What you have to do now is called forensic analysis. Ask Google for
details. First separate yourself from the network and "dd" your hard drive content
to somewhere. Install a completely new system and apply all current
patches and harden the box to the best of your knowledge (hopefully enough).
With the backup of the compromised system you can now try to find out
how the attacker came in and owned your box.
One point to start from is here:
http://www.sleuthkit.org/autopsy/index.php
Hope that helps
The bob
--
technician
http://www.hs-pongratz.de
info@hs-pongratz.de
----- Original Message -----
From: "Jeroen Taalman"
Hi There,
We have a number of servers running 8.2. One of them was recently hacked. We noticed that an IFRAME tag was added to a few index.html files. This IFRAME tag sends a URL to the client and forces the client to download malware from another server. It seems they tried to exploit an IE vulnerability this way. Further, the global PHP.INI was edited. The option 'auto-append' was set to '/etc/.app'. This file (.app) contains the same URL as the IFRAME tag. As a result, clients get awful pop-ups every time they request a PHP page. The dates and times of the changed files all lay within a small time frame of about 10 minutes.
We didn't find anything unusual in the system logs etc. The only remarkable finding is that /USR/SBIN/CRON has been changed. It is 28024 bytes and its date and time is March 7, 00:55 hrs. (On our other servers (same OS version) this file is 23928 bytes and dated March 14, 2003.) Of course I googled but didn't find very much. This URL describes a 6KB worm on BSD systems: http://craiu.pcnet.ro/papers/papers/exsee.html, but I doubt whether this is the cause in my case.
At the time of the hack we were using:
- Apache 1.3.28 and 1.3.29
- PHP 4.3.2
- Cvsd 0.9.20
- Openssl 0.9.6i
- Suse auto_update
- Webmin 1.131
- Is there anyone who knows more about this?
- How can I see which code (worm) is added to the file CRON?
- Does CVSD have any specific weaknesses which can be related to this?
Thanks in advance for your help, Jeroen
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
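The checks the two messages describe (a tight modification window, an iframe injected into index.html, an auto_append hook in php.ini, and a cron binary that differs from a clean server), as an added POSIX shell example that is not from either poster. It assumes the dd image of the compromised disk is mounted read-only at a path you pass in, and that a known-good copy of /usr/sbin/cron has been copied over from an uncompromised server; the /srv/www path and file names are illustrative.

```shell
#!/bin/sh
# Triage helpers for a read-only mounted copy of the compromised disk
# (assumption: mount -o ro,noexec,loop image.dd "$IMAGE_ROOT" was done beforehand).

# Files whose mtime falls inside a window; the poster saw every change land
# within roughly 10 minutes. Timestamps use the touch -t form YYYYMMDDhhmm.
modified_between() {   # $1=root  $2=window start  $3=window end
    start=$(mktemp) && end=$(mktemp) || return 1
    touch -t "$2" "$start" && touch -t "$3" "$end"
    find "$1" -type f -newer "$start" ! -newer "$end" | sort
    rm -f "$start" "$end"
}

# HTML documents carrying an iframe tag. Iframes are also legitimate, so each
# hit still needs a look; the injected one pointed at a malware-serving host.
find_iframes() {       # $1=directory to scan
    find "$1" -name '*.html' -exec grep -li '<iframe' {} + | sort
}

# A non-empty auto_prepend_file or auto_append_file makes every PHP response
# carry extra content, which is exactly the pop-up behaviour reported.
php_ini_hooks() {      # $1=path to php.ini ; exit 0 when a hook is set
    grep -Ei '^[[:space:]]*auto_(prepend|append)_file[[:space:]]*=[[:space:]]*[^[:space:];]' "$1"
}

# Byte-for-byte comparison of a suspect binary against a known-good copy.
# rpm --root "$IMAGE_ROOT" -V cron would ask the package database instead, but
# a database on a compromised disk may itself be tampered; prefer the clean copy.
same_binary() {        # $1=suspect  $2=known-good ; exit 0 when identical
    cmp -s "$1" "$2"
}

# Usage: IMAGE_ROOT=/mnt/image sh triage.sh (window taken from the reported times)
if [ -n "$IMAGE_ROOT" ]; then
    modified_between "$IMAGE_ROOT" 200403070045 200403070105
    find_iframes "$IMAGE_ROOT/srv/www"
    php_ini_hooks "$IMAGE_ROOT/etc/php.ini" || echo "no php.ini hook set"
    same_binary "$IMAGE_ROOT/usr/sbin/cron" ./cron.known-good || echo "cron differs"
fi
```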