Someone sent me this in response:

> Here's a semi-obvious thing to check - we had some people get into a box
> we run a couple months back and there was all this crap
> lying around in /var/tmp. I would check in there... If the exploit was
> the webserver, you'll see evidence somewhere they could write files.

This looks to be the case. There's a file /var/tmp/m

[root at uni /var/tmp]# l
total 28
drwxrwxrwt   3 root   root   4096 Nov 24 04:54 .
drwxr-xr-x  17 root   root   4096 Mar  1  2004 ..
-rwxrwxrwx   1 wwwrun www   12335 Oct 28 01:10 m
drwxrwxrwt   2 root   root   4096 Sep 23  2003 vi.recover

[root at uni /var/tmp]# file m
m: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped

[root at uni /var/tmp]# strings m | tail
/bin/sh
Can't execve shell!
USAGE: %s [PORT=2345]
Sa vedem ...
socket
setsockopt
bind
listen
getsockname
Se deschide pe portul urmator %d
FUCK: Can't fork child (%d)
Mergeeeeee pidu=%d
bash
Password:
unguras
This server is secure by Unguras alias Papy neam cu zorg si exterxy si alti unguri satmareni.
.-=Norok si Sanatate! =-.
.-=Casa ai de toatel =-.
.-= Sa ma pis pe HacKeri =-.
.-=Si pe Rasa lor! =-.

That is obviously put there by the hackers. It's been moved.

[root at uni /var/tmp]# grep 2345 /etc/services
dbm             2345/tcp    # dbm
dbm             2345/udp    # dbm

I cannot get to my machine via port 2345, so that might be a ruse. Also, I noticed that the index.html file is owned by wwwrun (as is "m"), which leads me to believe that this is an apache-level hack, and my server is not "owned". Please correct me if I am in denial.

I did a "find / -mtime -2", and there was nothing that I would not have expected, except /etc/suseconfig/csh.login, which was empty. That might be harmless, as Yast touches everything under the sun every time I go to the bathroom. But hackers tend to backdate files, so this test is of little assurance.

I looked at the output of "last" and saw nothing unusual. Anything else I should try?
Should I panic more than I am? Right now I feel strongly this was a benign "stupid Apache tricks" thing, and I need to find the hole and close it, but no need to nuke the server and start over. Thanks.
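The checks the post walks through by hand (a web-server-owned ELF sitting in world-writable /var/tmp, and the worry that a backdated mtime defeats "find -mtime") can be scripted. The following is an added example, not code from the post or from the list; it assumes a SuSE-style web-server account named wwwrun and treats an mtime more than five minutes older than ctime as suspect, since touch(1) can rewrite mtime but only the kernel writes ctime.

```python
"""Triage a scratch directory like /var/tmp for the signs discussed in the post."""
import os
import pwd
import stat
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # deleted account: report the raw uid

def triage(directory, web_user="wwwrun", backdate_tolerance=300):
    """Return [(path, [reasons])] for every suspicious regular file.
    touch(1) can backdate mtime, but only the kernel writes ctime, so an mtime
    far older than ctime is a hint that a timestamp was tampered with."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        st = entry.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # directories, symlinks, sockets are out of scope here
        with open(entry, "rb") as fh:
            is_elf = fh.read(4) == ELF_MAGIC
        reasons = []
        if is_elf:
            reasons.append("ELF binary in scratch directory")
        if st.st_mode & stat.S_IWOTH and st.st_mode & stat.S_IXUSR:
            reasons.append("world-writable executable")
        if owner_name(st.st_uid) == web_user:
            reasons.append(f"owned by web-server account {web_user}")
        if st.st_ctime - st.st_mtime > backdate_tolerance:
            reasons.append("mtime older than ctime: possible backdating")
        if reasons:
            findings.append((str(entry), reasons))
    return findings

def build_sample_dir():
    """Constructed sample (not data from the post): a fake 'm' with an ELF header,
    mode 0777 and an mtime pushed back a day, beside a harmless text file."""
    d = tempfile.mkdtemp(prefix="triage_demo_")
    fake = Path(d) / "m"
    fake.write_bytes(ELF_MAGIC + bytes(60))
    fake.chmod(0o777)
    os.utime(fake, (fake.stat().st_mtime - 86400,) * 2)
    (Path(d) / "notes.txt").write_text("harmless\n")
    return d, owner_name(os.getuid())  # directory and the account owning it
```

Run as root against the real /var/tmp the ownership check needs the web server's actual account name; the constructed sample only exists so the logic can be exercised offline.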