possibly hacked

Manuel Arostegui Ramirez manuel at todo-linux.com
Sun Nov 19 08:47:31 UTC 2006


On Thursday, 16 November 2006 22:56, olga at urbantimes.net wrote:
> > On Thu, 2006-11-16 at 10:26 -0600, olga at urbantimes.net wrote:
> >> Hi,
> >>
> >>  I wrote about kernel errors which somebody pointed out was because the
> >> server was running out of memory.
> >>
> >> Now I found the following which makes me think that that server may have
> >> been compromised.
> >>
> >> Here's what I get when I issued: netstat -nap
> >>
> >> tcp    0      0 131.x.x.x:38423       72.x.x.x:80      ESTABLISHED 5226/ps x
> >> tcp    0      0 131.x.x.x:38420       72.x.x.x:80      ESTABLISHED 5365/ps x
> >>
> >> About a hundred instances of that program 'ps x' running.
> >>
> >> Also here's what ps -ef produced:
> >>
> >> apache    6323     1  0 10:30 ?        00:00:00 ps x
> >> apache    6324     1  0 10:30 ?        00:00:00 ps x
> >> apache    6326     1  0 10:30 ?        00:00:00 ps x
> >> apache    6328     1  0 10:30 ?        00:00:00 ps x
> >> apache    6330     1  0 10:30 ?        00:00:00 ps x
> >
> > What does ls -l /proc/6323/exe say?  That would be a symlink to the
> > executable for that process.  Normal ps lives in /bin so the link should
> > point at /bin/ps.  If it is connecting out to a remote host, it's likely
> > not the normal ps, just something that's masking itself to make it less
> > likely to get picked up.
> >
> > --
> > David Hollis <dhollis at davehollis.com>
>
> apache    3102     1  0 15:53 ?        00:00:00 httpd
> apache    3104     1  0 15:53 ?        00:00:00 httpd
> apache    3106     1  0 15:53 ?        00:00:00 httpd
> apache    3108     1  0 15:53 ?        00:00:00 httpd
> apache    3110     1  0 15:53 ?        00:00:00 httpd
> apache    3112     1  0 15:53 ?        00:00:00 httpd
> apache    3114     1  0 15:53 ?        00:00:00 httpd
> apache    3116     1  0 15:53 ?        00:00:00 httpd
> apache    3118     1  0 15:53 ?        00:00:00 httpd
> apache    3120     1  0 15:53 ?        00:00:00 httpd
> apache    3122     1  0 15:53 ?        00:00:00 httpd
> apache    3125     1  0 15:54 ?        00:00:00 httpd
> apache    3127     1  0 15:54 ?        00:00:00 httpd
> apache    3129     1  0 15:54 ?        00:00:00 httpd
> apache    3131     1  0 15:54 ?        00:00:00 httpd
> apache    3133     1  0 15:54 ?        00:00:00 httpd
> apache    3135     1  0 15:54 ?        00:00:00 httpd
> apache    3137     1  0 15:54 ?        00:00:00 httpd
> apache    3139     1  0 15:54 ?        00:00:00 httpd
> apache    3141     1  0 15:54 ?        00:00:00 httpd
> apache    3143     1  0 15:54 ?        00:00:00 httpd
> apache    3145     1  0 15:54 ?        00:00:00 httpd
> apache    3639     1  0 15:57 ?        00:00:00 ps x
> apache    3642     1  0 15:57 ?        00:00:00 ps x
> apache    3645     1  0 15:58 ?        00:00:00 ps x
> apache    3647     1  0 15:58 ?        00:00:00 ps x
>
>
> I am getting a ton of these...
> Here's what ls -l /proc/3147/exe says:
> lrwxrwxrwx    1 apache   apache          0 Nov 16 15:56 /proc/3147/exe -> /usr/bin/perl
>
> When I do netstat -nap I get:
> tcp        0      0 131.x.x.x:44160       72.14.x.x:80 ESTABLISHED -
> tcp        0      0 131.x.x.x:44161       72.14.x.x:80 ESTABLISHED -
> tcp        0      0 131.x.x.x:44162       72.14.x.x:80 ESTABLISHED -
>
> The ip points to google...
>
> And these appeared in the /tmp folder:
>
> drwxrwxrwt    8 root     root         4096 Nov 16 16:00 .
> drwxr-xr-x   23 root     root         4096 Nov 16 14:35 ..
> srwx------    1 root     nobody          0 Nov 16 14:36 .fam_socket
> drwxrwxrwt    2 xfs      xfs          4096 Nov 16 14:35 .font-unix
> srw-rw-rw-    1 root     root            0 Nov 16 14:36 .gdm_socket
> -rw-r--r--    1 apache   apache          0 Nov 15 15:20 .httpd
> drwxrwxrwt    2 root     root         4096 Nov 16 14:36 .ICE-unix
> drwx------    2 root     root         4096 Nov 16 14:59 mc-root
> drwx------    2 root     root        12288 Nov 16 15:16 orbit-root
> -rw-r--r--    1 apache   apache          0 Nov 16 15:58 sess_azx3a4wq3x1f2aad4a34sxx1w2o52a45
> -rw-r--r--    1 apache   apache      11669 Nov 16 15:43 sess_rdav631df3a1ddfaa34s1x1wwo521459
> -r--r--r--    1 root     root           11 Nov 16 14:36 .X0-lock
> drwxrwxrwt    2 root     root         4096 Nov 16 14:36 .X11-unix
>
> What is going on?
>

Finally... did they break into your system? Did you find anything strange in 
the logs? I wonder what happened; give us some information, this thread is 
quite interesting and will help other folks in the near future ;-)
One way or another, if they got shell access (even a remote text shell, you 
know...) you should think about reinstalling your system. As far as I know, 
if they left a rootkit you must not trust your system anymore.

By the way, let me give you some advice: installing Babel Enterprise could be a 
nice idea ( http://babel.sourceforge.net/en/ ), yeah yeah, it's GPL ;-)

Babel is an enterprise-grade auditing system to manage consistency of 
security policy between different systems in a non-homogeneous architecture. 
Babel allows you to manage very different operating systems, like AIX, Solaris, 
Windows 2000, Windows XP, Linux, *BSD or HPUX.

Babel allows an administrator team to monitor the hardening level of their 
systems and keep them constantly monitored, using periodic policy polling, and of 
course web-based graphical reporting, and of course centralized 
management for all systems.

There's a demo online, try it.

Hope this helps.
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
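The /proc/PID/exe check David Hollis suggests in the thread, generalised to every process, as an added example that is not part of the original thread: argv[0] (what ps -ef and netstat -p display) is chosen by the program itself, while the exe link is set by the kernel at exec time, so a "ps x" whose exe resolves to /usr/bin/perl stands out. The interpreter list, the message wording and the sample processes are assumptions modelled on the listings above.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interpreters a masked script shows up as in /proc/<pid>/exe: argv[0] can lie, exe cannot.
INTERPRETERS = {"perl", "python", "python2", "python3", "sh", "bash", "dash", "ruby"}

@dataclass
class Proc:
    pid: int
    cmdline: str  # what ps -ef and netstat -p print: argv, chosen by the program itself
    exe: str      # target of /proc/<pid>/exe, set by the kernel at exec time

def suspicious(p: Proc) -> Optional[str]:
    """Return a reason if the advertised name disagrees with the mapped binary."""
    parts = p.cmdline.split()
    if not parts:
        return "empty cmdline"
    claimed = os.path.basename(parts[0])
    actual = os.path.basename(p.exe)
    if actual.endswith(" (deleted)"):
        return f"executable removed from disk after exec: {p.exe}"
    if actual in INTERPRETERS and claimed not in INTERPRETERS:
        return f"script masquerading as '{claimed}': exe is {p.exe}"
    if claimed != actual:  # weaker signal: symlinked or versioned binaries also land here
        return f"name mismatch: argv[0] '{claimed}', exe {p.exe}"
    return None

def scan_proc(proc_root: str = "/proc") -> List[Tuple[Proc, str]]:
    """Walk a live /proc and return every process suspicious() flags."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel threads have no exe; other users' processes need root
        p = Proc(int(entry), cmdline, exe)
        reason = suspicious(p)
        if reason:
            hits.append((p, reason))
    return hits

# Constructed sample modelled on the thread's listings (not real captures).
SAMPLE = [Proc(3102, "httpd", "/usr/sbin/httpd"),   # genuine apache worker
          Proc(5226, "ps x", "/bin/ps"),             # genuine ps, e.g. from a cron job
          Proc(3147, "ps x", "/usr/bin/perl")]       # the case in the thread
```

Run `scan_proc()` as root on the host under suspicion; on a compromised box the `ps` and `netstat` binaries themselves may have been replaced, so reading /proc directly, or better from a known-good rescue system, is the more trustworthy view.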
