Trying to figure out how server was rooted
One of my servers was rooted recently. I'm trying to figure out how, to prevent it happening again.
It's an OpenVZ virtual machine, running debian 5.0.4. Services running are:
Apache 2.2.9 with PHP/5.2.6-1 (SSL not enabled)
There's not much running on the website, other than phpmyadmin.
I discovered the compromise because some system binaries weren't working (ps, ls etc). Looks as if the attacker had installed a root kit with trojaned binaries, but they hadn't worked because it's a 64 bit machine.
After restoring these binaries, I was able to use 'find' to find all the rootkit files (by searching in uid and modified times). As well as the trojaned binaries, there was a backdoored SSH server and psybnc (irc proxy). None of these were running.
My guess is that the attacker wasn't too savvy and gave up when he found that none of this pre-compiled binaries would run on the system.
Two root-level accounts had been added to /etc/passwd. My guess is he added these when he couldn't get the rootkit SSH server to run. So not very sophisticated, plus he hadn't removed his logs from wtmp, so they were visible with 'last'.
My main worry is how he got in. If the Apache user had been compromised (say via phpmyadmin), I wouldn't be too surprised; but if he did come in via Apache, he had also found a way to gain root. Unfortunately many of the logs from the original incident have been rotated out. There was no trace of the www-data user having been the source though: no files owned by www-data in /tmp (or other locations), no sign of this user having logged in. Also, no sign of say a local root exploit script.
Having Googled around, there was rumour of a openssh exploit last summer, but can't find anything more recent. I've tried fetching the latest version of openssh, vsftp, apache via apt, but am already up to date.