From: chris@darkadsl.ca
To: freebsd-questions@freebsd.org
Date: Tue, 07 Jul 2009 15:50:06 -0700
Subject: Hacker problem...Takes down apache?
Message-ID: <40db8bb280d58ed7874492a66de0fa86@localhost>
User-Agent: RoundCube Webmail/0.2.1

I run a virtual hosting server and one of my clients got hacked (weak password in CMS). I was able to capture the php script that the hacker uploaded, as well as some c and perl daemons (one looks to be basically like telnet -- should be fairly harmless due to the restrictive hardware firewall, plus the one I saw relies on a bash shell which I don't have). Also another one looks like a generic network bouncer -- something like netcat.

However, what I can't figure out is how it is causing interference with Apache (and possibly networking in general). The processes I've seen from this are running as www so I don't see anything to suggest I've been rooted, but how else can it listen on port 80? It seems to be doing *something* to break Apache in an attempt to hijack it.

INITIAL SYMPTOMS

* Apache does not come back up from its nightly log rotation (it segfaults occasionally when it gets a signal: "seg fault or similar nasty error detected in the parent process", but I have a script to auto-restart so it's not normally a problem). However top/ps/etc. show it as running.

  SERVER# /usr/local/etc/rc.d/apache22 stop
  apache22 not running? (check /var/run/httpd.pid).
  SERVER# /usr/local/etc/rc.d/apache22 start
  Performing sanity check on apache22 configuration:
  Syntax OK
  Starting apache22.
  (48)Address already in use: make_sock: could not bind to address [::]:80
  (48)Address already in use: make_sock: could not bind to address 0.0.0.0:80
  no listening sockets available, shutting down
  Unable to open logs

  After killing all httpd PIDs I am able to start it, and it runs according to top/ps/etc., but it still does not work.

SYMPTOMS

* When connecting to port 80 on the web server with a web browser I get a "page cannot be displayed" error. A "lynx 127.0.0.1" gives the error "Alert!: Unable to access document." However sockstat still shows httpd listening on port 80.

* When doing a packet sniff "ngrep host and not port 22" I see what appears to be spammy pages being served up in response to http queries (though they don't seem to make it to any browser). Even more interestingly, I see http queries for domains/pages I host, but am not accessing from my IP (standard traffic), even though the ngrep command should restrict to my IP. Also what looks like mysql replication environment variables (this server does not use mysql replication).

* Somehow there is a perl process listening on port 80... How can an unprivileged process bind to a low port?

  www  httpd      75975  4     tcp4   *:*       *:*
  www  httpd      75975  5     tcp46  *:443     *:*
  www  httpd      75975  6     tcp4   *:*       *:*
  www  httpd      75974  3     tcp46  *:80      *:*
  www  httpd      75974  4     tcp4   *:*       *:*
  www  httpd      75974  5     tcp46  *:443     *:*
  www  httpd      75974  6     tcp4   *:*       *:*
  www  httpd      75973  3     tcp46  *:80      *:*
  www  httpd      75973  4     tcp4   *:*       *:*
  www  perl5.8.8  33537  4     tcp4   *:80      *:*
  www  perl5.8.8  33537  6     tcp4   *:443     *:*
  www  perl5.8.8  33537  1431  tcp4   *:11457   *:*
  www  perl5.8.8  33537  1432  tcp4   :80       58.61.38.19:1569
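As an added example (not part of the post above, and not FreeBSD's or Apache's own code), a small Python check that reads sockstat output like the listing in the post and flags any program other than httpd holding port 80 or 443, which is the anomaly the poster spotted by eye. The sample lines are the post's own listing embedded as a constant, and the regex tolerates the run-together FD/PROTO columns exactly as they appear there; the allow-list of expected commands is an assumption for this host.

```python
import re
from collections import defaultdict

# Constructed sample: the sockstat listing quoted in the post, "1431tcp4" and all.
SAMPLE = """\
www httpd 75975 4 tcp4 *:* *:*
www httpd 75975 5 tcp46 *:443 *:*
www httpd 75975 6 tcp4 *:* *:*
www httpd 75974 3 tcp46 *:80 *:*
www httpd 75974 4 tcp4 *:* *:*
www httpd 75974 5 tcp46 *:443 *:*
www httpd 75974 6 tcp4 *:* *:*
www httpd 75973 3 tcp46 *:80 *:*
www httpd 75973 4 tcp4 *:* *:*
www perl5.8.8 33537 4 tcp4 *:80 *:*
www perl5.8.8 33537 6 tcp4 *:443 *:*
www perl5.8.8 33537 1431tcp4 *:11457 *:*
www perl5.8.8 33537 1432tcp4 :80 58.61.38.19:1569
"""
# USER COMMAND PID FD PROTO LOCAL FOREIGN; the "\s*" before PROTO tolerates the
# missing space between the FD and PROTO columns seen in the quoted output.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*(tcp4|tcp6|tcp46|udp4|udp6|udp46)\s+(\S+)\s+(\S+)\s*$")
WEB_PORTS = {"80", "443"}
EXPECTED_CMDS = {"httpd"}  # assumption: the only program that should hold the web ports

def parse_sockstat(text):
    # One dict per socket line; the column header and unparseable lines are skipped.
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        user, cmd, pid, fd, proto, local, foreign = m.groups()
        rows.append(dict(user=user, cmd=cmd, pid=int(pid), fd=int(fd),
                         proto=proto, local=local, foreign=foreign))
    return rows

def audit_web_ports(rows, expected=EXPECTED_CMDS, web_ports=WEB_PORTS):
    # Flag unexpected holders of the web ports, and ports held by several programs.
    findings, holders = [], defaultdict(set)
    for r in rows:
        port = r["local"].rsplit(":", 1)[-1]  # handles both "*:80" and ":80"
        if port not in web_ports:
            continue
        holders[port].add(r["cmd"])
        if r["cmd"] not in expected:
            state = "listening on" if r["foreign"] == "*:*" else "has a connection on"
            findings.append(f"{r['cmd']} pid {r['pid']} fd {r['fd']} (user {r['user']}) "
                            f"{state} port {port}: {r['local']} <-> {r['foreign']}")
    for port, cmds in sorted(holders.items()):
        if len(cmds) > 1:  # the same port held by two different programs
            findings.append(f"port {port} held by more than one program: {', '.join(sorted(cmds))}")
    return findings
```

A process does not need root to hold a low port if it inherited the already-open descriptor across fork() from a process that had it, so the check looks at who holds the port rather than who could bind it. Run it against live output with `parse_sockstat(open("/path/to/sockstat-4l.txt").read())` or by piping `sockstat -4l` into it.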