Subject: Re: [users@httpd] Hacked ? /usr/local/apache/bin/httpd -DSSL ?
From: dan
Reply-To: info@hostinthebox.net
To: users@httpd.apache.org
Date: Wed, 02 Feb 2005 14:40:10 -0700
Message-ID: <420148BA.9050602@hostinthebox.net>
In-Reply-To: <4201470D.40903@winfreeacademy.com>
References: <20050202210953.GA16381@xy1.org> <4201470D.40903@winfreeacademy.com>
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Laura Vance wrote:
> A system that I administer was hacked last Easter. It had been hacked
> twice before that, and I was replacing the software that I thought was
> the culprit, until I found after the Easter hack that something that I
> didn't think about was the problem.
>
> The apache logs showed bad SSL handshake attempts. It had 30 to 100 in
> rapid succession. I realized that it wasn't a flaw in apache that was
> being hacked, but a flaw in the SSL engine that was being exploited. I
> upgraded to OpenSSL version 0.9.7d, and I haven't been hacked since
> (knock on wood). I think there's an even newer version of OpenSSL out,
> but I haven't checked to see if it addresses security holes or features.
>
> I can't say if this is what happened to you, but it's something to check.
>
> Also, like everyone else said, look for unusual files in /tmp/, /var/tmp/
> and /usr/tmp/. That seems to be where all of the bad stuff sets itself
> up. Keep an eye on your system security checks for world-writable
> files, because the hacker files are always world-writable.
>
> Good Luck
>
> mailarch@xy1.org wrote:
>
>> Hello,
>>
>> I run an Apache/1.3.29 (Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.3.3
>> mod_ssl/2.8.16 OpenSSL/0.9.7c.
>>
>> Today I have seen with the top command two Perl processes by www-data
>> which occupied all my CPU resources.
>>
>> ps aux | grep pid_number_of_one_of_these_perl_processes gave me this:
>>
>> melanie:/usr/local# ps aux | grep 10813
>> www-data 10813 48.8 0.3 5128 3456 ? R 20:54 11:18 /usr/local/apache/bin/httpd -DSSL
>> root 12615 0.0 0.0 2056 732 pts/0 R 21:18 0:00 grep 10813
>>
>> But I don't have a /usr/local/apache directory!!!
>>
>> Has somebody hacked my Apache web server?
>>
>> Should I contact the Debian apache package maintainer? Because I use
>> the Debian stable version.

Use 'lsof pid_of_your_process_here'.

I find this particularly useful in finding out where all the goodies are actually located.

If you're going to do that, compile a static version of lsof and any number of tools that you'd like to use. I did this, with maybe a dozen commands, off of another machine, all as static binaries. It took up almost a whole CD, but I knew that the libraries that my utilities used weren't compromised, either.

You can also attach 'strace' to that process to see all the cool things that it's doing. Particularly useful for joining the chatroom that the zombie is idling in, and making comments to the owner.

Also look for dir names such as "..." and "....", stuff like that.

Thanks
-dant

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
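The checks the thread recommends, collected into one script as an added example (this is not code from the original posters and not part of the Apache project). It assumes a Linux host with /proc; lsof is used when present and /proc/<pid>/fd is the fallback. The reason the ps line in the original report is not trustworthy is that a Perl script can rewrite its own command line (by assigning to $0), so the "/usr/local/apache/bin/httpd -DSSL" that ps prints is what the process claims; /proc/<pid>/exe and lsof show what is actually running. The fixture directory and file names in the test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): first-response checks for a
# process whose ps name does not match any binary on disk. As the thread
# advises, run these from a known-clean static toolkit (the shell, find,
# readlink, lsof and tr on a compromised host may themselves be trojaned).
# Directory roots, thresholds and fixture names below are assumptions.

# Real binary behind a PID, via /proc/<pid>/exe. Prints nothing if /proc
# is unavailable or the PID is gone, so callers can treat "" as unknown.
real_exe() {
    pid=$1
    [ -d "/proc/$pid" ] || return 0
    readlink "/proc/$pid/exe" 2>/dev/null || true
}

# Compare what the process claims (argv[0] from /proc/<pid>/cmdline, the
# same string ps shows) with the executable actually mapped. A Perl bot
# that set $0 to ".../httpd" shows up as MISMATCH httpd perl. Symlinked
# interpreters (sh -> dash) also mismatch, so this flags for a human, it
# does not convict.
claimed_vs_real() {
    pid=$1
    real=$(real_exe "$pid")
    [ -n "$real" ] || return 0
    claimed=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -d' ' -f1)
    claimed=${claimed#-}                 # login shells prefix argv[0] with "-"
    if [ "${claimed##*/}" != "${real##*/}" ]; then
        printf 'MISMATCH %s %s\n' "$claimed" "$real"
    else
        printf 'OK %s\n' "$real"
    fi
}

# "Where are all the goodies": open files, sockets and the cwd of the PID.
# lsof -p is the thread's suggestion; /proc/<pid>/fd is the fallback.
open_files() {
    pid=$1
    if command -v lsof >/dev/null 2>&1; then
        lsof -p "$pid" 2>/dev/null || true
    elif [ -d "/proc/$pid/fd" ]; then
        readlink "/proc/$pid/cwd" 2>/dev/null || true
        ls -l "/proc/$pid/fd" 2>/dev/null || true
    fi
}

# Directories named only with dots (and trailing spaces): "...", "....",
# "... ". find never emits "." or ".." itself, so those are not reported.
dot_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -mindepth 1 -type d -name '.*' 2>/dev/null \
            | grep -E '/\.\.+[. ]*$' || true
    done
}

# World-writable regular files under the usual drop zones.
world_writable() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -perm -002 2>/dev/null || true
    done
}

# Full pass for one PID; the tmp roots are the ones named in the thread.
triage() {
    pid=$1
    echo "== claimed vs real binary";  claimed_vs_real "$pid"
    echo "== open files";              open_files "$pid"
    echo "== dot-named directories";   dot_dirs /tmp /var/tmp /usr/tmp
    echo "== world-writable files";    world_writable /tmp /var/tmp /usr/tmp
}

# Usage: sh triage.sh <pid>   (run only when a PID is given)
if [ $# -gt 0 ]; then
    triage "$1"
fi
```

Attaching strace afterwards ("strace -p <pid>") shows the same picture live: the socket the bot talks on and the commands it receives. Do that from the clean toolkit as well, and copy the interesting files out before killing the process, since the script that spawned it usually lives in one of the tmp directories and will be the first thing the owner cleans up.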