Nick wrote on Thu, 04 May 2006 14:43:20 +1000:

> Bindz.... hmm. telnetting to the port gave me a root shell

A shell, not necessarily a root shell. It's running with apache user rights, it seems.

> -rwxrwxr-x 1 apache apache 19429 Jan 10 16:20 bindz
> -rw-r--r-- 1 apache apache 2100 Jan 8 21:32 dc.txt
> -rwxrwxr-x 1 apache apache 479843 Aug 3 2005 uselib24

You should suspect some PHP app or at least a web-based intrusion. Break-ins this way usually don't get the intruder a root shell, and what they are up for most often is distribution space for "warez/videoz". They don't "waste time" with owning the machine in a better way.

Stop that stuff from running, firewall it more tightly and then look around.

I haven't seen a hack on one of my clients' computers for two years now, so I'm not familiar with what gets used today. Google for those apps you found and you may find quite a bit of information on what they replace. If it's not in those directories, anyway, including another instance of the exploit that helped to get in - for re-use on the next machine ...

Try to find out when the intrusion happened; there may be logs for "bindz" or other apps, or the creation date of some file may reveal this. Then check your apache logs around that date.

If it's a good rootkit it's hard to get rid of it. Well, you said you want to nuke it anyway, good :-)

If it's not a rootkit then you might think about getting rid of the stuff, because only some basic apps got replaced, for instance ls, ps, lsof, netstat and such, what you would use to look around and identify files/processes that shouldn't be there. Since your netstat shows the intruder, it's obviously not been replaced or not working correctly, and nothing may have happened yet after the break-in.

If you have a second machine with the same OS you can start by comparing (size, date, CRC) some of these apps and then replacing them (even if they compare ok; if you replace first, you don't have a chance to find what got replaced). Then compare again.

Kai
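The compare-then-replace procedure at the end of the post, as an added shell example that is not part of the thread: it snapshots size, mtime and a SHA-256 checksum of the tools named as commonly replaced (ls, ps, lsof, netstat) on the suspect box and on a known-clean box with the same OS, then diffs the two snapshots. The tool paths and the mount point are assumptions; GNU coreutils (stat -c, sha256sum) and awk are assumed to be available.

```shell
# Added example, not from the thread. Paths are assumptions: adjust TOOLS to
# your distribution. Requires GNU coreutils (stat -c, sha256sum) and awk.
TOOLS="/bin/ls /bin/ps /usr/sbin/lsof /bin/netstat"

# manifest ROOT PATH...  -> one line per file found under ROOT:
# "path size mtime sha256". ROOT is "" on a live system or the mount point
# of a clean disk (e.g. /mnt/clean), so both manifests share the same keys.
manifest() {
  root=$1; shift
  for p in "$@"; do
    f="$root$p"
    [ -f "$f" ] || continue
    size=$(stat -c %s "$f")
    mtime=$(stat -c %Y "$f")
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s %s %s %s\n' "$p" "$size" "$mtime" "$sum"
  done
}

# compare_manifests REF SUSPECT -> OK/METADATA/CHANGED/MISSING per file;
# returns 1 if anything is missing or differs in content. The checksum
# decides: a replacement can forge size and date, so matching stat data
# proves little (the post's "replace even if they compare ok"). A stat-only
# difference is still flagged because it is worth a look.
compare_manifests() {
  ref=$1; sus=$2; bad=0
  while read -r path size mtime sum; do
    line=$(awk -v p="$path" '$1 == p' "$sus")
    if [ -z "$line" ]; then printf 'MISSING %s\n' "$path"; bad=1; continue; fi
    set -- $line            # $2=size $3=mtime $4=sha256 on the suspect box
    if [ "$4" != "$sum" ]; then
      printf 'CHANGED %s size %s->%s mtime %s->%s\n' "$path" "$size" "$2" "$mtime" "$3"
      bad=1
    elif [ "$2" != "$size" ] || [ "$3" != "$mtime" ]; then
      printf 'METADATA %s\n' "$path"
    else
      printf 'OK %s\n' "$path"
    fi
  done < "$ref"
  return $bad
}

# Typical run:  clean box:    manifest "" $TOOLS > ref.txt
#               suspect box:  manifest "" $TOOLS > sus.txt; compare_manifests ref.txt sus.txt
```

Run the manifest on the clean machine first and copy only the text file across; never copy binaries from the suspect box onto the clean one.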