On Thursday, 16 November 2006 22:56, olga@xxxxxxxxxxxxxx wrote:
>
> > On Thu, 2006-11-16 at 10:26 -0600, olga@xxxxxxxxxxxxxx wrote:
> >> Hi,
> >>
> >> I wrote about kernel errors which somebody pointed out was because the
> >> server was running out of memory.
> >>
> >> Now I found the following which makes me think that that server may have
> >> been compromised.
> >>
> >> Here's what I get when I issued: netstat -nap
> >>
> >> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
> >> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
> >>
> >> About a hundred instances of that program 'ps x' running.
> >>
> >> Also here's what ps -ef produced:
> >>
> >> apache 6323 1 0 10:30 ? 00:00:00 ps x
> >> apache 6324 1 0 10:30 ? 00:00:00 ps x
> >> apache 6326 1 0 10:30 ? 00:00:00 ps x
> >> apache 6328 1 0 10:30 ? 00:00:00 ps x
> >> apache 6330 1 0 10:30 ? 00:00:00 ps x
> >
> > What does ls -l /proc/6323/exe say? That would be a symlink to the
> > executable for that process. Normal ps lives in /bin so the link should
> > point at /bin/ps. If it is connecting out to a remote host, it's likely
> > not the normal ps, just something that's masking itself to make it less
> > likely to get picked up.
> >
> > --
> > David Hollis <dhollis@xxxxxxxxxxxxxx>
>
> apache 3102 1 0 15:53 ? 00:00:00 httpd
> apache 3104 1 0 15:53 ? 00:00:00 httpd
> apache 3106 1 0 15:53 ? 00:00:00 httpd
> apache 3108 1 0 15:53 ? 00:00:00 httpd
> apache 3110 1 0 15:53 ? 00:00:00 httpd
> apache 3112 1 0 15:53 ? 00:00:00 httpd
> apache 3114 1 0 15:53 ? 00:00:00 httpd
> apache 3116 1 0 15:53 ? 00:00:00 httpd
> apache 3118 1 0 15:53 ? 00:00:00 httpd
> apache 3120 1 0 15:53 ? 00:00:00 httpd
> apache 3122 1 0 15:53 ? 00:00:00 httpd
> apache 3125 1 0 15:54 ? 00:00:00 httpd
> apache 3127 1 0 15:54 ? 00:00:00 httpd
> apache 3129 1 0 15:54 ? 00:00:00 httpd
> apache 3131 1 0 15:54 ? 00:00:00 httpd
> apache 3133 1 0 15:54 ? 00:00:00 httpd
> apache 3135 1 0 15:54 ? 00:00:00 httpd
> apache 3137 1 0 15:54 ? 00:00:00 httpd
> apache 3139 1 0 15:54 ? 00:00:00 httpd
> apache 3141 1 0 15:54 ? 00:00:00 httpd
> apache 3143 1 0 15:54 ? 00:00:00 httpd
> apache 3145 1 0 15:54 ? 00:00:00 httpd
> apache 3639 1 0 15:57 ? 00:00:00 ps x
> apache 3642 1 0 15:57 ? 00:00:00 ps x
> apache 3645 1 0 15:58 ? 00:00:00 ps x
> apache 3647 1 0 15:58 ? 00:00:00 ps x
>
>
> I am getting a ton of these...
> Here's what ls -l /proc/3147/exe says
> lrwxrwxrwx 1 apache apache 0 Nov 16 15:56 /proc/3147/exe -> /usr/bin/perl
>
> When I do netstat -nap I get:
> tcp 0 0 131.x.x.x:44160 72.14.x.x:80 ESTABLISHED -
> tcp 0 0 131.x.x.x:44161 72.14.x.x:80 ESTABLISHED -
> tcp 0 0 131.x.x.x:44162 72.14.x.x:80 ESTABLISHED -
>
> The ip points to google...
>
> And these appeared in the /tmp folder:
>
> drwxrwxrwt 8 root root 4096 Nov 16 16:00 .
> drwxr-xr-x 23 root root 4096 Nov 16 14:35 ..
> srwx------ 1 root nobody 0 Nov 16 14:36 .fam_socket
> drwxrwxrwt 2 xfs xfs 4096 Nov 16 14:35 .font-unix
> srw-rw-rw- 1 root root 0 Nov 16 14:36 .gdm_socket
> -rw-r--r-- 1 apache apache 0 Nov 15 15:20 .httpd
> drwxrwxrwt 2 root root 4096 Nov 16 14:36 .ICE-unix
> drwx------ 2 root root 4096 Nov 16 14:59 mc-root
> drwx------ 2 root root 12288 Nov 16 15:16 orbit-root
> -rw-r--r-- 1 apache apache 0 Nov 16 15:58 sess_azx3a4wq3x1f2aad4a34sxx1w2o52a45
> -rw-r--r-- 1 apache apache 11669 Nov 16 15:43 sess_rdav631df3a1ddfaa34s1x1wwo521459
> -r--r--r-- 1 root root 11 Nov 16 14:36 .X0-lock
> drwxrwxrwt 2 root root 4096 Nov 16 14:36 .X11-unix
>
> What is going on?
>

Finally... did they break into your system? Did you find something strange in the logs? I wonder what happened; give us some information, this thread is quite interesting and will help other folks in the near future ;-)

One way or another, if they got shell access (even a remote text shell, you know...) you should think about reinstalling your system. As far as I know, if they left a rootkit you must not trust your system anymore.
By the way, let me give you a piece of advice: installing Babel Enterprise could be a nice idea ( http://babel.sourceforge.net/en/ ), yeah yeah, it's GPL ;-) Babel is an enterprise-grade auditing system to manage consistency of security policy between different systems in a non-homogeneous architecture. Babel allows you to manage very different operating systems, like AIX, Solaris, Windows 2000, Windows XP, Linux, *BSD or HPUX. Babel allows an administrator team to monitor the hardening level of their systems and keep them constantly monitored, using periodic policy polling, and of course a WEB based, graphical reporting, and of course a centralized management for all systems. There's a demo online, try it.

Hope this helps.

--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues.
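The check David Hollis describes, comparing what /proc/PID/exe points at with what the process claims to be in its command line, scripted across every process instead of one PID at a time. This is an added example, not code from the thread or from any of its posters. It assumes a Linux /proc layout; the function names (find_masquerading, build_fake_proc) and the small /proc look-alike it builds in a temporary directory are constructed here so the script runs offline. On a live host it is run as root, because other users' exe links are unreadable otherwise (the same permission problem that makes netstat -p print "-" instead of an owning PID).

```sh
#!/bin/sh
# Added example, not code from the thread. Walks a /proc tree and reports
# processes whose command line does not match the binary that
# /proc/PID/exe actually points at, which is how the 'ps x' processes
# above turned out to be /usr/bin/perl. Assumes a Linux /proc layout.

DELETED=" (deleted)"   # suffix the kernel appends when the binary was unlinked

# find_masquerading <proc_root>
# Prints "<pid> <cmdline> -> <exe target> (<reason>)" for each suspect.
find_masquerading() {
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # Kernel threads have no exe link, and links we may not read fail
        # here; both are skipped rather than reported.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # cmdline is argv joined by NUL bytes; turn it into a plain string.
        cmd=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null || true)
        cmd="${cmd% }"
        [ -n "$cmd" ] || continue          # zombies have an empty cmdline
        argv0="${cmd%% *}"; argv0="${argv0##*/}"
        exebase="${exe##*/}"
        reason=""
        case "$exe" in
            *"$DELETED") exebase="${exebase%"$DELETED"}"
                         reason="binary deleted from disk" ;;
        esac
        if [ "$argv0" != "$exebase" ]; then
            reason="${reason:+$reason; }argv[0] '$argv0' != exe '$exebase'"
        fi
        if [ -n "$reason" ]; then
            echo "$pid $cmd -> $exe ($reason)"
        fi
    done
    return 0
}

# build_fake_proc <dir>: constructed /proc look-alike for offline use.
build_fake_proc() {
    d="$1"
    # An honest httpd: argv[0] and the exe link agree.
    mkdir -p "$d/3102"
    printf '/usr/sbin/httpd\000' > "$d/3102/cmdline"
    ln -s /usr/sbin/httpd "$d/3102/exe"
    # The case from the thread: claims to be 'ps x', is really perl.
    mkdir -p "$d/3147"
    printf 'ps\000x\000' > "$d/3147/cmdline"
    ln -s /usr/bin/perl "$d/3147/exe"
    # Kernel-thread style entry: no exe link, must be skipped, not crash.
    mkdir -p "$d/2"
    : > "$d/2/cmdline"
    # Non-PID entry the glob must ignore.
    mkdir -p "$d/sys"
}

main() {
    demo=$(mktemp -d)
    build_fake_proc "$demo"
    echo "Suspect processes in constructed tree $demo:"
    find_masquerading "$demo"
    rm -rf "$demo"
}
main
```

On a live host call find_masquerading /proc as root. Interpreters reached through a symlink (sh pointing at dash, python at a versioned binary) and daemons that rewrite argv[0] will also be listed, so treat the output as a triage list to check by hand, exactly as a single ls -l /proc/PID/exe is; the thread's own case, an apache-owned process reporting itself as ps while running perl, is the kind of mismatch it is meant to surface.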