{"id":8960,"date":"2007-09-06T20:36:00","date_gmt":"2007-09-07T00:36:00","guid":{"rendered":"https:\/\/nuxx.net\/blog\/2007\/09\/06\/10-8mbsec\/"},"modified":"2026-07-01T11:36:00","modified_gmt":"2026-07-01T15:36:00","slug":"10-8mbsec","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2007\/09\/06\/10-8mbsec\/","title":{"rendered":"10.8Mb\/sec"},"content":{"rendered":"<p><center><img decoding=\"async\" src=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2026\/06\/katester_hack_whenfound.png\" height=182 width=640 border=0>Something isn&#8217;t right&#8230;<\/center><\/p>\n<p>This afternoon, not long before leaving work, I just happened to check out <a href=\"http:\/\/bandwidthd.sourceforge.net\/\">bandwidthd<\/a> running on <a href=\"http:\/\/nuxx.net\/wiki_archive\/A\/nuxx.net\">nuxx.net<\/a>. I was a bit surprised that it looked like <a href=\"http:\/\/nuxx.net\/files\/katester_hack\/Bandwidthd_whenfound.html\">this<\/a>.<\/p>\n<p>Yes, something was hacked. So, what happened?<\/p>\n<p><!--more Click here to find out semi-technical details...-->Well, the first thing I did was just run <tt>top<\/tt> as root to see if anything stood out. The first thing I saw was the user <tt>katester<\/tt> running <tt>perl<\/tt> and taking up loads of CPU, having consumed something like 26 hours of CPU time. In short: ack!<\/p>\n<p>Next I took a quick stab at what was doing it&#8230;<\/p>\n<p><tt>root@rowla:~# ps auxw | grep katester | grep perl<br \/>\nkatester     23802 94.4  0.1  3184  2520  ??  R    Wed01PM 1582:07.71 perl udp.pl irc.world-crew.net 6667 1200 (perl5.8.8)<\/tt><\/p>\n<p>Well, there&#8217;s the culprit&#8230; So, I killed it off, and it didn&#8217;t come back. Traffic immediately went back to normal, as can be seen <a href=\"http:\/\/nuxx.net\/files\/katester_hack\/Bandwidthd_fixed.htm\">here<\/a>, in a mirror taken a bit after fixing things.<\/p>\n<p><tt>root@rowla:~# kill 23802<\/tt><\/p>\n<p>Next I shut down all of the sites owned by <tt>katester<\/tt> by commenting out their includes in the <a href=\"http:\/\/www.lighttpd.net\">lighttpd<\/a> config file and then restarting lighttpd.<\/p>\n<p>Not finding any copies of <tt>udp.pl<\/tt> anywhere on the box, with nothing weird beneath <tt>\/tmp<\/tt> or <tt>~katester<\/tt> I threw <tt>udp.pl<\/tt> into <a href=\"http:\/\/www.google.com\/\">Google<\/a>. There were a few results, most of them showing <a href=\"http:\/\/nuxx.net\/files\/katester_hack\/udp.pl.txt\">this file<\/a>, which appears to be a tool for DOSing boxes rather inefficiently by throwing random data at a port.<\/p>\n<p>One of the next things I saw were two zombie processes and a copy of <tt>bash<\/tt> running as <tt>katester<\/tt>, along with the <a href=\"http:\/\/www.php.net\">PHP<\/a> processes normally allocated to that account:<\/p>\n<p><tt>root@rowla:~katester# ps -U katester<br \/>\n  PID  TT  STAT      TIME COMMAND<br \/>\n17603  ??  Z      0:00.01 &lt;defunct&gt;<br \/>\n17605  ??  S      0:03.76 .\/bash<br \/>\n23800  ??  Z      0:00.00 &lt;defunct&gt;<br \/>\n51838  ??  I      7:27.67 \/usr\/local\/bin\/php-cgi<br \/>\n51842  ??  I      7:17.46 \/usr\/local\/bin\/php-cgi<br \/>\n51843  ??  I      7:29.32 \/usr\/local\/bin\/php-cgi<br \/>\n51851  ??  I      7:19.06 \/usr\/local\/bin\/php-cgi<br \/>\n59959  ??  Is     0:00.93 \/usr\/local\/bin\/php-cgi<br \/>\n67261  ??  I      6:31.64 \/usr\/local\/bin\/php-cgi<\/tt><\/p>\n<p>I noticed (but didn&#8217;t capture) that the copy of <tt>bash<\/tt> there was started at the same time as <tt>udp.pl<\/tt>. Because I was trying to isolate this user as much as possible I went ahead began killing off the PHP processes. As soon as I killed <tt>59959<\/tt> the next one, <tt>67261<\/tt> died as well. I then noticed that <tt>bash<\/tt> and both of the zombies were gone.<\/p>\n<p>Now I figured it was time to start looking for where the infection came from so I could get the four downed sites back up as soon as possible. I just simply used grep to look through the httpd&#8217;s log files for things occurring during 13:00:00 EDT on 05-Sep-2007. (I also checked the 12:00:00 and 14:00:00 blocks and didn&#8217;t see anything suspectious.) After a few moments I noticed this:<\/p>\n<p><tt>142.166.3.123 www.katester.net - [05\/Sep\/2007:13:37:02 -0400] \"GET \/blog\/index.php\/feed\/ HTTP\/1.1\" 200 17637 \"-\" \"radianrss-1.0\"<\/tt><\/p>\n<p>Throwing <tt>radianrss-1.0<\/tt> into Google gave me no results, which is more than a little suspicious for what sounds like an RSS reader&#8217;s useragent. I looked through the other logs for the site and I could see other visits from <tt>142.166.3.123<\/tt> and found something interesting.