Oops.. Found some "root kits"

Discussion in 'Server Operation' started by edge, Jul 3, 2008.

  1. edge

    edge Active Member Moderator

I was just looking at one of my servers, and found this in one of a user's websites.
    PHP:
    -rw------- 1 www-data   www-data       6382 2008-04-27 23:47 2.4xlocal2.6x.zip
    -rwxrwxrwx 1 www-data   www-data       7929 2008-04-27 23:00 2.6.10
    -rwxrwxrwx 1 www-data   www-data       8027 2008-04-27 23:53 2.6.13
    -rwxrwxrwx 1 www-data   www-data       7929 2008-06-29 02:01 2.6.9
    -rw------- 1 www-data   www-data       2681 2008-04-27 23:50 2.6.9-42.0.3.ELsmp2006.zip
    -rw------- 1 www-data   www-data       4720 2008-06-29 02:09 AlkobrA.zip
    -rwxrwxrwx 1 web15_info web15         70786 2006-08-12 12:29 dagboek.jpg
    -rwxrwxrwx 1 www-data   www-data       6914 2006-09-30 01:34 elfdump
    -rw------- 1 www-data   www-data       4164 2008-04-27 23:40 elfdump.c
    -rw------- 1 www-data   www-data       3245 2008-06-29 02:05 elfdump.zip
    -rwxrwxrwx 1 www-data   www-data      11047 2007-03-19 13:45 h00lyshit
    -rw-rw-r-- 1 web15_info web15           169 2006-08-12 12:29 index.htm
    -rwxrwxrwx 1 www-data   www-data       9160 2008-04-27 23:05 krad2_2.6.8
    -rwxrwxrwx 1 www-data   www-data       9160 2008-04-27 23:06 krad2_2.6.8-5
    -rwxrwxrwx 1 www-data   www-data      16588 2008-04-27 23:04 krad_2.6.8
    -rwxrwxrwx 1 www-data   www-data      16706 2008-04-27 23:52 linux2.6.11
    -rwxrwxrwx 1 www-data   www-data       5986 2008-04-27 23:08 Linux_2.6.9
    -rw------- 1 www-data   www-data      45275 2008-06-29 05:58 mysql.php
    -rwxrwxrwx 1 www-data   www-data      14305 2008-04-08 07:31 pwned
    -rwxrwxrwx 1 www-data   www-data      17119 2008-04-27 23:37 raptor_2.6.16
    -rwxr-xr-x 1 www-data   www-data     262144 2008-04-27 23:47 TTdummyfile
    -rwxr-xr-x 1 www-data   www-data      16384 2008-04-27 23:47 TTeatfile
    -rwxr-xr-x 1 www-data   www-data 1452802048 2008-04-27 23:47 TTeatfiles
    -rwxr-xr-x 1 www-data   floppy         8192 2008-04-27 23:47 TTsharefile
    The user was using an "unsafe" mod on his forum :/
For now I've shut down the server, and will look at it later this week to see if any real damage has been done.
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Have you scanned the server with chkrootkit and rkhunter?
     
  3. edge

    edge Active Member Moderator

    Yep, and all okay.
    All files were owned by www-data or web15_info, and they could not execute the stuff.
    The only file I was really worried about was the mysql.php one, but it could only access the MySQL from web15.

Some of the uploaded exploits were from 2006 and 2007, as you can see (2008 was, till now, also not a bad year), and till now they did not manage to do any real big harm (as far as I can tell).

    I guess the main system is hack proof :)
     
  4. Hans

    Hans Moderator Moderator

That's really not nice what happened! I feel sorry for you.
    I also see that the Debian Apache global user www-data is playing around everywhere. Maybe it is a nice idea to use ISPConfig + php5-cgi with suPHP where possible. If something like this happens, the cause is easier to locate. A second advantage of suPHP is that if such a thing happens, PHP scripts cannot harm your server globally, only the web itself.
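As an added example (not code from the thread or from ISPConfig): a small POSIX shell audit that reads the kind of "ls -l" listing edge posted and flags what he and Hans both point at, files in a site's document root that were created by the shared Apache user www-data rather than the site's own user, plus world-writable, executable or setuid files and odd groups such as the "floppy" group on TTsharefile. It also gives the find(1) equivalent for a live document root. The user names web15_info, web15 and www-data are taken from the listing; the sample listing is a constructed subset of it.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an "ls -l" listing of a site's
# document root for files that look like they were dropped by a hijacked web
# application: owned by the shared Apache user instead of the site's own user,
# unexpected group, world-writable, executable, or setuid. Also gives the
# find(1) equivalent for a live document root. Assumed names (taken from the
# listing in the thread): site user web15_info, site group web15, Apache user
# www-data.
set -eu

SITE_USER=${SITE_USER:-web15_info}
SITE_GROUP=${SITE_GROUP:-web15}
WEB_USER=${WEB_USER:-www-data}

# Constructed sample: a subset of the listing posted above, used for the demo.
SAMPLE_LISTING='-rw------- 1 www-data   www-data       6382 2008-04-27 23:47 2.4xlocal2.6x.zip
-rwxrwxrwx 1 www-data   www-data       7929 2008-04-27 23:00 2.6.10
-rwxrwxrwx 1 web15_info web15         70786 2006-08-12 12:29 dagboek.jpg
-rwxrwxrwx 1 www-data   www-data      11047 2007-03-19 13:45 h00lyshit
-rw-rw-r-- 1 web15_info web15           169 2006-08-12 12:29 index.htm
-rw------- 1 www-data   www-data      45275 2008-06-29 05:58 mysql.php
-rwxr-xr-x 1 www-data   floppy         8192 2008-04-27 23:47 TTsharefile'

# audit_listing: read "ls -l" lines on stdin and print "name<TAB>reasons" for
# every file that trips at least one check. Clean files print nothing.
audit_listing() {
    while read -r mode _links owner group _size _date _time name; do
        # Only regular files ("-" in the type column); skips "total N" lines.
        case "$mode" in -*) ;; *) continue ;; esac
        reasons=""
        # Files the site owner did not create: written by the web server
        # process (www-data) or some other account.
        if [ "$owner" != "$SITE_USER" ]; then
            reasons="$reasons owner=$owner"
        fi
        # Unexpected group, e.g. "floppy" on TTsharefile above.
        if [ "$group" != "$SITE_GROUP" ] && [ "$group" != "$WEB_USER" ]; then
            reasons="$reasons group=$group"
        fi
        # Mode string: type char, then rwx for owner, group, other. The 4th
        # character is the owner-execute bit (s/S = setuid), the 9th is the
        # other-write bit.
        case "$mode" in ????????w*) reasons="$reasons world-writable" ;; esac
        case "$mode" in
            ???[sS]*) reasons="$reasons setuid" ;;
            ???x*)    reasons="$reasons executable" ;;
        esac
        if [ -n "$reasons" ]; then
            printf '%s\t%s\n' "$name" "${reasons# }"
        fi
    done
}

# audit_docroot DIR: the same checks against a real tree. Run as root so that
# mode-0600 files owned by www-data are readable; ls -l output is fed through
# audit_listing so the reasons come out in the same format.
audit_docroot() {
    find "$1" -xdev -type f \
        \( ! -user "$SITE_USER" -o -perm -o+w -o -perm -u+x -o -perm -u+s \) \
        -exec ls -l {} + | audit_listing
}

# audit_sample: run the audit over the constructed listing (used by the demo
# and by the test); output is one flagged file per line.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing
}

audit_sample
```

Run as root against each web's document root (audit_docroot /var/www/web15/web, path assumed) after chkrootkit and rkhunter: those tools look for known rootkit signatures on the host, while this listing-level check surfaces exactly the pattern in the thread, a pile of www-data-owned binaries and archives that the site's own user never uploaded.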
     
