[lug] R00tKIT!! Raah!
bgiles at coyotesong.com
Tue Jun 14 18:08:22 MDT 2005
Michael Belanger wrote:
> Now, here is a question, can the 'apache' user install a rootkit if they
> are not root?
Our last two compromises were thru apache. One was due to an old
version of mod_ssl. The other was due to an old version of
awstats. (The former because we couldn't update an ancient
version of RH, the latter because the Debian maintainer didn't
realize he needed to issue a critical security update.)
> I fear I may need to travel out there to rebuild the server... Anyone
> know if it is possible to 'clean' the system?
The "correct" answer is no.
The "practical" answer is that there's a very real chance that the
attacker was a script kiddie who didn't exploit his success. The
bigger problem in this case is that you may have been hit by
several attackers through the same exploit and that complicates
It comes down to an informed gamble. How much will you lose if
you guess wrong and can't clean out the damage, how much will you
lose from the effort required to do a clean reinstall? Don't
forget that you have to assume that your backups are compromised.
That's not an issue if it's just data (e.g., mailboxes and
static web pages), more complicated if you have third-party
software or a lot of local programs and scripts. (BTW this is
another argument for separate partitions for server data. They
can be backed up and restored without too much concern and mounted
If you do decide to clean the system, a few good places to start
(after reinstalling a clean kernel) is to look for executable
files in /dev, /tmp and /var/tmp, check all files with the SUID
and SGID bit set and force a reinstall of procps, passwd, login
and sudo. And netstat. I'm sure others can add to that list.
Speaking of netstat - get a list of every process that's listening
(netstat -l, iirc) and then use lsof to identify the process
that's attached to that port. Make sure you understand why it's
Again, you're still hosed if you had a competent attacker. On the
other hand if it was a worm it may be better to spend a few hours
cleaning out the system than spending a few days to rebuild it.
More information about the LUG