Looks like we got hacked…

My face is red…

My friend Sean got hacked a couple of weeks ago and I thought it was pretty funny. I saw evidence of the same hack attempts on my server, but thought I was immune.

Hah.

For about a week I’ve been noticing that a perl process owned by apache had been eating a bunch of CPU, and I just figured it was an awstats bug or something.

Then I got curious so I started poking around a bit. strace didn’t show me anything useful, but poking around in the process table showed that the cmdline for the process was /usr/sbin/apache/logins.

There is no such binary on my system.

So I stopped apache and then tried to restart it. I got an error stating that port 80 was already in use. WTF?

A little poking around showed that a process owned by apache and named ./r0nin was running. Uh-oh.

Sure enough, in /tmp was a file named r0nin dated Dec 17th! Man. That’s a pisser.

Running strings on r0nin showed this:

socket
bind
listen
PsychoPhobia Backdoor is starting…
OK, pid = %d
/dev/null
/var/tmp
HOME=%s
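The checks above (a process whose cmdline names a path that is not on disk, and a process started as ./something out of /tmp) can be automated. The following is an added example written for this post, not a tool the author used: it reads the live process table from /proc on Linux, and flags processes whose argv[0] points at a non-existent file, whose executable was deleted after launch, or which run from a scratch directory. The sample records at the bottom are constructed to mirror the three processes described in the post (httpd, the perl "logins" process, and r0nin) and are not real system output; the injectable path_exists function is an assumption made so the logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Process triage for a web host that may be running a backdoor.

Added example, not the blog's own tooling. Flags processes whose command
line names a path that does not exist, whose executable was deleted while
running, or which run out of a world-writable scratch directory.
"""
import os
import pwd
from dataclasses import dataclass

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class Proc:
    pid: int
    user: str
    cmdline: str  # space-joined argv, as shown by ps or /proc/<pid>/cmdline
    exe: str      # target of /proc/<pid>/exe; "" if it could not be read
    cwd: str      # target of /proc/<pid>/cwd; "" if it could not be read


def _under(path, directory):
    """True if path is directory itself or lies beneath it."""
    return path == directory or path.startswith(directory + "/")


def suspicious_reasons(p, path_exists=os.path.exists):
    """Return human-readable reasons this process deserves a closer look.

    path_exists is injectable so the rules can be tested against constructed
    data instead of the real filesystem (assumption for this example)."""
    reasons = []
    argv0 = p.cmdline.split()[0] if p.cmdline.strip() else ""

    # 1. argv[0] is an absolute path but nothing is there. The post's perl
    #    process claimed to be /usr/sbin/apache/logins, which did not exist.
    if argv0.startswith("/") and not path_exists(argv0):
        reasons.append(f"argv[0] {argv0!r} does not exist on disk")

    # 2. Executable removed after launch; Linux marks the exe link "(deleted)".
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable deleted from disk while running")

    # 3. Runs from, or was started relative to, a scratch directory,
    #    like ./r0nin launched from /tmp.
    in_scratch = any(_under(p.exe, d) or _under(p.cwd, d) for d in SCRATCH_DIRS)
    if argv0.startswith("./") or in_scratch:
        reasons.append(f"runs from scratch directory (cwd={p.cwd!r}, exe={p.exe!r})")

    return reasons


def triage(procs, path_exists=os.path.exists):
    """Map pid -> reasons for every process with at least one finding."""
    return {p.pid: r for p in procs if (r := suspicious_reasons(p, path_exists))}


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:
        return ""


def collect_procs():
    """Read the live process table from /proc (Linux only); skips PIDs we cannot inspect."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            uid = os.stat(base).st_uid
        except OSError:
            continue  # process exited, or we lack permission
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = str(uid)
        procs.append(Proc(int(entry), user, cmdline,
                          _readlink(f"{base}/exe"), _readlink(f"{base}/cwd")))
    return procs


# Constructed sample modelled on the post's findings; not real system output.
SAMPLE = [
    Proc(1201, "root", "/usr/sbin/httpd", "/usr/sbin/httpd", "/"),
    Proc(1388, "apache", "/usr/sbin/apache/logins", "/usr/bin/perl", "/var/tmp"),
    Proc(1402, "apache", "./r0nin", "/tmp/r0nin", "/tmp"),
]
SAMPLE_FS = {"/usr/sbin/httpd", "/usr/bin/perl", "/tmp/r0nin"}  # files "on disk"


if __name__ == "__main__":
    procs = collect_procs() if os.path.isdir("/proc") else SAMPLE
    for pid, reasons in triage(procs, os.path.exists if procs is not SAMPLE
                               else SAMPLE_FS.__contains__).items():
        print(pid, *reasons, sep="\n  ")
```

Run as root on the suspect host so /proc/<pid>/exe and cwd are readable for every process; the deleted-binary and scratch-directory rules depend on those links. Expect some noise from legitimate tools that work in /tmp, so treat each hit as a lead to confirm with strings, lsof and the package manager's file verification rather than as a verdict.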

Whoops.

Looks like the same PHP bug that bit Sean.

The RedHat ES 3 version of PHP is 4.3.2, kind of old. I was running 4.3.2-14 and the latest version is 4.3.2-26, so I upgraded. The release notes say they fixed some security holes, so I hope this plugs this one.

Guess maybe I should find a later version – maybe download the source and compile it.

I think my server is okay; I’m betting that my firewall blocked the inbound connection attempts, but maybe not, since it seemed to be trying to listen on port 80…

I’m going to have to poke around some more on the box. 🙁