Has my server been hacked?
Don Erickson
derick at zeni.net
Mon Nov 14 10:46:12 CST 2005
On Mon, 14 Nov 2005, Matt Graham wrote:
> I don't see the lupii file in /tmp. I see the following:
>
> There is no netstat output with lupii.
Okay, so you're (probably) a victim of the awstats hole, but not the worm
that exploits it.
> It's been a while since I've done an apt-get upgrade. Those always seem
> to make my system unbootable for some reason, so I guess I put them off
> too long.
Subscribe to debian-security at lists.debian.org. Then just upgrade the
packages you're running that have security holes.
I'd be real interested in what returns if you do a
# zgrep awstats.pl\? /var/log/apache/access.log.?.gz|less
That'd show who was testing for the exploit in the last 10 weeks, and
probably the exploit itself. I'm still assuming that the awstats hole is
the method of entry, as you were vulnerable and the above "grep" run on
three separate web servers shows 25 to 37 exploit attempts each.
I'd also be curious what you get by running a
# ps -u www-data
which would show any processes running that are owned by the www-data
user. If you've got anything other than web servers and gcache, kill
the process and save the file for forensics.
> My plan is to backup important stuff, format the system
> partition (my /home is on a different drive altogether), reinstall debian
> stable and do regular (weekly?) apt-get updates.
You might try mondoarchive as a last ditch bare-metal recovery backup
system. It historically has had a few issues running on debian, but worked
for me the one time my normal backups were corrupted and I _really_
needed it.
Regards,
-Don
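An added example, not from Don's mail or anything on the Kclug list, that does by script what the zgrep above does by eye: parse Apache access-log lines, count awstats.pl requests per source address, and flag the ones whose decoded query values carry shell metacharacters. The log lines and addresses are constructed, and the metacharacter set is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined log format: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# Assumed set of shell metacharacters that have no place in a query value to awstats.pl.
SUSPICIOUS = re.compile(r'[|;`$]')

# Constructed sample log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2005:03:14:22 -0600] "GET /cgi-bin/awstats.pl?configdir=%7CREDACTED%7C HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [12/Nov/2005:03:14:25 -0600] "GET /cgi-bin/awstats.pl?configdir=%7CREDACTED%7C HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [13/Nov/2005:11:02:01 -0600] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 9182 "-" "-"
192.0.2.44 - - [13/Nov/2005:11:05:40 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
"""

def parse_line(line):
    """Return (ip, path, query) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('req').split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    return m.group('ip'), url.path, url.query

def is_awstats_probe(path, query):
    """Same condition the zgrep matches: awstats.pl requested with a query string."""
    return path.endswith('/awstats.pl') and bool(query)

def has_shell_metachars(query):
    """True if any percent-decoded parameter value contains a shell metacharacter."""
    return any(SUSPICIOUS.search(v) for _, v in parse_qsl(query, keep_blank_values=True))

def summarize(lines):
    """Count awstats.pl probes per source IP; also collect the ones carrying metacharacters."""
    per_ip, flagged = Counter(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or non-standard line; skip rather than abort the scan
        ip, path, query = parsed
        if is_awstats_probe(path, query):
            per_ip[ip] += 1
            if has_shell_metachars(query):
                flagged.append((ip, path + '?' + query))
    return dict(per_ip), flagged
```

Feed it `zcat access.log.?.gz` output (or the plain log) line by line to cover the same rotated files the zgrep does; every probe counts, and the flagged list is what to keep for forensics.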