Good try, script kiddies
I had problems sending out email over the weekend and couldn’t figure it out. I was getting email but discovered that outbound was getting relay refused by my smarthost. They had disabled me because they claimed I was an open relay. I knew that wasn’t right. I started poking around in my logs and found a whole bunch of outbound emails to random addresses but nothing inbound that I was relaying. Everything seemed to be coming from inside my machine.
Hmmm. Weird. I was pretty sure I hadn’t been spamming the world. I looked and everything was being sent by my apache user. Ok, not good. I couldn’t figure out why it was doing this. I had no formmail or any other way to email me, or anyone else, from my site. I started digging in logs and found some very interesting lines in my apache2 error log. They were very long and were calling a page on my site I didn’t even remember having. Reading the lines I realized that they were exploiting a security hole in a piece of software I had forgotten I’d even installed. It was ages ago. I installed it, didn’t like it and removed it. When I had the hard drive crash last year I had restored from backup and apparently restored this file too.
First thing, move that file elsewhere until we figure out what’s going on. The exploit was rather ingenious. It could get my apache user to execute any code they felt like. This is where it gets funny. They’d get it to go out to a remote site and download a rootkit. Usually not a good thing. Then they’d command apache to run the exploit on my machine to give them root access so they could take over the box. Well, this is where they ran into problems. They’d try over and over to run their kit and it wasn’t seeming to work. Script kiddies aren’t that bright it seems. Here’s the ‘file’ output of one of their programs:
tony@www /tmp/hack $ file xxxxx
xxxxx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped
Here’s the ‘file’ output of one of the programs on my machine:
tony@www /tmp/hack $ file /usr/bin/w
/usr/bin/w: ELF 32-bit MSB executable, SPARC32PLUS, V8+ Required, version 1 (SYSV), for GNU/Linux 2.4.1, dynamically linked (uses shared libs), stripped
Any 1/2way smart sysadmin will see there’s a big problem when it comes to running their code on my machine. Yeah, mine’s a Linux box but it’s not your average run-of-the-mill Linux box. Their code would never run on my machine. They tried dozens of times to get it to run and I’m sure pulled their hair out wondering why it wasn’t working. They left all kinds of rootkit toys in my tmp directory too. Thanks, guys!
Now, one very smart person did get code to run. He got my machine to send out spam emails using a clever perl script. Unluckily for him, my smarthost clamps down hard and fast when it sees more than 1,000 messages in a short time. That he got my machine to send spam pisses me off to no end but was easily killed. It’s kind of sad that a seemingly skilled programmer is using his talent for something like cracking machines and sending spam.
Knowing that my box wasn’t fully compromised makes me feel much better though.