This is a discussion on apache compromised to send spam, need way to check file access within the Linux Security forums, part of the System Security and Security Related category.

Ohmster <notareal@emailaddress.com> writes:

> "Dave {Reply Address in.sig}" <noone$$@llondel.org> wrote in
> Yeah. Tried that yesterday but I cannot figure out how to grep the output
> of "cat *" in /var/log/httpd or at least each set of logs at a time such
> as "grep access*" and then filter out specifically for .pl, .cgi, or
> .php. Just using the letters gave me far too much irrelevant output,
> these logs are freaking huge and there are lots of them. Trying to grep
> with the . such as .pl did not seem to work. There must be a better
> way...

grep '\.pl' nameoffile

. in a regexp means any letter. So to get . itself it needs to be
escaped. But you need to protect the escape from the shell or it will
interpret the \ first, thus the single quotes.

> Don't believe the machine has been compromised as no evidence of it,
> other than apache spamming the public now and apache would do this with

"There is no evidence the man is dead except his heart is not beating".

> any one of several files it can use in the www roots to email with? Wish
> there were more evidence in the mails as to what file or file(s) are
> doing this. Have to watch this now more closely. Have not totally ruled
> out a compromised host, will watch very closely, not taking your advice
> lightly. If you have anymore suggestions, please feel free to express
> them, I am watching.

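The log search the thread is after, as an added example that is not from any of the posters: instead of grepping the raw access logs, pull out only the requests whose path ends in .pl, .cgi or .php and count them per script and per client, so the script a spammer keeps hitting rises to the top. The log lines are constructed sample data in Apache combined format; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: pull the requests that hit server-side
# scripts (.pl, .cgi, .php) out of Apache access logs and summarise them per
# script and per client, instead of eyeballing raw "grep" output.
# The log lines below are constructed sample data in Apache combined format.
SAMPLE_LOG='192.0.2.10 - - [25/Apr/2005:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [25/Apr/2005:03:14:09 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Apr/2005:03:15:22 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312 "-" "-"
198.51.100.7 - - [25/Apr/2005:03:15:23 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312 "-" "-"
198.51.100.7 - - [25/Apr/2005:03:15:25 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312 "-" "-"
203.0.113.4 - - [25/Apr/2005:04:02:10 +0000] "GET /guestbook.php?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.4 - - [25/Apr/2005:04:02:11 +0000] "GET /pluginfile.pl HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Apr/2005:04:03:00 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/4.0"'

# Filter: drop any query string, then keep only lines whose path ends in
# .pl/.cgi/.php. The dot is escaped so it matches a literal "." and not any
# character, and the single quotes keep the shell from eating the backslash.
script_paths_only() {
    sed 's/?[^ ]*$//' | grep -E '\.(pl|cgi|php)$'
}

# Read a log on stdin; print "count path", most requested script first.
script_hits() {
    awk '{ print $7 }' | script_paths_only | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Read a log on stdin; print "count client path", so one client driving a
# single script many times (the pattern of a form-mail script being abused
# to relay spam) stands out at the top.
script_hits_by_client() {
    awk '{ print $1, $7 }' | script_paths_only | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2, $3 }'
}

# Run the summaries over the constructed sample. On a real box the input
# would be e.g.   cat /var/log/httpd/access_log* | script_hits
demo_top_script() {
    printf '%s\n' "$SAMPLE_LOG" | script_hits | head -n 1
}
demo_top_client() {
    printf '%s\n' "$SAMPLE_LOG" | script_hits_by_client | head -n 1
}
```

Rotated logs compressed by logrotate can be fed the same way with zcat; the summary is only a pointer to which script to read, not proof that it is the one sending mail.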
Ohmster wrote:

> First of all, I am not a linux expert. I have done linux for a few years
> and have managed to get a successful server/gateway/firewall with samba

I took the liberty of running a scan against www.ohmster.com.

You need a firewall as you have a load of ports open and a lot of
vulnerabilities in the exposed applications.

In my opinion, a rogue perl script is the least of your problems on this
machine.

Drop me an email to mike AT michaelmoyse.co.uk and I'll send you a PDF of
the report. It lists what you need to do to fix the problems.

On Mon, 25 Apr 2005 12:57:33 +0000, Ohmster wrote:

> Newsbox <nospam_for_me_please@thanks.invalid> wrote in
> news:3MadnU0a2YcmDPHfRVn-hA@acadia.net:
>
>> http://www.tripwire.org/
>
> Tripwire is still in the cron queue as per webmin. It runs every day at 4
> in the morning. Wonder why it does not email me anymore? Will have to
> investigate this further. I have not gotten any tripwire mails in a long,
> long time, close to two years, I bet. Hard to understand them, maybe I
> became complacent. Need to figure this out, saving all posts for future
> review and to do that I say I will do. Thank you, Newsbox.

Don't worry about Tripwire right now. Put it right at the bottom of your
list and don't come back to it until you have your other issues resolved.
Tripwire is indeed difficult to use; it absorbs resources and time (time
that you need now for other things). At best, it will tell you that there
has been an intrusion, -- *after* *the* *fact*.

Running tripwire now will be less than useful. It needs to be first run on
a known good system which yours is not. When you are back to a known good
system ask a separate question about tripwire, with particular interest in
the value of running it as a cron job. I'm sure you will get good answers.

For the moment, forget about tripwire completely and concentrate on your
other issues.

Best wishes.

Newsbox <nospam_for_me_please@thanks.invalid> wrote in
news:XcKdnfTpjYL4zvDfRVn-oQ@acadia.net:

> Don't worry about Tripwire right now. Put it right at the bottom of
> your list and don't come back to it until you have your other issues
> resolved. Tripwire is indeed difficult to use; it absorbs resources
> and time (time that you need now for other things). At best, it will
> tell you that there has been an intrusion, -- *after* *the* *fact*.
> Running tripwire now will be less than useful. It needs to be first
> run on a known good system which yours is not. When you are back to a
> known good system ask a separate question about tripwire, with
> particular interest in the value of running it as a cron job. I'm
> sure you will get good answers. For the moment, forget about tripwire
> completely and concentrate on your other issues.
>
> Best wishes.

Couldn't agree more, Newsbox. Tripwire might be a really good blueprint tool
where you can see all of the original files, and it sure did list them, all
of them, over a meg of pure text in each mail, when you install it. Then you
get a report every day on what, if anything, changed, and there are severity
levels for each particular class of files. This is not going to help me now,
will worry about it when the box is secured.

I actually did not mind not getting the tripwire emails as they were huge
text files, listing every darned file on the system. What good is this? I
would have preferred a summary, nothing changed, suid on such and such
changed, temp files changed (who cares?), etc. This massive list of paths and
files every single day was pretty dreary. Anyway, will fix it later, see ya
Newsbox and thanks.

--
~Ohmster
ohmster at newsguy dot com

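The two points made about Tripwire above, that the baseline has to be taken on a known-good system and that a useful report lists only what changed (including suid bits), as an added example that is not from the thread or from Tripwire itself: a minimal snapshot-and-compare in shell. The tree is constructed under a temporary directory, GNU coreutils (sha256sum, stat -c) is assumed, and all function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: the smallest version of what the posts
# describe Tripwire doing. Take a baseline (checksum + mode per file) once on a
# known-good tree, then report only what differs, not every file on the system.
# The tree below is constructed under a temporary directory; GNU coreutils assumed.

# Print "sha256 mode path" for every regular file under $1, paths relative to $1.
snapshot() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c %a "$f")" "$f"
    done )
}

# Compare baseline $1 with a later snapshot $2; one line per difference, sorted.
# (Paths are the third whitespace-separated field, so paths with spaces are not handled.)
compare_snapshots() {
    awk '
        FILENAME == ARGV[1] { base_sum[$3] = $1; base_mode[$3] = $2; next }
        {
            seen[$3] = 1
            if (!($3 in base_sum))         print "ADDED   " $3
            else if (base_sum[$3] != $1)   print "CHANGED " $3
            else if (base_mode[$3] != $2)  print "MODE    " $3 " " base_mode[$3] " -> " $2
        }
        END { for (p in base_sum) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Build a small tree, baseline it while it is known-good, tamper with it, and
# print the differences. Only the four changed files appear in the report.
demo_changes() {
    d=$(mktemp -d) && mkdir "$d/cgi-bin"
    printf 'hi\n' > "$d/index.html"
    printf 'x\n' > "$d/about.html" && chmod 644 "$d/about.html"
    printf '#!/usr/bin/perl\n' > "$d/cgi-bin/form.pl" && chmod 755 "$d/cgi-bin/form.pl"
    snapshot "$d" > "$d.base"                        # baseline: tree is known-good here
    printf '# tampered\n' >> "$d/cgi-bin/form.pl"    # script content altered
    chmod 4644 "$d/about.html"                       # setuid bit set, content unchanged
    rm "$d/index.html"                               # file removed
    printf '<?php\n' > "$d/new.php"                  # file added
    snapshot "$d" > "$d.now"
    compare_snapshots "$d.base" "$d.now"
    rm -rf "$d" "$d.base" "$d.now"
}
```

A baseline taken after a compromise simply records the attacker's files as normal, which is why the post says to come back to this once the box is known-good; keep the baseline file off the monitored host.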
Mike <honey@michaelmoyse.co.uk> wrote in
news:X_adnbpNZ_SmqPDfRVnyvw@pipex.net:

> I took the liberty of running a scan against www.ohmster.com.
>
> You need a firewall as you have a load of ports open and a lot of
> vulnerabilities in the exposed applications.
>
> In my opinion, a rogue perl script is the least of your problems on this
> machine.
>
> Drop me an email to mike AT michaelmoyse.co.uk and I'll send you a PDF
> of the report. It lists what you need to do to fix the problems.

Oooohh... this is bad. Okay Mike, I have and use firestarter firewall
because it was pretty easy to install and setup. Got me NAT'ed and online
quickly. Was supposed to only open service ports that were needed at the
time. Of course, I have not messed with it since, other than to forward a
few ports to my XP machine for p2p and gaming. I also enabled network UPnP
for Windows Messenger and run upnpd to enable that network universal plug
and play stuff and do whatever it is that it does for Messenger.

Agreed that the machine is old now and out of date for security. I do have
fedoralegacy for my apt.sources and did a major upgrade with apt-get a
couple of months ago. Got close to 80 packages that way, only one I really
did not want, the rp-pppoe package. I have rp-pppoe-3.5-1 installed and when
I tried 3.5-2 years ago, it simply did not work, at all and had to downgrade
back to 3.5-1 again. Forgot all about that and after the apt upgrade from
fedoralegacy, I lost the net again and the wife was pissed because it took
me hours to figure it out and remember about the rp-pppoe package again.

So what did you find? Detailed analysis would be appreciated, suggestions,
or recommendations too of course. Thank you for your time and for your
help, Mike. You got the right machine. I still have to find the source of
this email spam from apache and will be working on that unless you come up
with something of a higher priority. Email sent and anxiously awaiting your
reply. Thanks buddy.

--
~Ohmster
ohmster at newsguy dot com

Unruh <unruh-spam@physics.ubc.ca> wrote in
news:d4is7t$ccr$1@nntp.itservices.ubc.ca:

> grep '\.pl' nameoffile
>
> . in a regexp means any letter. So to get . itself it needs to be
> escaped. But you need to protect the escape from the shell or it will
> interpret the \ first, thus the single quotes.
>
>> Don't believe the machine has been compromised as no evidence of it,
>> other than apache spamming the public now and apache would do this
>> with
>
> "There is no evidence the man is dead except his heart is not
> beating".

Hey Unruh,

Oh I cannot understand regex to save my life but sure wish I did. A
reference table for it would be a gift from the Gods, if there were such a
thing. Okay, I have your grepping instructions and will be getting to work
in this, this evening. This should make the task a little less daunting.

The heartbeat. Heh, yeah well, I have not ruled out a totally compromised
system but have to confirm that first, will do a rootkit on it, someone in
the sendmail group sent me some info on that. I will hold off on that
judgment until the results are in, meanwhile off to find the rogue apache
file(s). No doubt a total distro upgrade would work wonders here but it is
not in the cards for the next several months.

Thank you my friend. Saving these posts for further review and reference.
Will also post back for more questions as I get closer, and of course to
announce any success with thanks for everyone that helped. Cheers mate.

--
~Ohmster
ohmster at newsguy dot com

On Mon, 25 Apr 2005 22:59:25 GMT,
Ohmster (notareal@emailaddress.com) wrote:

> Hey Unruh,
>
> Oh I cannot understand regex to save my life but sure wish I did. A
> reference table for it would be a gift from the Gods, if there were such
> a thing. Okay, I have your grepping instructions and will be getting to
> work in this, this evening. This should make the task a little less
> daunting.

Try `apropos regular expressions`, and then `man 7 regex`

Beverly

--
Many a smale maketh a grate -- Geoffrey Chaucer

"Bev A. Kupf" <bevakupf@myhome.net> wrote in
news:slrnd6qtv9.h0s.bevakupf@myhome.net:

> Try `apropos regular expressions`, and then `man 7 regex`
>
> Beverly

Oh that is quite useful. Thanks Bev.

--
~Ohmster
ohmster at newsguy dot com