freshly hacked

SouthOfHeaven · Tux's lil' helper Joined: 05 Apr 2003 Posts: 128

just this morning i noticed my net activity at a solid 70% then found this

ps -edf | grep httpd
apache 31085 1 0 04:25 ? 00:00:00 ./.httpd
apache 31622 1 0 09:14 ? 00:00:45 ./httpd -b .update.conf

seems lke its something called iroffer thats been thrown in, found it in /tmp/.update had a few things uploaded as i checked the files in the directory, obviously seems like a scriptkiddies job, have to take down this box and rebuild now, no telling in how much info might of been downloaded. Any ideas on what else i can look at ?

xlulux · n00b Joined: 20 Aug 2004 Posts: 63

how dyou think they got in? i like forensic analising but this kinda sucks man im sorry

gurke · Apprentice Joined: 10 Jul 2003 Posts: 256

wow, they might have caused a lot of traffic. if they got shell access, you might check history files. also check logs (your httpd, etc.).
_________________
lesen gefährdet die dummheit.

xming · Guru Joined: 02 Jul 2002 Posts: 402

seeing that the httpd is running as user apache (and I suppose your apache or apache2 is running as user apache too), I think they used some know exploits of php packages (maybe phpBB?).

I hope they only got that far and I hope you are running the latest kernel without local root vunerabilities.

xming
_________________
http://wojia.be

gentoo_lan · Posted: Sat Feb 12, 2005 11:30 pm Post subject:

You need to use a chrootkit and see the extent of the damage. If your root password has been exploited you will have to format your hard drive and start all over.
_________________
Registered Linux user# 375038.

transient · l33t Joined: 13 Jan 2005 Posts: 759 Location: New Zealand

Take the opportunity to see, if possible, how they did it too. This will allow you to setup your system more securely next time.
The fact theres stuff dumped in /tmp screams of scriptkiddy, as the vast majority of exploits rely on an executable /tmp dir to work their magic.
Yet more info that its scriptkiddies... iroffer is a fileserver for IRC. Most likely your box was intended to become either a warez dump for pr0n, movies etc... or you may also have an IRC server running on your box.
If iroffer hasnt been run yet, then its likely they dont have the root password, as it requires root access to bind to its port.
However, that 70% or so traffic leads me to believe that it has been run, and mabye was running a while ago.
If youre interested, you could probably have some great fun with this, by letting it run and watching all the traffic through something like ethereal, and quite probably watch some interesting conversations

Could you post what services you are running? Ie, httpd versions, ssh server if any etc...

SouthOfHeaven · Tux's lil' helper Joined: 05 Apr 2003 Posts: 128

Sorry i didnt reply quicker but text mode Browsers arent that much fun

.

I reformated the system and started over again, backup all the logs and other things incriminating. Funny thing is that this iroffer provides user and password to the irc network it latches on to and i was able to keep that info, havent gotten around to look at the logs. I am thinking it was done throgh an exploit in CPG Nuke, as far as i know php it uses /tmp to upload so thats how im guessing it got into /tmp other then that only one inactive user in /home was compromised since i forgot to remove read permissions for other in their home dir, and unfortunately i had a symlink in there to my big few hundred gig personal drive there. The one thing i cannot understand is how it was able to execute the file it uploaded. That is what made me realize its time to rebuild. All signs point to scripkiddiot tho, will be looking forward to parsing the logs. I mean luckily there is a db with all the users logged in and their coresponding ips and time of log in then match that with apache logs see which client ip tried to access the certain upload feature of the board and voila we have an ip , contact ISP and authorities declare losses etc and let the fun begin.

Any other info is greatly appreciated from you guys. Still my main dilema has got to be how the uploaded file was executed, unless in fact it was an exploit in PHP not in the actual CPGNuke CMS.

transient · l33t Joined: 13 Jan 2005 Posts: 759 Location: New Zealand

Unfortunately, you wont be able to make anything stick if youve formatted the computer. Even with backups of the logs etc.. its easy to claim that those backups are forged.

