Security issue

Support for security such as Firewalls and securing linux
melco
Posts: 6
Joined: 2011/09/13 10:05:25

Security issue

Post by melco » 2011/09/13 10:30:14

Hello community!
I have a serious security issue.
System: centos 6 fully updated
Software:
nginx version: nginx/0.8.54 (public IP)
httpd-2.2.15-5.el6.centos.x86_64 (127.0.0.1) + PHP
exim-4.72-2.el6.x86_64 (Public IP)
openssh-server-5.3p1-207.el6_9.38.x86_64 (Public ip non-standard port)
Percona-Server-server-51-5.1.58-rel12.9.271.rhel6.x86_64 (mysql-server) (127.0.0.1 + unix socket)

All these have SELinux policies. All packages are up to date.
One day I noticed thousands of mail rejects in my mailbox (root alias -> my email)
I found that the mail wasn't sent by apache but instead by root (it can be found in /var/spool/exim/input/). It was quite confusing for me, and I enabled additional auditing of /usr/sbin/sendmail, which is an alias of /usr/sbin/exim.

/etc/audit/audit.rules:
[code]...
-w /usr/sbin/exim
-w /usr/sbin/sendmail
...[/code]

Now I have every call to sendmail logged to audit.log
What I found later:

ausearch -if /var/log/audit/audit.log.3
[code]
...
----
time->Tue Sep 13 09:39:07 2011
type=PATH msg=audit(1315892347.128:22769): item=1 name=(null) inode=1046887 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1315892347.128:22769): item=0 name="/usr/sbin/sendmail" inode=1182975 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:exim_exec_t:s0
type=CWD msg=audit(1315892347.128:22769): cwd="/root"
type=EXECVE msg=audit(1315892347.128:22769): argc=2 a0="/usr/sbin/sendmail" a1="-t"
type=SYSCALL msg=audit(1315892347.128:22769): arch=c000003e syscall=59 success=yes exit=0 a0=6649d0 a1=78b6b0 a2=624c00 a3=7dc95a39a7f0 items=2 ppid=25264 pid=27468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/exim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
...
[/code]

while a normal message from the PHP website looks like:

[code]
----
time->Tue Sep 13 10:00:30 2011
type=PATH msg=audit(1315893630.757:30022): item=1 name=(null) inode=1046887 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1315893630.757:30022): item=0 name="/usr/sbin/sendmail" inode=1182975 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:exim_exec_t:s0
type=CWD msg=audit(1315893630.757:30022): cwd="/var/www/website.net/htdocs"
type=BPRM_FCAPS msg=audit(1315893630.757:30022): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=ffffffffffffffff new_pi=0000000000000000 new_pe=ffffffffffffffff
type=EXECVE msg=audit(1315893630.757:30022): argc=3 a0="/usr/sbin/sendmail" a1="-t" a2="-i"
type=SYSCALL msg=audit(1315893630.757:30022): arch=c000003e syscall=59 success=yes exit=0 a0=6ecd40 a1=6ece10 a2=6ebbc0 a3=7685f60a8cd0 items=2 ppid=26923 pid=7351 auid=4294967295 uid=1501 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/exim" subj=system_u:system_r:system_mail_t:s0 key=(null)
----
[/code]

Notice the uid in both outputs. In the case of the website the uid is 1501. In the case of the spam source it's uid=0!!!
PID 27468 is not running now. PPID 25264 is also not running.
Notice the difference in the last line:

subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
VS
subj=system_u:system_r:system_mail_t:s0 key=(null)


How do I find how this access was gained and how to investigate this incident further?
Any help is appreciated.

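The post compares two sendmail executions by hand (uid, auid, SELinux subject, cwd, ppid). The following script is an added example, not code from the poster or from the auditd project: it groups raw audit.log lines by event serial, extracts those fields, and flags sendmail invocations that do not look like mail sent by the web application. The sample input is a constructed, trimmed copy of the two record groups quoted above; the list of "expected" working directories (`/var/www/`) and the rule thresholds are assumptions to adapt to your own host.

```python
import re
from datetime import datetime, timezone

# Constructed sample: trimmed copies of the two record groups from the post
# (serial 22769 = unexplained root invocation, serial 30022 = PHP site mail).
SAMPLE_AUDIT_LOG = """\
type=PATH msg=audit(1315892347.128:22769): item=0 name="/usr/sbin/sendmail" inode=1182975 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:exim_exec_t:s0
type=CWD msg=audit(1315892347.128:22769): cwd="/root"
type=EXECVE msg=audit(1315892347.128:22769): argc=2 a0="/usr/sbin/sendmail" a1="-t"
type=SYSCALL msg=audit(1315892347.128:22769): arch=c000003e syscall=59 success=yes exit=0 a0=6649d0 a1=78b6b0 a2=624c00 a3=7dc95a39a7f0 items=2 ppid=25264 pid=27468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/exim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(1315893630.757:30022): item=0 name="/usr/sbin/sendmail" inode=1182975 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:exim_exec_t:s0
type=CWD msg=audit(1315893630.757:30022): cwd="/var/www/website.net/htdocs"
type=EXECVE msg=audit(1315893630.757:30022): argc=3 a0="/usr/sbin/sendmail" a1="-t" a2="-i"
type=SYSCALL msg=audit(1315893630.757:30022): arch=c000003e syscall=59 success=yes exit=0 a0=6ecd40 a1=6ece10 a2=6ebbc0 a3=7685f60a8cd0 items=2 ppid=26923 pid=7351 auid=4294967295 uid=1501 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/exim" subj=system_u:system_r:system_mail_t:s0 key=(null)
"""

# key=value pairs; values are either a double-quoted string or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

UNSET_AUID = 4294967295           # auditd writes this when no login session is attached
MAIL_EXE = "/usr/sbin/exim"       # /usr/sbin/sendmail is an alias of exim on this host (from the post)
EXPECTED_CWD_PREFIXES = ("/var/www/",)   # assumption: legitimate site mail starts in a web docroot


def parse_audit(text):
    """Group raw audit lines by event serial.

    Returns {serial: {"time": epoch_float, "records": {record_type: fields}}}.
    PATH records repeat per item, so they are kept as a list.
    """
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = float(m.group(1)), int(m.group(2))
        ev = events.setdefault(serial, {"time": ts, "records": {}})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rtype = fields.get("type")
        if rtype == "PATH":
            ev["records"].setdefault("PATH", []).append(fields)
        else:
            ev["records"][rtype] = fields
    return events


def argv_of(ev):
    """Rebuild argv from the EXECVE record (a0..a<argc-1>); SYSCALL's a0..a3 are raw registers, not argv."""
    ex = ev["records"].get("EXECVE")
    if not ex:
        return []
    return [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]


def assess_mail_exec(ev):
    """Return the list of reasons this sendmail execution looks unlike web-application mail (empty = looks normal)."""
    sc = ev["records"].get("SYSCALL", {})
    if sc.get("exe") != MAIL_EXE:
        return []                       # not a sendmail/exim execution at all
    cwd = ev["records"].get("CWD", {}).get("cwd", "")
    uid, auid, subj = int(sc.get("uid", -1)), int(sc.get("auid", -1)), sc.get("subj", "")
    reasons = []
    if uid == 0:
        reasons.append("runs as uid 0; site mail runs as the web user")
    if "unconfined_t" in subj:
        reasons.append("unconfined SELinux domain; mail from httpd is confined to system_mail_t")
    if uid == 0 and auid == UNSET_AUID:
        reasons.append("root with no login session (auid unset): cron job, daemon or script, not an interactive shell")
    if cwd and not cwd.startswith(EXPECTED_CWD_PREFIXES):
        reasons.append(f"cwd {cwd!r} is outside the expected web roots")
    return reasons


def triage(text):
    """Map serial -> reasons for every flagged sendmail execution in the log text."""
    return {s: r for s, ev in parse_audit(text).items() if (r := assess_mail_exec(ev))}


if __name__ == "__main__":
    events = parse_audit(SAMPLE_AUDIT_LOG)
    for serial, reasons in triage(SAMPLE_AUDIT_LOG).items():
        ev, sc = events[serial], events[serial]["records"]["SYSCALL"]
        when = datetime.fromtimestamp(ev["time"], tz=timezone.utc).isoformat()
        print(f"[{when}] serial={serial} pid={sc['pid']} ppid={sc['ppid']} argv={argv_of(ev)}")
        for r in reasons:
            print("   -", r)
```

Run it against a real file with `parse_audit(open("/var/log/audit/audit.log.3").read())`; the ppid it prints is the process to chase next (in `ausearch -p <ppid>`, cron logs, or the exim spool headers), and the `auid=4294967295` test separates jobs started by cron or a daemon from mail sent from someone's root login.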