Posted to users@httpd.apache.org by "Tom Ray [Lists]" <li...@blazestudios.com> on 2006/09/06 06:31:31 UTC

[users@httpd] I believe I've been compromised.

I'm running a SuSE 9.1 server with Apache 2.0.58 and as of last Thursday 
I'm seeing a ton of files created in spots they shouldn't be. All created 
by wwwrun (the webserver). I'm finding PHP scripts that are blatantly 
commented with hacker code, _vti_ directories in sites, and this server 
doesn't have FP running on it. Cron jobs owned by wwwrun created, and I 
can see my machine connected to a strange IP on port 22, which is telling 
me that my machine has opened an ssh connection with their server.

I'm seeing files that execute PHP Shell 1.7 which allows them to execute 
commands via a form.

Has anyone ever run into this kind of problem? I've never really been 
hacked like this before and I keep thinking I have it cleaned up but it 
doesn't appear that way. One script had this in it: Powered By 
#KARTUBEBEN CrEW @ DALnet

I know this may be a bit OT but any thoughts or suggestions would be 
greatly helpful and appreciated.

Thanks!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] I believe I've been compromised.

Posted by "Tom Ray [Lists]" <li...@blazestudios.com>.
Thanks! I spent most of my weekend getting it cleaned up. I found about 
5 or so bad files in about a half dozen sites, all created by wwwrun and 
only in directories that were set to 777 by the clients. Just for 
everyone's sake I'm going to post them here.

These I found floating on their own in not all but most of the 777 
directories:
ch99.php
mail.php (actually was the ch99.php script)
about.php (same thing)
faq.php (same thing)

Pretty nice, since I ended up looking at EVERY copy of about.php, 
mail.php, and faq.php on the server. It was real fun since I have a lot 
of clients using ZenCart, which has all those files.

What I found in every one of the half dozen sites:
_vti_inf.jpg (This was a directory)
_vti_inf.php (inside the directory)
file.php (inside the directory)

ch99.php appeared to be some IRC bot drop. file.php was a form that 
allowed file uploading and command lines to be issued. _vti_inf.php was 
a mass email form allowing attachments. Once all those files were 
cleaned up and I restarted the server yesterday, everything has been 
AOK. All unwanted connections to port 22 on foreign IPs have stopped, no 
more connections to 6667 or anything out of the ordinary. Plus I was 
seeing weird commands being issued when I did a 'ps -ef', until the last 
time I did it last night.

I do have one question though. I see this when I do a netstat -n; can 
someone tell me what this means?

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 ::1:34458               ::1:80                  TIME_WAIT
tcp        0      0 ::1:34459               ::1:80                  TIME_WAIT

Thanks for the advice and suggestions.


Jeff Pollard wrote:
> One time one of our servers running Fedora was exploited through a 
> security hole in the PHP Horde framework.  Through the hole, they used 
> WGET to download a stand alone FTP server, which they then installed 
> and put on an IRC bot to start serving files.  All this happened in 
> our /tmp directory, since it was one of the few that the web user 
> (apache) had access to.
>
> In order to clear it, we firewalled our box to not let any traffic in 
> or out, then cleaned up the /tmp directory and searched for any files 
> created in the last 24 hours and cleaned all suspicious ones.  Then we 
> patched the hole in Horde and loosened the firewall.  That fixed it 
> and we were hacker free.
>
> Not to say that your solution will be that easy, but if you have a 
> somewhat competent admin, you can probably fix the server without 
> nuking it.
>
>
> Sean Conner wrote:
>> It was thus said that the Great Tom Ray [Lists] once stated:
>>   
>>> I'm running a SuSE 9.1 server with Apache 2.0.58 and as of last Thursday 
>>> I'm seeing a ton of files created in spots they shouldn't be. All created 
>>> by wwwrun (the webserver). I'm finding PHP scripts that are blatantly 
>>> commented with hacker code, _vti_ directories in sites, and this server 
>>> doesn't have FP running on it. Cron jobs owned by wwwrun created, and I 
>>> can see my machine connected to a strange IP on port 22, which is telling 
>>> me that my machine has opened an ssh connection with their server.
>>>
>>> I'm seeing files that execute PHP Shell 1.7 which allows them to execute 
>>> commands via a form.
>>>
>>> Has anyone ever run into this kind of problem? I've never really been 
>>> hacked like this before and I keep thinking I have it cleaned up but it 
>>> doesn't appear that way. One script had this in it: Powered By 
>>> #KARTUBEBEN CrEW @ DALnet
>>>
>>> I know this may be a bit OT but any thoughts or suggestions would be 
>>> greatly helpful and appreciated.
>>>     
>>
>>   Unless you know what you are doing or what to look for, the best advice is
>> to nuke and pave (reformat the hard drives, reinstall the operating system,
>> reload the websites).
>>
>>   In any case, you'll want to disable PHP and all logins until you have
>> audited all the sites, PHP scripts and users of the box.  Make sure all
>> passwords are changed.  Only then would I re-enable PHP.
>>
>>   Also, check the startup scripts and shut down any service you don't need! 
>> Not only do they suck up memory (and/or swap space) but if they offer any
>> network services, that's just another way to be hacked.  If you are unsure
>> of what a startup script does, use Google.
>>
>>   -spc (But really, if the accounts were compromised, there isn't much
>> 	you can do ... )
>>
>>
>>
>>
>>   



Re: [users@httpd] I believe I've been compromised.

Posted by Jeff Pollard <je...@gmail.com>.
One time one of our servers running Fedora was exploited through a 
security hole in the PHP Horde framework.  Through the hole, they used 
WGET to download a stand alone FTP server, which they then installed and 
put on an IRC bot to start serving files.  All this happened in our /tmp 
directory, since it was one of the few that the web user (apache) had 
access to.

In order to clear it, we firewalled our box to not let any traffic in or 
out, then cleaned up the /tmp directory and searched for any files 
created in the last 24 hours and cleaned all suspicious ones.  Then we 
patched the hole in Horde and loosened the firewall.  That fixed it and 
we were hacker free.

Not to say that your solution will be that easy, but if you have a 
somewhat competent admin, you can probably fix the server without nuking it.


Sean Conner wrote:
> It was thus said that the Great Tom Ray [Lists] once stated:
>   
>> I'm running a SuSE 9.1 server with Apache 2.0.58 and as of last Thursday 
>> I'm seeing a ton of files created in spots they shouldn't be. All created 
>> by wwwrun (the webserver). I'm finding PHP scripts that are blatantly 
>> commented with hacker code, _vti_ directories in sites, and this server 
>> doesn't have FP running on it. Cron jobs owned by wwwrun created, and I 
>> can see my machine connected to a strange IP on port 22, which is telling 
>> me that my machine has opened an ssh connection with their server.
>>
>> I'm seeing files that execute PHP Shell 1.7 which allows them to execute 
>> commands via a form.
>>
>> Has anyone ever run into this kind of problem? I've never really been 
>> hacked like this before and I keep thinking I have it cleaned up but it 
>> doesn't appear that way. One script had this in it: Powered By 
>> #KARTUBEBEN CrEW @ DALnet
>>
>> I know this may be a bit OT but any thoughts or suggestions would be 
>> greatly helpful and appreciated.
>>     
>
>   Unless you know what you are doing or what to look for, the best advice is
> to nuke and pave (reformat the hard drives, reinstall the operating system,
> reload the websites).
>
>   In any case, you'll want to disable PHP and all logins until you have
> audited all the sites, PHP scripts and users of the box.  Make sure all
> passwords are changed.  Only then would I re-enable PHP.
>
>   Also, check the startup scripts and shut down any service you don't need! 
> Not only do they suck up memory (and/or swap space) but if they offer any
> network services, that's just another way to be hacked.  If you are unsure
> of what a startup script does, use Google.
>
>   -spc (But really, if the accounts were compromised, there isn't much
> 	you can do ... )
>
>
>
>
>   
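Tom's netstat question and Jeff's first step (firewall everything in and out before cleaning up) both come down to knowing which sockets the box itself opened. The classifier below is an added example, not code from the thread; the sample netstat output is constructed with RFC 5737 documentation addresses to mirror what Tom reported, and the list of ports a web server should never initiate sessions to is an assumption to adjust per site.

```shell
#!/bin/sh
# Classify the sockets in "netstat -n" output. Added example, not code from the
# thread. SAMPLE_NETSTAT is constructed (RFC 5737 documentation addresses) to
# mirror what Tom reported: loopback TIME_WAIT pairs on ::1:80, and sessions
# the box itself opened to remote ssh and IRC ports.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 ::1:34458               ::1:80                  TIME_WAIT
tcp        0      0 ::1:34459               ::1:80                  TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.23:51200     ESTABLISHED
tcp        0      0 192.0.2.10:41122        203.0.113.7:22          ESTABLISHED
tcp        0      0 192.0.2.10:41130        203.0.113.44:6667       ESTABLISHED'

# Remote ports a web server has no business initiating sessions to (assumed
# list: ssh plus the usual IRC ports). Extend for your environment.
SUSPECT_PORTS='22 6667 6666 6668 6669 7000'

# Reads netstat lines on stdin; prints "<verdict> <local> <foreign> <state>"
# per TCP socket. The verdict is decided by who initiated the connection (an
# ephemeral local port means we did) and where it goes, not by the state column.
classify_connections() {
    awk -v suspect="$SUSPECT_PORTS" '
    BEGIN { n = split(suspect, p, " "); for (i = 1; i <= n; i++) bad[p[i]] = 1 }
    # The port is whatever follows the last colon, so 1.2.3.4:80 and ::1:80
    # are handled the same way; LISTEN sockets carry "*" as the foreign port.
    function host(a) { sub(/:[0-9*]+$/, "", a); return a }
    function port(a) { sub(/^.*:/, "", a); return a }
    function isloop(h) { return h == "::1" || h ~ /^127\./ || h ~ /^::ffff:127\./ }
    $1 != "tcp" && $1 != "tcp6" { next }
    {
        laddr = $4; faddr = $5; state = $6
        lp = port(laddr); fp = port(faddr)
        if (isloop(host(laddr)) && isloop(host(faddr)))
            verdict = "loopback"           # the box talking to its own daemon
        else if (state == "LISTEN")
            verdict = "listening"
        else if (lp + 0 >= 1024 && (fp in bad))
            verdict = "OUTBOUND-SUSPECT"   # we opened a session to a remote ssh/IRC port
        else if (lp + 0 < 1024)
            verdict = "inbound"            # a client reached one of our services
        else
            verdict = "outbound"           # we initiated, to an ordinary port
        print verdict, laddr, faddr, state
    }'
}

# Only the sockets worth chasing, from the sample; swap in "netstat -n" for live use.
suspect_sockets() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_connections | grep '^OUTBOUND-SUSPECT '
}

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_connections
fi
```

On a live box run `netstat -n | classify_connections` (or `netstat -np` as root to get the owning PID alongside). The two `::1:80` entries Tom asks about classify as loopback: a process on the server connected to its own httpd over the IPv6 loopback address and has already closed the connection, and TIME_WAIT is just the closing side waiting out the timeout before the port can be reused. The lines to act on are the OUTBOUND-SUSPECT ones, sessions the box itself opened from an ephemeral port to a remote ssh or IRC port, which is exactly the traffic Jeff's firewall-everything step cuts while the cleanup runs.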

Re: [users@httpd] I believe I've been compromised.

Posted by Sean Conner <sp...@conman.org>.
It was thus said that the Great Tom Ray [Lists] once stated:
> I'm running a SuSE 9.1 server with Apache 2.0.58 and as of last Thursday 
> I'm seeing a ton of files created in spots they shouldn't be. All created 
> by wwwrun (the webserver). I'm finding PHP scripts that are blatantly 
> commented with hacker code, _vti_ directories in sites, and this server 
> doesn't have FP running on it. Cron jobs owned by wwwrun created, and I 
> can see my machine connected to a strange IP on port 22, which is telling 
> me that my machine has opened an ssh connection with their server.
> 
> I'm seeing files that execute PHP Shell 1.7 which allows them to execute 
> commands via a form.
> 
> Has anyone ever run into this kind of problem? I've never really been 
> hacked like this before and I keep thinking I have it cleaned up but it 
> doesn't appear that way. One script had this in it: Powered By 
> #KARTUBEBEN CrEW @ DALnet
> 
> I know this may be a bit OT but any thoughts or suggestions would be 
> greatly helpful and appreciated.

  Unless you know what you are doing or what to look for, the best advice is
to nuke and pave (reformat the hard drives, reinstall the operating system,
reload the websites).

  In any case, you'll want to disable PHP and all logins until you have
audited all the sites, PHP scripts and users of the box.  Make sure all
passwords are changed.  Only then would I re-enable PHP.

  Also, check the startup scripts and shut down any service you don't need! 
Not only do they suck up memory (and/or swap space) but if they offer any
network services, that's just another way to be hacked.  If you are unsure
of what a startup script does, use Google.

  -spc (But really, if the accounts were compromised, there isn't much
	you can do ... )



