From owner-freebsd-security@FreeBSD.ORG Mon Jun 27 10:22:09 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 78D2316A41C for ; Mon, 27 Jun 2005 10:22:09 +0000 (GMT) (envelope-from freebsd-security@molecon.ru) Received: from amd64.molecon.ru (amd64.molecon.ru [213.219.245.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 01DE943D55 for ; Mon, 27 Jun 2005 10:22:08 +0000 (GMT) (envelope-from freebsd-security@molecon.ru) Received: from [194.154.84.59] (helo=[10.20.5.22]) by amd64.molecon.ru with esmtp (Exim 4.51 (FreeBSD)) id 1DmqkU-0007Cv-63 for freebsd-security@freebsd.org; Mon, 27 Jun 2005 14:21:54 +0400 Date: Mon, 27 Jun 2005 14:21:10 +0400 From: Oleg Rusanov X-Mailer: The Bat! (v3.0) Professional Organization: Molecon X-Priority: 3 (Normal) Message-ID: <1344959974.20050627142110@molecon.ru> To: freebsd-security MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-PopBeforeSMTPSenders: freebsd-amd64@molecon.ru, freebsd-opennet@molecon.ru, info@molecon.ru, mysql@molecon.ru, oleg@molecon.ru X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - amd64.molecon.ru X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6] X-AntiAbuse: Sender Address Domain - molecon.ru X-Source: X-Source-Args: X-Source-Dir: Subject: "sh -i" My server was hacked. How can i found hole on my server? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Oleg Rusanov List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Jun 2005 10:22:09 -0000 Hello. My server was hacked. The CPU has been loaded on 99 % by "sh -i" process. I found out that someone has started phpshell through a hole in one of phpbb forums. Also has filled in scripts for flud and spam and "vadim script" in "/tmp". I has made it noexec. Recently has found out the same process. May be i have left again /tmp opened, or other hole may be. What is better to do for clean my system? amd64# ps aux -H USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND nobody 60138 99.0 0.2 12796 4844 ?? RL 7:11AM 739:26.28 sh -i (perl5.8.6) amd64# ps -lp 60138 UID PID PPID CPU PRI NI VSZ RSS MWCHAN STAT TT TIME COMMAND 65534 60138 1 291 114 0 12796 4844 - R ?? 762:55.06 sh -i (perl5.8.6) amd64# (i can not find info about parent process 65534) amd64# sockstat| grep 60138 nobody perl5.8.6 60138 3 tcp4 my_ip:55000 161.53.178.240:9999 amd64# amd64# lsof -p 60138 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME perl5.8.6 60138 nobody cwd VDIR 4,13 512 2 / perl5.8.6 60138 nobody rtd VDIR 4,13 512 2 / perl5.8.6 60138 nobody txt VREG 4,18 13144 6312845 /usr/local/bin/perl5.8.6 perl5.8.6 60138 nobody txt VREG 4,13 173264 616 /libexec/ld-elf.so.1 perl5.8.6 60138 nobody txt VREG 4,18 1272229 6524324 /usr/local/lib/perl5/5.8.6/mach/CORE/libperl.so perl5.8.6 60138 nobody txt VREG 4,13 151160 576 /lib/libm.so.3 perl5.8.6 60138 nobody txt VREG 4,13 33024 339 /lib/libcrypt.so.2 perl5.8.6 60138 nobody txt VREG 4,13 52064 583 /lib/libutil.so.4 perl5.8.6 60138 nobody txt VREG 4,13 1055864 585 /lib/libc.so.5 perl5.8.6 60138 nobody txt VREG 4,18 22226 6901089 /usr/local/lib/perl5/5.8.6/mach/auto/IO/IO.so perl5.8.6 60138 nobody txt VREG 4,18 28921 6901280 /usr/local/lib/perl5/5.8.6/mach/auto/Socket/Socket.so perl5.8.6 60138 nobody 0r VCHR 2,2 0t0 7 /dev/null perl5.8.6 60138 nobody 1u PIPE 0x6f537410 0 ->0xffffff006f5372d0 perl5.8.6 60138 nobody 2w VREG 4,18 47856095 6407163 /usr/local/apache/logs/error_log perl5.8.6 60138 nobody 3u IPv4 0xffffff00168142c0 0t0 TCP my_hostname:55000->zagreb.hr.eu.undernet.org:9999 (ESTABLISHED) perl5.8.6 60138 nobody 4u IPv4 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE perl5.8.6 60138 nobody 15w VREG 4,18 47856095 6407163 /usr/local/apache/logs/error_log perl5.8.6 60138 nobody 18w VREG 4,18 84 6406351 /usr/local/apache/domlogs/my_site.ru-bytes_log ... apache logs... perl5.8.6 60138 nobody 61w VREG 4,18 847357 6407164 /usr/local/apache/logs/ssl_engine_log perl5.8.6 60138 