My server was hacked27 Sep 2005
Yesterday evening while struggeling to keep up with work I noticed my internet connection was acting strangly. I checked my server (which have a fairly small amount of visitors) to see who the visitor was and noticed that I had a strange connection:
shire:/var/www# netstat -tanp Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN 1770/inetd tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 3694/httpd -DSSL tcp 0 0 0.0.0.0:9 0.0.0.0:* LISTEN 1770/inetd tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1822/mysqld tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1985/smbd tcp 0 0 0.0.0.0:13 0.0.0.0:* LISTEN 1770/inetd tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1606/portmap tcp 0 0 0.0.0.0:55443 0.0.0.0:* LISTEN 3727/httpd -DSSL tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1969/master tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1985/smbd tcp 0 0 127.0.0.1:669 0.0.0.0:* LISTEN 1765/famd tcp 0 0 10.0.255.1:34904 22.214.171.124:6667 ESTABLISHED13538/pscan2 tcp 0 0 10.0.255.1:139 10.0.0.5:1034 ESTABLISHED31714/smbd tcp6 0 0 :::993 :::* LISTEN 1757/couriertcpd tcp6 0 0 :::143 :::* LISTEN 1739/couriertcpd tcp6 0 0 :::22 :::* LISTEN 2044/sshd tcp6 0 0 :::25 :::* LISTEN 1969/master
httpd -DSSL is running and
pscan2. The above is missing a suspecious
bash process that I found located in
/tmp. I killed the process before I got the great idea that I wanted to blog about it. In
/tmp/.heva I found all the files used for this hack (I hope) including the compressed file
cbk.tar.gz, which I guess was used to transport it all into my server.
ps aux to see which processes where running and identified that the suspecious processes was started by www-data (the webserver user on Debian).
I assume that the intruder came in through either a security hole in one of the php-applications on my webserver or because Apache wasn’t updated with the latest security patches from Debian.
I found a cron script installed by
www-data by running:
shire:/tmp# su - www-data -c 'crontab -l' * * * * * /tmp/.heva/.cbk/y2kupdate >/dev/null 2>&1
I deleted it by running:
shire:/tmp# su - www-data -c 'crontab -r'
My server was hacked by Jacob Emcken is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.