apache hijacked! - Help needed urgently!
Archived thread from the Apache Server configuration support forum, February 2006.
We have been noticing some strange errors on two of our servers recently, such as failure to mount floppy disks and failure to eject the CD-ROM drive; at least these are the ones that caught our attention. Nobody has physical access to the server, and nobody that has root access has tried to do either of the above. Somewhere along the line I found modprobe in one of the error messages.
I made a wrapper for the modprobe command (in the attachment).
Randomly (maybe once every other day) I actually get email from this script (also in the attachment).
I am extremely concerned about this because it appears that modprobe is being run by the web server (as root, nonetheless).
I cannot think of anything that would rationalize Apache running modprobe.
Any ideas on what may have caused this? (PS. The timing is not consistent, and I don't see anything in cron that would do this.)
And in a worst case scenario - if this is a real break-in, what can I do to catch the user in the act?
Replacement modprobe script
#!/bin/sh
# Wrapper installed as /sbin/modprobe; the real binary has been renamed to /sbin/modprobe.real.
EMAIL=myaddress@domain.tld
# Report the arguments modprobe was invoked with
echo "Running modprobe.real $*" | mail -s "MODPROBE ATTEMPT" "$EMAIL"
# Dump the wrapper's environment
set | mail -s modprobe_output "$EMAIL"
# Show the parent process that called modprobe
ps -ef | grep "$PPID" | mail -s "Parent Proc - $PPID" "$EMAIL"
# Hand off to the real modprobe with all arguments intact
exec /sbin/modprobe.real "$@"
------------------------------------------------------------------------------
Email - MODPROBE
Running modprobe.real -s -k -- net-pf-10
------------------------------------------------------------------------------
Email - modprobe_output
BASH=/bin/sh
BASH_VERSINFO=([0]="2" [1]="05b" [2]="0" [3]="1" [4]="release" [5]="i386-redhat-linux-gnu")
BASH_VERSION='2.05b.0(1)-release'
DIRSTACK=()
EUID=0
GROUPS=()
HOME=/
HOSTNAME=my-real-hostname
HOSTTYPE=i386
IFS='
'
MACHTYPE=i386-redhat-linux-gnu
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PIPESTATUS=([0]="0" [1]="0")
POSIXLY_CORRECT=y
PPID=32642
PS4='+ '
PWD=/
SHELL=/bin/bash
SHELLOPTS=braceexpand:hashall:interactive-comments:posix
SHLVL=1
TERM=linux
UID=0
_=
------------------------------------------------------------------------------
Email - Parent Proc 32642
apache 32642 31215 0 07:22 ? 00:00:00 /usr/sbin/httpd
root 32648 32642 0 07:27 ? 00:00:00 /bin/sh /sbin/modprobe -s -k -- net-pf-10
root 32658 32648 0 07:27 ? 00:00:00 grep 32642
root 32659 32648 0 07:27 ? 00:00:00 mail -s Parent Proc - 32642 myaddress@domain.tld
mikedawg@gmail.com 2006-01-31, 7:27 pm
What user are you running httpd as? Also, do you have suEXEC compiled into httpd?
mikedawg@gmail.com 2006-01-31, 7:27 pm
What makes you think that Apache is issuing the modprobe command?
Colin McKinnon 2006-02-04, 2:48 am
DC wrote:
>
> I made a wrapper for the modprobe command (in the attachement)
>
<snip>
> Email - MODPROBE
>
> Running modprobe.real -s -k -- net-pf-10
>
Does it happen when you try to ping6 localhost (try as root)? I've not got my head around IPv6 yet - but the config on my SuSE boxes resolves localhost as ::1.
Might be an idea to grab a netstat, a full ps list and a who in your rattrap script.
HTH
C.
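As an added example in the direction Colin suggests (not code from the thread or from anyone in it): a wrapper that walks /proc to record the caller's full process ancestry, snapshots ps, netstat and who into a log file, and only then hands off to modprobe.real. The log path and the `apache` account name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a "rattrap" wrapper in the spirit of DC's
# modprobe wrapper and Colin's suggestion. It walks /proc to record the full
# ancestry of the caller, snapshots ps/netstat/who, appends to a log file and
# then hands off to the real binary. Paths and the account name are assumptions.
LOG=/var/log/modprobe-trap.log        # assumed log location (root-writable)
REAL=/sbin/modprobe.real              # the renamed real modprobe, as in the thread

# Print "pid uid ppid command" for a pid and every ancestor up to init.
ancestry() {
    pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/status" ]; do
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        echo "$pid $uid $ppid $cmd"
        pid=$ppid
    done
}

# Count ancestors of $1 (itself included) running as numeric uid $2, so the
# log can flag a root modprobe that descends from the web server's uid.
ancestors_with_uid() {
    ancestry "$1" | awk -v u="$2" '$2 == u { n++ } END { print n + 0 }'
}

# Record everything about this invocation, then run the real modprobe.
main() {
    {
        echo "=== $(date) modprobe $* (pid $$, parent $PPID)"
        echo "--- ancestry"; ancestry "$PPID"
        web_uid=$(id -u apache 2>/dev/null)    # assumed web server account
        [ -n "$web_uid" ] && echo "--- ancestors as apache: $(ancestors_with_uid "$PPID" "$web_uid")"
        echo "--- ps";      ps -ef 2>/dev/null
        echo "--- netstat"; netstat -an 2>/dev/null
        echo "--- who";     who 2>/dev/null
    } >>"$LOG" 2>&1
    exec "$REAL" "$@"
}

# Only trap when installed under the real name; sourcing the file just defines the functions.
case "$(basename "$0")" in
    modprobe) main "$@" ;;
esac
```

Because the wrapper logs before exec, the ancestry chain in the log shows every process between httpd and the modprobe call, not just the immediate parent that `ps -ef | grep $PPID` reveals.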