my server hacked help urgent!

zweb (Verified User, joined Apr 20, 2005, 11 messages)
Good day. I've noticed from my Apache log that my system has been compromised, but not to the root level. The affected software is suEXEC of Apache.

[Mon Nov 14 13:33:31 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Nov 14 13:33:31 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)
--15:29:44-- http://members.lycos.co.uk/africans/pro.txt
=> `pro.txt'
Resolving members.lycos.co.uk... 212.78.204.20
Connecting to members.lycos.co.uk[212.78.204.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 60,161 [text/plain]

0K .......... .......... .......... .......... .......... 85% 41.76 KB/s
50K ........ 100% 49.98 MB/s

15:29:46 (49.07 KB/s) - `pro.txt' saved [60,161/60,161]

kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]


ps aux shows this

apache 6963 0.0 0.0 0 0 ? Z 15:29 0:00 [sh] <defunct>
apache 6973 78.7 0.3 8992 3784 ? R 15:29 261:09 /usr/sbin/apache/logins


netstat -an shows an extra port
tcp 0 0 xxx.xxx.xxx.xxx:59941 72.20.25.181:6667 ESTABLISHED 6973/logins

Need help on how to remove this problem. I've upgraded to Apache 1.3.34 but the problem still persists.
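The three indicators in this post (a download logged by the web server's own process, an apache-owned process running a binary that is not httpd, and an outbound connection to an IRC port) can be checked the same way on other hosts. The following POSIX shell script is an added example, not code from the thread or from any poster: it wraps each check in a function that reads `ps aux`, `netstat -anp` or `error_log` output from stdin. The allowed httpd path (`/usr/sbin/httpd`), the IRC port range (6660-6669 and 7000) and the sample lines are assumptions constructed for the example, modelled on what is quoted above.

```shell
#!/bin/sh
# Triage helpers for the indicators quoted in the thread. Sample input below is
# constructed for this example (modelled on the thread's lines), not from a live host.

# Binaries the web server user is expected to run (assumption: Fedora-style path).
ALLOWED_HTTPD_BINS='/usr/sbin/httpd'

# Established outbound connections to common IRC ports (assumption: 6660-6669, 7000).
# Input: `netstat -anp` lines (Proto Recv-Q Send-Q Local Foreign State PID/Program).
irc_connections() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
            n = split($5, r, ":"); port = r[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 7000) print $5, $7
        }'
}

# Processes owned by the web server user whose command is not an allowed httpd
# binary; defunct shells such as "[sh] <defunct>" are caught by the same rule.
# Input: `ps aux` lines. Optional $1 is the web server user (default: apache).
suspicious_web_procs() {
    awk -v user="${1:-apache}" -v allowed="$ALLOWED_HTTPD_BINS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == user && !($11 in ok) { print $2, $8, $11 }'
}

# wget transfer banners ("--HH:MM:SS-- URL") inside the Apache error log mean a
# CGI/PHP process downloaded something; print the URLs that were fetched.
downloads_in_error_log() {
    grep -E '^--[0-9:]+-- +https?://' | awk '{ print $2 }'
}

# Constructed samples shaped like the output quoted in the thread.
NETSTAT_SAMPLE=$(cat <<'EOF'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1234/httpd
tcp 0 0 10.0.0.5:59941 72.20.25.181:6667 ESTABLISHED 6973/logins
tcp 0 0 10.0.0.5:22 10.0.0.9:51022 ESTABLISHED 2210/sshd
EOF
)

PS_SAMPLE=$(cat <<'EOF'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
apache 1240 0.0 0.5 20500 9100 ? S 13:33 0:00 /usr/sbin/httpd
apache 6963 0.0 0.0 0 0 ? Z 15:29 0:00 [sh] <defunct>
apache 6973 78.7 0.3 8992 3784 ? R 15:29 261:09 /usr/sbin/apache/logins
root 1200 0.0 0.5 20400 9000 ? S 13:33 0:01 /usr/sbin/httpd
EOF
)

ERRORLOG_SAMPLE=$(cat <<'EOF'
[Mon Nov 14 13:33:31 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
--15:29:44-- http://example.invalid/pro.txt
=> `pro.txt'
15:29:46 (49.07 KB/s) - `pro.txt' saved [60,161/60,161]
EOF
)

# Run all three checks over the samples and print a short report.
triage_report() {
    echo "== downloads logged by the web server =="
    printf '%s\n' "$ERRORLOG_SAMPLE" | downloads_in_error_log
    echo "== apache-owned processes that are not httpd (PID STAT COMMAND) =="
    printf '%s\n' "$PS_SAMPLE" | suspicious_web_procs apache
    echo "== established connections to IRC ports (REMOTE PID/PROGRAM) =="
    printf '%s\n' "$NETSTAT_SAMPLE" | irc_connections
}

triage_report
```

On a live host the same functions take real output: `netstat -anp | irc_connections` (the `-p` column needs root), `ps aux | suspicious_web_procs apache`, and `downloads_in_error_log < /var/log/httpd/error_log`. A hit from any of them is a reason to capture the process (its PID, the `/proc/PID/exe` link and `/proc/PID/cwd`) before killing it, since the script kill in the thread left only a defunct shell and an unexplained binary path behind.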
 
Does not look good. I have checked the script and I think your server is now a zombie host of a network controlled from an IRC channel, from which the script is triggered. It searches for phpBB exploits.

Perhaps install rkhunter or chkrootkit, but I don't think it's safe; if this happened to my server I would re-install the server right away.
 
I've temporarily chmod 600 /usr/bin/wget to prevent any other downloading and also deleted the bots that are running. If it's a phpBB exploit, perhaps I can ask the client to remove or upgrade the files. As I can't possibly reinstall the system, I think I can only minimise the damage done. Will chkrootkit work for this case?
 
chkrootkit and rkhunter (search for them) will help you see the extent of the problems.

Most rootkits are dangerous enough so you do want to reinstall your server.

That of course is up to you.

Jeff
 
I'm running FC3. I've isolated the problem to be a phpBB ver 2.0.10 viewtopic exploit which a client of mine had installed previously. I've hence fixed the problem :)
 
As a rule, hackers who exploit holes in phpBB do not install rootkits.

Rootkits are a specific kind of hack; they actually change the kernel to hide the fact that they've made any changes.

Jeff
 
Yup, lucky for me it's just a bunch of script kiddies who use it to IRC. Any other code which is easily implementable into the script would cause more damage to my server itself. I've managed to trace the hacker to his IRC channel and, needless to say, his website where he uploaded the script to run. I'll just leave them alone for now, as it would be difficult for me to report them as well over here in Singapore.
 