Re: [users@httpd] irc eggdrop exploit woes

Ivan Barrera A. wrote:
Using some packaged distro (as fedora) is pretty easy

rpm -VVV on each package, and reinstall the affected ones (supposing
that you have some binary replaced)

The eggdrop.. you can wipe it out of the disk

Eben Goodman wrote:

I actually know which user it got through on, it came in through an
insecure php nuke application.  I have since removed the nuke app, but
the damage appears to be done, since this eggdrop crap is still running
on the server.  Is there a way to find, and remove the software once it
has found its way on?

thanks,
Eben

Dan Mahoney, System Admin wrote:


On Mon, 6 Jun 2005, Eben Goodman wrote:

If you're doing multi-hosting, look into suexec.  The fact that it
runs CGIs as the user is kinda secondary to the fact that it shows
you WHICH user uploaded the insecure script.

For PHP scripts, I've had good luck running suPHP (which is not an
official apache project, but something similar really should be).

-Dan



I recently had an irc exploit on my server running this eggdrop relay
thing via apache.  I was able to find the offending files and remove
them and the eggdrop processes went away for awhile, but now they are
back and try as I might I can't find any files that correspond to
this software.  When viewing top it shows the eggdrop processes
running as apache.  If I don't reboot the server for a couple days
the eggdrop apache processes start sucking up all cpu and gobbling
bandwidth.

Has anyone else dealt with this?

thanks,
Eben

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
"   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


--

The American firm Transceptor Technology has begun production of
"Personal Sputnik" computers

--Snap, "The Power"


Ivan's solution is not "acceptable" in terms of what you *should* do, but nothing says that you *can't* have a compromised machine on your network. I'd understand doing this if a) you just didn't care, or b) you just don't care.

It's never safe to assume that a "little" compromise is as small as it seems. Always save your data, and restore the OS. But hey, if you've got some time to spare, by all means investigate the situation and learn from it, and more importantly, what you can do to prevent it in the future.

During re-installation, make sure that all areas that Apache and PHP have access to are on filesystems where the 'noexec' bit can be set. This will make it so that no programs can be executed off of a given mounted filesystem. Many people (myself included) make /tmp and /var/tmp 'noexec' to prevent executions on temp filesystems which *should* have no executions on them to begin with.

Hope that helps
-dant
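Two of the checks discussed in this thread, as an added example written for this archive page and not code posted by any of the participants: a POSIX shell script that (1) flags processes running as the web-server user whose executable has been unlinked (one common reason a running process has no matching file on disk, which fits Eben's description of not finding the eggdrop files) or whose binary lives under a temp directory, and (2) verifies that /tmp and /var/tmp are mounted with noexec as dant recommends. The ps-style and /proc/mounts-style sample data, the PIDs and the /tmp/.x path are constructed for the demo; `apache` is assumed as the httpd user, as in Eben's top output, and `list_procs` assumes a Linux /proc with GNU stat.

```shell
#!/bin/sh
# Added example for the httpd users-list thread above; not code from the thread.
# check_mounts: reads /proc/mounts-formatted lines on stdin and reports every
# mount point named in "$@" that lacks the noexec option.
# Returns 0 when all named mount points are noexec, 1 otherwise.
check_mounts() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        for want in "$@"; do
            [ "$mnt" = "$want" ] || continue
            case ",$opts," in
                *,noexec,*) ;;
                *) echo "NO NOEXEC: $mnt ($opts)"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# suspect_procs: reads lines "PID USER EXE_PATH" on stdin (the format that
# list_procs below produces) and prints those owned by user "$1" whose binary
# was deleted after launch or lives under a temp / world-writable directory.
# Returns 0 when nothing was flagged, 1 otherwise.
suspect_procs() {
    user="$1"; found=0
    while read -r pid puser exe; do
        [ "$puser" = "$user" ] || continue
        case "$exe" in
            *'(deleted)'*|/tmp/*|/var/tmp/*|/dev/shm/*)
                echo "SUSPECT pid=$pid user=$puser exe=$exe"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# list_procs: builds "PID USER EXE_PATH" lines from a live Linux /proc.
# The kernel appends " (deleted)" to the exe link when the file was unlinked.
list_procs() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        user=$(stat -c %U "$p" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || exe='(unreadable)'
        echo "$pid $user $exe"
    done
}

# Constructed sample input (not captured from a real host) so the script runs offline.
SAMPLE_PROCS='1 root /sbin/init
2345 apache /usr/sbin/httpd
2399 apache /tmp/.x/eggdrop (deleted)
2400 apache /var/tmp/.ICE-unix/.bnc
3001 mysql /usr/libexec/mysqld'

SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda4 /var/tmp ext3 rw,relatime 0 0'

# Demo against the constructed sample; each check prints its findings and
# a hint when something was flagged.
printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts /tmp /var/tmp \
    || echo "hint: add noexec,nosuid,nodev in /etc/fstab, e.g. '/dev/sda4 /var/tmp ext3 defaults,noexec,nosuid,nodev 0 2', then 'mount -o remount /var/tmp'"
printf '%s\n' "$SAMPLE_PROCS" | suspect_procs apache \
    || echo "hint: inspect /proc/PID/cwd, /proc/PID/cmdline and the httpd access log around the PID's start time before killing it"

# Live use on the compromised host (Linux):
#   list_procs | suspect_procs apache
#   check_mounts /tmp /var/tmp < /proc/mounts
```

A deleted-but-running binary can still be copied out for analysis from /proc/PID/exe before the process is killed; and because the thread concludes that the box should be rebuilt, treat these checks as triage for learning what happened, not as a cleanup that makes the host trustworthy again.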

