From owner-freebsd-security@FreeBSD.ORG  Mon Jun 27 10:22:09 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 78D2316A41C
	for <freebsd-security@freebsd.org>;
	Mon, 27 Jun 2005 10:22:09 +0000 (GMT)
	(envelope-from freebsd-security@molecon.ru)
Received: from amd64.molecon.ru (amd64.molecon.ru [213.219.245.153])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 01DE943D55
	for <freebsd-security@freebsd.org>;
	Mon, 27 Jun 2005 10:22:08 +0000 (GMT)
	(envelope-from freebsd-security@molecon.ru)
Received: from [194.154.84.59] (helo=[10.20.5.22])
	by amd64.molecon.ru with esmtp (Exim 4.51 (FreeBSD))
	id 1DmqkU-0007Cv-63
	for freebsd-security@freebsd.org; Mon, 27 Jun 2005 14:21:54 +0400
Date: Mon, 27 Jun 2005 14:21:10 +0400
From: Oleg Rusanov <freebsd-security@molecon.ru>
X-Mailer: The Bat! (v3.0) Professional
Organization: Molecon
X-Priority: 3 (Normal)
Message-ID: <1344959974.20050627142110@molecon.ru>
To: freebsd-security <freebsd-security@freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-PopBeforeSMTPSenders: freebsd-amd64@molecon.ru, freebsd-opennet@molecon.ru,
	info@molecon.ru, mysql@molecon.ru, oleg@molecon.ru
X-AntiAbuse: This header was added to track abuse,
	please include it with any abuse report
X-AntiAbuse: Primary Hostname - amd64.molecon.ru
X-AntiAbuse: Original Domain - freebsd.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6]
X-AntiAbuse: Sender Address Domain - molecon.ru
X-Source: 
X-Source-Args: 
X-Source-Dir: 
Subject: "sh -i" My server was hacked. How can i found hole on my server?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Oleg Rusanov <freebsd-security@molecon.ru>
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2005 10:22:09 -0000

Hello.

My server was hacked. The CPU has been loaded on 99 % by "sh -i" process.
 I found out that someone has started phpshell through a hole in one of phpbb forums.
  Also has filled in scripts for flud and spam and "vadim script" in
  "/tmp". I has made it noexec. Recently has found out the same process.
   May be i have left again /tmp opened, or other hole may be.
     What is better to do for clean my system?

amd64# ps aux -H
USER       PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
nobody   60138 99.0  0.2 12796  4844  ??  RL    7:11AM 739:26.28 sh -i (perl5.8.6)

amd64# ps -lp 60138
  UID   PID  PPID CPU PRI NI   VSZ   RSS MWCHAN STAT  TT       TIME COMMAND
65534 60138     1 291 114  0 12796  4844 -      R     ??  762:55.06 sh -i (perl5.8.6)
amd64#

(i can not find info about parent process 65534)

amd64# sockstat| grep 60138
nobody   perl5.8.6  60138 3  tcp4   my_ip:55000 161.53.178.240:9999
amd64#

