[Techtalk] Re: Server was hacked into; looking for tips on how to secure it

k.clair k at klerp.net
Mon Feb 24 11:58:28 EST 2003


A good trick to use when trying to trace processes is the --forest flag
to ps - it shows you a tree view of the processes, so you can see what
spawned what.

Interestingly enough, I had a recent hacking attempt that I think
originated with php, and the hacker ended up with a shell. Here's what
I saw from ps:

www      28205  0.0  0.0  1140  388 ?        S    Feb14   0:00 /usr/local/apache/bin/httpd
www      23593  0.0  0.0  1148  388 ?        S    Feb14   0:00  \_/usr/local/apache/bin/httpd
www       6266  0.0  0.0     0    0 ?        Z    Feb14   0:00  |   \_[shell_18070 <defunct>]
www       1864  0.0  0.0  1492  312 ?        S    Feb14   0:00  |   \_telnet
www       9439  0.0  0.0  1484  312 ?        S    Feb14   0:00  \_telnet

Then looking in /proc for those processes, I saw that the current
working directory was a directory where one of our users had files for
a php program.  lsof for the process also listed the php directory.


- The only thing that could have been used was PostNuke, and most of the
- modules were not available (although someone who knew PostNuke well could
- have accessed them with a URL).  But since I found other processes in ps
- including one run as root, I suspect if anything they used the Web server to
- get a shell on my computer rather than using PostNuke to send mail.

### my gpg key can be found here:
lynx --dump --source http://www.klerp.net/gpgkey | gpg import
Key fingerprint = 6B2F AB26 A8A9 DE4D 91FD  8E93 7A6B 387A 2795 714B
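The process-tree check described in the message, written out as a small script; this is an added example, not code from the original post. It assumes the web-server account is `www` and its binary is named `httpd`, and the sample table of PIDs and parent PIDs is constructed to mirror the ps output quoted above.

```shell
#!/bin/sh
# Flag processes owned by the web-server account whose parent is httpd but
# which are not httpd themselves (the telnet / shell children seen above).
# Assumed names; override via the environment if your setup differs.
WEB_USER="${WEB_USER:-www}"
WEB_COMM="${WEB_COMM:-httpd}"

# Reads "user pid ppid comm" lines on stdin (the format printed by
# `ps -eo user=,pid=,ppid=,comm=`) and prints "pid comm ppid" for each
# process that is owned by WEB_USER, is not WEB_COMM, and was spawned by a
# WEB_COMM process.
flag_unexpected_children() {
    awk -v user="$WEB_USER" -v web="$WEB_COMM" '
        { u[$2] = $1; pp[$2] = $3; c[$2] = $4 }
        END {
            for (p in c)
                if (u[p] == user && c[p] != web && (pp[p] in c) && c[pp[p]] == web)
                    printf "%s %s %s\n", p, c[p], pp[p]
        }' | sort -n
}

# The /proc inspection from the post: where does the process run, and
# which binary is it really?  Works only on a live Linux system.
describe_pid() {
    pid="$1"
    printf 'pid %s cwd=%s exe=%s\n' "$pid" \
        "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
}

# Examine the current process table.
scan_live() {
    ps -eo user=,pid=,ppid=,comm= | flag_unexpected_children |
    while read -r pid comm ppid; do
        echo "suspicious: $comm (pid $pid) spawned by $WEB_COMM pid $ppid"
        describe_pid "$pid"
    done
}

# Constructed sample: parent/child links inferred from the quoted ps --forest tree.
SAMPLE='www 28205 1 httpd
www 23593 28205 httpd
www 6266 23593 shell_18070
www 1864 23593 telnet
www 9439 28205 telnet
root 1 0 init
www 30001 23593 httpd'

if [ "${1:-}" = "--live" ]; then scan_live
else printf '%s\n' "$SAMPLE" | flag_unexpected_children; fi
```

Run with `--live` on the suspect host to check the real process table; without arguments it runs against the constructed sample only.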