Okay, I damn near had a panic attack this afternoon because I thought someone was attacking the main darquecathedral.org server.
Earlier today Slashdot had posted a story about Lupper.Worm making its way around the net. I wasn’t worried, as my webserver’s installs of Apache and PHP are relatively up-to-date. One of its features was that it copied a program to the /tmp folder and ran it under the username Apache runs under. Anyway, I was talking to CCShadow about it and happened to do a check on /tmp. To my shock, there was a whole shitload of files starting with “sess_” in the /tmp directory owned by the Apache user.
“What the hell???” I thought.
So, what I did was go to the access log, and checked. Sure enough, throughout today there had been a few attempts to make the server download and run a file that started with sess_ in the logs. Problem was… it showed that the requests were for files that didn’t exist on my server. So, I deleted the files. They reappeared… with no trace in the logs.
Curious, I downloaded the sess_ file shown in the logs. Sure enough, it was a Perl script that acted as a zombie IRC bot used for attacking computers. However… I couldn’t see how the files were being run. Every time I deleted the files they reappeared (albeit at zero size). I even rebooted the machine to no avail.
I even went as far as to install a new module into Apache called mod_security. No go. The files kept appearing, with no trace in the audit logs. I tried replicating the command from Safari on my PowerBook, and it got blocked (and appeared in the audit logs). I was stumped.
Then something worried me even more. One of the sess_ files that had appeared wasn’t a script file. It was private mailbox information for someone who uses the webmail on my server. At this point I was even more into a WTF mode.
Finally, I was talking to Sinc and Kanan about it on #Vampire, and Kanan pointed out the obvious: the sess_ files I had been seeing were normal cache files used by PHP. There was no compromise on my system. I tested, and he was right.
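For anyone who hits the same scare: PHP's default file-based session handler writes its data to `session.save_path` (usually /tmp) as `sess_<id>` files owned by the web server user, serialized as `name|value;` pairs, and a brand-new session is a zero-byte file. The triage below is an added example, not from the original post, that tells those apart from a dropped script by content alone; the sample files and the `classify`/`triage_dir` names are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed samples (not real /tmp contents): a populated PHP session,
# a freshly created empty session, and a script that merely borrows the name.
SAMPLES = {
    "sess_a1b2c3": b'user|s:5:"alice";logged_in|b:1;',
    "sess_d4e5f6": b"",
    "sess_fake":   b"#!/usr/bin/perl\nuse IO::Socket;\n",
}

# PHP's "php" session serializer starts the file with name|<serialized value>;
# e.g. s:5:"alice"; (string), b:1; (bool), i:3; (int), N; (null), a:1:{...
# Matching the first pair is enough to recognise the format.
PHP_SESSION_RE = re.compile(rb'^[A-Za-z_][A-Za-z0-9_]*\|[a-zA-Z](?::[^;]*)?;')


def classify(data: bytes) -> str:
    """Label file contents as PHP session data, a script, or unknown."""
    if len(data) == 0:
        return "empty-session"          # session created, nothing stored yet
    if data.startswith(b"#!") or data.lstrip().startswith(b"<?php"):
        return "script"                 # interpreter shebang or PHP source
    if PHP_SESSION_RE.match(data):
        return "php-session"
    return "unknown"


def triage_dir(path: str) -> dict:
    """Classify every sess_* file in `path`; compare against
    `php -i | grep session.save_path` to confirm this is the session dir."""
    result = {}
    for name in sorted(os.listdir(path)):
        if not name.startswith("sess_"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            result[name] = classify(fh.read(4096))  # header is enough
    return result


def demo() -> dict:
    """Write the constructed samples to a scratch dir and triage it."""
    scratch = tempfile.mkdtemp(prefix="sess_demo_")
    for name, data in SAMPLES.items():
        with open(os.path.join(scratch, name), "wb") as fh:
            fh.write(data)
    return triage_dir(scratch)


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name}: {label}")
```

Anything labelled "script" or "unknown" deserves a look; "php-session" and "empty-session" files are what a busy webmail install produces all day, and deleting them just logs users out until PHP recreates them.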
Gods, I felt like a fucking dumbass.
On the bright side, I did get mod_security tested and in place on the darquecathedral.org server, and I’ll end up implementing it on the MK Online server as soon as we get it nice and tested. Still… tonight was not one of my shining moments. *sigh*