September 3rd, 2003, 05:44 AM
spc1 and apache?
Today, I noticed that a process ./spc1 was running on my linux (debian) machine. I only noticed it because it was preventing apache from restarting. Looking in the error log I found evidence of what I assume is an exploit succeeding in getting apache to download code to my machine, and presumably starting it:
[Tue Sep 2 06:27:56 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
mkdir: cannot create directory `/var/tmp/.xpl': File exists
Resolving their.site.hostname... done.
Connecting to their.site.hostname[xxx.15.82.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,589 [text/plain]
0K .......... ......... 100% 14.37 KB/s
08:54:34 (14.37 KB/s) - `spc1.2' saved [19589/19589]
I can't find any reference to this exploit on the web however, so am not sure what it was and what it might have done in addition to running, and presumably propagating itself.
Does anyone know what this would have been and what it was likely to have been up to?
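Added example (not from the original thread): a small scanner for Apache error logs that flags the kind of evidence the post above shows, i.e. downloader progress output and shell errors about hidden directories under /tmp or /var/tmp, which never belong in Apache's own messages. The sample log is constructed from the excerpt above; hostname and IP are placeholders, not indicators.

```python
import re

# Constructed sample modelled on the error-log excerpt in the post above.
SAMPLE_LOG = """\
[Tue Sep 2 06:27:56 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
mkdir: cannot create directory `/var/tmp/.xpl': File exists
Resolving their.site.hostname... done.
Connecting to their.site.hostname[xxx.15.82.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,589 [text/plain]
08:54:34 (14.37 KB/s) - `spc1.2' saved [19589/19589]
[Tue Sep 2 06:28:01 2003] [notice] Apache configured -- resuming normal operations
"""

# Lines Apache writes itself start with a bracketed timestamp and a level.
APACHE_LINE = re.compile(r"^\[[^\]]+\] \[(?:notice|error|warn|info|debug)\]")
# Shell error mentioning a dot-prefixed directory in a world-writable temp dir.
HIDDEN_TMP_DIR = re.compile(r"mkdir: .*?`?((?:/var)?/tmp/\.[^'`\s]+)")
# Progress output of a command-line downloader: where it connected to ...
CONNECT = re.compile(r"Connecting to (\S+?)\[([^\]]+)\]:(\d+)")
# ... and what it saved.
SAVED = re.compile(r"`([^']+)' saved \[(\d+)/(\d+)\]")

def scan_error_log(text):
    """Return (line_no, kind, detail) for every line that is not Apache's own."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if APACHE_LINE.match(line):
            continue  # ordinary Apache-formatted message
        if m := HIDDEN_TMP_DIR.search(line):
            findings.append((n, "hidden-tmp-dir", m.group(1)))
        elif m := CONNECT.search(line):
            findings.append((n, "outbound-download", f"{m.group(1)} {m.group(2)}:{m.group(3)}"))
        elif m := SAVED.search(line):
            findings.append((n, "file-saved", f"{m.group(1)} ({m.group(2)} bytes)"))
        else:
            # Anything else that is not in Apache's format deserves a look too.
            findings.append((n, "foreign-line", line))
    return findings

if __name__ == "__main__":
    for n, kind, detail in scan_error_log(SAMPLE_LOG):
        print(f"line {n}: {kind}: {detail}")
```

Run it over a real error log with `scan_error_log(open("/var/log/apache/error.log").read())`; a clean log produces no findings, since every line matches Apache's own format.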
September 3rd, 2003, 11:06 AM
It could be anything if the file was renamed. Do you have the file itself?
Have you checked history logs? The tmp dir for other hidden files? passwd/shadow for new users?
September 3rd, 2003, 11:59 AM
Looking on Google for var/tmp/.xpl reveals:
Although these are difficult to read, it would seem that you may have visited a site that executed some malicious code. I would imagine you have some malware or a root kit on your system.
Remove the offending file and look in logs for other evidence.
Check init scripts for other problems
Portscan yourself for anything open that shouldn't be there
Use netstat & look for other things that shouldn't be there.
Oh, and complain to the ISP of the IP where the file was downloaded from.
That bit about visiting a site was waffle - The exploit was in yabbse
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
September 3rd, 2003, 12:56 PM
I removed the offending files and killed the process as soon as I saw them. I can't see any evidence of activity, no changes to /etc/passwd or /etc/shadow, nothing in the logs that looks weird. I am hoping this indicates that the attempt to get further was unsuccessful...
I'll run nessus on that machine overnight and see if it finds anything.
Must say, it's pretty frustrating trying to find info about this exploit!
September 4th, 2003, 12:01 AM
I've now upgraded YabbSE - that was how they got in to my machine too. Hopefully v1.54 won't prove to be problematic. :-/
More questions... how would I find out if someone has installed a root kit on my server?
I am behind a firewall that only has the barest minimum necessary ports open (ssh, mail,web).
Is there some place I can see what a "normal" netstat would look like?
On Debian, a simple
apt-get install chkrootkit
installs the chkrootkit package, which "examines certain elements of the target system and determines whether they have been tampered with".
Happily, it gave me a clean bill of health, so that's a positive I guess :-)
September 4th, 2003, 01:17 AM
Normal netstat? You mean like a baseline? I'd suggest doing a baseline on a regular basis so you can build your own "normal netstat". It will probably help. You might also keep an eye on processes and users to see if anything unusual happens. I'm guessing here, but it sounds like you caught the guy in the act before any real serious damage was done. Perhaps a honeypot would be worthwhile if you have an old machine around. Something that would keep the guy busy while you watch him fool around and such.
Just an idea off the top of my head.