[nmglug] unknown processes, sh -i
js at jasonschaefer.com
Sun Feb 11 15:56:22 PST 2007
It was an exploit in cacti (http://secunia.com/advisories/23528/). A good lesson
in not taking the default settings (/cacti).
tcpdump showed this person was pinging nasa.gov from my computer.
I am looking through all the apache logs to see what else has been going on.
Jason
Quoting Pi <pi at pihost.us>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jason Schaefer wrote:
> > This process has started twice in the last month. It takes 100% of my
> > cpu and netstat shows its connected to a hosting company in Italy
> > (serverdedicati.seflow.net). Apache has nothing in the logs regarding
> > this! Has anyone else seen this sh -i? Anything I might be missing?
> >
> > This is what netstat -patn shows
>
> d00d j00 b33n h4x0r3d.
>
> Run chkrootkit, rkhunter, upgrade your apache, upgrade your webapps (anything
> PHP- or perl-based, AWStats, etc), look in /tmp for anything funky, look
> anywhere www-data can write for the same, make sure nothing's been
> overwritten.
> Also, if you're writing your own CGI or PHP, start throwing backticks, pipes,
> quotes, dollar signs, and backslashes at anything resembling an input field.
> It'll look like you're a cartoon swearing, but might reveal issues.
>
> :
> > tcp 0 0 10.2.2.2:37924 213.92.118.223:49153 ESTABLISHED 12780/sh -i
> > tcp 0 0 10.2.2.2:37923 213.92.118.223:49153 ESTABLISHED 12761/sh -i
> > tcp 0 0 10.2.2.2:37906 213.92.118.223:49153 ESTABLISHED 13122/sh -i
> > tcp 0 1 10.2.2.2:33807 213.92.118.223:49153 SYN_SENT 13449/sh -i
> >
> > This is what ps aux |grep www-data shows:
> > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> > www-data 19198 0.0 0.2 24120 1784 ? SN Feb04 0:00 /usr/sbin/apache2 -k start -DSSL
> > www-data 19199 0.0 0.2 24120 2028 ? SN Feb04 0:00 /usr/sbin/apache2 -k start -DSSL
> > www-data 19200 0.0 0.2 24204 1796 ? SN Feb04 0:00 /usr/sbin/apache2 -k start -DSSL
> > www-data 19201 0.0 0.2 24232 1792 ? SN Feb04 0:00 /usr/sbin/apache2 -k start -DSSL
> > www-data 19202 0.0 0.2 24228 1776 ? SN Feb04 0:00 /usr/sbin/apache2 -k start -DSSL
> > www-data 23276 0.0 0.2 24120 2188 ? SN Feb04 0:00 /usr/sbin/apache2 -k start -DSSL
> > www-data 26063 0.0 0.2 24236 1768 ? SN Feb04 0:00 /usr/sbin/apache2 -k start -DSSL
> > www-data 12761 8.9 0.2 4820 2320 ? RN Feb05 218:42 sh -i
> > www-data 12780 27.1 0.2 4824 2312 ? RN Feb05 659:30 sh -i
> > www-data 13122 26.4 0.2 4828 2320 ? RN Feb05 642:09 sh -i
> > www-data 13449 18.9 0.2 4828 2308 ? SN Feb05 457:57 sh -i
> >
> >
> > This is what top shows:
> > 13122 www-data 35 10 4828 2320 972 R 10.7 0.3 642:12.92 perl
> > 12761 www-data 35 10 4820 2320 976 R 9.7 0.3 218:45.64 perl
> > 12780 www-data 35 10 4824 2312 976 R 9.4 0.3 659:33.24 perl
> >
> >
> > _______________________________________________
> > nmglug mailing list
> > nmglug at nmglug.org
> > http://www.nmglug.org/mailman/listinfo/nmglug
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQFFy3vyKaiGM/xGKzQRAgieAKCuEJ1MnWnY7ttXlVcPMVZNUJmbbwCgv5wL
> 3Gmx0QVWMQpgqKJaXihSf88=
> =lKwC
> -----END PGP SIGNATURE-----
>
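Added example (mine, not code from Jason's or Pi's mails) that turns the two checks in this thread into something you can run against saved command output: it parses the netstat -patn and ps aux rows quoted above and lists every TCP socket held by a shell or interpreter running as www-data, and it scans Apache combined-log lines under the /cacti/ prefix for the backticks, pipes, quotes, dollar signs and backslashes Pi mentions, after URL-decoding the query string. The netstat and ps rows are the ones from the thread; the access-log lines, the 192.0.2.10 address and the /cacti/example.php script name are constructed for the example and are not real Cacti files or real traffic.

```python
"""Triage helpers for the situation in the thread: shells owned by the web
server user talking to a remote host, and web logs showing how they got there.
Added example for this archive page; not code from the original mails."""
import re
from urllib.parse import unquote

# netstat -patn rows copied from Jason's mail (Linux net-tools layout).
NETSTAT_SAMPLE = """\
tcp 0 0 10.2.2.2:37924 213.92.118.223:49153 ESTABLISHED 12780/sh -i
tcp 0 0 10.2.2.2:37923 213.92.118.223:49153 ESTABLISHED 12761/sh -i
tcp 0 0 10.2.2.2:37906 213.92.118.223:49153 ESTABLISHED 13122/sh -i
tcp 0 1 10.2.2.2:33807 213.92.118.223:49153 SYN_SENT 13449/sh -i
"""

# ps aux rows copied from Jason's mail (header, one apache worker, the four shells).
PS_SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
www-data 19198 0.0 0.2 24120 1784 ? SN Feb04 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 12761 8.9 0.2 4820 2320 ? RN Feb05 218:42 sh -i
www-data 12780 27.1 0.2 4824 2312 ? RN Feb05 659:30 sh -i
www-data 13122 26.4 0.2 4828 2320 ? RN Feb05 642:09 sh -i
www-data 13449 18.9 0.2 4828 2308 ? SN Feb05 457:57 sh -i
"""

# Constructed Apache combined-log lines (not from the thread). 192.0.2.10 is a
# documentation address and /cacti/example.php is a made-up script name.
ACCESS_LOG_SAMPLE = """\
192.0.2.10 - - [05/Feb/2007:03:12:44 -0700] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Feb/2007:03:13:01 -0700] "GET /cacti/example.php?id=1%7C%60id%60 HTTP/1.1" 200 12 "-" "lwp-trivial/1.41"
192.0.2.10 - - [05/Feb/2007:03:13:05 -0700] "GET /search.php?q=%24HOME HTTP/1.1" 200 3081 "-" "Mozilla/5.0"
"""

# netstat -patn TCP row: proto recv send local remote state PID/program
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)/(.+)$")
# Command names that have no business holding a socket as the web server user.
INTERPRETER_RE = re.compile(r"^(?:\S*/)?(?:sh|bash|dash|ksh|zsh|perl|python\d*|nc|netcat)(?:\s|$)")
# Apache combined log format; the request target is group 4.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"')
# The metacharacters Pi lists: backtick, pipe, semicolon, dollar, backslash, quotes.
META_RE = re.compile(r"""[`|;$\\'"]""")


def parse_ps(ps_text):
    """Map pid -> (user, command line) from `ps aux` rows; the command may contain spaces."""
    procs = {}
    for line in ps_text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or not parts[1].isdigit():
            continue  # header or malformed row
        procs[int(parts[1])] = (parts[0], parts[10])
    return procs


def find_shell_connections(netstat_text, ps_text, web_user="www-data"):
    """Return TCP connections whose owning process runs as web_user and is a shell or
    interpreter, i.e. the pattern in the thread: apache's user with a live socket in sh -i."""
    procs = parse_ps(ps_text)
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        local, remote, state, pid, prog = m.groups()
        pid = int(pid)
        user, cmdline = procs.get(pid, ("?", prog))  # fall back to netstat's program name
        if user == web_user and INTERPRETER_RE.match(cmdline):
            hits.append({"pid": pid, "local": local, "remote": remote,
                         "state": state, "cmdline": cmdline})
    return hits


def find_injection_attempts(log_text, app_prefix="/cacti/"):
    """Flag requests (only under app_prefix unless it is None) whose decoded query
    string carries shell metacharacters. Decoding twice also catches double-encoded input."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, when, _method, target, status, _size, _referer, agent = m.groups()
        if app_prefix and not target.startswith(app_prefix):
            continue
        query = target.partition("?")[2]
        chars = sorted(set(META_RE.findall(unquote(unquote(query)))))
        if chars:
            hits.append({"src": src, "time": when, "target": target,
                         "status": status, "agent": agent, "meta": chars})
    return hits


if __name__ == "__main__":
    for h in find_shell_connections(NETSTAT_SAMPLE, PS_SAMPLE):
        print("pid %(pid)d %(cmdline)s -> %(remote)s (%(state)s)" % h)
    for h in find_injection_attempts(ACCESS_LOG_SAMPLE):
        print("%(time)s %(src)s %(target)s metachars=%(meta)s" % h)
```

Run as-is it reports the four sh -i processes and the one constructed /cacti/ request; on a live box feed it the real netstat, ps and access_log output instead of the samples. One thing worth noticing in Jason's listing: ps shows the four processes as sh -i while top shows them as perl. ps prints /proc/PID/cmdline, which a script can rewrite for itself (Perl does this when it assigns to $0), while top's default COMMAND column is the kernel's short comm name, which is not necessarily updated by that. Comparing /proc/PID/comm with /proc/PID/cmdline and looking at /proc/PID/exe and /proc/PID/cwd tells you what is really running and from where before the box is rebuilt.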