[Techtalk] Re: Server was hacked into; looking for tips on how to secure it
k.clair
k at klerp.net
Mon Feb 24 11:58:28 EST 2003
Hello...
A good trick to use when trying to trace processes is the --forest flag
to ps - it shows you a tree view of the processes, so you can see what
spawned what.
Interestingly enough, I had a recent hacking attempt that I think
originated with php, and the hacker ended up with a shell. Here's what
I saw from ps:
www 28205 0.0 0.0 1140 388 ? S Feb14 0:00 /usr/local/apache/bin/httpd
www 23593 0.0 0.0 1148 388 ? S Feb14 0:00 \_/usr/local/apache/bin/httpd
www 6266 0.0 0.0 0 0 ? Z Feb14 0:00 | \_[shell_18070 <defunct>]
www 1864 0.0 0.0 1492 312 ? S Feb14 0:00 | \_telnet
www 9439 0.0 0.0 1484 312 ? S Feb14 0:00 \_telnet
Then looking in /proc for those processes, I saw that the current
working directory was a directory where one of our users had files for
a php program. lsof for the process also listed the php directory.
kristina
>
> The only thing that could have been used was PostNuke, and most of the
> modules were not available (although someone who knew PostNuke well could
> have accessed them with a URL). But since I found other processes in ps
> including one run as root, I suspect if anything they used the Web server to
> get a shell on my computer rather than using PostNuke to send mail.
>
### my gpg key can be found here:
http://www.klerp.net/gpgkey
lynx --dump --source http://www.klerp.net/gpgkey | gpg --import
Key fingerprint = 6B2F AB26 A8A9 DE4D 91FD 8E93 7A6B 387A 2795 714B
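The check Kristina describes above (look at the process tree, notice that the web server has spawned things it has no business spawning, then look at /proc for each of them) can be scripted. The following is an added example, not code from the original post: it parses the flat `ps -eo pid,ppid,user,stat,comm` layout (the sample below is constructed to mirror the processes in the post), rebuilds the tree that `ps --forest` draws, flags any child of httpd that is not itself httpd, and reads cwd, exe and PPid from /proc for a given pid. The function names, the `SAMPLE_PS` text and the choice of `httpd` as the server name are this example's own assumptions.

```python
"""Find unexpected children of the web server and inspect them via /proc.
Added example, not from the original mailing-list post."""
import os
import re
from collections import defaultdict

# Constructed sample in `ps -eo pid,ppid,user,stat,comm` layout, mirroring the
# processes shown in the post (httpd children named telnet and shell_18070).
SAMPLE_PS = """\
  PID  PPID USER     STAT COMMAND
28205     1 www      S    httpd
23593 28205 www      S    httpd
 6266 23593 www      Z    shell_18070
 1864 23593 www      S    telnet
 9439 28205 www      S    telnet
"""

def parse_ps(text):
    """Parse the flat ps layout above into {pid: {"ppid", "user", "stat", "comm"}}."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        pid, ppid, user, stat, comm = fields
        procs[int(pid)] = {"ppid": int(ppid), "user": user, "stat": stat, "comm": comm}
    return procs

def children_of(procs):
    """Map each pid to the list of pids that name it as parent."""
    kids = defaultdict(list)
    for pid, p in procs.items():
        kids[p["ppid"]].append(pid)
    return kids

def render_forest(procs):
    """Return a ps --forest style tree; roots are pids whose parent is not listed."""
    kids = children_of(procs)
    lines = []

    def walk(pid, depth):
        p = procs[pid]
        indent = "    " * depth + ("\\_ " if depth else "")
        lines.append(f"{pid:>6} {p['user']:<8} {p['stat']:<4} {indent}{p['comm']}")
        for child in sorted(kids[pid]):
            walk(child, depth + 1)

    for pid in sorted(procs):
        if procs[pid]["ppid"] not in procs:
            walk(pid, 0)
    return "\n".join(lines)

def unexpected_children(procs, server_comm="httpd"):
    """Processes whose parent is the web server but which are not the server itself.
    A listener like httpd should only fork copies of itself; anything else
    (a shell, telnet, a defunct zombie with an odd name) deserves a closer look."""
    flagged = []
    for pid in sorted(procs):
        p = procs[pid]
        parent = procs.get(p["ppid"])
        if parent and parent["comm"] == server_comm and p["comm"] != server_comm:
            flagged.append((pid, p["comm"], p["ppid"], p["stat"]))
    return flagged

def inspect_proc(pid):
    """Read cwd, exe and PPid of a live process from /proc (Linux). Fields that
    cannot be read (process gone, not enough privilege, not Linux) come back as None."""
    base = f"/proc/{pid}"
    info = {"cwd": None, "exe": None, "ppid": None}
    for key in ("cwd", "exe"):
        try:
            info[key] = os.readlink(f"{base}/{key}")
        except OSError:
            pass
    try:
        with open(f"{base}/status") as fh:
            m = re.search(r"^PPid:\s*(\d+)", fh.read(), re.M)
            info["ppid"] = int(m.group(1)) if m else None
    except OSError:
        pass
    return info

if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print(render_forest(procs))
    for pid, comm, ppid, stat in unexpected_children(procs):
        print(f"suspicious: pid {pid} ({comm}, state {stat}) spawned by httpd pid {ppid}")
    # On a real box you would feed the flagged pids to inspect_proc; here we look at ourselves.
    print("self:", inspect_proc(os.getpid()))
```

On a live system, replace `SAMPLE_PS` with the output of `ps -eo pid,ppid,user,stat,comm` and pass each flagged pid to `inspect_proc`; a cwd sitting inside a user's php directory, as in the post, is exactly the kind of detail this surfaces. Zombies (state Z) keep their PPid but have no cwd or exe link left to read, so expect None for those.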