RE: [suse-security] Help with Attack/Worm/???
Hi,
Hi Thomas,
Something very similar happened to me some weeks ago. We traced it to be a vicious trojan that replaced my system ls, ps and other such vital commands.
If I guess right your www process is running, but the 'ps aux' that you run won't show it.
No. httpd did NOT run -> and we couldn't restart it. That's why we looked for suspicious activities in our system. If httpd had run as usual, probably till today we wouldn't know what's going on.
The www process is probably supplying data to the hacker through the trojan.
Yes, an irc-daemon was started as user wwwrun. And "top" revealed this.
In my particular attack the hacker had a keyboard sniffer, which transmitted my root passwd etc. through a tcp connection to a site somewhere in Russia. Also cited was an ftp host in Belgium which was getting some of the data that was being sniffed out.
I also found some hints. In /var/tmp/ the attacker created two directories: "..." and " " (one blank). There I found many tools and sources:
- many irc-tools
- a scanner, which scans other hosts for apache/ssl-vulnerabilities
- apache/ssl-exploit
- some tools to hide processes
- and a .bash_history for user wwwrun, so I was able to reconstruct many of the activities.
If somebody is interested in receiving the history or the tools, mail me.
I was running suse 7.3 w/ apache+mod_ssl, and neglected to apply the security patch to cover a known vulnerability.
yeah, shit happens ...
Ended up changing the hard-drive and rebuilding the server!
yes. Thomas
pm
Thomas Langfeld wrote:
Hi,
we are running suse 7.3 and apache 1.3.20 with mod_ssl
Last week it happened:
- webserver down
- apache could not be restarted
- error-log: '[crit] (98)Address already in use: make_sock: could not bind to port 443'
So, let's look at what wwwrun is doing:
- a 'ps aux | grep wwwrun' showed nothing
- but: 'top' and 'uwwwrun' showed some processes 'eggdrop' running by user 'wwwrun' -> maybe a rootkit which replaced '/usr/bin/ps' ???
- a portscan revealed open tcp-port 6667
1. question: Does anybody know, what's the reason for that ?!?
We suggested it could be the ssl-worm Slapper, but it usually opens udp-ports and not tcp 6667.
2. question: In Apache 1.3.27 all known security-holes are fixed.
But there is no RPM for suse 7.3. There is only a package with version 1.3.20-77. So, we don't know if all these security holes are fixed in this package?
The same for mod_ssl / OpenSSL ?
So, we don't know: when we install the latest SuSE RPMs, are we protected against the above attack??
Anybody who can answer the questions ?
Thx, Thomas
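A defender-side check for the two signs this thread describes: processes that /proc lists but a trojaned ps does not, and oddly named directories ("..." and a single blank) in /var/tmp. This is an added example, not code from the thread; the `ps aux` column layout, the sample listing and the regex for "suspicious" names are assumptions.

```python
#!/usr/bin/env python3
"""Cross-check ps output against /proc and scan /var/tmp for
dot-only or whitespace-only directory names (added example)."""
import os
import re
import subprocess

# Assumption: names consisting only of three or more dots, or only of
# whitespace, are the kind of hiding names seen in this thread.
SUSPICIOUS_NAME = re.compile(r"^(\.{3,}|\s+)$")


def proc_pids():
    """PIDs visible in /proc; does not depend on a possibly trojaned ps."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids(ps_output):
    """PIDs reported in `ps aux` text (assumed: PID is the second column)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():
            pids.add(int(fields[1]))
    return pids


def hidden_pids(in_proc, in_ps, own_pid=None):
    """PIDs present in /proc but absent from ps, excluding this script.
    Short-lived processes can appear here by chance: run twice to confirm."""
    own = os.getpid() if own_pid is None else own_pid
    return sorted((in_proc - in_ps) - {own})


def suspicious_dirs(names):
    """Names that are only dots or only whitespace."""
    return [n for n in names if SUSPICIOUS_NAME.match(n)]


def run_checks(tmp_dir="/var/tmp"):
    """Live check on this host; returns (hidden PIDs, odd names in tmp_dir)."""
    snapshot = proc_pids()  # snapshot first so ps itself is not flagged
    ps_text = subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout
    return hidden_pids(snapshot, ps_pids(ps_text)), suspicious_dirs(os.listdir(tmp_dir))


if __name__ == "__main__":
    hidden, odd = run_checks()
    print("PIDs in /proc but not in ps:", hidden or "none")
    print("suspicious names in /var/tmp:", odd or "none")
```

A non-empty first list on a box whose ps is trusted usually means a race with a short-lived process; a repeatable hit is worth inspecting via /proc/PID/exe and /proc/PID/cmdline rather than via ps.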