Tracking down source of bots with user nobody - Linux Forums

Register|FAQ|Member List|Calendar|Unanswered Posts|Forum Rules|Today's Posts|Advanced Search |

Welcome to Linux Forums! With a comprehensive Linux Forum, information on various types of Linux software and many Linux Reviews articles, we have all the knowledge you need a click away, or accessible via our knowledgeable members.

Write an article for LinuxForums Today! Win Great Prizes!

New to Linux Forums? Register here for free!

		Linux Forums > GNU Linux Zone > Linux Security > Tracking down source of bots with user nobody

Linux Security Discussion about keeping your machines secure, and the crackers out.

Site Navigation
Linux Articles
Linux Forums
Linux Downloads
Linux Hosting
Free Magazines
Job Board
IRC Chat
RSS Feeds

Linux Forum Topics
Linux Forums
Linux Forums Site News
Your Distro
Redhat / Fedora Linux Help Ubuntu Help SuSE Linux Help Mandriva Linux Help Slackware Linux Help Debian Linux Help Gentoo Linux Help Knoppix Help Forum Other Distributions
Linux Resources
Linux Tutorials, HOWTO's & Reference Material
GNU Linux Zone
Wireless Internet Linux Newbie Installation Misc Linux Applications Servers Linux Networking Peripherals / Hardware Linux Desktop / X-Windows Linux Programming & Scripting Gaming / Games / Multimedia / Entertainment Linux Security The Linux Kernel Linux On Laptops / Netbooks / Minibooks Wine Art & Imaging in Linux
The Community
The Coffee Lounge Comments / Feedback / Suggestions Everything BSD

Reply

07-02-2009	#1 (permalink)
cosmicmittens Just Joined! Join Date: Jul 2009 Posts: 10	Tracking down source of bots with user nobody I have a multiuser server that has apache running as nobody and bots using RFI exploits to drop php shells. The shells are being used to drop psybnc and other crap in /dev/shm, /tmp and /var/tmp (all as user nobody). Given the size of this server it's very difficult to find their php shells because the names are always different and find is too slow. I need to find what php script is creating the bots in the temporary directories. We have installed suPHP on some servers which helps to locate the users' webroots, but not always the files. They create the files and close the write streams fast enough that I can't lsof to their creator. Any creative solutions?

07-02-2009	#2 (permalink)
Rubberman Linux Guru Join Date: Apr 2009 Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away. Posts: 2,540	Taking this bass-ackward aren't we? First, sandbox your web server (chroot it's file system) and lockdown system directories and files. Change root password, and use SELinux and high-security encryption for system passwords. Take this server off-line until it is locked down and scrubbed of infected web pages. __________________ Sometimes, real fast is almost as good as real time.

07-02-2009	#3 (permalink)
cosmicmittens Just Joined! Join Date: Jul 2009 Posts: 10	The server runs cPanel which, so far as I know, doesn't support chrooting at the moment. The root password is changed frequently, they haven't gained root. SELinux isn't a viable option unfortunately. I can't take the server offline because there are about 300 users. We have lots of ways to prevent the shells from dropping but given the volume of accounts it will still occur no matter what measures we take. The problem I'm really having is finding the root source. Is there any hackish way to log all php execution commands?

07-02-2009	#4 (permalink)
cosmicmittens Just Joined! Join Date: Jul 2009 Posts: 10	The server runs cPanel which, so far as I know, doesn't support chrooting at the moment. The root password is changed frequently, they haven't gained root. SELinux isn't a viable option unfortunately. I can't take the server offline because there are about 300 users. We have lots of ways to prevent the shells from dropping but given the volume of accounts it will still occur no matter what measures we take. The problem I'm really having is finding the root source. Is there any hackish way to log all php execution commands? I'm able to find most r57 and c99 shells through the apache logs, still having trouble finding the obscure ones.

Reply

« Previous Thread | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts BB code is On Smilies are On [IMG] code is On HTML code is Off Trackbacks are Off Pingbacks are Off Refbacks are Off

Free Magazines

Run Your Own Web Server Using Linux & Apache - Free 191 Page Preview
Learn about everything you'll need to build and maintain your Linux servers, and to deploy Web applications to them.
subscribe

Open Source Security Myths Dispelled
Dispel the five major myths surrounding Open Source Security and gain the tools necessary to make a truly informed decision for your IT organization
subscribe

InformationWeek
InformationWeek is the only newsweekly you'll need to stay on top of the latest developments in information technology.
subscribe

All times are GMT. The time now is 11:01 AM.