My website was hacked! (fwd)
David Kramer
david at thekramers.net
Wed Nov 24 22:34:01 EST 2004
Someone sent me this in response:
> Here's a semi-obvious thing to check - we had some people get into a box
> we run a couple months back and there was all this crap
> lying around in /var/tmp. I would check in there... If the exploit was
> the webserver, you'll see evidence somewhere they could write files.
This looks to be the case. There's a file /var/tmp/m
[root@uni /var/tmp]# l
total 28
drwxrwxrwt 3 root root 4096 Nov 24 04:54 .
drwxr-xr-x 17 root root 4096 Mar 1 2004 ..
-rwxrwxrwx 1 wwwrun www 12335 Oct 28 01:10 m
drwxrwxrwt 2 root root 4096 Sep 23 2003 vi.recover
[root@uni /var/tmp]# file m
m: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
[root@uni /var/tmp]# strings m | tail
/bin/sh
Can't execve shell!
USAGE: %s [PORT=2345]
Sa vedem ...
socket
setsockopt
bind
listen
getsockname
Se deschide pe portul urmator %d
FUCK: Can't fork child (%d)
Mergeeeeee pidu=%d
bash
Password:
unguras
This server is secure by Unguras alias Papy neam cu zorg si exterxy si
alti unguri satmareni.
.-=Norok si Sanatate! =-.
.-=Casa ai de toatel =-.
.-= Sa ma pis pe HacKeri =-.
.-=Si pe Rasa lor! =-.
That is obviously put there by the hackers. It's been moved.
[root@uni /var/tmp]# grep 2345 /etc/services
dbm 2345/tcp # dbm
dbm 2345/udp # dbm
I cannot get to my machine via port 2345, so that might be a ruse.
Also, I noticed that the index.html file is owned by wwwrun (as is "m"),
which leads me to believe that this is an apache-level hack, and my server
is not "owned". Please correct me if I am in denial.
I did a "find / -mtime -2", and there was nothing that I would not have
expected, except /etc/suseconfig/csh.login, which was empty. That might
be harmless, as YaST touches everything under the sun every time I go to
the bathroom. But hackers tend to backdate files, so this test is of
little assurance.
I looked at the output of "last" and saw nothing unusual.
Anything else I should try?
Should I panic more than I am? Right now I feel strongly this was a
benign "stupid Apache tricks" thing, and I need to find the hole and close
it, but no need to nuke the server and start over.
Thanks.
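The post's worry that "find -mtime" can be fooled by backdated files is well founded, but the inode change time (ctime) cannot be set with touch: backdating the mtime itself updates the ctime to "now". The script below is an added example, not part of the original mail; it builds a constructed scratch directory (a normal file plus a planted file whose mtime is backdated the way the poster fears) and shows that a ctime-based find still catches the planted file, and that combining the two tests isolates exactly the files whose timestamps were tampered with. It assumes only POSIX find, touch and sed; the names make_scratch, recent_mtime, recent_ctime and backdated_suspects are this example's own.

```shell
#!/bin/sh
# Added example (not the original poster's commands). Runs only against a
# scratch directory it creates itself, never against /.
set -eu

# Build the constructed test tree: "normal" is a freshly written file,
# "m" is a planted file whose mtime is then backdated with touch -t.
# touch -t rewrites atime/mtime only; the kernel bumps ctime to now.
make_scratch() {
    dir=$(mktemp -d)
    printf 'normal\n' > "$dir/normal"
    printf 'planted\n' > "$dir/m"
    touch -t 200410280110 "$dir/m"    # claim it was last modified 2004-10-28 01:10
    echo "$dir"
}

# What the poster ran: files modified within the last two days.
# A backdated file does not show up here.
recent_mtime() {
    find "$1" -type f -mtime -2 | sed "s#^$1/##" | sort
}

# The check a practitioner adds: files whose inode changed within two
# days. Writing, chmod'ing, chown'ing or touch'ing a file all update ctime.
recent_ctime() {
    find "$1" -type f -ctime -2 | sed "s#^$1/##" | sort
}

# Files that changed recently by ctime but whose mtime claims otherwise:
# these are the timestamp-tampered suspects worth looking at first.
backdated_suspects() {
    find "$1" -type f -ctime -2 ! -mtime -2 | sed "s#^$1/##" | sort
}

# Stand-alone demo over the constructed tree.
scratch=$(make_scratch)
echo "mtime-recent:       $(recent_mtime "$scratch" | tr '\n' ' ')"
echo "ctime-recent:       $(recent_ctime "$scratch" | tr '\n' ' ')"
echo "backdated suspects: $(backdated_suspects "$scratch" | tr '\n' ' ')"
rm -rf "$scratch"
```

On a real box the same three finds would be run against / (or at least /var/tmp, /tmp, /dev/shm and the document root), and "ls -lc" shows the ctime column directly. The second loose end in the post, whether anything is actually listening on 2345, is answered on the host itself rather than from outside, since a firewall in between would hide it: "netstat -tlnp" or "lsof -i :2345" run as root shows the listening socket and its owning process if the backdoor is running.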