nobody 62w VREG 4,16 147300 8310 /var/log/my_site.ru perl5.8.6 60138 nobody 63w VREG 4,18 0 6406441 /usr (/dev/ad4s1f) perl5.8.6 60138 nobody 109w VREG 4,18 0 6406441 /usr (/dev/ad4s1f) amd64# amd64# fstat -p 60138 USER CMD PID FD MOUNT INUM MODE SZ|DV R/W nobody perl5.8.6 60138 root / 2 drwxr-xr-x 512 r nobody perl5.8.6 60138 wd / 2 drwxr-xr-x 512 r nobody perl5.8.6 60138 text /usr 6312845 -rwxr-xr-x 13144 r nobody perl5.8.6 60138 0 /dev 7 crw-rw-rw- null r nobody perl5.8.6 60138 1* pipe ffffff006f537410 <-> ffffff006f5372d0 0 rw nobody perl5.8.6 60138 2 /usr 6407163 -rw-r--r-- 47853541 w nobody perl5.8.6 60138 3* internet stream tcp ffffff00168142c0 nobody perl5.8.6 60138 4* internet stream tcp nobody perl5.8.6 60138 15 /usr 6407163 -rw-r--r-- 47853541 w nobody perl5.8.6 60138 18 /usr 6406351 -rw-r--r-- 84 w nobody perl5.8.6 60138 19 /usr 6406445 -rw-r--r-- 177196 w nobody perl5.8.6 60138 20 /usr 6406367 -rw-r--r-- 273155 w nobody perl5.8.6 60138 21 /usr 6406346 -rw-r--r-- 68 w nobody perl5.8.6 60138 22 /usr 6406340 -rw-r--r-- 219769 w nobody perl5.8.6 60138 23 /usr 6406152 -rw-r--r-- 61985 w nobody perl5.8.6 60138 24 /usr 6406295 -rw-r--r-- 98621 w nobody perl5.8.6 60138 25 /usr 6406287 -rw-r--r-- 2558162 w nobody perl5.8.6 60138 26 /usr 6406284 -rw-r--r-- 32168 w nobody perl5.8.6 60138 27 /usr 6406292 -rw-r--r-- 265964 w nobody perl5.8.6 60138 28 /usr 6406213 -rw-r--r-- 1607 w nobody perl5.8.6 60138 29 /usr 6407351 -rw-r--r-- 347197 w nobody perl5.8.6 60138 30 /usr 6407377 -rw-r--r-- 140832 w nobody perl5.8.6 60138 31 /usr 6407290 -rw-r--r-- 935975 w nobody perl5.8.6 60138 32 /usr 6406393 -rw-r--r-- 5634 w nobody perl5.8.6 60138 33 /usr 6407328 -rw-r--r-- 51239 w nobody perl5.8.6 60138 34 /usr 6406252 -rw-r--r-- 12198 w nobody perl5.8.6 60138 35 /usr 6407325 -rw-r--r-- 13538 w nobody perl5.8.6 60138 36 /usr 6407319 -rw-r--r-- 23151 w nobody perl5.8.6 60138 37 /usr 6407322 -rw-r--r-- 16184 w nobody perl5.8.6 60138 38 /usr 6407341 -rw-r--r-- 146759 w nobody perl5.8.6 60138 39 /usr 6407329 -rw-r--r-- 36336 w nobody perl5.8.6 60138 40 /usr 6406423 -rw-r--r-- 43747 w nobody perl5.8.6 60138 41 /usr 6407330 -rw-r--r-- 95287 w nobody perl5.8.6 60138 42 /usr 6406425 -rw-r--r-- 28586 w nobody perl5.8.6 60138 43 /usr 6406223 -rw-r--r-- 210 w nobody perl5.8.6 60138 44 /usr 6407166 -rw-r--r-- 613177 w nobody perl5.8.6 60138 45 /usr 6406160 -rw-r--r-- 0 w nobody perl5.8.6 60138 46 /usr 6406166 -rw-r--r-- 123158 w nobody perl5.8.6 60138 47 /usr 6407974 -rw-r--r-- 272 w nobody perl5.8.6 60138 48 /usr 6407952 -rw-r--r-- 196 w nobody perl5.8.6 60138 49 /usr 6407915 -rw-r--r-- 49313 w nobody perl5.8.6 60138 50 /usr 6407942 -rw-r--r-- 170924 w nobody perl5.8.6 60138 51 /usr 6407933 -rw-r--r-- 1496129 w nobody perl5.8.6 60138 52 /usr 6407931 -rw-r--r-- 202140 w nobody perl5.8.6 60138 53 /usr 6407924 -rw-r--r-- 342351 w nobody perl5.8.6 60138 54 /usr 6407913 -rw-r--r-- 23547 w nobody perl5.8.6 60138 55 /usr 6407288 -rw-r--r-- 18729 w nobody perl5.8.6 60138 56 /usr 6407289 -rw-r--r-- 377903 w nobody perl5.8.6 60138 57 /usr 6407166 -rw-r--r-- 613177 w nobody perl5.8.6 60138 58 /usr 6407175 -rw-r--r-- 4526 w nobody perl5.8.6 60138 59 /usr 6407171 -rw-r--r-- 373516 w nobody perl5.8.6 60138 60 /usr 6407181 -rw-r--r-- 49888 w nobody perl5.8.6 60138 61 /usr 6407164 -rw-r--r-- 847357 w nobody perl5.8.6 60138 62 /var 8310 -rw-r--r-- 147300 w nobody perl5.8.6 60138 63 /usr 6406441 -rw------- 0 w nobody perl5.8.6 60138 109 /usr 6406441 -rw------- 0 w amd64# then i kill -9 60138 process, its restart with other number - 86717, and i rebooted for kill him. amd64# lsof -i -n | grep 86717 perl5.8.6 86717 nobody 3u IPv4 0xffffff004b465000 0t0 TCP my_ip:53650->161.53.178.240:9999 (ESTABLISHED) perl5.8.6 86717 nobody 4u IPv4 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE amd64# How can i found hole on my server? -- Regards, Oleg mailto:freebsd-security@molecon.ru