Opened 6 years ago

Closed 6 years ago

#517 closed defect (invalid)

nginx executable hacked

Reported by: sasha1111 1111
Owned by:
Priority: minor
Milestone: 1.4.5
Component: nginx-core
Version: 1.4.x
Keywords:
Cc:
uname -a: 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
nginx -V: 1.4.5

Description

I've found out nginx 1.4.5 on one server behaves badly:
it dumps some of the POST requests going through into a file it stores in
/tmp/.ICE-unix/.<something>

There is no evidence that the server has been hacked: no IDS alerts and all files' integrity is intact, except the nginx binary differs from that in the 1.4.5 package. I assume the binary has been infected with a backdoor. Unfortunately my knowledge is not enough to properly identify what's happened.

Here's a piece of strace dump where bad things happen:
open("/tmp/.ICE-unix/.1", O_RDONLY) = 18
close(18) = 0
open("/tmp/.ICE-unix/.a0df08f45", O_WRONLY|O_CREAT|O_APPEND, 0666) = 18
fstat(18, {st_mode=S_IFREG|0666, st_size=6399016, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80a445c000
fstat(18, {st_mode=S_IFREG|0666, st_size=6399016, ...}) = 0
lseek(18, 6399016, SEEK_SET) = 6399016
write(18, "YToyODp7czo0OiJsYW5nIjtzOjI6ImRl"..., 1222) = 1222
close(18) = 0
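
Added example, not part of the original ticket: a small Python triage script run over lines from the strace excerpt above (fstat and mmap omitted). It tracks which path each file descriptor refers to, flags writes to hidden files under temp directories, and decodes the truncated write() buffer, which is base64 and decodes to what looks like the start of a PHP-serialized array. The path pattern and the function names are assumptions of this example.

```python
import base64
import re

# Lines taken from the ticket's strace excerpt (fstat/mmap lines omitted).
STRACE = r'''open("/tmp/.ICE-unix/.1", O_RDONLY) = 18
close(18) = 0
open("/tmp/.ICE-unix/.a0df08f45", O_WRONLY|O_CREAT|O_APPEND, 0666) = 18
lseek(18, 6399016, SEEK_SET) = 6399016
write(18, "YToyODp7czo0OiJsYW5nIjtzOjI6ImRl"..., 1222) = 1222
close(18) = 0'''

OPEN_RE = re.compile(r'^open\("([^"]+)", ([A-Z_|]+)(?:, \d+)?\)\s+= (\d+)')
WRITE_RE = re.compile(r'^write\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, (\d+)\)\s+= (-?\d+)')
CLOSE_RE = re.compile(r'^close\((\d+)\)')
# Assumption: a hidden file under a world-writable temp dir, opened for
# writing by a web server worker, is worth flagging for review.
SUSPICIOUS_PATH = re.compile(r'^/(?:tmp|var/tmp|dev/shm)/(?:.*/)?\.[^/]+$')

def decode_prefix(text):
    """Decode a strace-truncated string if it is base64, else return None."""
    if not re.fullmatch(r'[A-Za-z0-9+/]+=*', text):
        return None
    usable = text[: len(text) - len(text) % 4]  # drop a partial final quantum
    try:
        return base64.b64decode(usable, validate=True).decode('utf-8', 'replace')
    except ValueError:
        return None

def find_hidden_writes(trace):
    """Return one finding per write() to a hidden temp file opened for writing."""
    fds, findings = {}, []
    for line in trace.splitlines():
        if m := OPEN_RE.match(line):  # failed opens (= -1) do not match
            flags = set(m.group(2).split('|'))
            fds[int(m.group(3))] = (m.group(1), bool({'O_WRONLY', 'O_RDWR'} & flags))
        elif m := CLOSE_RE.match(line):
            fds.pop(int(m.group(1)), None)  # the fd number may be reused later
        elif m := WRITE_RE.match(line):
            path, writable = fds.get(int(m.group(1)), (None, False))
            if path and writable and SUSPICIOUS_PATH.match(path):
                findings.append({'path': path, 'bytes': int(m.group(5)),
                                 'decoded': decode_prefix(m.group(2))})
    return findings

if __name__ == '__main__':
    for finding in find_hidden_writes(STRACE):
        print(finding)
```
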

Change History (4)

comment:1 by sasha1111 1111, 6 years ago

Trac failed to attach binary to this ticket. Here it is on my gdrive.
https://drive.google.com/file/d/0B8Udrj1wuVjiOU1jTUJMVlBzS2c/edit?usp=sharing

comment:2 by sasha1111 1111, 6 years ago

Btw, lsof shows that nginx keeps the /tmp/.ICE-unix/.1 file open:

nginx 29590 www-data 17r REG 253,7 1 97540 /tmp/.ICE-unix/.1
nginx 29590 www-data 18r REG 253,7 1 97540 /tmp/.ICE-unix/.1
nginx 29590 www-data 19r REG 253,7 1 97540 /tmp/.ICE-unix/.1
nginx 29590 www-data 20r REG 253,7 1 97540 /tmp/.ICE-unix/.1

comment:3 by sasha1111 1111, 6 years ago

nginx 1.4.5 was installed from the dotdeb Debian repo.

comment:4 by Maxim Dounin, 6 years ago

Resolution: invalid
Status: new → closed

This doesn't look like a problem in nginx. It looks like your server was compromised somehow, and the nginx binary was replaced. See, e.g., the "How do I deal with a compromised server?" question on serverfault.com for some basic description on how to deal with compromised servers.
