Opened 11 years ago
Closed 11 years ago
#517 closed defect (invalid)
nginx executable hacked
Reported by: | sasha1111 1111 | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | 1.4.5 |
Component: | nginx-core | Version: | 1.4.x |
Keywords: | | Cc: | |
uname -a: | 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux | | |
nginx -V: | 1.4.5 | | |
Description
I've found out nginx 1.4.5 on one server behaves badly:
it dumps some of the POST requests going through into a file it stores in
/tmp/.ICE-unix/.<something>
There is no evidence that the server has been hacked: no IDS alerts, and all file integrity is intact, except that the nginx binary differs from the one in the 1.4.5 package. I assume the binary has been infected with a backdoor. Unfortunately my knowledge is not enough to properly identify what's happened.
Here's a piece of strace dump where bad things happen:
open("/tmp/.ICE-unix/.1", O_RDONLY) = 18
close(18) = 0
open("/tmp/.ICE-unix/.a0df08f45", O_WRONLY|O_CREAT|O_APPEND, 0666) = 18
fstat(18, {st_mode=S_IFREG|0666, st_size=6399016, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80a445c000
fstat(18, {st_mode=S_IFREG|0666, st_size=6399016, ...}) = 0
lseek(18, 6399016, SEEK_SET) = 6399016
write(18, "YToyODp7czo0OiJsYW5nIjtzOjI6ImRl"..., 1222) = 1222
close(18) = 0
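A small detector for the pattern in the strace excerpt above, added here as an example and not part of the ticket: it walks strace output, tracks file descriptors opened for writing on hidden files under /tmp, and base64-decodes the first chunk written to them. The sample trace is constructed from the lines quoted above; the decoded prefix `a:28:{s:4:"lang";s:2:"de` has the shape of PHP serialize() output, which is consistent with request parameters being logged.

```python
import re
import base64

# Constructed strace excerpt modelled on the lines quoted in the ticket,
# plus one benign write to the access log for contrast.
SAMPLE_STRACE = """\
open("/tmp/.ICE-unix/.1", O_RDONLY) = 18
close(18) = 0
open("/tmp/.ICE-unix/.a0df08f45", O_WRONLY|O_CREAT|O_APPEND, 0666) = 18
fstat(18, {st_mode=S_IFREG|0666, st_size=6399016, ...}) = 0
lseek(18, 6399016, SEEK_SET) = 6399016
write(18, "YToyODp7czo0OiJsYW5nIjtzOjI6ImRl"..., 1222) = 1222
close(18) = 0
open("/var/log/nginx/access.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 19
write(19, "10.0.0.5 - - [01/Jan/2014]"..., 27) = 27
"""

# open("path", FLAGS[, mode]) = fd   (also accepts openat(AT_FDCWD, ...))
OPEN_RE = re.compile(r'^open(?:\(|at\(AT_FDCWD,\s*)"([^"]+)",\s*([A-Z_|]+)(?:,\s*\d+)?\)\s*=\s*(\d+)$')
# write(fd, "data"[...], len) = n   (strace truncates long buffers with "...")
WRITE_RE = re.compile(r'^write\((\d+),\s*"((?:[^"\\]|\\.)*)"(\.\.\.)?,\s*\d+\)\s*=\s*(\d+)$')
CLOSE_RE = re.compile(r'^close\((\d+)\)')

def is_suspicious_path(path):
    # A dot-file in /tmp; /tmp/.ICE-unix normally holds only X11 session
    # sockets and is not somewhere a web server should be writing.
    return path.startswith("/tmp/") and path.rsplit("/", 1)[-1].startswith(".")

def scan_strace(text):
    """Return (path, decoded_prefix, bytes_written) for every write() to a
    suspicious hidden file that was opened for writing."""
    fds = {}        # fd number -> suspicious path currently open on it
    findings = []
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            path, flags, fd = m.groups()
            if ("O_WRONLY" in flags or "O_RDWR" in flags) and is_suspicious_path(path):
                fds[int(fd)] = path
            else:
                fds.pop(int(fd), None)   # fd number reused for something benign
            continue
        m = CLOSE_RE.match(line)
        if m:
            fds.pop(int(m.group(1)), None)
            continue
        m = WRITE_RE.match(line)
        if m and int(m.group(1)) in fds:
            fd, data, _, nbytes = m.groups()
            try:   # the captured prefix is base64 in the ticket's trace
                decoded = base64.b64decode(data, validate=True).decode("latin-1")
            except ValueError:          # not base64 (binascii.Error is a ValueError)
                decoded = ""
            findings.append((fds[int(fd)], decoded, int(nbytes)))
    return findings
```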
Change History (4)
comment:1 by , 11 years ago
comment:2 by , 11 years ago
Btw, lsof shows that nginx keeps the /tmp/.ICE-unix/.1 file open:
nginx 29590 www-data 17r REG 253,7 1 97540 /tmp/.ICE-unix/.1
nginx 29590 www-data 18r REG 253,7 1 97540 /tmp/.ICE-unix/.1
nginx 29590 www-data 19r REG 253,7 1 97540 /tmp/.ICE-unix/.1
nginx 29590 www-data 20r REG 253,7 1 97540 /tmp/.ICE-unix/.1
comment:4 by , 11 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
This doesn't look like a problem in nginx. It looks like your server was compromised somehow, and the nginx binary was replaced. See, e.g., the "How do I deal with a compromised server?" question on serverfault.com for a basic description of how to deal with compromised servers.
Trac failed to attach binary to this ticket. Here it is on my gdrive.
https://drive.google.com/file/d/0B8Udrj1wuVjiOU1jTUJMVlBzS2c/edit?usp=sharing