During the last few days I've noticed weird behavior on one of the web servers I manage. It all started with an abnormal utilization of system resources - but no further evidence was detected. Until I saw weird processes running as the Apache user which shouldn't have been there:
www-data 10979 0.0 0.0 23672 3788 ? S Jan19 0:00 /usr/sbin/cron
www-data 11005 0.0 0.0 22744 3396 ? S Jan19 0:00 /usr/sbin/httpd
www-data 28561 0.1 0.1 23564 4436 ? S 09:12 0:24 /sbin/log
There were several different processes at different times of the day, but I won't list them all now. Even a Linux novice will see that these processes don't fit in, so where the hell did they come from? That they've been started by a web browser is obvious, but the difficult thing is to find the exact method among about 300 websites on that server.
After some research in the right files I found this:
220.127.116.11 - - [24/Jan/2011:09:12:42 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"
18.104.22.168 - - [24/Jan/2011:09:12:44 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"
This clearly shows the POST method which was used to upload files into a chmodded 777 directory. After a manual check of the web account's files and websites, this turned out to be an OSCommerce webshop. The hacker used a security vulnerability of this web application to be able to upload anything he wanted to, which turned out to be STUNSHELL: a kind of small hacking web page built from tools and scripts to execute on the attacked server.
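As an added example (not part of the original post), here is a Python scan of Apache combined-format access-log lines for the indicators shown above: a POST to the osCommerce admin categories.php with extra path-info, the new_product_preview action, and a libwww-perl client. The sample input reuses the two log lines from this post plus one constructed benign request; the regexes and function names are my own assumptions, not osCommerce's or STUNSHELL's.

```python
import re
from typing import List, Dict, Optional

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the post: a POST to the osCommerce admin script
# categories.php with extra path-info (".../categories.php/login.php"), the
# new_product_preview action used for the upload, and a libwww-perl client.
PATHINFO_RE = re.compile(r'/admin/categories\.php/[^?]*\.php', re.IGNORECASE)
UPLOAD_ACTION = "action=new_product_preview"
SCRIPT_UA_PREFIX = "libwww-perl"

def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one access-log line, or None if nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    d = m.groupdict()
    reasons = []
    if d["method"] == "POST" and PATHINFO_RE.search(d["path"]):
        reasons.append("POST to categories.php with path-info")
    if UPLOAD_ACTION in d["path"]:
        reasons.append("new_product_preview action")
    if d["ua"].startswith(SCRIPT_UA_PREFIX):
        reasons.append("libwww-perl user agent")
    if not reasons:
        return None
    return {"host": d["host"], "time": d["time"], "status": int(d["status"]), "reasons": reasons}

def scan_log(lines) -> List[Dict[str, object]]:
    """Scan many lines; only lines with at least one indicator are returned."""
    return [f for f in (scan_line(l) for l in lines) if f]

# Constructed sample: the two requests from the post plus a benign admin request.
SAMPLE_LOG = [
    '220.127.116.11 - - [24/Jan/2011:09:12:42 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"',
    '18.104.22.168 - - [24/Jan/2011:09:12:44 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"',
    '192.0.2.10 - - [24/Jan/2011:10:01:00 +0100] "GET /catalog/admin/categories.php?cPath=21 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['host']} {f['time']}: {', '.join(f['reasons'])}")
```

Pipe a real access log through scan_log and treat any hit with all three reasons as a strong signal to inspect world-writable upload directories for new .php files.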
I hope this information can help any administrator out there who finds processes like those mentioned above running on his system. My research on the Internet didn't turn up any results. Watch out for files named like these:
These are typical files used by the discovered STUNSHELL. If any customers on your web server use OSCommerce, administrators should already be very careful!