amd64# lsof -p 60138
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
perl5.8.6 60138 nobody  cwd   VDIR               4,13      512       2 /
perl5.8.6 60138 nobody  rtd   VDIR               4,13      512       2 /
perl5.8.6 60138 nobody  txt   VREG               4,18    13144 6312845 /usr/local/bin/perl5.8.6
perl5.8.6 60138 nobody  txt   VREG               4,13   173264     616 /libexec/ld-elf.so.1
perl5.8.6 60138 nobody  txt   VREG               4,18  1272229 6524324 /usr/local/lib/perl5/5.8.6/mach/CORE/libperl.so
perl5.8.6 60138 nobody  txt   VREG               4,13   151160     576 /lib/libm.so.3
perl5.8.6 60138 nobody  txt   VREG               4,13    33024     339 /lib/libcrypt.so.2
perl5.8.6 60138 nobody  txt   VREG               4,13    52064     583 /lib/libutil.so.4
perl5.8.6 60138 nobody  txt   VREG               4,13  1055864     585 /lib/libc.so.5
perl5.8.6 60138 nobody  txt   VREG               4,18    22226 6901089 /usr/local/lib/perl5/5.8.6/mach/auto/IO/IO.so
perl5.8.6 60138 nobody  txt   VREG               4,18    28921 6901280 /usr/local/lib/perl5/5.8.6/mach/auto/Socket/Socket.so
perl5.8.6 60138 nobody    0r  VCHR                2,2      0t0       7 /dev/null
perl5.8.6 60138 nobody    1u  PIPE         0x6f537410        0         ->0xffffff006f5372d0
perl5.8.6 60138 nobody    2w  VREG               4,18 47856095 6407163 /usr/local/apache/logs/error_log
perl5.8.6 60138 nobody    3u  IPv4 0xffffff00168142c0      0t0     TCP my_hostname:55000->zagreb.hr.eu.undernet.org:9999 (ESTABLISHED)
perl5.8.6 60138 nobody    4u  IPv4                         0t0     TCP no PCB, CANTSENDMORE, CANTRCVMORE
perl5.8.6 60138 nobody   15w  VREG               4,18 47856095 6407163 /usr/local/apache/logs/error_log
perl5.8.6 60138 nobody   18w  VREG               4,18       84 6406351 /usr/local/apache/domlogs/my_site.ru-bytes_log
...
        apache logs...

perl5.8.6 60138 nobody   61w  VREG               4,18   847357 6407164 /usr/local/apache/logs/ssl_engine_log
perl5.8.6 60138 nobody   62w  VREG               4,16   147300    8310 /var/log/my_site.ru
perl5.8.6 60138 nobody   63w  VREG               4,18        0 6406441 /usr (/dev/ad4s1f)
perl5.8.6 60138 nobody  109w  VREG               4,18        0 6406441 /usr (/dev/ad4s1f)
amd64#


