Attack, port 2007 open for a process named httpd
pascal
02-28-2007, 12:32 PM
Hello,
Today our box has been attacked. I haven't found out yet how they were able to do this (it seems to be through the PHP IMAP module).
Here is the problem:
- I have an apache job that is running
20800 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
/usr/local/apache doesn't exist, of course!
- and listening on port 2007
tcp 0 0 0.0.0.0:2007 0.0.0.0:* LISTEN 20800/httpd -DSSL
I found in /tmp an *executable* file called usa
It looks like this file is what starts this job; I have deleted it.
But I'm not able to stop this job. Do you have an idea how I could stop it?
Have you already seen this attack?
If not, I want to alert you, as some friends also have this problem.
Thanks for your help
Pascal
IWorx-Socheat
02-28-2007, 01:34 PM
I know you probably already tried this, but what does
kill -9 20800
say? Any errors?
Socheat
pascal
02-28-2007, 04:18 PM
Thanks Socheat, indeed I've done this :)
In fact the job is killed, but a new one is created.
My firewall should stop all incoming connections on port 2007, and this job doesn't eat memory or CPU (0 0), but if it restarts it means there is a *listener* job somewhere which tests it and restarts it if it is stopped, and I can't find it :\
grrrr :\
Pascal
pascal
02-28-2007, 04:33 PM
Here is an strace of this process.
Hundreds of
select(8, [3 7], [3], NULL, {1, 0}) = 0 (Timeout)
time(NULL) = 1172701950
time(NULL) = 1172701950
time(NULL) = 1172701950
select(8, [3 7], [3], NULL, {1, 0}) = 0 (Timeout)
time(NULL) = 1172701951
time(NULL) = 1172701951
time(NULL) = 1172701951
select(8, [3 7], [3], NULL, {1, 0}) = 0 (Timeout)
time(NULL) = 1172701952
time(NULL) = 1172701952
time(NULL) = 1172701952
select(8, [3 7], [3], NULL, {1, 0}) = 0 (Timeout)
time(NULL) = 1172701953
time(NULL) = 1172701953
time(NULL) = 1172701953
select(8, [3 7], [3], NULL, {1, 0}) = 0 (Timeout)
time(NULL) = 1172701954
time(NULL) = 1172701954
time(NULL) = 1172701954
select(8, [3 7], [3], NULL, {1, 0}) = 0 (Timeout)
time(NULL) = 1172701955
time(NULL) = 1172701955
time(NULL) = 1172701955
select(8, [3 7], [3], NULL, {1, 0}) = 0 (Timeout)
time(NULL) = 1172701956
time(NULL) = 1172701956
time(NULL) = 1172701956
and sometimes
select(8, [3 7], [3], NULL, {1, 0}) = 1 (in [7], left {597000454144000, 0})
time(NULL) = 1172701793
recv(7, "PING :Oslo2.NO.EU.undernet.org\r\n", 8191, 0) = 32
write(7, "PONG :Oslo2.NO.EU.undernet.org\r\n", 32) = 32
time(NULL) = 1172701793
time(NULL) = 1172701793
select(8, [3 7], [3 7], NULL, {1, 0}) = 1 (out [7], left {1, 0})
time(NULL) = 1172701793
write(7, "PONG :Oslo2.NO.EU.undernet.org\r\n", 32) = 32
time(NULL) = 1172701793
time(NULL) = 1172701793
select(8, [3 7], [3 7], NULL, {1, 0}) = 1 (out [7], left {1, 0})
time(NULL) = 1172701793
write(7, "NICK Carat\r\n", 12) = 12
time(NULL) = 1172701793
time(NULL) = 1172701793
Pascal
IWorx-Socheat
02-28-2007, 04:36 PM
Does
ps afx
show a parent process?
Pascal, this:
recv(7, "PING :Oslo2.NO.EU.undernet.org\r\n", 8191, 0) = 32
write(7, "PONG :Oslo2.NO.EU.undernet.org\r\n", 32) = 32
makes me think someone's running some kind of IRC client/server/service/bot on your box, as undernet.org is a big-ish IRC network.
As well as this:
write(7, "NICK Carat\r\n", 12) = 12
Do you have any clients with emails/nicknames/real names like "Carat"? ;)
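Socheat's reading of the trace (PING/PONG replies and a NICK registration on the same descriptor are the IRC protocol, whatever the process calls itself) can be turned into a small detector. The block below is an added example, not code from the thread or from InterWorx: it parses the recv()/write() lines that strace prints, decodes the C-style escapes, and reports which file descriptors carry IRC commands. The sample trace is constructed to mirror the one posted above; irc.example.net is a placeholder server name.

```python
"""Flag a traced process whose socket traffic is IRC, from strace output."""
import re
from collections import defaultdict

# strace prints: [pid] syscall(fd, "payload", ...) = n   (payload is C-escaped)
SYSCALL_RE = re.compile(
    r'^(?:\d+\s+)?(recv|read|write|send|sendto|recvfrom)\((\d+),\s*"((?:[^"\\]|\\.)*)"'
)
# An IRC message is an optional ":prefix " followed by a command word.
IRC_CMD_RE = re.compile(r'^(?::\S+\s+)?(PING|PONG|NICK|USER|JOIN|PRIVMSG|NOTICE|MODE)\b')

# Constructed sample, shaped like the trace in the thread (server name is a placeholder).
SAMPLE_TRACE = r'''select(8, [3 7], [3], NULL, {1, 0}) = 0 (Timeout)
time(NULL) = 1172701950
select(8, [3 7], [3], NULL, {1, 0}) = 1 (in [7], left {0, 0})
recv(7, "PING :irc.example.net\r\n", 8191, 0) = 23
write(7, "PONG :irc.example.net\r\n", 23) = 23
write(7, "NICK Carat\r\n", 12) = 12
write(3, "GET / HTTP/1.0\r\n\r\n", 18) = 18'''


def unescape(payload):
    """Turn strace's C-string escapes (\\r, \\n, \\xNN, octal) back into text."""
    return bytes(payload, "ascii").decode("unicode_escape")


def irc_evidence(lines):
    """Return {fd: [IRC commands seen]} for every descriptor carrying IRC traffic."""
    per_fd = defaultdict(list)
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if not m:
            continue  # select(), time() and friends carry no payload
        _, fd, payload = m.groups()
        for msg in unescape(payload).split("\r\n"):
            cmd = IRC_CMD_RE.match(msg)
            if cmd:
                per_fd[int(fd)].append(cmd.group(1))
    return dict(per_fd)


def looks_like_irc_bot(lines, min_commands=2):
    """True when some descriptor shows at least min_commands distinct IRC commands."""
    return any(len(set(cmds)) >= min_commands for cmds in irc_evidence(lines).values())


if __name__ == "__main__":
    lines = SAMPLE_TRACE.splitlines()
    print("IRC evidence per fd:", irc_evidence(lines))
    print("looks like an IRC bot:", looks_like_irc_bot(lines))
```

On a live host the same functions take the output of `strace -p <pid> -e trace=network,read,write` piped into a file; requiring two distinct commands on one descriptor keeps a single stray "NICK" in unrelated data from raising a false alarm.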
pascal
02-28-2007, 06:04 PM
Does
ps afx
show a parent process?
No one :rolleyes:
pascal
02-28-2007, 06:05 PM
Pascal, this:
makes me think someone's running some kind of IRC client/server/service/bot on your box, as undernet.org is a big-ish IRC network.
As well as this:
You have any clients with emails/nicknames/real names like "Carat" ? ;)
Yes Fred, but no, I don't think it is a *real* IRC.
A "real" IRC? :confused:
No one :rolleyes:
Perhaps it's being restarted by a cron job.
IWorx-Paul
02-28-2007, 08:51 PM
There may be multiple instances of the irc (or whatever) script trying to start, and as soon as you kill one, another jumps in and takes over the TCP port they're trying to connect to. Sometimes if you just kill enough of them it'll go away (until the script is started again via whatever means it was started in the first place).
Another option to check is, once you have a PID for one of the processes, go to
cd /proc/<pid>
ls -la
Sometimes the cwd for the process will be one of the accounts on your server, which will give you a hint where the exploit is.
Paul
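Paul's /proc tip can be scripted so the triage is repeatable. The block below is an added example, not code from the thread or from InterWorx: it reads /proc/<pid>/exe, cwd, cmdline and status and flags the signs this thread shows, namely a binary that was deleted from disk (the "usa" file removed from /tmp), an executable or working directory under a world-writable path, and an argv[0] that does not match the real executable (the fake /usr/local/apache/bin/httpd). A constructed /proc tree is built in a temporary directory so the block runs anywhere; on a real Linux host call inspect_pid(pid) with the default proc_root, as root if the process belongs to another user.

```python
"""Triage one PID from its /proc entry and list the suspicious signs."""
import os
import tempfile

SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def read_link(path):
    try:
        return os.readlink(path)
    except OSError:
        return None  # no permission, or the process is gone


def inspect_pid(pid, proc_root="/proc"):
    """Collect exe, cwd, argv and parent PID for one process."""
    base = os.path.join(proc_root, str(pid))
    with open(os.path.join(base, "cmdline"), "rb") as f:
        argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    ppid = None
    with open(os.path.join(base, "status")) as f:
        for line in f:
            if line.startswith("PPid:"):
                ppid = int(line.split()[1])
    return {
        "pid": pid,
        "ppid": ppid,  # a parent of 1 means the starter already exited: look at cron
        "exe": read_link(os.path.join(base, "exe")),
        "cwd": read_link(os.path.join(base, "cwd")),
        "argv": argv,
    }


def under(path, dirs):
    return path is not None and any(path == d or path.startswith(d + "/") for d in dirs)


def suspicious_signs(info):
    """Human-readable reasons this process deserves a closer look."""
    signs = []
    exe = info["exe"] or ""
    if exe.endswith(" (deleted)"):  # Linux appends this when the binary is unlinked
        signs.append("exe deleted from disk")
        exe = exe[: -len(" (deleted)")]
    if under(exe, SUSPECT_DIRS):
        signs.append("exe under world-writable dir")
    if under(info["cwd"], SUSPECT_DIRS):
        signs.append("cwd under world-writable dir")
    argv0 = info["argv"][0] if info["argv"] else ""
    if argv0.startswith("/") and argv0 != exe:
        signs.append("argv[0] does not match exe")
    return signs


def build_fake_proc(root, pid=20800):
    """Constructed /proc/<pid> that mirrors the rogue httpd from the thread."""
    d = os.path.join(root, str(pid))
    os.makedirs(d)
    os.symlink("/tmp/usa (deleted)", os.path.join(d, "exe"))
    os.symlink("/dev/shm/.access.log", os.path.join(d, "cwd"))
    with open(os.path.join(d, "cmdline"), "wb") as f:
        f.write(b"/usr/local/apache/bin/httpd\0-DSSL\0")
    with open(os.path.join(d, "status"), "w") as f:
        f.write("Name:\thttpd\nPid:\t%d\nPPid:\t1\n" % pid)
    return d


def demo():
    """Run the triage against the constructed tree; returns info and signs."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        info = inspect_pid(20800, proc_root=root)
        return {"info": info, "signs": suspicious_signs(info)}


if __name__ == "__main__":
    result = demo()
    print(result["info"])
    for sign in result["signs"]:
        print(" -", sign)
```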
pascal
03-02-2007, 09:50 PM
Hi
I've set the tmp partition with noexec and nosuid, and it looks like we don't have this problem anymore.
But I found this in the cron log
Mar 3 04:44:01 clust01-carat02 crond[6850]: (apache) CMD (/dev/shm/.access.log/y2kupdate >/dev/null 2>&1)
So I've looked in
/var/spool/cron
and I found this
]# ls -l /var/spool/cron/
total 12
-rw------- 1 root apache 57 fév 28 16:58 apache
-rw------- 1 root root 492 fév 27 18:29 iworx
-rw------- 1 root root 152 mar 3 04:43 root
Eurff, a cron job for Apache???????
Looking in it, I have
* * * * * /dev/shm/.access.log/y2kupdate >/dev/null 2>&1
grrr !!!
OK, I'm pretty sure it isn't an iworx process nor a process we have installed, so I DELETE!!!
Do you have an idea how it is possible to create a cron job like this?
Pascal
pascal
03-02-2007, 09:56 PM
Pfff, looking at
/etc/fstab
I've seen that /dev/shm is not set with noexec,nosuid!!!
Arff, we must have forgotten to set it like this on this box :\
It's much more secure to have the shm (shared memory) mount with nosuid and noexec set.
So we have changed it to
none /dev/shm tmpfs defaults,noexec,nosuid 0 0
Pascal
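The two findings in Pascal's last posts, a crontab entry for the apache user that runs a binary out of a hidden directory under /dev/shm every minute, and an fstab line that mounts /dev/shm without noexec,nosuid, are both things a script can check on every box. The block below is an added example, not code from the thread or from InterWorx: it parses user crontab lines and crond log lines, reports commands that run from /tmp, /var/tmp or /dev/shm or through a hidden path component, and reports tmpfs or scratch mounts in fstab missing hardening options. It goes slightly beyond the thread by also requiring nodev, which is commonly set alongside noexec,nosuid on such mounts. All sample lines are constructed; the cron entry mirrors the one in the thread.

```python
"""Audit crontab entries and fstab mounts for scratch-directory persistence."""
import re

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
WANTED_OPTS = {"noexec", "nosuid", "nodev"}
# crond log line: ... crond[PID]: (user) CMD (command)
CRON_LOG_RE = re.compile(r"crond\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")

# Constructed samples; the first cron entry mirrors the thread.
SAMPLE_CRON = [
    "# user crontab (constructed)",
    "* * * * * /dev/shm/.access.log/y2kupdate >/dev/null 2>&1",
    "0 3 * * * /usr/local/bin/backup.sh",
]
SAMPLE_CRON_LOG = [
    "Mar  3 04:44:01 host crond[6850]: (apache) CMD (/dev/shm/.access.log/y2kupdate >/dev/null 2>&1)",
]
SAMPLE_FSTAB = [
    "# /etc/fstab (constructed)",
    "/dev/sda1 / ext3 defaults 1 1",
    "none /dev/shm tmpfs defaults 0 0",
    "/dev/sda3 /tmp ext3 defaults,noexec,nosuid,nodev 1 2",
]


def cron_command(line):
    """(user, command) from a crond log line or a 5-field user crontab line, else None."""
    m = CRON_LOG_RE.search(line)
    if m:
        return m.group("user"), m.group("cmd")
    fields = line.split(None, 5)
    if len(fields) == 6 and not line.lstrip().startswith("#"):
        return None, fields[5]  # user crontab has no user column; @reboot-style lines are skipped
    return None


def cron_findings(cmd):
    """Reasons a cron command deserves a look."""
    reasons = []
    for tok in cmd.split():
        if any(tok == d or tok.startswith(d + "/") for d in SCRATCH_DIRS):
            reasons.append("runs from scratch dir: " + tok)
        if any(p.startswith(".") and p not in (".", "..") for p in tok.split("/")[1:]):
            reasons.append("hidden path component: " + tok)
    if ">/dev/null" in cmd.replace(" ", "") and "2>&1" in cmd:
        reasons.append("output silenced")
    return reasons


def audit_crontab(lines):
    """[(user, command, reasons)] for entries that look suspicious."""
    hits = []
    for line in lines:
        parsed = cron_command(line.strip())
        if not parsed:
            continue
        user, cmd = parsed
        reasons = cron_findings(cmd)
        if reasons:
            hits.append((user, cmd, reasons))
    return hits


def audit_fstab(lines):
    """{mountpoint: missing options} for tmpfs or scratch mounts lacking hardening."""
    missing = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        _, mnt, fstype, opts = fields[:4]
        if fstype == "tmpfs" or mnt in SCRATCH_DIRS:
            lacking = WANTED_OPTS - set(opts.split(","))
            if lacking:
                missing[mnt] = sorted(lacking)
    return missing


def hardened_fstab_line(line):
    """Rewrite one fstab line so its mount carries noexec,nosuid,nodev."""
    fields = line.split()
    opts = fields[3].split(",")
    opts += sorted(WANTED_OPTS - set(opts))
    fields[3] = ",".join(opts)
    return " ".join(fields)


if __name__ == "__main__":
    for user, cmd, reasons in audit_crontab(SAMPLE_CRON + SAMPLE_CRON_LOG):
        print("cron", user or "(crontab)", cmd, reasons)
    for mnt, lacking in audit_fstab(SAMPLE_FSTAB).items():
        print("fstab", mnt, "missing", lacking)
    print(hardened_fstab_line("none /dev/shm tmpfs defaults 0 0"))
```

On a real host feed it `cat /var/spool/cron/*` and `grep CMD /var/log/cron` for the cron side and `/etc/fstab` for the mount side; remember that noexec on /dev/shm only stops direct execution, so the cron check still matters.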