[Tfug] Server Compromise
Jon
bigj at flatwan.net
Thu Sep 27 18:29:48 MST 2007
Chris Hill wrote:
> The open ports are
>
> jabber (forget)
> sshd (22)
> ftp (21)
> http (80)
> subversion (3690)
>
> Apache/2.0.55 (Ubuntu) mod_python/3.1.4 Python/2.4.3 PHP/5.1.2 Server
>
> That's it.
> Of those ftp and jabber are most def not an issue.
> sshd is a potential risk.
> http is a potential risk.
>
> It is an internal machine with trac and subversion projects. It has a
> couple other little things happening. Nothing really public facing.
> There is a mail server, but those ports aren't even open, but it can
> send mail out (subversion log messages and trac ticket emails).
>
> I can't tell you that I've heard of a kernel security level.
>
> Overall I know that somewhere something bad happened that comes back to
> bad sysadmin. Very possibly it's an issue with a compromised user
> account, potentially from a user's account being hijacked/keylogged
> (happened in the past). Secondly I think it may be an issue with a 3rd
> party web app (WordPress, PhpMyAdmin) that was exploited.
>
> We now have only http and subversion publicly accessible. This should
> tell us if it's a web exploit or ssh.
> C
>
>
The symptoms you have look very similar to a PHP/PERL script exploit.
Look at the time stamps on the files dumped in /tmp. Compare them with
the time stamps of the files in /var/www. I wouldn't be surprised if the
ones in /var/www are older. This would lead me to believe that they
exploited a PHP/PERL script which drops it in /tmp and executes it - the
default temp directory for both PHP and PERL. Whatever the script was
that got executed gave them access to the /var/www directory which I
suspect is owned by the apache user/group. Since that user more than
likely has read/write access to /var/www, so does the running script.
Summary: Scrutinize the hell out of your PHP/PERL scripts. Search the
'net for problems with the versions of the apps you're running. If they
are custom written disable them until you can thoroughly review them.
--
Jon
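The timestamp comparison Jon describes, written out as a small script. This is an added example, not code from the thread or from any tool mentioned in it. It assumes GNU findutils (`find -printf`) and GNU coreutils (`touch -d`, `date -d`), takes the scratch directory and web root as parameters so it can be run against a copy of the evidence rather than the live host, and builds a constructed fixture with made-up file names and dates in place of the real /tmp and /var/www.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the newest
# modification time of files dropped in a scratch directory (Jon's /tmp)
# with the newest modification time under a web root (/var/www).
# Assumes GNU findutils (find -printf) and GNU coreutils (touch -d, date -d).

# List regular files under $1 as "epoch<TAB>owner:group<TAB>mode<TAB>path",
# newest first. Owner/group is printed because who owns the web root
# (e.g. the apache user) decides what a compromised web script could write.
list_by_mtime() {
    find "$1" -type f -printf '%T@\t%u:%g\t%m\t%p\n' 2>/dev/null | sort -rn
}

# Print the newest modification time under $1 as integer epoch seconds,
# or 0 when the directory holds no regular files.
newest_mtime() {
    ts=$(list_by_mtime "$1" | head -n 1 | cut -f1 | cut -d. -f1)
    echo "${ts:-0}"
}

# Compare scratch dir $1 against web root $2.
# Returns 0 when the scratch files are newer (consistent with a web script
# dropping files in /tmp after the web root was last changed), 1 when the
# web root was modified more recently (look at what changed under it),
# 2 when either directory is empty.
compare_dirs() {
    scratch=$(newest_mtime "$1")
    webroot=$(newest_mtime "$2")
    [ "$scratch" -eq 0 ] && return 2
    [ "$webroot" -eq 0 ] && return 2
    if [ "$scratch" -gt "$webroot" ]; then
        echo "scratch newest: $(date -u -d "@$scratch" '+%F %T') is newer than web root newest: $(date -u -d "@$webroot" '+%F %T')"
        return 0
    fi
    echo "web root newest: $(date -u -d "@$webroot" '+%F %T') is newer than scratch newest: $(date -u -d "@$scratch" '+%F %T')"
    return 1
}

# Build a constructed fixture: a web root last touched days before a file
# appeared in the scratch dir. Names and dates are made up for the demo.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/www" "$base/tmp"
    touch -d '2007-09-20 10:00:00' "$base/www/index.php"
    touch -d '2007-09-21 11:30:00' "$base/www/wp-login.php"
    touch -d '2007-09-25 03:14:00' "$base/tmp/.x"
    echo "$base"
}

# Demo run against the fixture; on a real box the two arguments would be
# the copied /tmp and /var/www trees.
fixture=$(make_fixture)
echo "--- scratch dir, newest first ---"
list_by_mtime "$fixture/tmp"
echo "--- web root, newest first ---"
list_by_mtime "$fixture/www"
compare_dirs "$fixture/tmp" "$fixture/www"
rm -rf "$fixture"
```

The return code is what a follow-up script would branch on: 0 supports Jon's "script dropped into /tmp" theory, 1 says the web root itself changed after the drop and deserves a file-by-file look. Since mtime is trivially reset with `touch`, treat the result as a lead, not proof.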