[clug] Re: linux Digest, Vol 31, Issue 25

Sat Jul 23 14:29:38 GMT 2005

On Fri, Jul 22, 2005 at 11:28:50AM +1000, Chris wrote:
> Sorry for this late response.

> By saying crash, I meant that the server was under severe load and didn't
> response to my commands, or with reasonable lags.

> Just as the way you pointed out, there were indeed, lots of http requests,
> and this keeps happening until now. As far as I have gathered, the system
> was somehow instructed to download some Perl files and put them in the
> /tmp folder. Then communicate to a specific server, I presume that is what
> the Perl files were asking it to do. I have hundreds of those Perl files,
> with the same name, but different extensions, something like 001, 002 ...

> >From the info I had from 'netstat',
> tcp    0      1 postal.anu.edu.au:36072 luzerklub.hu:5454       SYN_SENT
> tcp    0      1 postal.anu.edu.au:36078 udp.fl00d.de:ircd       SYN_SENT

> And some other lines assemble this pattern, repeated over and overed, each
> time with a different postal port.

> So far, I have deleted all irc server, bots, cgiirc, and all the other
> related packages that I can think of. Also, had firehol firewall up and
> running. I ran clamscan on the entire system and found one virus, which I
> have already gotten rid of.

> And the server is still getting connection from the aforementioned
> addresses (e.g.,luzerklub.hu). Any ideas what else I need to do to
> complete drop all those annoying connections?

Those're connections going out _to_ the servers. You'll prolly find the stuff
in /tmp is owned by the webserver process. I saw this happen recently, and it
appears to be an apache worm. I tracked down the relevant IRC channel, and it
was full of Guestnnnnn logins. Two other IRC servers which were trying to be
contacted were not accepting connections, and that's what you're seeing in the
netstat. (IE connections to IRC servers where the whole machine has been
disconnected, or at least the relevant port's traffic is being dropped)

There also appeared to be a couple of directories full of very old root
exploits, and I came across it about five minutes into a class-B ssh server
dictionary scan. I _noticed_ it because my apache logs were full of segfaults,
and I went to track it down and discovered a whole bunch of processes 'brute'
running as www-data. I believe this was a very recent break-in, as I frequently
(every week or two) go through the process table looking for things I can kill
(eg. when users report slow responses from websites)

I do not _believe_ I've been rooted, but the server is queued for a complete
rebuild anyway, so I'll be md5suming it against a clean sarge machine at that
time, which'll confirm if it was just broken into, or very very completely
rooted.

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
8th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson at Anu.edu.au

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

License: http://creativecommons.org/licenses/by/2.1/au/
-----------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/linux/attachments/20050724/7ba296d9/attachment.bin