Hacker problem...Takes down apache?
chris at darkadsl.ca
chris at darkadsl.ca
Tue Jul 7 23:06:10 UTC 2009
I run a virtual hosting server and one of my clients got hacked (weak
password in CMS).
I was able to capture the php script that the hacker uploaded, as well as
some c and perl daemons (one looks to be basically like telnet -- should be
fairly harmless due to the restrictive hardware firewall, plus the one I
saw relies on a bash shell which I don't have). Also another one looks like
a generic network bouncer -- something like netcat. However what I can't
figure out is how it is causing interference with Apache (and possibly
networking in general).
The processes I've seen from this are running as www so I don't see
anything to suggest I've been rooted, but how else can it listen something
on port 80? It seems to be doing *something* to break Apache in an attempt
to hijack it.
INITIAL SYMPTOMS
* Apache does not come back up from it's nightly log rotation (it
segfaults occasionally when it gets a signal "seg fault or similar nasty
error detected in the parent process" but I
have a script to auto restart
so it's not normally a problem). However top/ps/etc. show it as running.
SERVER# /usr/local/etc/rc.d/apache22 stop
apache22 not running? (check /var/run/httpd.pid).
SERVER# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
(48)Address already in use: make_sock: could not bind to address [::]:80
(48)Address already in use: make_sock: could not bind to address
0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
After killing all httpd PIDs I am able to start it, and it runs according
to top/ps/etc, but it still does not work.
SYMPTOMS
* When connecting to port 80 on the web server with a web browser a "page
can not be displayed" error. A "lynx 127.0.0.1" give error "Alert!: Unable
to access document." However sockstat still shows httpd listening on port
80.
* When doing a packet sniff "ngrep host and not port 22" I see what
appears to be spammy pages
being served up in response to http queries (tho
they don't seem to make them to any browser). Even more interestingly, I
see http queries for domains/pages I host, but am not accessing from my IP
(standard traffic) even tho the ngrep command should restrict to my IP.
Also what looks like mysql replication environment variables (this server
does not use mysql replication).
* Somehow there is a perl process listening on port 80......How can an
unprivliged process bind to a low port?
www httpd 75975 4 tcp4 *:* *:*
www httpd 75975 5 tcp46 *:443 *:*
www httpd 75975 6 tcp4 *:* *:*
www httpd 75974 3 tcp46 *:80 *:*
www httpd 75974 4 tcp4 *:* *:*
www httpd 75974 5 tcp46 *:443 *:*
www httpd 75974 6 tcp4 *:* *:*
www httpd 75973 3 tcp46 *:80 *:*
www httpd 75973 4 tcp4 *:* *:*
www perl5.8.8 33537 4 tcp4 *:80 *:*
www perl5.8.8 33537 6 tcp4 *:443 *:*
www perl5.8.8 33537 1431tcp4 *:11457 *:*
www perl5.8.8 33537 1432tcp4 :80 58.61.38.19:1569
More information about the freebsd-questions
mailing list