amd64# fstat -p 60138
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
nobody   perl5.8.6  60138 root /             2 drwxr-xr-x     512  r
nobody   perl5.8.6  60138   wd /             2 drwxr-xr-x     512  r
nobody   perl5.8.6  60138 text /usr     6312845 -rwxr-xr-x   13144  r
nobody   perl5.8.6  60138    0 /dev          7 crw-rw-rw-    null  r
nobody   perl5.8.6  60138    1* pipe ffffff006f537410 <-> ffffff006f5372d0      0 rw
nobody   perl5.8.6  60138    2 /usr     6407163 -rw-r--r--  47853541  w
nobody   perl5.8.6  60138    3* internet stream tcp ffffff00168142c0
nobody   perl5.8.6  60138    4* internet stream tcp
nobody   perl5.8.6  60138   15 /usr     6407163 -rw-r--r--  47853541  w
nobody   perl5.8.6  60138   18 /usr     6406351 -rw-r--r--      84  w
nobody   perl5.8.6  60138   19 /usr     6406445 -rw-r--r--  177196  w
nobody   perl5.8.6  60138   20 /usr     6406367 -rw-r--r--  273155  w
nobody   perl5.8.6  60138   21 /usr     6406346 -rw-r--r--      68  w
nobody   perl5.8.6  60138   22 /usr     6406340 -rw-r--r--  219769  w
nobody   perl5.8.6  60138   23 /usr     6406152 -rw-r--r--   61985  w
nobody   perl5.8.6  60138   24 /usr     6406295 -rw-r--r--   98621  w
nobody   perl5.8.6  60138   25 /usr     6406287 -rw-r--r--  2558162  w
nobody   perl5.8.6  60138   26 /usr     6406284 -rw-r--r--   32168  w
nobody   perl5.8.6  60138   27 /usr     6406292 -rw-r--r--  265964  w
nobody   perl5.8.6  60138   28 /usr     6406213 -rw-r--r--    1607  w
nobody   perl5.8.6  60138   29 /usr     6407351 -rw-r--r--  347197  w
nobody   perl5.8.6  60138   30 /usr     6407377 -rw-r--r--  140832  w
nobody   perl5.8.6  60138   31 /usr     6407290 -rw-r--r--  935975  w
nobody   perl5.8.6  60138   32 /usr     6406393 -rw-r--r--    5634  w
nobody   perl5.8.6  60138   33 /usr     6407328 -rw-r--r--   51239  w
nobody   perl5.8.6  60138   34 /usr     6406252 -rw-r--r--   12198  w
nobody   perl5.8.6  60138   35 /usr     6407325 -rw-r--r--   13538  w
nobody   perl5.8.6  60138   36 /usr     6407319 -rw-r--r--   23151  w
nobody   perl5.8.6  60138   37 /usr     6407322 -rw-r--r--   16184  w
nobody   perl5.8.6  60138   38 /usr     6407341 -rw-r--r--  146759  w
nobody   perl5.8.6  60138   39 /usr     6407329 -rw-r--r--   36336  w
nobody   perl5.8.6  60138   40 /usr     6406423 -rw-r--r--   43747  w
nobody   perl5.8.6  60138   41 /usr     6407330 -rw-r--r--   95287  w
nobody   perl5.8.6  60138   42 /usr     6406425 -rw-r--r--   28586  w
nobody   perl5.8.6  60138   43 /usr     6406223 -rw-r--r--     210  w
nobody   perl5.8.6  60138   44 /usr     6407166 -rw-r--r--  613177  w
nobody   perl5.8.6  60138   45 /usr     6406160 -rw-r--r--       0  w
nobody   perl5.8.6  60138   46 /usr     6406166 -rw-r--r--  123158  w
nobody   perl5.8.6  60138   47 /usr     6407974 -rw-r--r--     272  w
nobody   perl5.8.6  60138   48 /usr     6407952 -rw-r--r--     196  w
nobody   perl5.8.6  60138   49 /usr     6407915 -rw-r--r--   49313  w
nobody   perl5.8.6  60138   50 /usr     6407942 -rw-r--r--  170924  w
nobody   perl5.8.6  60138   51 /usr     6407933 -rw-r--r--  1496129  w
nobody   perl5.8.6  60138   52 /usr     6407931 -rw-r--r--  202140  w
nobody   perl5.8.6  60138   53 /usr     6407924 -rw-r--r--  342351  w
nobody   perl5.8.6  60138   54 /usr     6407913 -rw-r--r--   23547  w
nobody   perl5.8.6  60138   55 /usr     6407288 -rw-r--r--   18729  w
nobody   perl5.8.6  60138   56 /usr     6407289 -rw-r--r--  377903  w
nobody   perl5.8.6  60138   57 /usr     6407166 -rw-r--r--  613177  w
nobody   perl5.8.6  60138   58 /usr     6407175 -rw-r--r--    4526  w
nobody   perl5.8.6  60138   59 /usr     6407171 -rw-r--r--  373516  w
nobody   perl5.8.6  60138   60 /usr     6407181 -rw-r--r--   49888  w
nobody   perl5.8.6  60138   61 /usr     6407164 -rw-r--r--  847357  w
nobody   perl5.8.6  60138   62 /var       8310 -rw-r--r--  147300  w
nobody   perl5.8.6  60138   63 /usr     6406441 -rw-------       0  w
nobody   perl5.8.6  60138  109 /usr     6406441 -rw-------       0  w
amd64#


then i kill -9 60138 process, its restart with other number - 86717, and i rebooted for kill him.

amd64# lsof -i -n | grep 86717
perl5.8.6 86717   nobody    3u  IPv4 0xffffff004b465000      0t0  TCP my_ip:53650->161.53.178.240:9999 (ESTABLISHED)
perl5.8.6 86717   nobody    4u  IPv4                         0t0  TCP no PCB, CANTSENDMORE, CANTRCVMORE
amd64#

How can i found hole on my server?




-- 
Regards,
 Oleg                          mailto:freebsd-security@molecon.ru