[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Sun Jun 14 15:04:05 UTC 2009
Drew <drew.kay at gmail.com>

> B. Can I conclude that the attacker came through the horde framework (cmdshell.php)? The horde framework was installed from the centos repo.....!!!

> C. BUT THE WORST THING OF ALL IS THESE LINES BELOW....
>
<snip>
> 14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]


To answer B & C, I'm reasonably certain that the answer to both is
Yes. I got curious so I downloaded the file at:
http://mv.do.am/unix.tgz into a secured area of my computer. I was
surprised the hacker hasn't moved on, but it contains the files you
identified sitting in /dev/shm/unix.

It looks to me like the hacker exploited a weakness in horde's
cmdshell.php to upload the file "unix.tgz" to /dev/shm, then unpacked
it and off he/she went.

Going forward I would recommend, after doing a wipe & reinstall,
investigating putting Apache into a chroot jail and hardening php using
suhosin/hardened-php or the like. The jail will limit the damage
a hacker can do when they break in, and Suhosin will make it harder
for them to do so.


-- 
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie
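A defender-side check for the two artefacts Drew describes, the archive staged in /dev/shm and the requests for horde's cmdshell.php, added here as an example (not code from the thread). The directory and log paths, the combined log format and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for the two artefacts the
# reply describes, an archive staged in /dev/shm and requests for horde's
# cmdshell.php in the Apache access log. Assumes the "combined" log format;
# paths are parameters so the checks can run against the sample data below.

# Hex of a file's first four bytes; od is POSIX, so no dependency on file(1).
magic() { head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'; }

# Print the number of entries in a tmpfs dir (default /dev/shm) that look like
# attacker staging; each suspect is described on stderr, the count on stdout.
scan_shm() {
    dir="${1:-/dev/shm}"; n=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        why=""
        [ -d "$f" ] && why="directory"
        [ -f "$f" ] && [ -x "$f" ] && why="executable"
        case "$(magic "$f")" in
            1f8b*)    why="gzip archive" ;;
            7f454c46) why="ELF binary" ;;
        esac
        [ -n "$why" ] && { echo "SUSPECT $f ($why)" >&2; n=$((n + 1)); }
    done
    echo "$n"
}

# Print the number of requests for cmdshell.php in an Apache access log and
# list the client addresses behind them on stderr.
find_cmdshell_hits() {
    grep -i 'cmdshell\.php' "$1" | awk '{print $1}' | sort | uniq -c | sort -rn >&2
    grep -ci 'cmdshell\.php' "$1" || true
}

# Constructed sample data (not from the thread): a fake /dev/shm holding a
# gzip header named like the post's archive, an unpacked directory, a benign
# file, plus a two-line access log. Prints "<suspects> <cmdshell hits>".
demo() {
    d=$(mktemp -d)
    mkdir "$d/unix"
    printf '\037\213\010\000' > "$d/unix.tgz"
    printf 'harmless' > "$d/sem.notes"
    printf '%s\n' \
      '203.0.113.7 - - [14/Jun/2009:14:47:01 +0000] "GET /horde/cmdshell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"' \
      '198.51.100.2 - - [14/Jun/2009:14:48:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"' \
      > "$d/access_log"
    echo "$(scan_shm "$d") $(find_cmdshell_hits "$d/access_log")"
    rm -rf "$d"
}
```

Run `scan_shm` and `find_cmdshell_hits /var/log/httpd/access_log` on the live box before wiping it; the stderr listing is what you want to keep for the record.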