Has my server been hacked?

Don Erickson derick at zeni.net
Mon Nov 14 10:46:12 CST 2005


On Mon, 14 Nov 2005, Matt Graham wrote:

> I don't see the lupii file in /tmp.  I see the following:
>
> There is no netstat output with lupii.

Okay, so you're (probably) a victim of the awstats hole, but not the worm 
that exploits it.

> It's been a while since I've done an apt-get upgrade.  Those always seem
> to make my system unbootable for some reason, so I guess I put them off
> too long.

Subscribe to debian-security at lists.debian.org.  Then just upgrade the 
packages you're running that have security holes.

I'd be real interested in what returns if you do a
# zgrep awstats.pl\? /var/log/apache/access.log.?.gz|less

That'd show who was testing for the exploit in the last 10 weeks, and 
probably the exploit itself.  I'm still assuming that the awstats hole is 
the method of entry, as you were vulnerable and the above "grep" run on 
three separate web servers shows 25 to 37 exploit attempts each.

I'd also be curious what you get by running a

# ps -u www-data

which would show any processes running that are owned by the www-data 
user.  If you've got anything other than web servers and gcache, kill 
the process and save the file for forensics.

> My plan is to backup important stuff, format the system
> partition (my /home is on a different drive altogether), reinstall debian
> stable and do regular (weekly?) apt-get updates.

You might try mondoarchive as a last ditch bare-metal recovery backup 
system.  It historically has had a few issues running on debian, but worked 
for me the one time my normal backups were corrupted and I _really_ 
needed it.


Regards,

-Don
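A structured version of the zgrep check above, added here as an example and not part of the original thread: it reads plain or rotated (.gz) Apache access logs in the combined format, keeps only requests for awstats.pl, and reports per client how many hits there were and which query parameters were used, so unexpected parameters stand out against normal report views. The log lines below are constructed sample data, not real traffic.

```python
"""Summarise awstats.pl requests in Apache access logs (plain or .gz)."""
import gzip
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def open_log(path):
    """Open a rotated (.gz) or plain access log as text."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", errors="replace")
    return open(path, errors="replace")

def awstats_requests(lines):
    """Yield (ip, status, query parameter names) for each awstats.pl request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "awstats.pl" not in m.group("url"):
            continue
        query = urlsplit(m.group("url")).query
        names = tuple(sorted(parse_qs(query, keep_blank_values=True)))
        yield m.group("ip"), int(m.group("status")), names

def summarise(lines):
    """Per client IP: (number of awstats.pl hits, sorted set of parameters seen)."""
    hits, params = Counter(), defaultdict(set)
    for ip, _status, names in awstats_requests(lines):
        hits[ip] += 1
        params[ip].update(names)
    return {ip: (hits[ip], sorted(params[ip])) for ip in hits}

def summarise_files(paths):
    """Run summarise() over several log files, e.g. access.log and access.log.N.gz."""
    lines = []
    for path in paths:
        with open_log(path) as fh:
            lines.extend(fh)
    return summarise(lines)

# Constructed sample lines: one ordinary report view, two hits from a second host
# using a parameter awstats reports do not normally carry (placeholder name/value).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Sep/2005:08:12:01 -0500] "GET /cgi-bin/awstats.pl?config=example.org&year=2005&month=09 HTTP/1.1" 200 5123',
    '198.51.100.7 - - [06/Sep/2005:03:44:10 -0500] "GET /cgi-bin/awstats.pl?config=example.org&unexpected_param=PLACEHOLDER HTTP/1.0" 200 732',
    '198.51.100.7 - - [06/Sep/2005:03:44:12 -0500] "GET /cgi-bin/awstats.pl?config=example.org&unexpected_param=PLACEHOLDER HTTP/1.0" 200 731',
    '203.0.113.3 - - [06/Sep/2005:09:01:55 -0500] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, (n, names) in summarise(SAMPLE_LOG).items():
        print(f"{ip}: {n} awstats.pl request(s), params={names}")
```

Point `summarise_files()` at `/var/log/apache/access.log` plus the rotated `access.log.N.gz` files to get the same view across the retention window the zgrep covers.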

