As you may or may not know, Hetzner was recently reported as the source of some large-scale DDoS attacks.
I have two servers at Hetzner. One of them I no longer maintain at all; it is basically for testing purposes.
So here I probably had some old open-source software which allows file uploads, and a particularly badly configured /tmp directory (it still allowed executables).
So it was eventually compromised and shells installed. Interestingly, it was never possible to exploit until Shellshock.
This is what I found in my uploads temp directory. Fake "su":
[email protected] /tmp # md5sum .b/su
Possibly the real "su":
[email protected] /tmp # md5sum /bin/su
When was this compromised? Oh, a long time ago apparently:
[email protected] / # ls -ls /tmp/.b/
0 -rw-r--r-- 1 apache apache 0 Oct 25 18:02 13.89.pscan.22
1.4M -rwxr-xr-x 1 apache apache 1.4M Jun 6 2005 brute
84K -rwxr-xr-x 1 apache apache 80K Oct 17 19:09 pass.txt
4.0K -rwxr-xr-x 1 apache apache 148 Oct 17 19:12 print
16K -rwxr-xr-x 1 apache apache 16K Aug 13 2012 ps
4.0K -rwxr-xr-x 1 apache apache 1.2K Mar 14 2013 rand
4.0K -rwxr-xr-x 1 apache apache 552 Oct 17 18:59 su
All the fake executables have system-style names so they blend in with regular processes. But it wasn't hard to find once I was informed of the exploit.
I saw an apache process running "./ps", which basically sends a SYN flood to the target network.
What a waste.
Attaching the fun files for you to play around with. You can see that the attacker even uploaded a nice brute-force file.
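The checks below are an added example for triaging this kind of compromise and are not part of the original post or its attached files. The script is mine; it assumes Linux with /proc, a POSIX sh and GNU coreutils (readlink, stat), and takes the names ps/su and the path /tmp/.b from the listing above. It flags processes whose real executable (the /proc/PID/exe link, which does not care what the process calls itself) lives under a temp directory or a hidden dot-directory, or which use a system-tool name without being the canonical binary of that name.

```shell
#!/bin/sh
# Added example, not part of the original post: triage helpers for malware
# that is named like a system tool, lives in a hidden dir under /tmp and
# runs as the web-server user. Assumes Linux /proc, POSIX sh, GNU coreutils.
# The names ps/su and the path /tmp/.b are taken from the post's listing.

# True when PATH is somewhere a genuine system binary never lives: a
# world-writable temp dir or any hidden (dot) directory component.
suspicious_exe_path() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        */.*/*) return 0 ;;              # e.g. /tmp/.b/ps
    esac
    return 1
}

# True when a process calls itself NAME (a common system tool) but its
# executable is not the canonical binary of that name.
name_path_mismatch() {
    name=$1; path=$2
    case "$name" in
        ps|su|sshd|cron|crond|httpd|apache2) ;;
        *) return 1 ;;
    esac
    for dir in /bin /usr/bin /sbin /usr/sbin; do
        [ "$path" = "$dir/$name" ] && return 1
    done
    return 0
}

# Walk /proc and print "pid owner name exe" for every suspicious process.
# Linux appends " (deleted)" to the exe link when the binary was unlinked
# after starting (a common trick), so that suffix is stripped first.
scan_procs() {
    for pid_dir in /proc/[0-9]*; do
        exe=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
        exe=${exe% (deleted)}
        name=$(cat "$pid_dir/comm" 2>/dev/null) || continue
        owner=$(stat -c %U "$pid_dir" 2>/dev/null) || owner=?
        if suspicious_exe_path "$exe" || name_path_mismatch "$name" "$exe"; then
            printf '%s %s %s %s\n' "${pid_dir#/proc/}" "$owner" "$name" "$exe"
        fi
    done
}

# Print both timestamps of FILE. tar restores mtime from the archive, so an
# old mtime (like the 2005 one in the listing above) dates the attacker's
# toolkit, not the break-in; ctime cannot be set from user space and shows
# when the inode was written on this box.
file_times() {
    stat -c 'mtime=%y ctime=%z %n' "$1"
}

# True when /tmp is a separate mount carrying noexec; a /tmp that still
# allows executables, as described in the post, fails this check.
tmp_is_noexec() {
    awk '$2 == "/tmp" { print $4 }' /proc/mounts | grep -q noexec
}

scan_procs
```

Run it as root so every /proc/PID/exe link is readable; a line like `12345 apache ps /tmp/.b/ps` is exactly the case the post describes. The stock `ps` output would have shown the same process only as "./ps", which is why the exe link rather than the command name is compared.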
The fix: just disabled all the Apache-hosted apps that I no longer used.
Added iptables rules to prevent outgoing traffic from a certain IP. Due to my setup with several public IPs, outgoing requests bind by default to one particular IP, which is on a separate interface. The malware runs in its own process space, so it does not use the IP of Apache but the system default.
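The ruleset below is an added example of the egress fix described above, written by me and not the rules from the original post. It assumes two addresses that are placeholders: 198.51.100.10 as the system's default outbound source IP (the one the SYN flood left from) and 198.51.100.20 as the IP Apache binds to. New outbound connections from the default address are logged and dropped, replies to inbound sessions stay allowed from either address, and, going a step beyond the post, the web address is capped to a sane outbound SYN rate so a flood tool that did bind to it would be throttled as well.

```shell
#!/bin/sh
# Added example, not the rules from the original post. Emits an
# iptables-restore ruleset that blocks new outbound connections from the
# address the malware sent from while leaving Apache's own address usable.
# Assumed (placeholder) addresses:
ABUSED_SRC_IP=${ABUSED_SRC_IP:-198.51.100.10}   # system default outbound IP
WEB_SRC_IP=${WEB_SRC_IP:-198.51.100.20}         # IP Apache binds to

# Write the filter-table ruleset to stdout.
egress_rules() {
    cat <<EOF
*filter
:OUTPUT ACCEPT [0:0]
:EGRESS_DENY - [0:0]
# replies to inbound ssh/http sessions are fine from either address
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# nothing new leaves from the abused default address (add explicit ACCEPTs
# above this line if the host itself must reach DNS or a package mirror)
-A OUTPUT -s $ABUSED_SRC_IP -m conntrack --ctstate NEW -j EGRESS_DENY
# the web address may open connections, but never at flood rate: allow a
# bounded number of outbound SYNs per second and drop the excess
-A OUTPUT -s $WEB_SRC_IP -p tcp --syn -m limit --limit 50/second --limit-burst 100 -j ACCEPT
-A OUTPUT -s $WEB_SRC_IP -p tcp --syn -j EGRESS_DENY
# log a trickle before dropping so the next tool shows up in syslog
-A EGRESS_DENY -m limit --limit 5/minute -j LOG --log-prefix "egress-deny: "
-A EGRESS_DENY -j DROP
COMMIT
EOF
}

# Load the ruleset; needs root and the conntrack, limit and LOG modules.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: need root" >&2; return 1; }
    egress_rules | iptables-restore
}

# Usage: sh egress.sh > /etc/iptables/egress.rules, then apply_rules as root.
egress_rules
```

The ESTABLISHED,RELATED rule comes first so that SSH and HTTP replies to inbound clients are never affected; only connections the box initiates from the default address are stopped. Check `grep egress-deny /var/log/syslog` (or `journalctl -k`) after loading: the log lines carry the source and destination of whatever still tries to leave, which is the quickest way to confirm a process is still flooding.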