Attack under NFS

Hello,

One of our servers is under attack.

We have a process called "/usr/local/apache/bin/httpd -DSSL" which is automatically started.

22959 ? S 0:00 /usr/local/apache/bin/httpd -DSSL

In fact there is no binary /usr/local/apache/bin/httpd.

The /tmp partition is mounted as noexec and nosuid.

In /etc/mtab:
/dev/sda7 /tmp ext3 rw,noexec,nosuid 0 0

The wget binary is not available to everybody:

ls -al /usr/bin/wget

-rwx------ 1 root root 227168 nov 2 2005 /usr/bin/wget

And the contents of the /tmp partition do not show anything that could be called!

When we look in /proc/pid/loginuid we can see that it is an unknown user who has launched this program (one after the nfsnobody user)

cat /proc/22959/loginuid

4294967295

and the highest is
nfsnobody:x:4294967294:

The command line used is

cat /proc/22959/cmdline

/usr/local/apache/bin/httpd -DSSL
livezone

The most important part is the environ in /proc

cat /proc/22959/environ

SHELL=/bin/sh
USER=apache
PATH=/usr/bin:/bin
_=./proc
PWD=/dev/shm/.access.log
SHLVL=3
HOME=/var/www
LOGNAME=apache

When we look at PWD we can see /dev/shm/.access.log, which contains this:

ls -al /dev/shm/.access.log/

total 324
drwxr-xr-x 7 apache apache 420 avr 2 06:44 .
drwxrwxrwt 3 root root 100 mar 21 16:27 ..
-rwxr-xr-x 1 apache apache 320 mai 31 2004 config
-rw------- 1 apache apache 1002 mar 10 2004 config.h
-rw-rw-rw- 1 apache apache 57 mar 21 16:28 cron.d
-rwxr-xr-x 1 apache apache 347 mai 31 2004 ****
drwxr-xr-x 2 apache apache 4900 mai 31 2002 help
-rwxr-xr-x 1 apache apache 202544 mar 10 2004 httpd
drwxr-xr-x 2 apache apache 120 jui 26 2004 lang
-rw------- 1 apache apache 136 avr 2 06:44 livezone
-rw-rw-rw- 1 apache apache 21 mar 21 16:28 livezone.dir
-rw------- 1 apache apache 136 avr 1 07:34 livezone.old
drwxr-xr-x 2 apache apache 100 avr 2 16:23 log
drwxr-xr-x 2 apache apache 40 jun 4 2004 motd
-rwxr-xr-x 1 apache apache 14306 nov 13 2003 proc
-rw------- 1 apache apache 6 avr 2 16:23 psybnc.pid
-rw-r--r-- 1 apache apache 33557 mar 10 2004 README
-rwxr-xr-x 1 apache apache 68 jun 4 2004 run
drwxr-xr-x 2 apache apache 40 mar 10 2004 scripts
-rwxr--r-- 1 apache apache 21516 sep 25 2002 xh
-rwxrw-rw- 1 apache apache 200 mar 21 16:28 y2kupdate

So it looks like it is an IRC bot

OK, we can stop this, but we cannot find who created this and who launched it.

Do you know this attack? Do you know how to stop it?

Indeed, /dev/shm is mounted with the noexec and nosuid options:

none /dev/shm tmpfs defaults,noexec,nosuid 0 0

Any ideas ?

Thanks

Pascal
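The post walks through /proc/PID/loginuid, cmdline and environ by hand. Two points a practitioner would add: /proc/PID/exe is a symlink to the file actually being executed, whatever the process wrote into argv[0], so it answers "which binary is this really?" when cmdline names a path that does not exist; and loginuid 4294967295 is (uid_t)-1, the kernel's "never set" value for a process that does not descend from a login session, so it is not a user account at all (nfsnobody being 4294967294 is a coincidence of numbering). The script below is an added example, not code from the post, that automates those reads and also looks up whether the process's working directory sits on a noexec mount by parsing an mtab-style table (the same format as /proc/mounts). It assumes Linux /proc.

```sh
#!/bin/sh
# Added example: triage a suspicious PID through /proc, automating the checks the
# post did by hand. Not part of the original post. Assumes Linux /proc and
# mtab/fstab/proc-mounts formatted mount tables.

# Turn a NUL-separated /proc file (cmdline, environ) into one entry per line.
nul_to_lines() {
    tr '\0' '\n'
}

# Print the mount options of the mount that contains path $1.
# $2 is mount-table text in mtab format: "device mountpoint fstype options dump pass".
# The longest mount point that is a prefix of the path wins.
mount_opts_for_path() {
    path=$1
    best=""
    bestopts=""
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac
        match=0
        if [ "$mnt" = "/" ]; then
            match=1
        else
            case "$path" in
                "$mnt"|"$mnt"/*) match=1 ;;
            esac
        fi
        if [ "$match" -eq 1 ] && [ "${#mnt}" -gt "${#best}" ]; then
            best=$mnt
            bestopts=$opts
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$bestopts"
}

# Exit status 0 if path $1 lives on a mount whose options (from table $2) include noexec.
mount_is_noexec() {
    case ",$(mount_opts_for_path "$1" "$2")," in
        *,noexec,*) return 0 ;;
    esac
    return 1
}

# Dump what /proc knows about a process. /proc/PID/exe is a symlink to the file
# actually being executed, whatever the process put in argv[0], so it is the
# first thing to read when cmdline names a binary that does not exist.
triage_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        printf 'no such pid: %s\n' "$pid"
        return 1
    fi
    printf 'exe:      %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || printf '(unreadable)')"
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
    printf 'cwd:      %s\n' "$cwd"
    # 4294967295 is (uid_t)-1: "never set", i.e. no login session in the ancestry.
    printf 'loginuid: %s\n' "$(cat "/proc/$pid/loginuid" 2>/dev/null)"
    for f in cmdline environ; do
        printf '%s:\n' "$f"
        if [ -r "/proc/$pid/$f" ]; then
            nul_to_lines < "/proc/$pid/$f" | sed 's/^/  /'
        fi
    done
    if [ -n "$cwd" ] && [ -r /proc/mounts ]; then
        mounts=$(cat /proc/mounts)
        if mount_is_noexec "$cwd" "$mounts"; then
            printf 'note: cwd is on a noexec mount (%s)\n' "$(mount_opts_for_path "$cwd" "$mounts")"
        fi
    fi
}

# Usage: sh triage.sh <pid>
if [ $# -gt 0 ]; then
    triage_pid "$1"
fi
```

In the environ the post shows, `_=./proc` is the variable a shell sets to the command it last launched, and PWD is the directory it was launched from; together with exe and cwd from /proc that is usually enough to locate the dropped file before anyone deletes it.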

We found that the program has been uploaded in /dev/shm

ls -al /dev/shm/

-rw-rw-rw- 1 apache apache 816640 mar 21 16:27 ryo.tar
-rwxr-xr-x 1 apache apache 11487 mar 21 16:25 usa

usa is the binary which launches the apache process.

Is there a way to make /dev/shm more secure?

Pascal
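On the question of securing /dev/shm: noexec only refuses execve() of files on that filesystem. It does not stop them being read, so a file on a noexec mount can still end up running when something that is already executable elsewhere loads it, and the post's own listing (a mode 755 `usa` on a noexec tmpfs that nevertheless started the bot) is a case in point. The mount option raises the bar; it is not a boundary. Since every dropped file is owned by apache, the web server or something it serves is the probable entry point, and the web logs around the timestamps on `ryo.tar` and `usa` are the place to look for it. The script below is an added example, not code from the post, that audits a scratch filesystem for dropped ELF files by content rather than by name or mode, lists hidden entries like `.access.log`, and reports which of nodev/noexec/nosuid a mount is missing. The suggested fstab line is the editor's, not something the post contains.

```sh
#!/bin/sh
# Added example: audit a world-writable scratch filesystem (/dev/shm, /tmp) for
# dropped binaries and weak mount options. Not part of the original post; the
# recommended fstab line below is the editor's suggestion.

# Exit status 0 if file $1 starts with the ELF magic 7f 45 4c 46 ("\x7fELF").
# A dropper can name its binary anything, so test content rather than name or mode.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# List every regular file under $1 that is an ELF object, hidden directory or not.
find_dropped_binaries() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        if is_elf "$f"; then
            printf 'ELF  %s\n' "$f"
        fi
    done
}

# List dot-named entries under $1 (the post's bot lived in /dev/shm/.access.log/).
find_hidden_entries() {
    find "$1" -name '.*' ! -path "$1" 2>/dev/null
}

# Given a mount option string, print the hardening options it lacks.
# noexec refuses execve() of files on the filesystem, nodev ignores device
# nodes created there, nosuid ignores set-uid/set-gid bits there.
missing_hardening_opts() {
    opts=",$1,"
    missing=""
    for want in nodev noexec nosuid; do
        case "$opts" in
            *,"$want",*) ;;
            *) missing="$missing${missing:+,}$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Check a live mount point against /proc/mounts and report what is missing.
audit_mount() {
    mnt=$1
    opts=$(awk -v m="$mnt" '$2 == m { print $4 }' /proc/mounts 2>/dev/null)
    if [ -z "$opts" ]; then
        printf '%s: not a separate mount point\n' "$mnt"
        return 1
    fi
    lacking=$(missing_hardening_opts "$opts")
    if [ -n "$lacking" ]; then
        printf '%s: options "%s" lack %s\n' "$mnt" "$opts" "$lacking"
        return 1
    fi
    printf '%s: ok (%s)\n' "$mnt" "$opts"
}

# Suggested /etc/fstab entry (editor's suggestion): nodev closes the one gap in
# the post's current line, and a size= cap keeps a dropper from filling RAM.
#   tmpfs  /dev/shm  tmpfs  rw,nosuid,nodev,noexec,size=64m  0 0

# Usage: sh audit_shm.sh /dev/shm /tmp
for d in "$@"; do
    audit_mount "$d" || true
    find_hidden_entries "$d"
    find_dropped_binaries "$d"
done
```

Running this periodically from cron against /dev/shm and /tmp gives an early warning the mount options alone cannot: the file is found when it is dropped, before whatever loads it gets a chance to.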