Re: New exploit in Apache and FC3?

Randall Shaw wrote:

On Sun, 2005-06-26 at 22:09 -0400, Mailing List Receiver wrote:


Ever since we found and stopped a phishing site that had been planted
on our server to run as the default site under Apache, we have been under
constant attack.  Presumably, the perpetrators did not appreciate that
we made their millions of scam emails ineffective.

So, today I just happened to get a feeling that I should check for rootkits.
Sure enough, someone had a listener at port 3049 and lsof showed the owner
as being Apache. More investigation shows the following in /tmp.


*snip*

I'd be more inclined to guess that there actually is a hole in a web app
you are running - you are a hosting service, correct?

A lot of hacks are done through insecure hosting software - maybe cpanel
or something like that.



We had a spammer hack in through apache on a redhat box a month ago. He got in through a client's installed/used phpBB board (of course). The spammer installed shv5 and proceeded to send out millions of emails, which our courier server promptly rejected, so no harm was REALLY done.

Took a while to get rid of the files, as we had to backtrack through the
install process of shv5. We canned all our clients' use of phpBB and the
machine has been clean since.

Just our experiences, maybe of some help to you.


-Randall Shaw



I actually had this happen to me twice. The first time the machine was poorly updated, and a rootkit was installed. That was in FC2. The second time, in FC3, I noticed a lot of traffic when I did a `netstat -n`; after some investigation I found worm-like scripts owned by apache in /tmp attempting to spread to other machines. I didn't find the original entry point of the first attack at the time as the machine became totally unusable due to the rootkit. The second time SELinux saved me from any serious damage. However I was then able to trace things back to an old phpBB install which I was hosting for a friend. This site was present during the first attack, so I've since assumed it was also the point of entry.
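The check the first poster describes (a listener on an odd port whose owner lsof showed as apache) can be turned into a repeatable triage step. The script below is an added example, not from anyone in this thread; it parses `lsof -i -n -P` output and flags LISTEN sockets owned by the web-server user on ports outside an allowlist. The user name `apache`, the allowlisted ports and the sample lsof lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: pick out LISTEN sockets owned by the
# web-server user in `lsof -i -n -P` output, i.e. the finding described above
# (a listener on port 3049 whose owner lsof showed as apache). The user name
# and the allowlisted ports are assumptions; adjust them for the host checked.
WEB_USER="${WEB_USER:-apache}"

# Constructed sample of `lsof -i -n -P` output, embedded so the script runs offline.
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd    1234   root    3u  IPv4  12345      0t0  TCP *:80 (LISTEN)
httpd    1240 apache    3u  IPv4  12345      0t0  TCP *:80 (LISTEN)
httpd    1240 apache    4u  IPv4  12346      0t0  TCP *:443 (LISTEN)
sshd      800   root    3u  IPv4  12300      0t0  TCP *:22 (LISTEN)
perl     1999 apache    4u  IPv4  13000      0t0  TCP *:3049 (LISTEN)
perl     1999 apache    5u  IPv4  13001      0t0  TCP 10.0.0.5:40000->198.51.100.7:80 (ESTABLISHED)'

# Read lsof output on stdin; print "PID COMMAND PORT" for every LISTEN socket
# owned by $WEB_USER on a port outside the allowlist (argument 1, default "80 443").
# Apache's root parent binds the listeners and its apache-owned children inherit
# them, so apache-owned listeners on 80/443 are expected; any other port needs
# an explanation (a legitimate module, or something dropped in via a web app).
suspicious_listeners() {
    awk -v user="$WEB_USER" -v allow="${1:-80 443}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 == user && $NF == "(LISTEN)" {
            # NAME is the field before the state, e.g. "*:3049" or "[::]:3049";
            # the port is whatever follows the last colon.
            k = split($(NF-1), parts, ":")
            port = parts[k]
            if (!(port in ok)) print $2, $1, port
        }'
}

# Stand-alone run: report on the constructed sample, or on this host with --live.
if [ "${1:-}" = "--live" ]; then
    lsof -i -n -P | suspicious_listeners
else
    printf '%s\n' "$SAMPLE_LSOF" | suspicious_listeners
fi
```

On the sample the only line reported is `1999 perl 3049`; pair the PID with `ls -l /proc/<pid>/exe` and `lsof -p <pid>` to see what binary is behind it and which files (for instance under /tmp) it holds open.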

