > executable for that process. Normal ps lives in /bin so the link should
> > point at /bin/ps. If it is connecting out to a remote host, it's likely
> > not the normal ps, just something that's masking itself to make it less
> > likely to get picked up.
> >
> > --
> > David Hollis <dhollis at davehollis.com>
>
> apache 3102 1 0 15:53 ? 00:00:00 httpd
> apache 3104 1 0 15:53 ? 00:00:00 httpd
> apache 3106 1 0 15:53 ? 00:00:00 httpd
> apache 3108 1 0 15:53 ? 00:00:00 httpd
> apache 3110 1 0 15:53 ? 00:00:00 httpd
> apache 3112 1 0 15:53 ? 00:00:00 httpd
> apache 3114 1 0 15:53 ? 00:00:00 httpd
> apache 3116 1 0 15:53 ? 00:00:00 httpd
> apache 3118 1 0 15:53 ? 00:00:00 httpd
> apache 3120 1 0 15:53 ? 00:00:00 httpd
> apache 3122 1 0 15:53 ? 00:00:00 httpd
> apache 3125 1 0 15:54 ? 00:00:00 httpd
> apache 3127 1 0 15:54 ? 00:00:00 httpd
> apache 3129 1 0 15:54 ? 00:00:00 httpd
> apache 3131 1 0 15:54 ? 00:00:00 httpd
> apache 3133 1 0 15:54 ? 00:00:00 httpd
> apache 3135 1 0 15:54 ? 00:00:00 httpd
> apache 3137 1 0 15:54 ? 00:00:00 httpd
> apache 3139 1 0 15:54 ? 00:00:00 httpd
> apache 3141 1 0 15:54 ? 00:00:00 httpd
> apache 3143 1 0 15:54 ? 00:00:00 httpd
> apache 3145 1 0 15:54 ? 00:00:00 httpd
> apache 3639 1 0 15:57 ? 00:00:00 ps x
> apache 3642 1 0 15:57 ? 00:00:00 ps x
> apache 3645 1 0 15:58 ? 00:00:00 ps x
> apache 3647 1 0 15:58 ? 00:00:00 ps x
>
>
> I am getting a ton of these...
> Here's what ls -l /proc/3147/exe says:
> lrwxrwxrwx 1 apache apache 0 Nov 16 15:56 /proc/3147/exe -> /usr/bin/perl
>
> When I do netstat -nap I get:
> tcp 0 0 131.x.x.x:44160 72.14.x.x:80 ESTABLISHED -
> tcp 0 0 131.x.x.x:44161 72.14.x.x:80 ESTABLISHED -
> tcp 0 0 131.x.x.x:44162 72.14.x.x:80 ESTABLISHED -
>
> The ip points to google...
>
> And these appeared in the /tmp folder:
>
> drwxrwxrwt 8 root root 4096 Nov 16 16:00 .
> drwxr-xr-x 23 root root 4096 Nov 16 14:35 ..
> srwx------ 1 root nobody 0 Nov 16 14:36 .fam_socket
> drwxrwxrwt 2 xfs xfs 4096 Nov 16 14:35 .font-unix
> srw-rw-rw- 1 root root 0 Nov 16 14:36 .gdm_socket
> -rw-r--r-- 1 apache apache 0 Nov 15 15:20 .httpd
> drwxrwxrwt 2 root root 4096 Nov 16 14:36 .ICE-unix
> drwx------ 2 root root 4096 Nov 16 14:59 mc-root
> drwx------ 2 root root 12288 Nov 16 15:16 orbit-root
> -rw-r--r-- 1 apache apache 0 Nov 16 15:58 sess_azx3a4wq3x1f2aad4a34sxx1w2o52a45
> -rw-r--r-- 1 apache apache 11669 Nov 16 15:43 sess_rdav631df3a1ddfaa34s1x1wwo521459
> -r--r--r-- 1 root root 11 Nov 16 14:36 .X0-lock
> drwxrwxrwt 2 root root 4096 Nov 16 14:36 .X11-unix
>
> What is going on?
>
Finally... did they break into your system? Did you find something strange in
the logs? I wonder what happened; give us some information, this thread is
quite interesting and will help other folks in the near future ;-)
One way or another, if they got shell access (even a remote text shell, you
know...) you should think about reinstalling your system. As far as I know,
if they left a rootkit you must not trust your system anymore.
By the way, let me give you some advice: installing Babel Enterprise could be a
nice idea ( http://babel.sourceforge.net/en/ ), yeah yeah, it's GPL ;-)
Babel is an enterprise-grade auditing system to manage consistency of
security policy between different systems in a non-homogeneous architecture.
Babel allows you to manage very different operating systems, like AIX, Solaris,
Windows 2000, Windows XP, Linux, *BSD or HP-UX.
Babel allows the administrator team to monitor the hardening level of their
systems and keep them constantly monitored, using periodic policy polling, and of
course web-based graphical reporting, and of course centralized
management for all systems.
There's a demo online, try it.
Hope this helps.
--
Manuel Arostegui Ramirez.
Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
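The check David suggested above (compare what a process calls itself with where /proc/PID/exe really points) can be automated across the whole process table. This is an added example, not code from the thread; the process table below is constructed to mirror the thread's "ps x" backed by /usr/bin/perl, and the tolerated differences (login-shell "-" prefix, interpreter version symlinks) are this example's assumptions.

```python
import os
from typing import List, Tuple

# Constructed process table: (pid, cmdline, target of /proc/PID/exe).
SAMPLE_TABLE = [
    (3147, "ps x", "/usr/bin/perl"),                         # disguised perl, as in the thread
    (3102, "/usr/sbin/httpd", "/usr/sbin/httpd"),            # genuine apache worker
    (4000, "-bash", "/bin/bash"),                            # login shell, leading '-'
    (4001, "python3 /usr/bin/tool", "/usr/bin/python3.11"),  # interpreter behind a symlink
    (4002, "ps x", "/bin/ps"),                               # a real ps invocation
    (4003, "./update", "/tmp/update (deleted)"),             # binary unlinked after exec
]


def _name(path: str) -> str:
    """Basename with a login-shell '-' prefix and a trailing ':' stripped."""
    return os.path.basename(path).lstrip("-").rstrip(":")


def is_masquerading(cmdline: str, exe: str) -> bool:
    """True when argv[0] does not plausibly name the executable behind /proc/PID/exe.

    A process calling itself 'ps x' while running from /usr/bin/perl, or whose
    binary was deleted after it started, is the pattern seen in the thread.
    """
    argv = cmdline.split()
    if not argv or not exe:
        return False                      # kernel thread or nothing to compare
    if exe.endswith(" (deleted)"):        # Linux marks unlinked executables this way
        return True
    claimed, actual = _name(argv[0]), _name(exe)
    # Tolerate 'python3' vs 'python3.11' symlink naming, but not 'ps' vs 'perl'.
    return not (actual.startswith(claimed) or claimed.startswith(actual))


def flag_table(table) -> List[int]:
    """PIDs from a (pid, cmdline, exe) table that fail the check."""
    return [pid for pid, cmdline, exe in table if is_masquerading(cmdline, exe)]


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Walk a live /proc. Run as root: other users' /proc/PID/exe is unreadable otherwise."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue                      # exited, kernel thread, or permission denied
        if is_masquerading(cmdline, exe):
            hits.append((int(entry), cmdline.strip(), exe))
    return hits
```

A kernel-level rootkit can falsify /proc itself, so a clean result from a live scan is only reassuring when the host is booted from trusted media. Treat any hit as an indicator to investigate, not as proof on its own.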