Has my server been hacked? apt-get upgrade fears...

Don Erickson derick at zeni.net
Mon Nov 14 17:06:53 CST 2005


On Mon, 14 Nov 2005, Matt Graham wrote:

> Yikes.  Check out what apt-get says when I tell it to upgrade.
>
> That's a big list.  Should I be afraid for my system if I say yes?  Or do
> I trust apt to do its thing?  Should my system be in any type of runlevel
> when I do this?  Can I do this from an ssh session?

Are you running "stable", aka sarge?  If so, then go ahead and upgrade if 
you want, it should be okay.  Changing runlevels isn't necessary.  You can 
do it from ssh.

But, we don't know that your system has been purged of bad stuff.  We 
_think_ that there are processes running as the www-data user, but I 
didn't see your output from the ps -u www-data command.  It seems logical 
that your box wasn't rooted, but I'm just guessing from behind an opaque 
curtain.  There was a local root exploit in the 2.4 and 2.6 kernels about 
a year ago, and if your installation is 9 months old or older, you might 
well have been rooted.

I just looked it up: kernel versions < 2.4.30 and < 2.6.10 are 
vulnerable.  If you're running a kernel older than these, reinstall.

Either way, removing awstats removed the access hole, but didn't 
necessarily remove anything else that might have been uploaded to your 
machine.  Bad guys have been using your box, and you don't know what all 
they might have done.  We are assuming at this point that everything that 
they did was done as www-data, your apache owner.

Do a
# find / -user www-data > /tmp/www-data_owned_files.txt

then look through it for funny stuff.  But, if your kernel is older than 
the versions listed above, reinstall anyway.


That's just my opinion.

-Don
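An added example, not part of Don's message or the thread: a POSIX sh script with two helpers for the triage he describes, one comparing a kernel version string against the cutoffs he quotes, one sifting the output of the find command for paths that do not belong to the web server. The list of expected www-data directories and the sample file listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Two helpers for the triage
# Don describes: compare the running kernel against the cutoffs he quotes
# (< 2.4.30 and < 2.6.10 are vulnerable), and sift a "find / -user www-data"
# listing for paths outside the places the web server legitimately owns.
# The expected-prefix list and sample paths below are assumptions/constructed.

# kernel_vulnerable VERSION: exit 0 if VERSION is below the cutoff for its
# series (2.4.x < 2.4.30, 2.6.x < 2.6.10), else 1. Other series return 1.
kernel_vulnerable() {
    ver=${1%%-*}                       # drop a Debian suffix such as "-2-686"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    case "$major.$minor" in
        2.4) [ "${patch:-0}" -lt 30 ] ;;
        2.6) [ "${patch:-0}" -lt 10 ] ;;
        *)   return 1 ;;
    esac
}

# Where www-data-owned files are expected on this box (an assumption).
EXPECTED_PREFIXES='/var/www /var/lib/awstats /var/cache/apache2 /var/run/apache2'

# suspicious_paths FILE: print each path in FILE that is not under an expected
# prefix, or that has a hidden (dot) component anywhere, even under one.
suspicious_paths() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        ok=0
        for prefix in $EXPECTED_PREFIXES; do
            case "$path" in "$prefix"|"$prefix"/*) ok=1; break ;; esac
        done
        case "$path" in */.*) ok=0 ;; esac
        [ "$ok" -eq 1 ] || printf '%s\n' "$path"
    done < "$1"
}

# Constructed sample listing standing in for /tmp/www-data_owned_files.txt.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
/var/www/index.html
/var/lib/awstats/awstats112005.txt
/tmp/.x/a.out
/dev/shm/.k/start.sh
/var/www/.bash_history
EOF
if kernel_vulnerable "$(uname -r)"; then echo "kernel below cutoff: reinstall"; fi
suspicious_paths "$SAMPLE_LIST"
```

On a real box, replace the sample listing with the file the find command wrote and review the flagged paths by hand; an empty result does not prove the machine is clean.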

