Hello,
One of our servers is under attack.
We have a process called "/usr/local/apache/bin/httpd -DSSL" which is automatically started.
22959 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
In fact there is no binary /usr/local/apache/bin/httpd.
The /tmp partition is mounted as noexec and nosuid.
In /etc/mtab:
/dev/sda7 /tmp ext3 rw,noexec,nosuid 0 0
The wget binary is not allowed for everybody:
ls -al /usr/bin/wget
-rwx------ 1 root root 227168 nov 2 2005 /usr/bin/wget
And the content of the /tmp partition doesn't show anything that could be called!
When we look in /proc/pid/loginuid, we can see that it is an unknown user who has launched this program (one after the nfsnobody user):
cat /proc/22959/loginuid
4294967295
and the highest is:
nfsnobody:x:4294967294:
The command line used is:
cat /proc/22959/cmdline
/usr/local/apache/bin/httpd -DSSL
livezone
The most important part is the environ in /proc:
cat /proc/22959/environ
SHELL=/bin/sh
USER=apache
PATH=/usr/bin:/bin
_=./proc
PWD=/dev/shm/.access.log
SHLVL=3
HOME=/var/www
LOGNAME=apache
When we look in PWD we can see /dev/shm/.access.log, which contains this:
ls -al /dev/shm/.access.log/
total 324
drwxr-xr-x 7 apache apache 420 avr 2 06:44 .
drwxrwxrwt 3 root root 100 mar 21 16:27 ..
-rwxr-xr-x 1 apache apache 320 mai 31 2004 config
-rw------- 1 apache apache 1002 mar 10 2004 config.h
-rw-rw-rw- 1 apache apache 57 mar 21 16:28 cron.d
-rwxr-xr-x 1 apache apache 347 mai 31 2004 ****
drwxr-xr-x 2 apache apache 4900 mai 31 2002 help
-rwxr-xr-x 1 apache apache 202544 mar 10 2004 httpd
drwxr-xr-x 2 apache apache 120 jui 26 2004 lang
-rw------- 1 apache apache 136 avr 2 06:44 livezone
-rw-rw-rw- 1 apache apache 21 mar 21 16:28 livezone.dir
-rw------- 1 apache apache 136 avr 1 07:34 livezone.old
drwxr-xr-x 2 apache apache 100 avr 2 16:23 log
drwxr-xr-x 2 apache apache 40 jun 4 2004 motd
-rwxr-xr-x 1 apache apache 14306 nov 13 2003 proc
-rw------- 1 apache apache 6 avr 2 16:23 psybnc.pid
-rw-r--r-- 1 apache apache 33557 mar 10 2004 README
-rwxr-xr-x 1 apache apache 68 jun 4 2004 run
drwxr-xr-x 2 apache apache 40 mar 10 2004 scripts
-rwxr--r-- 1 apache apache 21516 sep 25 2002 xh
-rwxrw-rw- 1 apache apache 200 mar 21 16:28 y2kupdate
So it looks like it is an IRC bot.
OK, we can stop this, but we can't find who created it and who launched it.
Do you know this attack? Do you know how to stop it?
Indeed, /dev/shm is mounted with the noexec and nosuid options:
none /dev/shm tmpfs defaults,noexec,nosuid 0 0
Any ideas?
Thanks
Pascal
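The manual triage in the post (reading cmdline, environ, loginuid and the cwd link under /proc) as an added POSIX shell example; this is not code from the original thread. Every function takes a /proc root as its first argument so it runs against a constructed sample tree that reproduces pid 22959 from the post next to a benign shell; the exe link target (/dev/shm/.access.log/proc) is an assumption, since the post never shows /proc/22959/exe. Pass the real /proc instead to triage a live host (as root, so the exe and cwd links resolve). Note that a loginuid of 4294967295 is (uid_t)-1, the "unset" value: it does not name a user, it means the process was not started from an audited login session, which is what cron jobs, daemons and CGI children of the web server all look like.

```shell
#!/bin/sh
# Added example (not part of the original post): triage a process from its
# /proc entry and flag the indicators the post found by hand.

# argv[0] from the NUL-separated cmdline file.
proc_argv0() {
    tr '\0' '\n' < "$1/$2/cmdline" 2>/dev/null | head -n 1
}

# One variable from the NUL-separated environ file, e.g. PWD, or "_",
# which the launching shell sets to the command it actually executed.
proc_env_var() {
    tr '\0' '\n' < "$1/$2/environ" 2>/dev/null | sed -n "s/^$3=//p"
}

# Tab-separated line: pid, argv[0], exe target, cwd target, loginuid.
# loginuid 4294967295 is (uid_t)-1, "unset": no audited login session.
proc_report() {
    printf '%s\t%s\t%s\t%s\t%s\n' "$2" "$(proc_argv0 "$1" "$2")" \
        "$(readlink "$1/$2/exe" 2>/dev/null || echo '?')" \
        "$(readlink "$1/$2/cwd" 2>/dev/null || echo '?')" \
        "$(cat "$1/$2/loginuid" 2>/dev/null || echo '?')"
}

# Return 0 when the entry shows one of the post's indicators, 1 otherwise.
proc_is_suspicious() {
    argv0=$(proc_argv0 "$1" "$2")
    exe=$(readlink "$1/$2/exe" 2>/dev/null)
    cwd=$(readlink "$1/$2/cwd" 2>/dev/null)
    # 1. argv[0] is an absolute path that does not exist on disk: the name
    #    shown by ps was chosen by the program, not by exec.
    case $argv0 in
        /*) [ -e "$argv0" ] || return 0 ;;
    esac
    # 2. the file really executed (exe) has another basename than argv[0]
    #    (a leading "-" marks login shells and is ignored; an exe ending in
    #    " (deleted)" also trips this, which is wanted).
    a0=${argv0##*/}; a0=${a0#-}
    if [ -n "$exe" ] && [ "${exe##*/}" != "$a0" ]; then return 0; fi
    # 3. the working directory is inside a world-writable tmp/tmpfs area.
    case $cwd in
        /dev/shm/*|/tmp/*|/var/tmp/*) return 0 ;;
    esac
    return 1
}

# Print the pids under ROOT that trip an indicator.
proc_scan() {
    for p in "$1"/[0-9]*; do
        [ -d "$p" ] || continue
        pid=${p##*/}
        if proc_is_suspicious "$1" "$pid"; then echo "$pid"; fi
    done
    return 0
}

# Constructed sample tree: pid 22959 uses the post's cmdline, environ and
# loginuid values; the exe target is an assumption. pid 1234 is a benign shell.
make_sample_proc() {
    mkdir -p "$1/22959" "$1/1234"
    printf '%s\0%s\0' /usr/local/apache/bin/httpd -DSSL > "$1/22959/cmdline"
    printf 'SHELL=/bin/sh\0USER=apache\0PATH=/usr/bin:/bin\0_=./proc\0PWD=/dev/shm/.access.log\0SHLVL=3\0HOME=/var/www\0LOGNAME=apache\0' > "$1/22959/environ"
    echo 4294967295 > "$1/22959/loginuid"
    ln -s /dev/shm/.access.log "$1/22959/cwd"
    ln -s /dev/shm/.access.log/proc "$1/22959/exe"
    printf '%s\0' /bin/sh > "$1/1234/cmdline"
    printf 'PWD=/root\0' > "$1/1234/environ"
    echo 1000 > "$1/1234/loginuid"
    ln -s / "$1/1234/cwd"
    ln -s /bin/sh "$1/1234/exe"
}

# Stand-alone demo on the sample tree; on a live host use e.g.
#   proc_report /proc 22959 ; proc_scan /proc
sample=$(mktemp -d)
make_sample_proc "$sample"
proc_report "$sample" 22959
printf 'launched as: %s in %s\n' \
    "$(proc_env_var "$sample" 22959 _)" "$(proc_env_var "$sample" 22959 PWD)"
proc_scan "$sample"
rm -rf "$sample"
```

Indicator 1 is the one the post stumbled on (the httpd path in ps does not exist), indicator 2 catches it even when the fake name does exist, and indicator 3 covers the /dev/shm working directory; on a real box expect a few benign hits from indicator 3 (build jobs, browsers) that are easy to rule out with the report line.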