From owner-freebsd-questions@FreeBSD.ORG Sun Jan 31 21:41:24 2010
Delivered-To: freebsd-questions@freebsd.org
Date: Sun, 31 Jan 2010 16:41:23 -0500 (EST)
From: James Smallacombe
To: freebsd-questions@freebsd.org
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
Subject: Server compromised Zen-Cart "record company" Exploit

Whoever speculated that my server may have been compromised was on to something (see bottom). The good news is, it does appear to be contained to the "www" unprivileged user (with no shell). The bad news is, they can still cause a lot of trouble.

I found the compromised customer site and chmod 0 their cart (had php binaries called "core(some number).php" that gave the hacker a nice browser screen to cause all kinds of trouble).

Not sure if this is related to the UDP floods, but if not, it's a heck of a coincidence. At times, CPU went through the roof for the www user, mostly running some sort of perl scripts (nothing in the suexec-log). I would kill apache, but couldn't restart it as it would show port 80 in use.
I would have to manually kill processes like these:

    www 70471  1.4  0.1  6056  3824  ??  R  4:21PM  0:44.75 [eth0] (perl)
    www 70470  1.2  0.1  6060  3828  ??  R  4:21PM  0:44.50 [bash] (perl)
    www 64779  1.0  0.1  6056  3820  ??  R  4:07PM  2:24.34 /sbin/klogd -c 1 -x -x (perl)
    www 70472  1.0  0.1  6060  3828  ??  R  4:21PM  0:44.84

I could not find ANY file named klogd on the system, let alone in /sbin. Clues as to how to dig myself out of this are appreciated....

I found this in /tmp/bx1.txt:

    --More--(5%)#!/usr/bin/php
    | ======================================================================== |
    | |
    | \$system> php $argv[0] |
    | Notes: ex: http://victim.com/site (no slash) |
    | |
    | ======================================================================== ";exit(1);
    ----------- snipped ------

It is dated from two nights ago, after these issues started, but it's nonetheless alarming.

Security Focus is aware of the issue and refers you to Zen for the fix. Only problem is, this is an old version of Zen cart, and the

James Smallacombe                   PlantageNet, Inc. CEO and Janitor
up@3.am                             http://3.am
=========================================================================
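The processes in the listing above give themselves away by the "(perl)" that FreeBSD ps appends when a process has rewritten its own argv[0] and the real command name no longer matches what is displayed. The following is an added example, not part of the original post, that turns that observation into a check: it reads `ps -axwwo user,pid,command` style lines (user, pid, then the command; the sample input is constructed from the post's listing) and prints every process whose displayed name differs from the real name in parentheses.

```shell
#!/bin/sh
# Added example (not from the original post). Flags processes whose displayed
# command does not match the real command name that FreeBSD ps prints in
# parentheses, e.g. "[eth0] (perl)" or "/sbin/klogd -c 1 -x -x (perl)".
# Assumed input format: one process per line as "USER PID COMMAND [args] (real)",
# which is what "ps -axwwo user,pid,command" produces.

# Constructed sample, modelled on the listing in the post plus two benign rows.
SAMPLE_PS='USER PID COMMAND
www 70471 [eth0] (perl)
www 70470 [bash] (perl)
www 64779 /sbin/klogd -c 1 -x -x (perl)
root 1234 /usr/sbin/sshd
www 555 /usr/local/bin/perl /home/site/cron.pl (perl)'

# Reads ps lines on stdin; prints "user pid displayed-name real-name" for each
# line whose basename of the displayed argv[0] differs from the real name.
find_masqueraders() {
    awk '
    /\([A-Za-z0-9_.-]+\)$/ {
        real = $NF; gsub(/[()]/, "", real)          # strip the parentheses
        shown = $3; sub(/^\[/, "", shown); sub(/\]$/, "", shown)
        n = split(shown, parts, "/"); base = parts[n] # basename of argv[0]
        if (base != real) print $1, $2, shown, real
    }'
}

# Stand-alone run over the constructed sample; on a live system use:
#   ps -axwwo user,pid,command | find_masqueraders
printf '%s\n' "$SAMPLE_PS" | find_masqueraders
```

A hit only says the process is not what it claims to be; the post's next step, checking whether the displayed path (here /sbin/klogd) exists on disk at all, is a cheap second confirmation.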