On Sun, 13 Nov 2005, Jason Dewayne Clinton wrote:
On Sunday 13 November 2005 09:58 am, Matt Graham wrote:
I guess that since I even suspect that it's compromised, I should reinstall.
Yeah, your sentiments are correct. Unfortunately, you can't really say with certainty that your box is clean once it has been rooted.
Yeah, he should probably reinstall, but what evidence do we have that the box has been rooted? I think that it's more likely that the www-data user that runs apache is compromised.
Since the flow of evidence has stopped, I dug around a bit and here's what I think may be happening:
Matt is running a debian box on a local IP, so there's a router port-forwarding www, ssh, ftp and whatnot. This means that _if_ his box was compromised by the linux worm that I referred to in an earlier post, the backdoor it installs on port 7111 or 7222 isn't available to the internet at large.
The worm opens a file called /tmp/lupii. If this file is there, then the worm has got you, but the ownership of this file will tell you which user has been compromised. If Matt runs netstat -lp | grep lupii, then this will tell him if this worm has installed a listening daemon that, because of his specific setup, can essentially only listen to the wall.
The very fact that this backdoor is installed and running from /tmp tells you that this is (almost certainly) not a root exploit. Anybody can write to /tmp on most every box out there, but if you're root there are lots better places to hide things.
Since he's running debian, if he reinstalls and upgrades awstats and PHP, he should then be immune from this exploit.
Regards,
-Don
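The two checks Don describes (does /tmp/lupii exist and who owns it; is anything listening as "lupii" or on ports 7111/7222) written out as a small triage script. This is an added example, not code from the thread or from any of the posters. It assumes a Linux box with GNU coreutils and the column layout printed by net-tools' "netstat -lp"; the netstat lines embedded below are constructed for the stand-alone run, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original thread): triage checks for the
# /tmp/lupii artifact and the port 7111/7222 listener described above.
# Assumptions: Linux, GNU coreutils (ls/awk), net-tools "netstat -lp" format.

LUPII_PATH="${LUPII_PATH:-/tmp/lupii}"

# Report whether the worm's dropped file exists and who owns it.
# The owner tells you which account was compromised (www-data vs. root).
# Prints "absent" or "present owner=<user>"; exit status 0 either way.
lupii_file_status() {
    path="${1:-$LUPII_PATH}"
    if [ -e "$path" ]; then
        owner=$(ls -ld "$path" | awk '{print $3}')
        echo "present owner=$owner"
    else
        echo "absent"
    fi
}

# Read "netstat -lp"-style lines on stdin and print those that look like
# the worm's listener: a program named lupii, or a socket bound to port
# 7111 or 7222 (TCP or UDP). Exit 0 if anything matched, 1 otherwise.
# Field 4 is "Local Address" in both the TCP and UDP rows of net-tools output.
find_lupii_listeners() {
    awk '
        tolower($0) ~ /lupii/ { print; found = 1; next }
        $4 ~ /:(7111|7222)$/  { print; found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample output (not a real capture), used for the stand-alone run.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1023/apache
tcp        0      0 0.0.0.0:7111            0.0.0.0:*               LISTEN      2291/lupii
udp        0      0 0.0.0.0:7222            0.0.0.0:*                           2291/lupii'

# Stand-alone demo: scan the constructed sample, then check the real path.
# On a live box replace the sample with:  netstat -lp | find_lupii_listeners
echo "== suspicious listeners in sample =="
printf '%s\n' "$SAMPLE_NETSTAT" | find_lupii_listeners || echo "(none)"
echo "== $LUPII_PATH: $(lupii_file_status) =="
```

The port check is there because the program-name column only shows for processes you can see; running netstat as an unprivileged user hides other users' PIDs, so a bare "grep lupii" can miss the listener while the bound port still stands out.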