Hello All,
This is more of a security issue.
Like everyone else, we're constantly threatened by script kiddies who exploit clients' broken PHP scripts or other holes such as /tmp access.
To counter this, we've disabled wget and curl. We've also secured /tmp in every possible way. On top of that, I have a script running that notifies me whenever any unrecognized process runs or a file is added in /tmp which shouldn't be there.
As a solution, this has been working great and we've been able to stop exploits in their tracks completely.
However, I've got this one intrusion that is eating at me and whose origin I cannot identify.
Basically I see a directory created in /tmp, ".r", so I'm thinking "r0nin" install attempts. Obviously they can't go further because of the measures we've taken, but it still bugs me that they keep trying.
But I can't tell where it's coming from! This is all I see in the httpd/error_log:
sh: /usr/bin/curl: Permission denied
chmod: cannot access `kaiten': No such file or directory
mv: cannot stat `kaiten': No such file or directory
sh: ./bash: No such file or directory
chmod: cannot access `kaiten': No such file or directory
mv: cannot stat `kaiten': No such file or directory
sh: ./bash: No such file or directory
That is all I get! I tried grepping all sorts of things in the main logs for the domains with keywords from above (kaiten, bash, chmod, etc.). Nothing.
I tried grepping each user directory for the same keywords to see if any script residing there is trying to execute these commands. Nothing.
So I replaced curl with my own script which echoes things like "php -i" and whatever arguments were passed to "curl" in the attempted execution. STILL NOTHING!
I CAN'T FIND IT AND IT'S DRIVING ME CRAZY. The php -i is not showing anything interesting other than that the execution directory is /tmp/.r (duh).
So, any ideas what I can add to my little fake "curl" script so that when the kiddie tries to execute it, it would tell me WHERE he's trying to execute it from?
Or where else I could look?
Linux version 2.6.12.1 (gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)) #2 SMP
Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7g PHP/4.3.11 mod_perl/1.29 FrontPage/5.0.2.2510 configured
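The fake curl described above only records its own arguments, which is why it shows nothing useful: the interesting information is in its ancestors. The attacker's whole command line ("cd /tmp/.r; curl ...; chmod +x kaiten; mv kaiten bash; ./bash") is the argv of the `sh -c` that is the wrapper's parent, and further up the chain sits the httpd child serving the request, whose established TCP socket gives the remote address. On a 2.6 kernel all of that is readable from /proc by the web server's own uid. The following wrapper is an added example written for this thread, not code from the original post; the log path `/var/log/fake-curl.log`, the `FAKE_CURL_LOG` override and the function names are my own assumptions, and the wrapper deliberately exits non-zero so the rest of the kiddie's script still fails as before.

```shell
#!/bin/sh
# fake-curl: install as /usr/bin/curl (and /usr/bin/wget) in place of the real
# binaries. It records who called it, from where, and on whose behalf, then
# fails like the real thing was never there. Added example; paths are assumptions.
LOG=${FAKE_CURL_LOG:-/var/log/fake-curl.log}

# Convert a /proc/net/tcp address ("0100007F:0050") to dotted form ("127.0.0.1:80").
# The kernel stores the IPv4 address little-endian, hence the byte reversal.
hex2ip() {
    a=${1%%:*}; p=${1##*:}
    printf '%d.%d.%d.%d:%d' \
        "0x$(echo "$a" | cut -c7-8)" "0x$(echo "$a" | cut -c5-6)" \
        "0x$(echo "$a" | cut -c3-4)" "0x$(echo "$a" | cut -c1-2)" "0x$p"
}

# Print the remote end of every ESTABLISHED IPv4 socket held by pid $1.
# For the httpd child in the ancestry this is the client that sent the request.
peers() {
    for fd in /proc/"$1"/fd/*; do
        l=$(readlink "$fd" 2>/dev/null) || continue
        case $l in socket:\[*\]) ino=${l#socket:[}; ino=${ino%]} ;; *) continue ;; esac
        # /proc/net/tcp: col 3 = rem_address, col 4 = state (01 = ESTABLISHED), col 10 = inode
        for rem in $(awk -v ino="$ino" 'NR>1 && $10==ino && $4=="01" {print $3}' /proc/net/tcp); do
            printf '    peer=%s\n' "$(hex2ip "$rem")"
        done
    done
}

# Walk the parent chain from pid $1 up to init, one line per process:
# the full argv of each ancestor, its working directory and its network peers.
ancestry() {
    pid=$1
    while [ "$pid" -gt 1 ] 2>/dev/null; do
        [ -r "/proc/$pid/status" ] || break
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || true)
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
        printf '  pid=%s ppid=%s cwd=%s cmd=%s\n' "$pid" "$ppid" "$cwd" "$cmd"
        peers "$pid"
        pid=$ppid
    done
}

# One log record per invocation. The timestamp is there so the record can be
# matched against access_log entries from the same second (another way to find
# the script and the client if the socket lookup is not readable).
record_call() {
    printf '%s uid=%s cwd=%s args=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)" "$(pwd)" "$*"
    ancestry "$PPID"
    printf -- '--\n'
}

# Only act as the decoy when actually invoked under the curl/wget name.
case ${0##*/} in
    curl|wget)
        record_call "$@" >> "$LOG" 2>&1
        echo "sh: /usr/bin/${0##*/}: Permission denied" >&2
        exit 1 ;;
esac
```

The record for a hit will show the `sh -c` line with the download URL and the `/tmp/.r` working directory, then the httpd child above it with `peer=<client ip>:<port>`; grep the access_log for that address and second to get the vulnerable script's URL. Keep the log outside /tmp and writable only by the web server uid, since the same intruder can read and delete anything in /tmp.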