ch...@darkadsl.ca wrote:

> I run a virtual hosting server and one of my clients got hacked (weak
> password in CMS).
>
> I was able to capture the php script that the hacker uploaded, as well as
> some c and perl daemons (one looks to be basically like telnet -- should be
> fairly harmless due to the restrictive hardware firewall, plus the one I
> saw relies on a bash shell which I don't have). Also another one looks like
> a generic network bouncer -- something like netcat. However, what I can't
> figure out is how it is causing interference with Apache (and possibly
> networking in general).
>
> The processes I've seen from this are running as www so I don't see
> anything to suggest I've been rooted, but how else can it listen for something
> on port 80? It seems to be doing *something* to break Apache in an attempt
> to hijack it.
It is possible that the intruder replaced your httpd daemon with a custom
program. Check the timestamps of your normal Apache binary to ensure that it
hasn't been tampered with. A common technique I've come across in the past is
for an intruder to use obscure and hard-to-spot directory names such as
"...", ".../" etc., particularly in the /tmp and /var/tmp locations.

Also, you should verify the status of ALL binaries that are loaded at startup,
to ensure they are all sane. It's quite possible that your web server is simply
a patched binary that may not even be a web server at all. If the timestamp of
httpd is different, it may be as simple as restoring the binary from a backup.

Also, check your "last" command for logins, check privileged users' .history
files and check users' home directories for any files/directories that appear
out of place.

/usr/ports/security/tripwire may help you in the future.

Good luck!

Steve
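Two of the checks Steve suggests, scripted as an added example (this is not code from the thread): a sweep of /tmp and /var/tmp for the dot-and-space directory names he describes, and an mtime comparison of the httpd binary against a known-good copy. The paths in run_demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. (1) Walk the given roots for directory
# names built only from dots and spaces (e.g. "...", "... ", ". ") or padded
# with spaces to mimic a real name; such names hide well in "ls" output.
# (2) Compare a binary's mtime against a known-good reference copy.

# Print every directory under the roots whose name is a decoy of that kind.
find_odd_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type d 2>/dev/null | while IFS= read -r d; do
            [ "$d" = "$root" ] && continue
            base=$(basename "$d")
            # remove all dots and spaces; nothing left means a decoy name
            rest=$(printf '%s' "$base" | tr -d '. ')
            # a name that changes when trimmed carries padding spaces
            trimmed=$(printf '%s' "$base" | sed 's/^ *//; s/ *$//')
            if [ -z "$rest" ] || [ "$trimmed" != "$base" ]; then
                printf '%s\n' "$d"
            fi
        done
    done
}

# Print "modified" if BIN's mtime differs from REF (e.g. the same binary
# restored from backup), otherwise "unchanged". A differing mtime is a lead,
# not proof; compare checksums against the package or backup as well.
mtime_differs() {
    bin=$1; ref=$2
    if [ "$bin" -nt "$ref" ] || [ "$bin" -ot "$ref" ]; then
        echo modified
    else
        echo unchanged
    fi
}

# Demo on a constructed tree (paths are made up for the example).
run_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/tmp/... " "$t/tmp/. ." "$t/tmp/.cache" "$t/var/tmp/bin "
    echo "suspicious directories:"
    find_odd_dirs "$t/tmp" "$t/var/tmp"
    rm -rf "$t"
}

run_demo
```

On a live host, run `find_odd_dirs /tmp /var/tmp` and `mtime_differs /usr/local/sbin/httpd /path/to/backup/httpd` (the backup path is yours to fill in).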