When a server is compromised through a security hole in some PHP script, the intruder usually gets a relatively low level of access to it. That is still enough to install a PHP shell script, or to start a backdoor network daemon, a proxy server or a network scanner.
Let's see if we can find them.
The first step should be to close the security hole itself, but on a large hosting server finding the problem is not always a simple task. So the best approach is to work in parallel: locate the running backdoor or proxy, and find out as much as possible about how it was uploaded and started.
The best tool for finding open network ports is lsof ("LiSt Open Files"). In Unix everything is a file. The syntax is:
```
lsof -Pni4
  -P  - disable port number conversion
  -n  - disable IP resolution
  -i4 - match IPv4
```
If you have a web server running on port 80, it helps to filter out those connections:
```
lsof -Pni4 | grep -v :80
```
Now you can look for anomalies. Don't be fooled by the program name: attackers try to disguise the process under a legitimate name to "get lost in the crowd", so it could be anything (apache, httpd, sendmail). It is the anomalies that give the offender away, for example:
- apache, or any other daemon, has no business listening on a high-numbered port it was not configured for
- sendmail run by user apache or nobody is also very suspicious
- a perl process listening on some network port (an all-time favourite)
- some process with an obscure name, run by the apache user
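The rules above can be applied mechanically to the lsof listing. The following script is an added example, not code from the original post: it reads `lsof -Pni4 | grep -v :80` output on stdin and prints one SUSPECT line per listener that breaks a rule. It goes slightly beyond the list by carrying a baseline of known daemons and the ports they are expected on (taken from the healthy listing further down; the baseline, the web-user and interpreter name sets, and the sample input are all assumptions to adjust to your own server), so that any known daemon on an unconfigured port, or any program not in the baseline, is flagged too.

```shell
#!/bin/sh
# Added example (not from the original post): apply the anomaly rules to
# "lsof -Pni4 | grep -v :80" output. The baseline of daemons and expected
# ports is an assumption taken from the healthy listing in the post.
# Real use:  lsof -Pni4 | grep -v :80 | flag_lsof_anomalies

flag_lsof_anomalies() {
    # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    # NAME for a listener is "addr:port (LISTEN)"; lsof shortens COMMAND to 9 chars.
    awk -v baseline="sshd:22 mysqld:3306 named:53,953 dovecot:110,143,993,995 imap-logi:143,993 pop3-logi:110,995 sendmail:25 pure-ftpd:21 httpd:80,443 apache:80,443 apache2:80,443" '
    BEGIN {
        n = split(baseline, entries, " ")
        for (i = 1; i <= n; i++) {
            split(entries[i], kv, ":")
            known[kv[1]] = 1
            m = split(kv[2], ports, ",")
            for (j = 1; j <= m; j++) expected[kv[1] "/" ports[j]] = 1
        }
        webcmd["httpd"] = webcmd["apache"] = webcmd["apache2"] = 1        # legitimately run as the web user
        webuser["apache"] = webuser["nobody"] = webuser["www-data"] = 1   # accounts PHP scripts run under
        interp["perl"] = interp["python"] = interp["php"] = interp["sh"] = interp["bash"] = 1
    }
    $1 == "COMMAND" { next }                  # header line
    $NF != "(LISTEN)" { next }                # only listening sockets
    {
        cmd = $1; pid = $2; user = $3
        n = split($(NF-1), addr, ":"); port = addr[n] + 0   # -P keeps the port numeric
        reason = ""
        if (cmd in interp)
            reason = "script interpreter listening on a port"
        else if ((user in webuser) && !(cmd in webcmd))
            reason = "non-web-server process run by the web-server user"
        else if (cmd in known) {
            if (!((cmd "/" port) in expected))
                reason = "known daemon on a port it is not configured for"
        } else
            reason = "program not in the baseline"
        if (reason != "")
            printf "SUSPECT pid=%s cmd=%s user=%s port=%d: %s\n", pid, cmd, user, port, reason
    }'
}

sample_listeners() {
    # Constructed sample in lsof -Pni4 layout (not real output).
    cat <<'EOF'
COMMAND     PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd       1909   root    3u  IPv4   7894      TCP *:22 (LISTEN)
mysqld     1995  mysql   10u  IPv4   8001      TCP *:3306 (LISTEN)
sendmail   2080   root    4u  IPv4   8259      TCP *:25 (LISTEN)
httpd      2201 apache    5u  IPv4   8302      TCP *:443 (LISTEN)
httpd      4471 apache    7u  IPv4   9120      TCP *:8099 (LISTEN)
perl       4520 apache    3u  IPv4   9201      TCP *:9876 (LISTEN)
sendmail   4533 nobody    4u  IPv4   9230      TCP *:6667 (LISTEN)
cron-helpe 4588 apache    3u  IPv4   9311      TCP *:5555 (LISTEN)
mysqld     1995  mysql   15u  IPv4   8010      TCP 127.0.0.1:3306->127.0.0.1:50122 (ESTABLISHED)
EOF
}

# Stand-alone demo on the constructed sample: four SUSPECT lines are printed.
sample_listeners | flag_lsof_anomalies
```

The order of the rules matters: the web-user rule deliberately exempts httpd itself, because apache worker processes inherit the listening sockets and show up under user apache on ports 80 and 443; the baseline rule then catches the case of httpd on a port it was never configured for.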
Unfortunately I could not find an infected system to give a real example, but lsof output for a healthy system should look somewhat like this:
```
[root@ServerX ~]# lsof -Pni4| grep -v :80
COMMAND     PID    USER   FD   TYPE DEVICE SIZE NODE NAME
named      1753   named   20u  IPv4   6337      TCP 127.0.0.1:53 (LISTEN)
named      1753   named   21u  IPv4   6339      TCP 95.142.100.123:53 (LISTEN)
named      1753   named   22u  IPv4   6341      TCP 62.4.84.123:53 (LISTEN)
named      1753   named   23u  IPv4   6343      TCP 82.98.193.103:53 (LISTEN)
named      1753   named   24u  IPv4   6344      TCP 127.0.0.1:953 (LISTEN)
named      1753   named  512u  IPv4   6336      UDP 127.0.0.1:53
named      1753   named  513u  IPv4   6338      UDP 95.142.100.123:53
named      1753   named  514u  IPv4   6340      UDP 62.4.84.123:53
named      1753   named  515u  IPv4   6342      UDP 82.98.193.103:53
sshd       1909    root    3u  IPv4   7894      TCP *:22 (LISTEN)
mysqld     1995   mysql   10u  IPv4   8001      TCP *:3306 (LISTEN)
dovecot    2031    root    5u  IPv4   8040      TCP *:143 (LISTEN)
dovecot    2031    root    6u  IPv4   8041      TCP *:993 (LISTEN)
dovecot    2031    root    7u  IPv4   8042      TCP *:110 (LISTEN)
dovecot    2031    root    8u  IPv4   8043      TCP *:995 (LISTEN)
sendmail   2080    root    4u  IPv4   8259      TCP *:25 (LISTEN)
pure-ftpd  2152    root    4u  IPv4   8461      TCP *:21 (LISTEN)
imap-logi 30127 dovecot    0u  IPv4   8040      TCP *:143 (LISTEN)
imap-logi 30127 dovecot    1u  IPv4   8041      TCP *:993 (LISTEN)
imap-logi 30149 dovecot    0u  IPv4   8040      TCP *:143 (LISTEN)
imap-logi 30149 dovecot    1u  IPv4   8041      TCP *:993 (LISTEN)
imap-logi 30255 dovecot    0u  IPv4   8040      TCP *:143 (LISTEN)
imap-logi 30255 dovecot    1u  IPv4   8041      TCP *:993 (LISTEN)
pop3-logi 31758 dovecot    0u  IPv4   8042      TCP *:110 (LISTEN)
pop3-logi 31758 dovecot    1u  IPv4   8043      TCP *:995 (LISTEN)
pop3-logi 31778 dovecot    0u  IPv4   8042      TCP *:110 (LISTEN)
pop3-logi 31778 dovecot    1u  IPv4   8043      TCP *:995 (LISTEN)
pop3-logi 31779 dovecot    0u  IPv4   8042      TCP *:110 (LISTEN)
pop3-logi 31779 dovecot    1u  IPv4   8043      TCP *:995 (LISTEN)
```
lsof provides enough information about processes listening on TCP/UDP ports to have a shot at finding a running backdoor, proxy or vulnerability scanner started by an attacker on a compromised server: the process name, the user account under which the process was started, the port on which it is listening, and the list of open file descriptors (FD).
Another benefit of running lsof to get a snapshot of the network I/O on your system is finding possible performance bottlenecks. For example, if you see a lot of connections to mysql from apache processes, your PHP applications are probably running suboptimal mysql queries, and that requires attention. The same goes for connections from apache to UDP port 53: DNS could be a bottleneck.
A lot of ssh connections on a server with shell access disabled could indicate a brute-force attack; a lot of sendmail processes trying to connect to outside servers means your server is being used for spamming, either via an uploaded malicious script or … by customers who are violating your Terms of Service.
There is plenty of useful information provided by lsof. The sky is the limit. Happy lsof-ing.
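The patterns in the two paragraphs above (many apache-to-mysql or apache-to-DNS sessions, many sshd sessions, many sendmail processes connecting out) are easier to spot when the live connections are counted per program, user and service port instead of read line by line. The script below is an added example, not code from the original post; it reads `lsof -Pni4` output on stdin, prints one summary line per (program, user, port) with the count first, and a second function filters on a threshold. The sample lines, the "lower port is the service port" heuristic and the threshold value are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise live connections from
# "lsof -Pni4" output per program, user and service port. The sample input is
# constructed and the threshold is an assumption.
# Real use:  lsof -Pni4 | summarize_lsof_connections | flag_over_threshold 50

summarize_lsof_connections() {
    awk '
    $1 == "COMMAND" { next }                     # header line
    {
        # TCP lines end in "(STATE)", UDP lines do not; NAME is local->remote
        name = ($NF ~ /^\(/) ? $(NF-1) : $NF
        if (name !~ /->/) next                   # listeners and unconnected UDP sockets
        if ($NF ~ /^\(/ && $NF != "(ESTABLISHED)" && $NF != "(SYN_SENT)") next
        split(name, ends, "->")
        n = split(ends[1], l, ":"); lport = l[n] + 0
        n = split(ends[2], r, ":"); rport = r[n] + 0
        # Heuristic (assumption): the lower port is the service port, the other
        # side is ephemeral. in:PORT = peers connecting to us, out:PORT = our
        # process connecting out.
        key = (lport < rport) ? $1 " " $3 " in:" lport : $1 " " $3 " out:" rport
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Keep only summary lines whose count reaches the given threshold.
flag_over_threshold() {
    awk -v t="$1" '$1 + 0 >= t + 0'
}

sample_connections() {
    # Constructed sample in lsof -Pni4 layout (not real output).
    cat <<'EOF'
COMMAND    PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      1909   root    3u  IPv4   7894      TCP *:22 (LISTEN)
httpd     2310 apache   12u  IPv4   9901      TCP 10.0.0.5:41022->10.0.0.9:3306 (ESTABLISHED)
httpd     2311 apache   12u  IPv4   9902      TCP 10.0.0.5:41023->10.0.0.9:3306 (ESTABLISHED)
httpd     2312 apache   12u  IPv4   9903      TCP 10.0.0.5:41024->10.0.0.9:3306 (ESTABLISHED)
httpd     2313 apache   14u  IPv4   9904      UDP 10.0.0.5:40011->10.0.0.2:53
sshd      5001   root    3u  IPv4   9910      TCP 10.0.0.5:22->198.51.100.7:50321 (ESTABLISHED)
sshd      5002   root    3u  IPv4   9911      TCP 10.0.0.5:22->198.51.100.7:50322 (ESTABLISHED)
sendmail  6001 apache    4u  IPv4   9920      TCP 10.0.0.5:51000->203.0.113.10:25 (SYN_SENT)
sendmail  6002 apache    4u  IPv4   9921      TCP 10.0.0.5:51001->203.0.113.11:25 (SYN_SENT)
EOF
}

# Stand-alone demo: prints "3 httpd apache out:3306" first, then the rest.
sample_connections | summarize_lsof_connections
```

SYN_SENT sessions are counted on purpose: a burst of sendmail processes stuck in SYN_SENT towards port 25 on many outside hosts is exactly what an outbound spam run looks like, and it is also what you see when the upstream provider has started blocking port 25 for you.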