<\/p>\n<p>I next went ahead and called the site&#8217;s owner, discussed it with her, archived <tt>...\/blog<\/tt>, and deleted that directory from the server. I was then able to bring the <tt>katester<\/tt> PHP processes and sites back online.<\/p>\n<p>While there were other visits from <tt>142.166.3.123<\/tt> accessing <tt>\/blog\/index.php\/feed\/<\/tt>, every other one before that time had a useragent of <tt>Jakarta Commons-HttpClient\/3.1-beta1<\/tt>. Here&#8217;s an example:<\/p>\n<p><tt>142.166.3.123 www.katester.net - [05\/Sep\/2007:03:19:47 -0400] \"GET \/blog\/index.php\/feed\/ HTTP\/1.1\" 200 17637 \"-\" \"Jakarta Commons-HttpClient\/3.1-beta1\"<br \/>\n142.166.3.123 www.katester.net - [05\/Sep\/2007:08:27:11 -0400] \"GET \/blog\/index.php\/feed\/ HTTP\/1.1\" 200 17637 \"-\" \"Jakarta Commons-HttpClient\/3.1-beta1\"<\/tt><\/p>\n<p>Then, next was the first entry with the odd useragent. All right around the time things began, and nothing else from that IP but those specific requests. I&#8217;ve now got <a href=\"http:\/\/en.wikipedia.org\/wiki\/Tcpdump\">tcpdump<\/a> running, listening for anything from that IP, so I can (hopefully) see exactly what the malicious request was. There have been other requests since yesterday afternoon with the same <tt>radianrss-1.0<\/tt> useragent, so I expect (and hope) the exploit will be attempted again.<\/p>\n<p>Here&#8217;s what I suspect happened:<\/p>\n<p>&middot; The copy of <a href=\"http:\/\/wordpress.org\/\">WordPress<\/a>, known for it&#8217;s numerous security holes, which happened to be running on <a href=\"http:\/\/katester.net\">katester.net<\/a> was somehow exploited.<br \/>\n&middot; The exploit was able to write a small script to the machine and execute it.<br \/>\n&middot; This script then grabbed, spawned, and deleted <tt>udp.pl<\/tt>.<br \/>\n&middot; I found things and cleaned them up.<\/p>\n<p>I suppose in the future that I could have left <tt>udp.pl<\/tt> running for a little longer so that I could better investigate it, but I didn&#8217;t want to allow the DOSing that was happening to continue.<\/p>\n<p>As some of you probably remember, back on <a href=\"http:\/\/c0nsumer.livejournal.com\/2006\/07\/08\/\">08-Jul-2006<\/a> the then-server hosting <a href=\"http:\/\/nuxx.net\">nuxx.net<\/a> and many other sites was compromised. That happened because I had all the vhosts, PHP, and the httpd running as the same user with one of those vhosts running an old, vulnerable copy of <a href=\"http:\/\/www.phpbb.com\/\">phpBB<\/a>. When things finally settled down and I moved to the new box I was able to run the httpd as its own user, with separate banks of PHP processes running for each user. Each user&#8217;s files were also held under their own home directories with accessible, but not modifiable (by the user) log files.<\/p>\n<p>While the exploiting script last time was able to access (and delete) the contents of all the root directories of each user&#8217;s website, the more-proper privilege separation in new configuration mitigated potential risk. Fortunately it appears that this attack did little more than DOS an IRC server, but had it tried to do more it&#8217;s nice to know that it would have likely been contained to just <tt>~katester<\/tt>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Something isn&#8217;t right&#8230; This afternoon, not long before leaving work, I just happened to check out bandwidthd running on nuxx.net. I was a bit surprised that it looked like this. Yes, something was hacked. So, what happened?<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,34],"tags":[],"class_list":["post-8960","post","type-post","status-publish","format-standard","hentry","category-computers","category-moved-from-livejournal"],"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=8960"}],"version-history":[{"count":2,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8960\/revisions"}],"predecessor-version":[{"id":24613,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8960\/revisions\/24613"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=8960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=8960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=8960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}