Has my server been hacked?

Don Erickson derick at zeni.net
Sun Nov 13 15:40:28 CST 2005


On Sun, 13 Nov 2005, Jason Dewayne Clinton wrote:

> On Sunday 13 November 2005 09:58 am, Matt Graham wrote:
>> I guess that since I even suspect that it's compromised, I should
>> reinstall.
>
> Yea, your sentiments are correct. Unfortunately, you can't really say
> with certainty that your box is clean once it has been rooted.

Yeah, he should probably reinstall, but what evidence do we have that the 
box has been rooted?  I think that it's more likely that the www-data user 
that runs apache is compromised.

Since the flow of evidence has stopped, I dug around a bit and here's what 
I think may be happening:

Matt is running a debian box on a local IP, so there's a router 
port-forwarding www, ssh, ftp and whatnot.  This means that _if_ his box 
was compromised by the linux worm that I referred to in an earlier post, 
the backdoor it installs on port 7111 or 7222 isn't available to the 
internet at large.

The worm opens a file called /tmp/lupii.  If this file is there, then the 
worm has got you but the ownership of this file will tell you which user 
has been compromised.  If Matt runs netstat -lp | grep lupii, then this 
will tell him if this worm has installed a listening daemon that, because 
of his specific setup, can essentially only listen to the wall.

The very fact that this backdoor is installed and running from /tmp tells 
you that this is (almost certainly) not a root exploit.  Anybody can write 
to /tmp on most every box out there, but if you're root there are lots 
better places to hide things.

Since he's running debian, if he reinstalls and upgrades awstats and PHP, he 
should then be immune from this exploit.




Regards,

-Don
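Added example, not part of the thread: a small POSIX sh triage script that
packages the checks Don describes (does /tmp/lupii exist, who owns it, and
is anything listening under that program name or on ports 7111/7222).  The
sample netstat output is constructed for illustration; the function names
are my own.

```shell
#!/bin/sh
# Triage helpers for the /tmp/lupii indicator discussed in the thread.
# Run as root on the suspect box: triage_lupii /tmp/lupii; netstat -lp | backdoor_listeners
# (names and sample data below are assumptions for this example, not from the post)

# Print the owner of a file; return 1 if the file does not exist.
file_owner() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | awk '{print $3}'
}

# Read `netstat -lp` output on stdin and keep lines that name the worm's
# program or that bind the backdoor ports 7111/7222 (field 4 is Local Address).
backdoor_listeners() {
    awk '/lupii/ || $4 ~ /:(7111|7222)$/'
}

# Verdict from the indicator file: CLEAN if absent, ROOT if root owns it,
# otherwise UNPRIVILEGED:<user> (e.g. www-data for an apache-level compromise).
triage_lupii() {
    owner=$(file_owner "${1:-/tmp/lupii}") || { echo CLEAN; return 0; }
    if [ "$owner" = root ]; then
        echo ROOT
    else
        echo "UNPRIVILEGED:$owner"
    fi
}

# Constructed sample of `netstat -lp` output for a box hit by the worm.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      901/apache
tcp        0      0 0.0.0.0:7111            0.0.0.0:*               LISTEN      2231/lupii
udp        0      0 0.0.0.0:7222            0.0.0.0:*                           2231/lupii
EOF
}

# Demo against the constructed sample (live use: netstat -lp | backdoor_listeners)
sample_netstat | backdoor_listeners
triage_lupii /tmp/lupii
```

The verdict only distinguishes who owns the dropped file; as Don notes, a
backdoor living in /tmp points to an unprivileged account, but the decision
to reinstall still stands whichever line the script prints.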


More information about the Kclug mailing list