Hacked again :-( (Apache Web Server forums, Web Server and Related Forums)
Every few days my server is hacked via apache and I don't know how they get in. For some background information, see my post from the 26/07.

This time I got a bit more information. I ran the lsof command to see what files are open.

Somehow the hackers get a file on my system which they are able to execute. The file is called bd.zip.

Here is the interesting information from lsof:

    bd.zip 21333 wwwrun cwd DIR 3,3 584 2 /
    bd.zip 21333 wwwrun rtd DIR 3,3 584 2 /
    bd.zip 21333 wwwrun txt REG 3,3 17318 74028 /var/tmp/bd.zip
    bd.zip 21333 wwwrun mem REG 3,3 112347 6827 /lib/ld-2.3.2.so
    bd.zip 21333 wwwrun mem REG 3,3 569145 46312 /usr/lib/GL/libGL.so.1.2
    bd.zip 21333 wwwrun mem REG 3,3 1461208 6824 /lib/i686/libc.so.6
    bd.zip 21333 wwwrun mem REG 3,3 80714 6826 /lib/i686/libpthread.so.0
    bd.zip 21333 wwwrun mem REG 3,3 66876 16463 /usr/X11R6/lib/libXext.so.6.4
    bd.zip 21333 wwwrun mem REG 3,3 1121082 16453 /usr/X11R6/lib/libX11.so.6.2
    bd.zip 21333 wwwrun mem REG 3,3 13625 6836 /lib/libdl.so.2
    bd.zip 21333 wwwrun 0u CHR 1,3 26298 /dev/null
    bd.zip 21333 wwwrun 1u CHR 1,3 26298 /dev/null
    bd.zip 21333 wwwrun 2u CHR 1,3 26298 /dev/null
    bd.zip 21333 wwwrun 3u IPv4 340065 TCP *:19375 (LISTEN)
    bd.zip 21333 wwwrun 8u unix 0xc9d33040 128398 socket
    bd.zip 21333 wwwrun 15w REG 3,3 108244 74043 /var/log/httpd/error_log

Looks like it is listening for further commands on port 19375. Thankfully my router's firewall is stopping them.

Any ideas on how they are getting in?
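An added example, not part of the thread: a small Python script that parses lsof output like the listing above and flags processes running as the web-server account whose executable lives in a world-writable directory, or that listen on a port Apache has no business serving. The web-user names, the expected ports and the benign httpd lines are assumptions; the bd.zip lines are taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample: bd.zip lines from the post plus an assumed benign httpd process.
SAMPLE_LSOF = """\
httpd 1010 wwwrun txt REG 3,3 326272 50112 /usr/sbin/httpd2-prefork
httpd 1010 wwwrun 3u IPv4 12345 TCP *:80 (LISTEN)
bd.zip 21333 wwwrun cwd DIR 3,3 584 2 /
bd.zip 21333 wwwrun txt REG 3,3 17318 74028 /var/tmp/bd.zip
bd.zip 21333 wwwrun 0u CHR 1,3 26298 /dev/null
bd.zip 21333 wwwrun 3u IPv4 340065 TCP *:19375 (LISTEN)
bd.zip 21333 wwwrun 15w REG 3,3 108244 74043 /var/log/httpd/error_log
"""

WEB_USERS = {"wwwrun", "www-data", "apache"}   # assumed web-server accounts
EXPECTED_PORTS = {80, 443}                      # assumed ports Apache may listen on
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
LISTEN_RE = re.compile(r":(\d+) \(LISTEN\)$")   # needs numeric ports (lsof -P)

def parse_lsof(text):
    """Group lsof lines by PID: {pid: {"cmd", "user", "txt", "ports"}}."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 4)  # COMMAND PID USER FD, rest = TYPE DEVICE SIZE NODE NAME
        if len(parts) < 5 or parts[0] == "COMMAND":
            continue
        cmd, pid, user, fd, rest = parts
        p = procs.setdefault(int(pid), {"cmd": cmd, "user": user, "txt": None, "ports": set()})
        if fd == "txt":                      # executable image the process was started from
            p["txt"] = rest.split()[-1]
        m = LISTEN_RE.search(rest)           # e.g. "IPv4 340065 TCP *:19375 (LISTEN)"
        if m:
            p["ports"].add(int(m.group(1)))
    return procs

def suspicious(procs):
    """Return {pid: [reasons]} for web-user processes that look like a planted backdoor."""
    findings = defaultdict(list)
    for pid, p in procs.items():
        if p["user"] not in WEB_USERS:
            continue
        if p["txt"] and p["txt"].startswith(WRITABLE_DIRS):
            findings[pid].append(f"executable in world-writable dir: {p['txt']}")
        for port in sorted(p["ports"] - EXPECTED_PORTS):
            findings[pid].append(f"unexpected listener on TCP port {port}")
    return dict(findings)

if __name__ == "__main__":
    for pid, reasons in suspicious(parse_lsof(SAMPLE_LSOF)).items():
        print(pid, "; ".join(reasons))
```

On a live host, feed the output of `lsof -n -P` to parse_lsof instead of the sample; a hit like the one above is a signal to follow the reinstall advice further down the thread rather than to clean up the single file.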
Obviously the first thing to do is upgrade Apache to the latest version. What version are you running at present?

"Dan Eskildsen" <danes@image.dk> wrote in message news:cea8pi$2pm$1@news.cybercity.dk...
> Every few days my server is hacked via apache and I don't know how they get
> in.
> For some background information is my post from the 26/07
>
> This time I got a bit more information. I ran the lsof command to see what
> files are open.
>
> Somehow the hackers get a file on my system which they are able to execute.
> The file is called bd.zip
>
> Here is the interesting information lsof:
>
> bd.zip 21333 wwwrun cwd DIR 3,3 584 2 /
> bd.zip 21333 wwwrun rtd DIR 3,3 584 2 /
> bd.zip 21333 wwwrun txt REG 3,3 17318 74028 /var/tmp/bd.zip
> bd.zip 21333 wwwrun mem REG 3,3 112347 6827 /lib/ld-2.3.2.so
> bd.zip 21333 wwwrun mem REG 3,3 569145 46312 /usr/lib/GL/libGL.so.1.2
> bd.zip 21333 wwwrun mem REG 3,3 1461208 6824 /lib/i686/libc.so.6
> bd.zip 21333 wwwrun mem REG 3,3 80714 6826 /lib/i686/libpthread.so.0
> bd.zip 21333 wwwrun mem REG 3,3 66876 16463 /usr/X11R6/lib/libXext.so.6.4
> bd.zip 21333 wwwrun mem REG 3,3 1121082 16453 /usr/X11R6/lib/libX11.so.6.2
> bd.zip 21333 wwwrun mem REG 3,3 13625 6836 /lib/libdl.so.2
> bd.zip 21333 wwwrun 0u CHR 1,3 26298 /dev/null
> bd.zip 21333 wwwrun 1u CHR 1,3 26298 /dev/null
> bd.zip 21333 wwwrun 2u CHR 1,3 26298 /dev/null
> bd.zip 21333 wwwrun 3u IPv4 340065 TCP *:19375 (LISTEN)
> bd.zip 21333 wwwrun 8u unix 0xc9d33040 128398 socket
> bd.zip 21333 wwwrun 15w REG 3,3 108244 74043 /var/log/httpd/error_log
>
> Looks like it is listening for further command on port 19375. Thankfully my
> router's firewall is stopping them.
>
> Any ideas on how they are getting in?
Dan Eskildsen wrote:
> Every few days my server is hacked via apache and I don't know how they get
> in.

I don't know how they got in in the first place, but once a system has been compromised, you cannot know what backdoors have been set up. Your best bet is to completely reinstall everything from the OS up from known clean disks. BTDT. It sucks but it is the only way to be sure they can't come back again. After reinstalling the OS, make sure you have all of the latest software and security fixes.

-- 
Stan McCann "Uncle Pirate"
Webmaster/Computer Center Manager, NMSU at Alamogordo
Coordinator, Tularosa Basin Chapter, ABATE of NM AMA#758681
'94 1500 Vulcan (now wrecked) :( http://motorcyclefun.org/Dcp_2068c.jpg
A zest for living must include a willingness to die. - R.A. Heinlein