Re: apache compromised to send spam, need way to check file access
From: Ohmster (notareal_at_emailaddress.com)
Date: 04/25/05
- Next message: Ohmster: "Re: apache compromised to send spam, need way to check file access"
- Previous message: Ohmster: "Re: apache compromised to send spam, need way to check file access"
- In reply to: Newsbox: "Re: apache compromised to send spam, need way to check file access"
- Next in thread: Ohmster: "Re: apache compromised to send spam, need way to check file access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 25 Apr 2005 12:21:48 GMT
Newsbox <nospam_for_me_please@thanks.invalid> wrote in
news:3MadnU0a2YcmDPHfRVn-hA@acadia.net:
> Jem is a smart guy who has helped me more than once before (and right
> here!) What he says has value.
Yeah no kidding, his advice was very valuable, I am writing it on the
wall so as not to forget it, or at least will print it and tape it up.
>> Sorry, I just skimmed through your post. Remember that you really
>> can't trust any tools you use (even as root) on a compromised host.
Not really sure this is a compromised host, just a form mail or other
apache spam email exploit. No evidence of being compromised, other than
that.
>
> It is regrettable that you find yourself in this predicament. Please
> don't let it happen to you again. As complex as your requirements
> are, you should be using an IDS like tripwire, for early alerts for
> intrusions. That's 20/20 hindsight, but probably too late and not what
> you need most right now.
>
> http://www.tripwire.org/
I have tripwire installed, I used to get email from it every day, long as
hell emails that were very difficult to understand. That was years ago.
Tripwire is still there but I have not gotten email from it for a really
long time. Not sure what happened to it though. Will have to investigate
that. Had to put in all kinds of pass phrases for it.
[ohmster@ohmster ohmster]$ rpm -q tripwire
tripwire-2.3.1-17.2.legacy.9
>
> Get some tools that you can trust, so you can see what has really
> happened. Many would say to immediately disconnect, and they would
> have good reasons. Whether you immediately disconnect or not might be
> your own choice in the short term. As long as you don't disconnect,
> whoever may have access to your systems may continue to infect and
> restrict your efforts.
Not disconnecting immediately, but will keep a very close eye on it and
stop services or connection if more evidence reveals an actual threat,
other than spam email from apache. Not taking this lightly though, will
really watch it for mal activity.
>
> Often, the best immediate forensic response is to boot from a "read
> only" OS like Knoppix (CD-ROM).
>
> www.knoppix.org
Have it, used it to copy both the / hard drive with swap and boot
partitions over to a larger one and the /home drive to a larger one.
Actually copied the drives with ghost and then used knoppix to boot and
mount the new / drive, mount it, chroot it, and then reinstalled grub on
it. Worked very well. Good stuff that knoppix.
>
> http://cart.cheapbytes.com/cgi-bin/cart/scan/mp=category/se=502/tf=title.html?id=en9NQIQV
>
>> But I would be tempted to try using 'lsof' (install it if you don't
>> already have it) to see what files are currently in use. As the web
>> server fetches files, they will be visible by lsof in real-time.
Yeah yeah, this for sure. Will be learning a lot about lsof now and how
to see what apache is doing and how to watch it.
>
> If you cannot promptly control this, then please disconnect. I wish
> you well and good luck.
Taking control, thank you for your advice and for your help.
-- ~Ohmster ohmster at newsguy dot com
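An added example, written for this archive page and not code from Ohmster, Newsbox or Jem: a small shell script that applies Jem's lsof suggestion the way a defender would use it on a box that is suddenly relaying spam through the web server. It pulls the open files and sockets of the Apache worker processes (assumed to be named httpd or apache2) and flags the two patterns worth a close look in that situation: files being written under /tmp or /var/tmp, and outbound TCP connections to port 25. The lsof output embedded in the script is constructed sample data so the parsing can be tried offline; the live collection function uses the real lsof options -n, -P and -c.

```shell
#!/bin/sh
# Added example (not from the thread): watch what the Apache workers hold
# open, as Jem suggested with lsof, and flag the entries that matter most
# when the server is being used to send spam.

# Live collection: lsof output for processes whose command name starts
# with httpd or apache2 (assumption: that is what the worker is called).
# -n and -P keep addresses and ports numeric so the output is stable.
apache_lsof() {
    lsof -n -P -c httpd -c apache2 2>/dev/null
}

# Read lsof output on stdin and print one line per suspicious entry:
#   TMPWRITE <cmd> <pid> <path>   a file under /tmp or /var/tmp opened for
#                                 writing (FD column ends in w or u)
#   SMTP     <cmd> <pid> <conn>   an ESTABLISHED TCP connection whose remote
#                                 side is port 25
flag_suspicious() {
    awk '
        NR == 1 { next }                                  # skip column header
        $NF ~ /^\/(var\/)?tmp\// && $4 ~ /[wu]$/ {
            print "TMPWRITE", $1, $2, $NF; next
        }
        ($5 == "IPv4" || $5 == "IPv6") && $NF ~ /^\(ESTABLISHED\)$/ {
            if ($(NF-1) ~ /->.*:25$/) print "SMTP", $1, $2, $(NF-1)
        }
    '
}

# Poll every few seconds; Ctrl-C to stop. Only useful on a live host.
watch_apache() {
    while :; do
        date
        apache_lsof | flag_suspicious
        sleep "${1:-5}"
    done
}

# Constructed sample lsof output (not captured from a real host), shaped
# like real lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
SAMPLE_LSOF='COMMAND PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   1234 apache cwd  DIR  8,1   4096     2    /
httpd   1234 apache txt  REG  8,1   335440   8765 /usr/sbin/httpd
httpd   1234 apache 3r   REG  8,1   1024     5555 /var/www/html/index.html
httpd   1234 apache 9w   REG  8,1   8192     7777 /tmp/.x/queue.txt
httpd   1234 apache 11u  IPv4 22222 0t0      TCP  192.0.2.10:45012->203.0.113.7:25 (ESTABLISHED)
httpd   1235 apache 4u   IPv4 22223 0t0      TCP  192.0.2.10:80->198.51.100.4:51000 (ESTABLISHED)
httpd   1235 apache 5u   IPv4 22224 0t0      TCP  *:80 (LISTEN)'

# Run the filter over the constructed sample and print the flagged lines.
demo_flags() {
    printf '%s\n' "$SAMPLE_LSOF" | flag_suspicious
}

# Number of flagged lines in the sample (2: one TMPWRITE, one SMTP).
count_flags() {
    demo_flags | wc -l | tr -d ' '
}

# Stand-alone run: show the demo; pass --live to poll the real server.
if [ "${1:-}" = "--live" ]; then
    watch_apache "${2:-5}"
else
    demo_flags
fi
```

A normal Apache worker reads under its document root and talks to port 80 or 443 clients, so a worker that has a writable file under /tmp or an established connection to some remote port 25 is exactly the "what is apache doing" view the thread is after; the pid in the output is what to follow up with `ls -l /proc/PID/cwd` and the access log for that worker. As Jem also noted, the listing is only as trustworthy as the lsof binary and kernel on the host, so on a box suspected of a deeper compromise it should be cross-checked from a clean boot such as the Knoppix CD mentioned above.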