The content of this page is collected from Linux Forum. All copyrights and other associated rights are reserved by the original authors of the articles.
Subject: apache hijacked! - Help needed urgently!
Author: DC    Posted: 2006-01-31 09:45:52    Length: 3,048 byte(s)
We have been noticing some strange errors on two of our servers recently, such as failure to mount floppy disks and failure to eject the cdrom
drive. At least these are the ones that caught our attention. Nobody has physical access to the server, and nobody that has root access has
tried to do either of the above. Somewhere along the line I found modprobe in one of the error messages.

I made a wrapper for the modprobe command (in the attachment).

Randomly (maybe once every other day), I actually get email from this script (also in the attachment).

I am extremely concerned about this because it appears that modprobe is being run by the web server (as root, nonetheless).
I cannot think of anything that would rationalize apache running modprobe.

Any ideas on what may have caused this? (PS. The timing is not consistent, and I don't see anything in cron that would do this.)

And in a worst case scenario, if this is a real break-in, what can I do to catch the user in the act?
Replacement modprobe script

#!/bin/sh
# Wrapper installed as /sbin/modprobe; the real binary has been renamed to /sbin/modprobe.real.
# Every invocation is reported by mail before the real modprobe is run.
EMAIL=myaddress@domain.tld
echo "Running modprobe.real $*" | mail -s "MODPROBE ATTEMPT" "$EMAIL"
# Dump the environment of this shell (EUID, PATH, PWD, ...) so the caller's context is visible.
set | mail -s modprobe_output "$EMAIL"
# Report the parent process that invoked modprobe, together with its own parent.
ps -ef | grep "$PPID" | mail -s "Parent Proc - $PPID" "$EMAIL"

# Pass all arguments through unchanged to the real modprobe.
exec /sbin/modprobe.real "$@"
------------------------------------------------------------------------------
Email - MODPROBE

Running modprobe.real -s -k -- net-pf-10  


------------------------------------------------------------------------------
Email - modprobe_output

BASH=/bin/sh
BASH_VERSINFO=([0]="2" [1]="05b" [2]="0" [3]="1" [4]="release" [5]="i386-redhat-linux-gnu")
BASH_VERSION='2.05b.0(1)-release'
DIRSTACK=()
EUID=0
GROUPS=()
HOME=/
HOSTNAME=my-real-hostname
HOSTTYPE=i386
IFS='    
'
MACHTYPE=i386-redhat-linux-gnu
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PIPESTATUS=([0]="0" [1]="0")
POSIXLY_CORRECT=y
PPID=32642
PS4='+ '
PWD=/
SHELL=/bin/bash
SHELLOPTS=braceexpand:hashall:interactive-comments:posix
SHLVL=1
TERM=linux
UID=0
_=


------------------------------------------------------------------------------
Email - Parent Proc 32642

apache   32642 31215  0 07:22 ?        00:00:00 /usr/sbin/httpd
root     32648 32642  0 07:27 ?        00:00:00 /bin/sh /sbin/modprobe -s -k -- net-pf-10
root     32658 32648  0 07:27 ?        00:00:00 grep 32642
root     32659 32648  0 07:27 ?        00:00:00 mail -s Parent Proc - 32642 myaddress@domain.tld

Subject: apache hijacked! - Help needed urgently!
Author: mikedawg@gmail.com    Posted: 2006-01-31 11:20:36    Length: 104 byte(s)
What user are you running httpd as?  Also, do you have suEXEC compiled
into httpd?

Subject: apache hijacked! - Help needed urgently!
Author: mikedawg@gmail.com    Posted: 2006-01-31 11:25:03    Length: 77 byte(s)
What makes you think that Apache is issuing the modprobe command?

Subject: apache hijacked! - Help needed urgently!
Author: DC    Posted: 2006-01-31 17:26:13    Length: 513 byte(s)
On 31 Jan 2006 08:25:03 -0800, "mikedawg@gmail.com" [mikedawg@gmail.com] wrote:

QUOTE
What makes you think that Apache is issuing the modprobe command?


I grepped for the process ID. The parent process ID for modprobe was /bin/sh.

The parent process ID for /bin/sh was httpd.

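An added example, not code from the thread: a small Python helper that parses `ps -ef` lines like those in DC's "Parent Proc" mail, walks the parent chain for a PID and flags where a root process sits directly under a non-root parent, which is the check DC did by hand in the reply above. The root httpd line with PID 31215 is a constructed parent, added so the chain reaches the master process.

```python
import re
from collections import namedtuple

# Constructed sample: the `ps -ef` lines from the "Parent Proc" mail, plus an
# assumed root master httpd (PID 31215) as parent of the apache worker.
# Columns: UID PID PPID C STIME TTY TIME CMD
SAMPLE_PS = """\
root     31215     1  0 07:00 ?        00:00:00 /usr/sbin/httpd
apache   32642 31215  0 07:22 ?        00:00:00 /usr/sbin/httpd
root     32648 32642  0 07:27 ?        00:00:00 /bin/sh /sbin/modprobe -s -k -- net-pf-10
root     32658 32648  0 07:27 ?        00:00:00 grep 32642
root     32659 32648  0 07:27 ?        00:00:00 mail -s Parent Proc - 32642 myaddress@domain.tld
"""

Proc = namedtuple("Proc", "uid pid ppid cmd")

# UID, PID, PPID, then C, STIME, TTY, TIME are skipped, the rest is the command line.
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.*)$")


def parse_ps(text):
    """Parse `ps -ef` output into {pid: Proc}; non-matching lines (the header) are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            uid, pid, ppid, cmd = m.groups()
            procs[int(pid)] = Proc(uid, int(pid), int(ppid), cmd)
    return procs


def ancestry(procs, pid):
    """Return [proc, parent, grandparent, ...] as far as the table allows (loop-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def privilege_jumps(procs, pid):
    """(child, parent) pairs on the chain where a root process hangs under a non-root parent."""
    chain = ancestry(procs, pid)
    return [(c, p) for c, p in zip(chain, chain[1:]) if c.uid == "root" and p.uid != "root"]


if __name__ == "__main__":
    table = parse_ps(SAMPLE_PS)
    print(" <- ".join(f"{p.uid}:{p.pid} {p.cmd}" for p in ancestry(table, 32658)))
    for child, parent in privilege_jumps(table, 32658):
        print(f"root process {child.pid} ({child.cmd}) under {parent.uid} process {parent.pid}")
```

One benign cause to rule out first: net-pf-10 is the kernel's module alias for protocol family 10 (AF_INET6), and a 2.4 kernel itself runs `/sbin/modprobe -s -k -- net-pf-10` as root, with the requesting process as its parent, whenever a process creates an IPv6 socket while the ipv6 module is not loaded. A web server or CGI opening an IPv6 socket therefore produces exactly the apache -> root modprobe chain seen in the mail without any compromise.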
Copyright © 2007 UNIX Resources Network, All Rights Reserved.      About URN | Privacy & Legal | Help | Contact us