SubAtomic · Posted: Wed Feb 16, 2005 3:11 am Post subject:

linux_girl · Apprentice Joined: 12 Sep 2003 Posts: 283

my 2cents check security update of all your open services then dig into evry log to find someting like : "hey some one deleted something from the log"

CodAv · Posted: Wed May 24, 2006 4:53 am Post subject:

Some tips for increasing security on a PHP powered web server:

Activate safe_mode restriction in php.ini
Set safe_mode_exec_dir to an empty directory, writeable only by root
Set an open_basedir for each Apache VHost. You can do this via the php_admin_value directive.
Mount /tmp with noexec, nodev and nosuid flags. In most cases, a simple tmpfs ramdisk with a maximum size of 100 MB should be enough. Just insert this line into /etc/fstab, and do a "mount /tmp" afterwards:

Code:

tmpfs /tmp tmpfs nodev,noexec,nosuid,size=100M,mode=1777 0 0

If a scriptkiddie still manages to drop a file in /tmp, there is no way to execute it.
Make yourself familiar with SSL private/public key authentication, and disable tunneled clear text passwords in your sshd configuration. This eliminates the risk weak passwords pose to your system.
Add a cronjob which runs chkrootkit on a daily basis and mails any findings to you.
Stay up to date and use glsa-check regularily

_________________
Debian is available in three different versions: rusty, stale and broken.

alex6z · Tux's lil' helper Joined: 20 Jul 2005 Posts: 111

Really, you don't have to rebuild your box! Most likely all that happened what there was some exploit to apache/PHP or the like and they gained access to your apache user account. It's no big deal all you have to do it kill all process with apache as their user and do a search for all files owned by apache and maybe delete them. Then you can go about updating whetever it was that was exploitable. Check your system log or apache log do see what process crashed if you can.
_________________
Check out the T-shirts at http://www.thinkgeek.com

troymc · Guru Joined: 22 Mar 2006 Posts: 552

alex6z · Tux's lil' helper Joined: 20 Jul 2005 Posts: 111

troymc wrote:

Sorry, there is no simple solution to being hacked. The ONLY way to re-instate trust in this system is to wipe it & rebuild from scratch and mark all backups as tainted. And to take the steps now to secure it, that you didn't take before.

If they can execute any code on your system, they could have just as easily executed some kind of privilege escalation tool. Just because you only see stuff running as apache, don't assume that's all there is.

I am assuming that a user in your system can't gain access to the root account. There hasn't been a local root exploit in the kernel for quite a while, and they don't have access to X11 to try to exploit it because they are not local users(in most cases). It is quite rare that a local user can become root from within the system compared to some phpBB exploit.
This said, that it's harder to exploit your way to root once in the system than it is from the outside, people should be more worried having root services running and not so worried about things like ntpd and apache that use a safe user account.
.
It seems that becasue someone has executed code under a non privileged account you think it is necessary to rebuild the whole system. According to this logic anyone that is running any service should rebuild their box because there might have been some remote root exploit! Should all users running sshd rebuild their box because it *might* have been exploited even though there are no known working exploits? Should anyone that has a box where someone gained access to a non priveleged UID rebuild their box even though there are no known working exploits in the linux kernel and they probably don't have any dangerous SETUID programs?
_________________
Check out the T-shirts at http://www.thinkgeek.com

troymc · Guru Joined: 22 Mar 2006 Posts: 552

alex6z · Tux's lil' helper Joined: 20 Jul 2005 Posts: 111

All I'm saying is that it is unlikely that the person that got into the apache account was able to get access to the root user. There are 4 ways to do this: 1) Exploit Linux or a module 2) Exploit a setuid binary 3) Exploit a UID 0 service that is normally firewalled from the outside. 4) Take advantage of a misconfiguration like insecure filesystem access permissions.

It seems to me that having something like ftpd, sshd or telnetd running (accessable from the outside) is more likely to be a method of gaining root permissions than having a program running under a normal user account on the system.

I'm thinking about taking my 133MHz box and making it into a public shell server (with good firewall protection to prevent irc spamming etc. on my router) and letting people login and see if they can hack into the root account

.
_________________
Check out the T-shirts at http://www.thinkgeek.com

orange_juice · Posted: Fri Aug 18, 2006 1:20 pm Post subject:

maineus · n00b Joined: 18 Aug 2006 Posts: 1

Try an antispyware program.
_________________
The Temple of Love - The World Peace Religion
http://www.thetempleoflove.com

vibrokatana · Guru Joined: 09 Feb 2006 Posts: 328 Location: o0o0oo

I believe there was a hint awhile ago to remove execution from the tmp directory, seems to stop alot of the upload exploits
_________________
My Systems - "I suggest the whole thing be coded in whitespace. Henceforth the code will be obscure and functional at the same time."