Server hacked?

Hal Burgiss hal at burgiss.net
Wed Jan 2 03:37:00 UTC 2008


On Wed, Jan 02, 2008 at 12:35:23AM -0000, Joris Dobbelsteen wrote:
> It seems it's limited to the www-data user. Of course the fd/3 file gives
> a very good hint that it is indeed apache. The apc comes from PHP. Of
> course it's odd that the webpage runs perl, since all processes are
> supposed to be PHP.

Possibly it's scanner.pl listed below. Probably a port scanner written
in perl for systems that don't come ready equipped with nmap, etc.

> Some oddities on a site running Joomla are:
> ===
> htdocs/.wonk/motd/USER1.MOTD.old::arcor.de.eu.dal.net 372 _mugo1`dealz
> :-     You can always reach this server by typing /server arcor.dal.net
> 6667

USER1.MOTD.old is the IRC bouncer log. Worth looking at to see how
active this attack was. It might have been purely scripted and the
attacker maybe never did much with it. But then again ... 

> Binary file htdocs/.wonk/vi matches
> htdocs/dimenso:my $porta="6667";
> htdocs/dimenso.1:my $porta="6667";

The man page for dimenso? 

> htdocs/scanner.pl:my $porta="6667";

A port scanner for scanning other systems.
 
> It also has wonk.tar.gz from 2007-03-18.

I agree that the most important thing is to find how they got in. Even
if you do a clean install, tighten up everything, but put the same php
applications back, you might still be just as vulnerable. 

Another thing to do is to look at the timestamps for things you have
found that you know don't belong. Then look around the rest of the
filesystem for things with the same, or close, timestamps. There may
be other back doors installed scattered around. There may be cron jobs
hidden to restart things that die or are MIA. [kjournald] is something
bogus that was built from source. Where are the pieces to that? If you
have logs that far back, go through those for the date/time and see
what was uploaded and *where*. This was probably done all through
Apache, so the logs should have the evidence (if they exist still).
The logs will probably give you a good idea of exactly how they got
in. And you might get lucky and see what else was accessed (if there
was any sensitive data on the system like in mysql data files, etc).
They almost surely took /etc/passwd, which doesn't give them passwords
but does give them user names, making brute force attacks much simpler
and much more effective. 
 
-- 
Hal
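The timestamp sweep Hal describes above (take a file you know does not belong, then look for other files modified around the same time, and pull the web-server log entries for that window) can be scripted with POSIX `find` and `grep`. The script below is an added example, not code from the thread or from either poster; the directory tree, file names, timestamps and access-log lines it builds are constructed sample data chosen to resemble the names in the thread, and the helper names `files_near`, `log_lines_on` and `cleanup` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): given one file known not to
# belong, list other files whose modification time falls within a window
# around it, and pull the Apache access-log lines from that same window.
# Everything under $WORK is constructed sample data.

set -e

# Throwaway tree to demonstrate on. For real use, point WEBROOT at the
# compromised docroot and LOGFILE at the Apache access log instead.
WORK="${TMPDIR:-/tmp}/ir-demo.$$"
WEBROOT="$WORK/htdocs"
LOGFILE="$WORK/access.log"
mkdir -p "$WEBROOT/.wonk/motd" "$WEBROOT/images"

# Legitimate content deployed well before the incident.
touch -t 200612011200.00 "$WEBROOT/index.php" "$WEBROOT/images/logo.png"
# Files the investigator has already flagged as foreign (names as in the thread).
touch -t 200703181410.05 "$WEBROOT/scanner.pl"
touch -t 200703181412.30 "$WEBROOT/.wonk/motd/USER1.MOTD.old"
touch -t 200703181415.50 "$WEBROOT/dimenso"
# An unflagged file dropped in the same window: exactly what the sweep
# is meant to surface.
touch -t 200703181413.00 "$WEBROOT/images/.cache.php"

# Constructed access-log lines in common log format. Only the POST that
# lands inside the window is of interest.
cat > "$LOGFILE" <<'EOF'
203.0.113.5 - - [18/Mar/2007:14:09:58 +0000] "GET /index.php?option=com_example HTTP/1.1" 200 5120
203.0.113.5 - - [18/Mar/2007:14:10:02 +0000] "POST /index.php?option=com_example HTTP/1.1" 200 312
198.51.100.7 - - [18/Mar/2007:16:45:10 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
EOF

# files_near ROOT LO HI: print regular files under ROOT whose mtime lies in
# (LO, HI], with LO and HI in touch -t form (CCYYMMDDhhmm.SS). Two reference
# files bound the window so that only POSIX find primaries are needed.
files_near() {
    root=$1; lo=$2; hi=$3
    lo_ref=$(mktemp); hi_ref=$(mktemp)
    touch -t "$lo" "$lo_ref"
    touch -t "$hi" "$hi_ref"
    find "$root" -type f -newer "$lo_ref" ! -newer "$hi_ref" | LC_ALL=C sort
    rm -f "$lo_ref" "$hi_ref"
}

# log_lines_on LOG PREFIX: access-log lines whose timestamp starts with
# PREFIX, e.g. '18/Mar/2007:14:1' covers 14:10 through 14:19 on that day.
log_lines_on() {
    grep -F "[$2" "$1" || true
}

# Remove the sample tree when done (not called automatically).
cleanup() {
    rm -rf "$WORK"
}

echo "== files modified 2007-03-18 14:00-14:30 under $WEBROOT"
files_near "$WEBROOT" 200703181400.00 200703181430.00
echo "== access-log entries for 18/Mar/2007 14:1x"
log_lines_on "$LOGFILE" '18/Mar/2007:14:1'
```

Run it and `.cache.php` shows up next to the three files already flagged, while `index.php` and `logo.png` from the earlier deployment do not; the matching log line is the single POST in the same minute, which is where to start reading for the entry point. Two caveats when using this on a real box: `find -newer` compares modification times, which an attacker can reset with `touch`, so widen the window generously and, on GNU find, repeat the sweep with `-newerct` to compare the harder-to-forge inode change time; and the log prefix must follow whatever `LogFormat` the server actually uses, not the sample format here.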
 