Question

How do I stop this apache exploit?

Asked by: vancetech

I noticed two processes running as apache this evening:
apache   32744  0.0  0.0  1364  272 ?        S    Jul25   0:00 ./ptrace
apache   32767 98.6  0.0  1348  288 ?        R    Jul25 378:36 ./localroot

and found the files in the /tmp directory:

/tmp
-rw-r--r--    1 apache   apache       1828 Mar 26 12:03 bd.c
-rwxr-xr-x    1 apache   apache      16400 Jul 25 18:01 logs
-rwxr-xr-x    1 apache   apache      17804 Apr  8 09:29 ptrace
-rwxr-xr-x    1 apache   apache      19913 Jul 26 00:33 localroot

Then I checked the apache log file and found this:

--18:01:17--  http://www.myxpls.hpg.com.br/exploit/locais/bd.c
           => `bd.c'
Resolving www.myxpls.hpg.com.br... done.
Connecting to www.myxpls.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,828 [text/plain]

    0K .                                                     100%    1.74 MB/s

18:01:17 (1.74 MB/s) - `bd.c' saved [1828/1828]

bd.c: In function `main':
bd.c:77: warning: comparison between pointer and integer

----------------------

So my question is, what am I doing wrong that I allowed this user to gain access?  I am almost completely up2date on my Redhat 7.2 linux box ( have to update the kernel they just released ) so I was under the impression that I am hacker "resistant".

Should I be taking more security steps than just making sure my rpms are up2date, like compiling the latest code from source?  I thought RPMs had the latest security flaws in them fixed?  I must be missing something.

Thank you for your help :(

Asked on 2003-07-26 at 01:13:00 (ID 20691048)
Tags: apache, exploit
Topic: Linux Network Security
Participating Experts: 3 | Points: 250 | Comments: 8

Answers

 

by: jlevie, posted on 2003-07-26 at 07:33:19 (ID: 9010883)

I believe that your system has been successfully cracked. Whether that happened via an Apache vulnerability or some other entry point can't really be determined from the Apache log. That simply shows the attacker downloading a piece of code from a repository of exploit tools. If you look at the site the code was downloaded from you'll find that it contains a tool kit for attacking and exploiting various security vulnerabilities.

A completely up to date 7.2 system should be immune to attacks against flaws in the RedHat furnished packages. But if you've installed any packages that did not come from the RedHat 7.2 distribution there could be vulnerabilities in any of those packages. Also you could have one or more insecure services running and exposed to Internet access that might be exploited via password sniffing (telnet, ftp, pop, imap, etc). It is also possible that this box was cracked by a leap frog attack, meaning that the attacker was able to penetrate some other system that this server considers trustworthy. There's more to securing a system than just keeping it up to date.

The correct action at this point is to disconnect the system from the network. Then you need to backup configuration and site data and do a full re-install of the OS. All applicable RedHat errata then need to be applied to the system and it needs to be hardened. If there were any non-redhat packages on the system those must be checked to see if there are any known vulnerabilities and later versions obtained before re-installing those applications. The site data must be carefully examined for malicious code or trojans before it is re-loaded onto the server. Oh yes, all passwords need to be changed too.

Once the system is ready for use, and before re-connecting it to the Internet, I recommend that you configure tripwire to monitor all of the important system files/dirs. That won't stop an attacker, but it will let you know exactly what an attacker did to the system. Using that information it is possible to recover from an attack without needing to re-install everything. I'd also recommend that you protect the box with a restrictive IPtables firewall that only allows access from the Internet to exactly those services that are required. And you don't want to have any of the insecure services exposed unless those services are "black boxed", meaning that users of those services don't correspond to Linux accounts. The only access that a user with a Linux account should have is via ssh/scp/sftp or other encrypted session.

 

by: fishtank, posted on 2003-07-26 at 19:53:06 (ID: 9013160)

If you did try hard to keep the system up2date then, like jlevie said, it should be immune to attacks.  Usually the remote break-in method is a buffer overflow to gain root privilege and a shell. According to the purposes of those running processes, which are local root exploits, it means that someone wants to escalate their privilege from normal user to root. This means that someone has already logged in/broken in as a NORMAL USER and is trying to gain root privilege and create a backdoor for future connections.

If you have a firewall to block external connections besides http, https, smtp, dns, pop3 etc., then you should check whether these services have the latest patches applied, not only the kernel. For example sendmail should be upgraded/patched to 8.12.9 per the critical security note for a remote exploit problem announced on 2003-03-29.

Are any system shutdown and restart records suspicious? Do any records look modified? Is it possible this incident was caused by a local user logging in locally and running these programs?  Did you check syslog, maillog, user login records? Any core dumps found? You need to take note of every detail to find clues.
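As an added example (not code from anyone in this thread), a small Python triage script that flags the two indicators the asker posted: processes owned by the web-server account executing from a relative path or a scratch directory, and downloader/compiler/shell output mixed into the Apache error_log. The sample `ps aux` and error_log text is constructed from the lines in the question; the `WEB_USERS` set and the pattern list are assumptions to tune for the local box.

```python
import re

# Constructed sample `ps aux` output, modelled on the two lines in the question.
PS_SAMPLE = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  1376  432 ?        S    Jul20   0:04 init
apache    1204  0.0  0.3  8520 3400 ?        S    Jul25   0:00 /usr/sbin/httpd
apache   32744  0.0  0.0  1364  272 ?        S    Jul25   0:00 ./ptrace
apache   32767 98.6  0.0  1348  288 ?        R    Jul25 378:36 ./localroot
"""

# Constructed error_log excerpt, modelled on the wget/gcc output in the question.
ERROR_LOG_SAMPLE = """\
[Fri Jul 25 17:58:02 2003] [notice] Apache configured -- resuming normal operations
sh: option `-c' requires an argument
--18:01:17--  http://www.myxpls.hpg.com.br/exploit/locais/bd.c
           => `bd.c'
18:01:17 (1.74 MB/s) - `bd.c' saved [1828/1828]
bd.c: In function `main':
bd.c:77: warning: comparison between pointer and integer
"""

# Accounts a web server runs as (assumption: match the User directive in httpd.conf).
WEB_USERS = {"apache", "www-data", "nobody"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Output that only a downloader, compiler or shell produces, never Apache itself.
TOOL_PATTERNS = [
    (re.compile(r"^--\d\d:\d\d:\d\d--\s+\S+://"), "wget download started"),
    (re.compile(r"saved \[\d+/\d+\]"), "wget download completed"),
    (re.compile(r"^\S+\.c:(\d+:)?\s*(warning|error|In function)"), "C compiler output"),
    (re.compile(r"^sh: .*requires an argument"), "shell invoked from server context"),
]

def suspicious_processes(ps_output):
    """Return (pid, user, command) for processes owned by a web-server account
    whose executable is a relative path or lives under a scratch directory."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the ps header row
        fields = line.split(None, 10)                # 11th field = full COMMAND
        if len(fields) < 11:
            continue
        user, pid, command = fields[0], int(fields[1]), fields[10]
        exe = command.split()[0]
        if user in WEB_USERS and (exe.startswith("./") or exe.startswith(SCRATCH_DIRS)):
            hits.append((pid, user, command))
    return hits

def suspicious_log_lines(log_text):
    """Return (line_no, reason, line) for error_log lines that look like tool
    output (downloader, compiler, shell) rather than Apache's own messages."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        for pattern, reason in TOOL_PATTERNS:
            if pattern.search(line):
                hits.append((no, reason, line))
                break
    return hits
```

On a live box, feed `suspicious_processes` the output of `ps aux` and `suspicious_log_lines` the contents of error_log; both functions return the matching lines so they can be cross-referenced by time against /var/log/messages and the login records.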

 

by: xDamox, posted on 2003-07-27 at 06:02:23 (ID: 9014255)

Hi vancetech,

You have been cracked; jlevie is correct. Perfect.BR Team are a well known defacement group. I used to know the group members; their results of sites and cracks they have done are:


No  Attacker    Single IP defacements  Mass defacements  Total defacements  Homepage defacements  Subdir defacements
7.  Perfect.Br  1590                   0                 1590               1590                  0

I would suggest you reinstall your distribution because they are probably using it for a shell account to attack other people's sites.

 

by: xDamox, posted on 2003-07-27 at 06:04:40 (ID: 9014257)

Also, about that http://www.myxpls.hpg.com.br/exploit/locais/bd.c:

the bd.c is a backdoor which opens on port 44999 and the password is perfectbr

 

by: fishtank, posted on 2003-07-27 at 16:49:02 (ID: 9016203)

Perfect.BR Team are a well known defacement group:
http://www.zone-h.org/en/defacements/filter/filter_defacer=Perfect.Br/

Usually they do a defacement and leave the break-in person's name there to announce it to the public.

I doubt they would break into your system without a defacement and leave a backdoor there for a future attack. Do they need this, when they can break into many vulnerable systems whenever they want?

Simply identifying the attacker based on the downloaded backdoor source may easily mislead you the wrong way.   bd.c is written by Perfect.BR Team but ptrace and localroot are written by other persons. How about the ptrace and localroot? How about the source download site www.myxpls.hpg.com.br? Would they leave so many obvious clues for you?  This break-in looks like someone wants to use your system, but he/she may be a green hand, given how many traces were left in the system.

Vancetech, the suggestion to reinstall your system is one of the solutions, but you need to figure out how they did it to eliminate such an incident happening again.  If resources allow, re-build another system for production first, take out this system and use a vulnerability scanner such as nessus (http://www.nessus.org) to scan this system and see whether any vulnerable services could leave a door open for another break-in. If not, then you may think about a local user or a physical break-in (boot up as single user). You may learn something after this exercise.  Good luck.

 

by: vancetech, posted on 2003-07-29 at 02:06:00 (ID: 9026403)

I have looked the system up and down for suspicious error messages, user scripts, and root kits and can't find anything that I think points to the method of entry, backdoor or any trail left behind.  The Ipchains firewall is running smoothly ( darn passive FTP clients ), PHP safe mode is on, and Perl/CGI is in a suexec wrapper as well.

All I can see is around 18:01:17 in the apache error_log when bd.c was downloaded...

The following is from around that same time in /var/log/messages:

Jul 25 18:02:07 broomfundel modprobe: modprobe: Can't locate module net-pf-14
Jul 25 18:02:07 broomfundel kernel: request_module[net-pf-14]: waitpid(32746,...) failed, errno 512

I don't know if the latest redhat kernel release (July 21st) that I didn't apply until June 26th was the open door, but that was the only RPM that wasn't upgraded at the time.

I've learned that updated Redhat RPMs are patched stable versions of the software where security holes are found, and it is not necessary to upgrade to the latest release.

Thank you all for your help and time!

 

by: vancetech, posted on 2003-07-31 at 16:07:04 (ID: 9044846)

Are there more logging features that I can employ to try and catch the exploit that was used? Kernel level, apache, dns, sendmail detailed logging??  It seems to me I don't have enough information recorded to find out how the user opened a shell with apache!!

The apache error_log ( I forgot to include the "sh: option '-c' requires an argument" line that apache reported ):

sh: option `-c' requires an argument
--20:06:54--  http://www.myxpls.hpg.com.br/exploit/locais/bd.c
           => `bd.c'
Resolving www.myxpls.hpg.com.br... done.
Connecting to www.myxpls.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,828 [text/plain]

    0K .                                                     100%    1.74 MB/s

20:06:54 (1.74 MB/s) - `bd.c' saved [1828/1828]

bd.c: In function `main':
bd.c:77: warning: comparison between pointer and integer

 

by: jlevie, posted on 2003-07-31 at 18:07:45 (ID: 9045284)

My guess, if this was an attack via an Apache vulnerability, is that the attack was made using a buffer overflow vulnerability. The "wonderful thing" about such vulnerabilities from an attacker's view is that most such vulnerabilities won't be logged by any level of detail logging. The buffer overflow allows the attacker to execute some command as root and since the system doesn't provide facilities to log all commands executed by every user (we aren't talking about shell history files) there won't typically be a record of the penetration. If you are lucky some other things related to the attack (like the download and build of the back door) may be logged. But even then a good cracker will edit or remove log files to cover their tracks.

I've done forensic analysis on several systems where no evidence of the attack whatsoever was left in any log file. The only clue as to when the attack occurred was the timestamp of a binary built during the attack. Knowing that date/time, a close examination of the log files indicated that they might have been edited to delete evidence of the attack.
