hey guys, my server rebooted a few days ago, and while I was looking around for possible reasons (none came up, which is disconcerting in itself) I found this suspicious directory:

    $ ls -l /tmp/download
    total 44
    drwxr-xr-x  4 root  wheel    512 Oct 23 16:28 Archive_Tar-1.3.1
    drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 Console_Getopt-1.2
    drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 XML_RPC-1.5.0
    -rw-r--r--  1 root  wheel  15433 Jul 12 02:09 package.xml
    -rw-r--r--  1 root  wheel  22193 Jul 12 02:09 package2.xml

The subdirs contain a bunch of .php files, and the xml files are info about version updates of PEAR's "XML-RPC for PHP". They're owned by root (only I have the passwd) so it wasn't made by a local user, and I assume it wasn't made by portupgrade or something like that?

So, I've got no idea how that dir got there. I'm guessing via some web exploit that I still need to look into, and /tmp is mounted 'exec' for some legit processes to function (can't remember which), so it's possible they were able to upload something and run it. chkrootkit, which I've only just installed, seems clear.

Anyway, I'm trying to figure out when this happened to have something to go on, and I don't understand the stat command, for example:

    $ stat /tmp/download/package2.xml
    60 49356 -rw-r--r-- 1 root wheel 198776 22193 "Dec 28 04:03:50 2006" "Jul 12 02:09:14 2006" "Oct 23 16:28:28 2006" "Jul 12 02:09:14 2006" 4096 44 0 /tmp/download/package2.xml

Taking hints from 'stat -x' and 'stat -s' I gather this means:

    access time = Dec 28 04:03:50 2006
    modify time = Jul 12 02:09:14 2006
    change time = Oct 23 16:28:28 2006
    birth time  = Jul 12 02:09:14 2006

Now how many of these dates are local or carried over from the source system, since my system was created at 08:00 on 21 Oct 2006 (i.e. the Jul dates don't make sense)? (Also, what's the difference between modify and change time?)

Essentially, is there a way I can tell when the files were put there?
This is the directory's info too:

    $ stat /tmp/download
    60 49346 drwxr-xr-x 5 root wheel 196642 512 "Dec 29 00:53:16 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" 4096 4 0 /tmp/download

ps. out of interest:

This is the only suspicious thing in the logs I could find:

    Oct 23 00:31:42 lordcow kernel: pid 48464 (conftest), uid 0: exited on signal 12 (core dumped)
    Oct 23 01:19:26 lordcow kernel: pid 17512 (conftest), uid 0: exited on signal 12 (core dumped)

though from google it seems it could be an innocent apache thing.

Also, around the 23rd or 24th of Oct I started taking md5sums of all the files in the bin and lib directories, and they haven't changed without my knowledge since then. Of course that doesn't help if the breach was in the 2 odd days before this and after the system was created. Also, snort hasn't reported anything overly suspicious, and all packages are kept up to date.
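An added example, not part of the thread, on the timestamp question above. Of the four stamps stat(1) prints on FreeBSD, atime and mtime can be set to any value from userland (tar -p, touch -t, os.utime()), so on an unpacked archive they are whatever the archive carried; ctime is written by the kernel from the local clock on every inode change and has no userland setter, so it records when the inode was last touched on this machine. (On FreeBSD's UFS2 the birth time is also moved back when mtime is set earlier than it, which is why birth time equals the archive mtime here.) The script parses the default BSD stat(1) line format and then reproduces the carried-over mtime in a scratch directory; INSTALL_TIME is the 21 Oct 2006 08:00 install date from the post, and the file contents are made up.

```python
"""Which of the four stat(1) timestamps are local to this machine?

Added example, not from the thread. Parses the default BSD stat(1) line,
then shows in a scratch directory that mtime can be carried over from a
source system while ctime is always set by the local kernel.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# The line from the post (used as parser input; nothing on disk is read).
STAT_LINE = ('60 49356 -rw-r--r-- 1 root wheel 198776 22193 '
             '"Dec 28 04:03:50 2006" "Jul 12 02:09:14 2006" '
             '"Oct 23 16:28:28 2006" "Jul 12 02:09:14 2006" '
             '4096 44 0 /tmp/download/package2.xml')

# When the system was installed, from the post. Anything earlier than this
# cannot be a local event.
INSTALL_TIME = datetime(2006, 10, 21, 8, 0)

# BSD stat(1) default format is: dev ino mode nlink uid gid rdev size
# "atime" "mtime" "ctime" "birthtime" blksize blocks flags name
STAT_FIELDS = ("atime", "mtime", "ctime", "birthtime")

def parse_bsd_stat(line):
    """Return {field: datetime} for the four quoted timestamps."""
    stamps = re.findall(r'"([^"]+)"', line)
    if len(stamps) != 4:
        raise ValueError("expected four quoted timestamps: %r" % line)
    return {k: datetime.strptime(s, "%b %d %H:%M:%S %Y")
            for k, s in zip(STAT_FIELDS, stamps)}

def carried_over(stamps, install_time):
    """Fields that predate the install and so must have come from elsewhere."""
    return sorted(k for k, v in stamps.items() if v < install_time)

def fake_extract(path, archived_mtime):
    """Create a file and give it the archive's mtime, as tar -p would."""
    with open(path, "w") as f:
        f.write("<package/>\n")          # constructed content
    os.utime(path, (archived_mtime, archived_mtime))  # sets atime/mtime only

def timeline(directory, install_time):
    """Entries sorted by ctime, the only stamp that is reliably local."""
    rows = []
    for name in os.listdir(directory):
        st = os.stat(os.path.join(directory, name))
        rows.append({"name": name, "ctime": st.st_ctime, "mtime": st.st_mtime,
                     "mtime_predates_install": st.st_mtime < install_time})
    return sorted(rows, key=lambda r: r["ctime"])

def demo():
    """Unpack a fake July 2006 file into a scratch dir and return its rows."""
    install = INSTALL_TIME.replace(tzinfo=timezone.utc).timestamp()
    archived = datetime(2006, 7, 12, 2, 9, 14, tzinfo=timezone.utc).timestamp()
    with tempfile.TemporaryDirectory() as d:
        fake_extract(os.path.join(d, "package2.xml"), archived)
        return timeline(d, install)

if __name__ == "__main__":
    stamps = parse_bsd_stat(STAT_LINE)
    print("carried over from the source system:",
          carried_over(stamps, INSTALL_TIME))
    for row in demo():
        print(row)   # mtime is July 2006, ctime is right now
```

Applied to the posted line, the parser reports mtime and birthtime as carried over and leaves ctime (Oct 23 16:28:28) as the local write time; on the directory itself all four stamps are local, so the whole tree landed at that moment. The scratch-directory half shows the same thing on any POSIX system: the file's mtime reads as July 2006 immediately after creation, while its ctime is the current clock.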
Something's up. Nothing in ports will write to a /tmp/download directory, so either you or someone with root access did it.

I suggest checking /var/log/auth.log for attempted breaches, and running sockstat and looking for processes with ports open that shouldn't have ports open.

conftest cores usually mean a ./configure was issued and parts of said configure failed; them being so far apart suggests that some work was done to the configure script to fix it. If you didn't install anything from ports at or around those periods of time, then someone was running a configure script to build something on the machine.

I wouldn't be overly concerned that, if you're dealing with a breach, you're dealing with anyone who is competent. Change your passwords, check auth.log for ssh connections and look at sockstat to see if any programs are running that are listening on ports (that shouldn't be).

David

On 12/28/06, gareth <bsd@lordcow.org> wrote:
> hey guys, my server rebooted a few days ago, and while i was
> looking around for possible reasons (none came up, which's
> disconcerting in itself) i found this suspicious directory:
> [...]
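An added example, not part of the thread, for the two checks David suggests: pick sshd successes and failures out of auth.log, and compare what sockstat -l shows listening against the ports you know about. Both inputs are constructed here in the style of FreeBSD 6 output; the hosts, PIDs, addresses and the rogue perl listener are made up for illustration, not data from the machine in question.

```python
"""Triage for auth.log sshd entries and sockstat -l listeners.

Added example, not from the thread; AUTH_LOG and SOCKSTAT below are
constructed sample input in FreeBSD 6 format, not real data.
"""
import re
from collections import Counter

AUTH_LOG = """\
Oct 23 16:02:11 lordcow sshd[48120]: Failed password for root from 203.0.113.5 port 4412 ssh2
Oct 23 16:02:14 lordcow sshd[48120]: Failed password for root from 203.0.113.5 port 4412 ssh2
Oct 23 16:02:19 lordcow sshd[48123]: Accepted password for root from 203.0.113.5 port 4418 ssh2
Oct 23 18:40:02 lordcow sshd[48301]: Accepted publickey for gareth from 192.0.2.10 port 51022 ssh2
Oct 24 09:15:33 lordcow sshd[49011]: Failed password for invalid user admin from 198.51.100.77 port 2201 ssh2
"""

SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
www      httpd      601   3  tcp4   *:80                  *:*
root     sendmail   489   4  tcp4   127.0.0.1:25          *:*
root     perl       48890 3  tcp4   *:6667                *:*
root     perl       48890 4  tcp4   10.0.0.2:54011        203.0.113.9:6667
"""

# OpenSSH "Accepted <method> for <user> from <ip>" / "Failed ... for [invalid user] <user> from <ip>"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)")

def ssh_logins(log_text):
    """Count failures per source IP and collect successful logins, each
    tagged with how many failures that IP had racked up beforehand."""
    failures = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        else:
            accepted.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"],
                             "method": m["method"],
                             "prior_failures": failures[m["ip"]]})
    return failures, accepted

def suspicious_logins(accepted, known_ips):
    """Root logins, logins from addresses you do not recognise, and
    successes that followed failures from the same address."""
    return [a for a in accepted
            if a["user"] == "root" or a["ip"] not in known_ips
            or a["prior_failures"] > 0]

def unexpected_listeners(sockstat_text, allowed_ports):
    """Listening TCP sockets (foreign address *:*) on ports not in the
    allowlist, as (user, command, pid, local address) tuples."""
    found = []
    for line in sockstat_text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 7 or not cols[4].startswith("tcp"):
            continue
        user, command, pid, _fd, _proto, local, foreign = cols[:7]
        if foreign != "*:*":
            continue                                  # established, not listening
        port = int(local.rsplit(":", 1)[1])
        if port not in allowed_ports:
            found.append((user, command, int(pid), local))
    return found

if __name__ == "__main__":
    failures, accepted = ssh_logins(AUTH_LOG)
    print("failures by source:", dict(failures))
    for a in suspicious_logins(accepted, known_ips={"192.0.2.10"}):
        print("review this login:", a)
    for entry in unexpected_listeners(SOCKSTAT, allowed_ports={22, 25, 80}):
        print("unexpected listener:", entry)
```

On the sample input the root login from 203.0.113.5 is flagged because it is a root login and because the same address failed twice just before it, while the publickey login from the known address is not; the sockstat pass reports only the perl process listening on 6667, since the second perl line is an outbound connection and the others are on expected ports. Run against the real files, replace known_ips and allowed_ports with what you actually administer.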
gareth wrote:
> Oct 23 00:31:42 lordcow kernel: pid 48464 (conftest), uid 0: exited on signal 12 (core dumped)
> Oct 23 01:19:26 lordcow kernel: pid 17512 (conftest), uid 0: exited on signal 12 (core dumped)

These are from autoconf testing various capabilities of the system to do with signal handling -- nothing to be worried about.

> hey guys, my server rebooted a few days ago, and while i was
> looking around for possible reasons (none came up, which's
> disconcerting in itself) i found this suspicious directory:
>
> $ ls -l /tmp/download
> total 44
> drwxr-xr-x  4 root  wheel    512 Oct 23 16:28 Archive_Tar-1.3.1
> drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 Console_Getopt-1.2
> drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 XML_RPC-1.5.0
> -rw-r--r--  1 root  wheel  15433 Jul 12 02:09 package.xml
> -rw-r--r--  1 root  wheel  22193 Jul 12 02:09 package2.xml
>
> the subdirs contain a bunch of .php files, and the xml files
> are info about version updates of PEAR's "XML-RPC for PHP".
> they're owned by root (only i have the passwd) so it wasn't
> made by a local user, and i assume it wasn't made by portupgrade
> or something like that?

Are you running a web server as root on this machine? This illustrates why that is such a bad idea...

If you aren't running a web server, but only using PHP as a command line tool, then have you been doing any work with such things as IDEs or other large toolsets? They often have the capability to download and install extra bits at a mouseclick.

Generally if you have a compromise in a PHP based webserver, you'll see the compromised machine used as a spam-bot or similar. Check the contents of your mail spool. Use tcpdump / wireshark to monitor the traffic to and from the machine to look for suspicious activity.

If you've got the permissions right, then the attackers will not be able to write to the hard drive through compromising the webserver, which means that a stop and restart of Apache will thwart their nefarious plans, at least until they can recompromise your server. Generally that's about 5 -- 15 minutes, as all that sort of stuff is pretty automated nowadays.

The best defense against all of this sort of stuff is to be fully patched and up to date with all your installed software. PHP is a nightmare security wise -- the whole language tends to steer developers into doing sloppy and insecure things by default. Well known, big projects like phpMyAdmin or Horde will generally code stuff pretty tightly, but the rest often need a severe beating with the clue stick. Even the well-managed projects will have their problems, and in fact one of the measures of a well-managed project is how promptly they deal with security problems and how open they are about revealing such things.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW