Re: [gentoo-user] Re: Rootkit?
On Thu 06 Oct 2011 10:40:35 PM IST, Nilesh Govindarajan wrote:
> On Thu 06 Oct 2011 10:32:14 PM IST, Michael Mol wrote:
> > On Oct 6, 2011 12:57 PM, Nilesh Govindarajan <cont...@nileshgr.com> wrote:
> > > On Thu 06 Oct 2011 09:06:06 PM IST, Alberto Luaces wrote:
> > > > Nilesh Govindarajan writes:
> > > > > One of the servers I manage has a strange problem. Every 24h, someone starts a process that shows up as perl in the list, but the launching command is /usr/sbin/httpd. It shows just one process, but when I run something like this:
> > > > >
> > > > >   ps -C perl -o cmd,pid
> > > > >
> > > > > I get some 5-6 processes, alternately with cmd as /usr/sbin/httpd or /usr/bin/perl. The even more interesting thing is, /usr/sbin/httpd does not exist.
> > > > >
> > > > > I suspect a rootkit, but chkrootkit and rkhunter reported nothing.
> > > > >
> > > > > Also, I found a mysterious file, /tmp/ips.txt, with the following content:
> > > > >
> > > > >   xxx.xxx.xxx.xxx 127.0.0.1 addr:xxx.xxx.xxx.xxx addr: addr:127.0.0.1 addr:
> > > > >
> > > > > Is somebody aware of a malware/rootkit which creates such files?
> > > >
> > > > I had some of that recently. The attacker used an instance of phpmyadmin to inject into its URL a wget command to download a perl script from another site. Look for `wget' in the apache logs.
> > >
> > > @all
> > > Apache was never installed. I don't see any reason to install it because nginx satisfies my needs.
> > > I grepped for the string wget in all logs and php files, found some, but they were for libssh2 in wordpress code.
> > >
> > > @Michael, I thought of doing that, but before I discovered the file, I'd already killed the processes. Will check later when the process is relaunched sometime later.
> >
> > You might crank up service log levels in anticipation, too, and prod your firewall to log unusual-but-allowed connections, too.
>
> I just found something: http://blog.vaultpress.com/2011/08/02/vulnerability-found-in-timthumb/
>
> Data on just one of the wordpress installations seems to be deleted, which seems to me an effect of this. We're removing timthumb and will watch.
>
> Thanks for the tip :-)

After about 72 hours of watch, it seems timthumb was the culprit. No attack/overload since 72h.

-- 
Nilesh Govindarajan
http://nileshgr.com
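A defender's check for the symptom in this thread (a process whose `ps` command name claims /usr/sbin/httpd while the binary behind it is perl), added here as an example and not code from the thread or from any of its posters: it compares argv[0] from /proc/<pid>/cmdline, which a process can rewrite, with the /proc/<pid>/exe link, which the kernel maintains. ProcInfo, classify, scan_proc and the INTERPRETERS set are my own names and assumptions, and the /proc layout is Linux-specific.

```python
"""Flag processes whose claimed command does not match the binary actually running.
A process can rewrite its own argv (perl's $0, a fake argv[0] passed to execve), which
is what `ps -o cmd` prints; /proc/<pid>/exe is kept by the kernel and cannot be faked."""
import os
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Interpreters that bots commonly hide behind (assumed list, extend as needed).
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby", "sh", "bash"}

@dataclass
class ProcInfo:
    pid: int
    argv0: str          # first word of /proc/<pid>/cmdline (process-controlled)
    exe: str            # target of /proc/<pid>/exe (kernel-controlled)
    argv0_exists: bool  # does the path claimed in argv0 exist on disk?

def classify(info: ProcInfo) -> List[str]:
    """Return the reasons a process looks like it is masquerading; [] means clean."""
    reasons = []
    claimed = os.path.basename(info.argv0)
    real = os.path.basename(info.exe)
    # Symptom from the thread: cmd says /usr/sbin/httpd but no such file exists.
    if info.argv0.startswith("/") and not info.argv0_exists:
        reasons.append(f"argv0 {info.argv0} does not exist on disk")
    # An interpreter calling itself something else is the classic perl-bot disguise.
    if real in INTERPRETERS and claimed != real:
        reasons.append(f"interpreter {info.exe} presents itself as {claimed}")
    return reasons

def scan_proc(proc: str = "/proc") -> Iterator[Tuple[ProcInfo, List[str]]]:
    """Walk /proc (Linux only) and yield suspicious processes with their reasons."""
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"{proc}/{pid}/exe")  # needs ptrace rights over the pid
        except OSError:
            continue  # kernel thread, already exited, or not ours to inspect
        argv0 = argv0.split(" ")[0]  # first word only; options or padding may follow
        if not argv0:
            continue  # zombies have an empty cmdline
        info = ProcInfo(pid, argv0, exe, os.path.exists(argv0))
        reasons = classify(info)
        if reasons:
            yield info, reasons
```

Run `scan_proc()` as root so every process's exe link is readable; a legitimate `/usr/sbin/httpd` or a plain `perl script.pl` produces no reasons, while the thread's httpd-that-is-perl yields two.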
[gentoo-user] Re: Rootkit?
Nilesh Govindarajan writes:
> One of the servers I manage has a strange problem. Every 24h, someone starts a process that shows up as perl in the list, but the launching command is /usr/sbin/httpd. It shows just one process, but when I run something like this:
>
>   ps -C perl -o cmd,pid
>
> I get some 5-6 processes, alternately with cmd as /usr/sbin/httpd or /usr/bin/perl. The even more interesting thing is, /usr/sbin/httpd does not exist.
>
> I suspect a rootkit, but chkrootkit and rkhunter reported nothing.
>
> Also, I found a mysterious file, /tmp/ips.txt, with the following content:
>
>   xxx.xxx.xxx.xxx 127.0.0.1 addr:xxx.xxx.xxx.xxx addr: addr:127.0.0.1 addr:
>
> Is somebody aware of a malware/rootkit which creates such files?

I had some of that recently. The attacker used an instance of phpmyadmin to inject into its URL a wget command to download a perl script from another site. Look for `wget' in the apache logs.

-- 
Alberto
Re: [gentoo-user] Re: Rootkit?
On Thu 06 Oct 2011 09:06:06 PM IST, Alberto Luaces wrote:
> Nilesh Govindarajan writes:
> > One of the servers I manage has a strange problem. Every 24h, someone starts a process that shows up as perl in the list, but the launching command is /usr/sbin/httpd. It shows just one process, but when I run something like this:
> >
> >   ps -C perl -o cmd,pid
> >
> > I get some 5-6 processes, alternately with cmd as /usr/sbin/httpd or /usr/bin/perl. The even more interesting thing is, /usr/sbin/httpd does not exist.
> >
> > I suspect a rootkit, but chkrootkit and rkhunter reported nothing.
> >
> > Also, I found a mysterious file, /tmp/ips.txt, with the following content:
> >
> >   xxx.xxx.xxx.xxx 127.0.0.1 addr:xxx.xxx.xxx.xxx addr: addr:127.0.0.1 addr:
> >
> > Is somebody aware of a malware/rootkit which creates such files?
>
> I had some of that recently. The attacker used an instance of phpmyadmin to inject into its URL a wget command to download a perl script from another site. Look for `wget' in the apache logs.

@all
Apache was never installed. I don't see any reason to install it because nginx satisfies my needs.
I grepped for the string wget in all logs and php files, found some, but they were for libssh2 in wordpress code.

@Michael, I thought of doing that, but before I discovered the file, I'd already killed the processes. Will check later when the process is relaunched sometime later.

-- 
Nilesh Govindarajan
http://nileshgr.com
Re: [gentoo-user] Re: Rootkit?
On Oct 6, 2011 12:57 PM, Nilesh Govindarajan <cont...@nileshgr.com> wrote:
> On Thu 06 Oct 2011 09:06:06 PM IST, Alberto Luaces wrote:
> > Nilesh Govindarajan writes:
> > > One of the servers I manage has a strange problem. Every 24h, someone starts a process that shows up as perl in the list, but the launching command is /usr/sbin/httpd. It shows just one process, but when I run something like this:
> > >
> > >   ps -C perl -o cmd,pid
> > >
> > > I get some 5-6 processes, alternately with cmd as /usr/sbin/httpd or /usr/bin/perl. The even more interesting thing is, /usr/sbin/httpd does not exist.
> > >
> > > I suspect a rootkit, but chkrootkit and rkhunter reported nothing.
> > >
> > > Also, I found a mysterious file, /tmp/ips.txt, with the following content:
> > >
> > >   xxx.xxx.xxx.xxx 127.0.0.1 addr:xxx.xxx.xxx.xxx addr: addr:127.0.0.1 addr:
> > >
> > > Is somebody aware of a malware/rootkit which creates such files?
> >
> > I had some of that recently. The attacker used an instance of phpmyadmin to inject into its URL a wget command to download a perl script from another site. Look for `wget' in the apache logs.
>
> @all
> Apache was never installed. I don't see any reason to install it because nginx satisfies my needs.
> I grepped for the string wget in all logs and php files, found some, but they were for libssh2 in wordpress code.
>
> @Michael, I thought of doing that, but before I discovered the file, I'd already killed the processes. Will check later when the process is relaunched sometime later.

You might crank up service log levels in anticipation, too, and prod your firewall to log unusual-but-allowed connections, too.
Re: [gentoo-user] Re: Rootkit?
On Thu 06 Oct 2011 10:32:14 PM IST, Michael Mol wrote:
> On Oct 6, 2011 12:57 PM, Nilesh Govindarajan <cont...@nileshgr.com> wrote:
> > On Thu 06 Oct 2011 09:06:06 PM IST, Alberto Luaces wrote:
> > > Nilesh Govindarajan writes:
> > > > One of the servers I manage has a strange problem. Every 24h, someone starts a process that shows up as perl in the list, but the launching command is /usr/sbin/httpd. It shows just one process, but when I run something like this:
> > > >
> > > >   ps -C perl -o cmd,pid
> > > >
> > > > I get some 5-6 processes, alternately with cmd as /usr/sbin/httpd or /usr/bin/perl. The even more interesting thing is, /usr/sbin/httpd does not exist.
> > > >
> > > > I suspect a rootkit, but chkrootkit and rkhunter reported nothing.
> > > >
> > > > Also, I found a mysterious file, /tmp/ips.txt, with the following content:
> > > >
> > > >   xxx.xxx.xxx.xxx 127.0.0.1 addr:xxx.xxx.xxx.xxx addr: addr:127.0.0.1 addr:
> > > >
> > > > Is somebody aware of a malware/rootkit which creates such files?
> > >
> > > I had some of that recently. The attacker used an instance of phpmyadmin to inject into its URL a wget command to download a perl script from another site. Look for `wget' in the apache logs.
> >
> > @all
> > Apache was never installed. I don't see any reason to install it because nginx satisfies my needs.
> > I grepped for the string wget in all logs and php files, found some, but they were for libssh2 in wordpress code.
> >
> > @Michael, I thought of doing that, but before I discovered the file, I'd already killed the processes. Will check later when the process is relaunched sometime later.
>
> You might crank up service log levels in anticipation, too, and prod your firewall to log unusual-but-allowed connections, too.

I just found something: http://blog.vaultpress.com/2011/08/02/vulnerability-found-in-timthumb/

Data on just one of the wordpress installations seems to be deleted, which seems to me an effect of this. We're removing timthumb and will watch.

Thanks for the tip :-)

-- 
Nilesh Govindarajan
http://nileshgr.com
[gentoo-user] Re: Rootkit Hunter release 1.3.2
> (Portage is a little dated at 1.2.9)
> http://sourceforge.net/projects/rkhunter/

Thanks for the info but this doesn't belong here. The proper thing to do would be to open a bug on http://bugs.gentoo.org and request a version bump. Like this one: http://bugs.gentoo.org/show_bug.cgi?id=194832
[gentoo-user] Re: Rootkit Hunter release 1.3.2
Florian Philipp wrote:
> On Sat, 2008-04-26 at 14:38 -0400, 7v5w7go9ub0o wrote:
> > (Portage is a little dated at 1.2.9)
> > http://sourceforge.net/projects/rkhunter/
>
> Thanks for the info but this doesn't belong here. The proper thing to do would be to open a bug on http://bugs.gentoo.org and request a version bump.

Thanks for replying. I've tried bugs (under admin, iirc), and always get notes telling me that my version info post doesn't belong there, and deleting my submission. If there is a category for version bumps, I haven't figured it out.

I wasn't going to say anything (I love Gentoo and don't want to be a complainer), but rkhunter and chkrootkit are arguably important packages for newbies like me.

(fwiw, I imagine that others, like me, have a few packages - especially those linked to online activity, or security issues (e.g. maradns, runit, rkhunter, chkrootkit, vidalia, etc.) - that are simply maintained from source, hoping that portage someday catches up :-( )

-- 
gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] Re: Rootkit Hunter release 1.3.2
On Sat, 2008-04-26 at 18:46 -0400, 7v5w7go9ub0o wrote:
> Florian Philipp wrote:
> > On Sat, 2008-04-26 at 14:38 -0400, 7v5w7go9ub0o wrote:
> > > (Portage is a little dated at 1.2.9)
> > > http://sourceforge.net/projects/rkhunter/
> >
> > Thanks for the info but this doesn't belong here. The proper thing to do would be to open a bug on http://bugs.gentoo.org and request a version bump.
>
> Thanks for replying. I've tried bugs (under admin, iirc), and always get notes telling me that my version info post doesn't belong there, and deleting my submission. If there is a category for version bumps, I haven't figured it out.

As I understand it, Admin is meant for administrative purposes of the Gentoo project as a whole. I'd post it in Gentoo Linux. Most of the time, Gentoo Linux is the right place for version bumps. Since this is also security-related, you could argue for Gentoo Security, but this is meant for security holes and stuff like that.

Of course, it would have been better if the bug wrangler had moved your bug to the right place or at least told you where to file it. If you think you've been treated wrongly, feel free to file a bug in User Relations, but I'd rather not. Jakub and the other bug wrangler might seem rude from time to time, but they are doing quite a hard job very well when trying to keep pace with the input of bugs. That's why I wouldn't take such things personally.
[gentoo-user] Re: Rootkit Hunter release 1.3.2
Florian Philipp wrote:
> On Sat, 2008-04-26 at 18:46 -0400, 7v5w7go9ub0o wrote:
> > Florian Philipp wrote:
> > > On Sat, 2008-04-26 at 14:38 -0400, 7v5w7go9ub0o wrote:
> > > > (Portage is a little dated at 1.2.9)
> > > > http://sourceforge.net/projects/rkhunter/
> > >
> > > Thanks for the info but this doesn't belong here. The proper thing to do would be to open a bug on http://bugs.gentoo.org and request a version bump.
> >
> > Thanks for replying. I've tried bugs (under admin, iirc), and always get notes telling me that my version info post doesn't belong there, and deleting my submission. If there is a category for version bumps, I haven't figured it out.
>
> As I understand it, Admin is meant for administrative purposes of the Gentoo project as a whole. I'd post it in Gentoo Linux. Most of the time, Gentoo Linux is the right place for version bumps. Since this is also security-related, you could argue for Gentoo Security, but this is meant for security holes and stuff like that.
>
> Of course, it would have been better if the bug wrangler had moved your bug to the right place or at least told you where to file it. If you think you've been treated wrongly, feel free to file a bug in User Relations, but I'd rather not. Jakub and the other bug wrangler might seem rude from time to time, but they are doing quite a hard job very well when trying to keep pace with the input of bugs. That's why I wouldn't take such things personally.

Nope. I'm sure they're busy, and took the message at face value.

'Twould be nice if someone added a little note to the categories indicating that Gentoo Linux is the place to put version bumps; it might get more of us newbies involved and owning part of the effort.

I'll post some version-bump notices that I've been holding back on, and see if they take. (If they don't, I'll come back here and ping you :-) )

Thanks.
Re: [gentoo-user] Re: Rootkit Hunter release 1.3.2
quoth the 7v5w7go9ub0o:
> Nope. I'm sure they're busy, and took the message at face value.
>
> 'Twould be nice if someone added a little note to the categories indicating that Gentoo Linux is the place to put version bumps; it might get more of us newbies involved and owning part of the effort.

They did, it's the 'Gentoo Bug Reporting Guide': http://www.gentoo.org/doc/en/bugzilla-howto.xml

Also, I'm fairly sure that next to 'Gentoo Linux' (in bugzilla) it says 'If you are not sure where to put it, put it here...' or somesuch.

> I'll post some version-bump notices that I've been holding back on, and see if they take. (If they don't, I'll come back here and ping you :-) )
>
> Thanks.

-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
...the number of UNIX installations has grown to 10, with more expected...
- Dennis Ritchie and Ken Thompson, June 1972