Thread: spc1 and apache?

  1. #1
    Junior Member
    Join Date
    Sep 2003
    Posts
    3

    Question spc1 and apache?

    Today, I noticed that a process ./spc1 was running on my linux (debian) machine. I only noticed it because it was preventing apache from restarting. Looking in the error log I found evidence of what I assume is an exploit succeeding in getting apache to download code to my machine, and presumably starting it:

    [Tue Sep 2 06:27:56 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
    mkdir: cannot create directory `/var/tmp/.xpl': File exists
    --08:54:32-- http://their.site.hostname/spc1
    => `spc1.2'
    Resolving their.site.hostname... done.
    Connecting to their.site.hostname[xxx.15.82.20]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 19,589 [text/plain]

    0K .......... ......... 100% 14.37 KB/s

    08:54:34 (14.37 KB/s) - `spc1.2' saved [19589/19589]

    I can't find any reference to this exploit on the web however, so am not sure what it was and what it might have done in addition to running, and presumably propagating itself.

    Does anyone know what this would have been and what it was likely to have been up to?

    Guy
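    An added example, not code from the original poster: a small Python scanner that picks out the kind of evidence shown in the error_log excerpt above (a hidden directory under /var/tmp and wget's own progress output, which never belongs in an Apache log), plus a helper that lists dot-named entries under the usual temp directories. The log lines embedded in it are constructed from the excerpt, with the hostname left as the poster sanitised it; the regexes and function names are assumptions for this example.

```python
"""Added example (not the original poster's code): scan Apache error_log
lines for evidence that the web server process itself ran wget and dropped
a file into a hidden temp directory, as in the post above.  The sample
lines below are constructed from the post, with the hostname left as the
poster sanitised it."""
import os
import re

# A dot-named entry directly under /tmp or /var/tmp (e.g. /var/tmp/.xpl)
HIDDEN_TMP = re.compile(r"/(?:var/)?tmp/\.[^\s'`]+")
# wget's start banner: --HH:MM:SS--  <url>
WGET_START = re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)")
# wget's completion line: `<file>' saved [got/total]
WGET_SAVED = re.compile(r"`(?P<file>[^']+)' saved \[(?P<got>\d+)/(?P<total>\d+)\]")

# Constructed sample, modelled on the error_log excerpt in the post
SAMPLE_LOG = """\
[Tue Sep  2 06:27:56 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
mkdir: cannot create directory `/var/tmp/.xpl': File exists
--08:54:32--  http://their.site.hostname/spc1
           => `spc1.2'
Resolving their.site.hostname... done.
Connecting to their.site.hostname[xxx.15.82.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,589 [text/plain]
08:54:34 (14.37 KB/s) - `spc1.2' saved [19589/19589]
""".splitlines()


def scan_error_log(lines):
    """Return (line_number, reason, detail) tuples for lines that look like
    tool-download activity rather than normal Apache output."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = HIDDEN_TMP.search(line)
        if m:
            findings.append((n, "hidden temp directory", m.group(0)))
            continue
        m = WGET_START.match(line.strip())
        if m:
            findings.append((n, "download started", m.group("url")))
            continue
        m = WGET_SAVED.search(line)
        if m:
            findings.append((n, "download completed",
                             f"{m.group('file')} ({m.group('got')} bytes)"))
    return findings


def find_hidden_entries(roots=("/tmp", "/var/tmp")):
    """List dot-named entries directly under the given directories.  Some are
    legitimate (/tmp/.X11-unix, /tmp/.ICE-unix); anything else deserves a look."""
    hits = []
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue
        hits.extend(os.path.join(root, n) for n in sorted(names) if n.startswith("."))
    return hits


if __name__ == "__main__":
    for n, reason, detail in scan_error_log(SAMPLE_LOG):
        print(f"line {n}: {reason}: {detail}")
    print("hidden temp entries on this host:", find_hidden_entries())
```

    Run against a real log with `scan_error_log(open("/var/log/apache/error.log").read().splitlines())`; the point of matching wget's banner rather than a specific filename is that the dropped file can be renamed to anything, as MrLinus notes below, while the download tool's output format stays the same.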

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    It could be anything if the file was renamed. Do you have the file itself?

    Have you checked history logs? the tmp dir for other hidden files? passwd/shadow for new users?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Looking on google for var/tmp/.xpl reveals:

    http://list.cobalt.com/pipermail/cob...ch/007784.html
    http://www.mail-archive.com/cobalt-s.../msg05798.html

    Although these are difficult to read, it would seem that you may have visited a site that executed some malicious code. I would imagine you have some malware or a root kit on your system.

    Disconnect networking

    Remove the offending file and look in logs for other evidence.
    Check init scripts for other problems
    Portscan yourself for anything open that shouldn't be there
    Use netstat & look for other things that shouldn't be there.

    Oh, and complain to the ISP of the IP where the file was downloaded from.

    Steve

    <edit>
    That bit about visiting a site was waffle - The exploit was in yabbse
    </edit>
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  4. #4
    Junior Member
    Join Date
    Sep 2003
    Posts
    3
    Thanks guys

    I removed the offending files and killed the process as soon as I saw them. I can't see any evidence of activity, no changes to /etc/passwd or /etc/shadow, nothing in the logs that looks weird. I am hoping this indicates that the attempt to get further was unsuccessful...

    I'll run nessus on that machine overnight and see if it finds anything.

    Guy

    Must say, it's pretty frustrating trying to find info about this exploit!

  5. #5
    Junior Member
    Join Date
    Sep 2003
    Posts
    3
    I've now upgraded YabbSE - that was how they got into my machine too. Hopefully v1.54 won't prove to be problematic. :-/

    More questions...how would I find out if someone has installed a root kit on my server?

    I am behind a firewall that only has the barest minimum necessary ports open (ssh, mail,web).

    Is there some place I can see what a "normal" netstat would look like?

    On debian, a simple

    apt-get install chkrootkit

    installs the chkrootkit package, which "examines certain elements of the target system and determines whether they have been tampered with".

    Happily, it gave me a clean bill of health, so that's a positive I guess :-)

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Normal netstat? You mean like a baseline? I'd suggest doing a baseline on a regular basis so you can build your own "normal netstat". It will probably help. You might also keep an eye on processes and users to see if anything unusual happens. I'm guessing here, but it sounds like you caught the guy in the act before any real serious damage was done. Perhaps a honeypot would be worthwhile if you have an old machine around. Something that would keep the guy busy while you watch him fool around and such.

    Just an idea off the top of my head.
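    As an added example of the "build your own normal netstat" advice above (not MrLinus's or the original poster's code): a Python script that parses `netstat -tuln` output into a set of listening sockets, stores one capture as the baseline, and reports what has appeared or disappeared since. Both netstat outputs embedded below are constructed; the baseline reflects the poster's stated firewall policy (ssh, mail, web), and the extra ports in the "current" capture are made-up values for the demonstration.

```python
"""Added example (not MrLinus's or the original poster's code): keep a
baseline of listening sockets from `netstat -tuln` and diff the current
output against it.  The two netstat outputs below are constructed; the
baseline reflects the poster's stated firewall policy (ssh, mail, web)."""
import re
import subprocess
import sys

# One netstat -tuln row: proto, Recv-Q, Send-Q, local, foreign, [state]
ROW = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?:\s+(?P<state>\S+))?"
)

# Constructed baseline: only ssh, smtp and http listening
BASELINE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

# Constructed later capture: smtp is gone, an unexpected TCP listener and a
# UDP socket have appeared, and sshd also shows an IPv6 row
CURRENT_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:5353            0.0.0.0:*
"""


def parse_listeners(text):
    """Return a set of (proto, port) for TCP sockets in LISTEN state and all
    bound UDP sockets.  IPv4 and IPv6 rows collapse to the same (proto, port)."""
    listeners = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto = m.group("proto").rstrip("6")
        if proto == "tcp" and m.group("state") != "LISTEN":
            continue
        port = int(m.group("local").rsplit(":", 1)[1])
        listeners.add((proto, port))
    return listeners


def diff_listeners(baseline, current):
    """Sockets that appeared since the baseline and sockets that vanished."""
    return {"new": sorted(current - baseline), "missing": sorted(baseline - current)}


def capture_listeners():
    """Run netstat on this host; returns None if netstat is not installed."""
    try:
        proc = subprocess.run(["netstat", "-tuln"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_listeners(proc.stdout)


if __name__ == "__main__":
    # Demonstration on the constructed captures
    report = diff_listeners(parse_listeners(BASELINE_NETSTAT),
                            parse_listeners(CURRENT_NETSTAT))
    print("new listeners:    ", report["new"])
    print("missing listeners:", report["missing"])
    # Optional live use: `python baseline.py save` writes this host's netstat
    # output to netstat.baseline; `python baseline.py check` diffs against it.
    if len(sys.argv) > 1:
        live = capture_listeners()
        if live is None:
            sys.exit("netstat not available on this host")
        if sys.argv[1] == "save":
            with open("netstat.baseline", "w") as fh:
                fh.write(subprocess.run(["netstat", "-tuln"], capture_output=True,
                                        text=True).stdout)
        elif sys.argv[1] == "check":
            with open("netstat.baseline") as fh:
                print(diff_listeners(parse_listeners(fh.read()), live))
```

    A "new" entry is the thing to chase down with `netstat -tulnp` (or `lsof -i`) to find the owning process; a "missing" entry is worth a look too, since a service that stopped listening can be a sign that something replaced it. On current Debian releases `ss -tuln` is the usual tool and prints a differently laid-out table, so the parser above would need its column pattern adjusted.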
