[Gllug] r00ted?
Darren Beale
lists at acksys.co.uk
Mon Sep 8 09:57:54 UTC 2003
Hi
I think someone has attempted to r00t one of my servers, which is doubly annoying
as I've got new hardware ready to build in order to ditch the
'dedicated' ones that I currently use. I think they've only partially
succeeded, but I need to know how far they've got and how I can safely
continue to use this machine for the next month or so whilst the new
machines are built. FYI, yes, there are backups, but data only, so I can't
roll back to before Sat when I think the attack happened.
So, the facts:
Looks like the attacker got in through an SSL hole; lots of logs show
connections from the same machine.
tcp 0 1 217.199.177.76:443 210.176.63.191:58436 FIN_WAIT1
tcp 0 1 217.199.177.76:443 210.176.63.191:58468 FIN_WAIT1
tcp 0 1 217.199.177.76:443 210.176.63.191:58644 FIN_WAIT1
<massive snip />
2 mins later the NIC was in promiscuous mode and rkdet shut the machine down.
rkdet also reckons that checksums differ on ps and netstat.
Snipped output from chkrootkit (0.41)
Checking `lkm'... You have 13 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
eth0:0 is not promisc
I've compared the output of ps and the PIDs in /proc and there are
indeed differences, but TBH I'm not sure what I'm looking for; the
process names are innocuous enough: mysqld, httpd, cronolog...
Also, I had a look in /tmp and there was a suspicious tgz in there
(owned by apache, which would figure I guess), "x90 rootkit by anime",
although the timestamp is July 25 so I don't know if that's a red
herring. Looking at the kit's setup program, the first two things that
it does are to change ps and netstat, so that would match with what's
happened; it also copies the original ps to /lib/security/.config/.ps.
Comparing the output of the two, I see a few dodgy-looking sshd processes
and a syslogd one:
syslogd -m 0 -a /home/virtual/FILESYSTEMTEMPLATE/log-
(the log- file was empty)
/usr/sbin/sshd
sshd -f /etc/ssh/sshd-rb_config
/usr/bin/sshd -q
/usr/local/sbin/cronolog /home/virtual/site8/fst/var/
/usr/local/sbin/cronolog /home/virtual/site21/fst/va
I've now killed these.
Finally, when I was fishing around last night, rkdet was tripped (not by
me I think) and it shut down again.
Warning: Interface eth0 is in promiscuous mode
Warning: Interface eth0:0 is in promiscuous mode
11:47pm up 7:06, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bealers pts/0 dsl-217-155-117- 6:15pm 7.00s 0.60s 0.59s -bash
bealers pts/1 dsl-217-155-117- 10:37pm 1:05m 0.08s 0.08s -bash
So, reading up, all sensible solutions seem to be to bring the machine up
in single user mode, disconnected from the network, and re-image it, but
this is not feasible; the machine has to be up now.
What I need to know is, based on what I've supplied, do you think this
was a messy attempt at r00ting that failed, or did they get in, but whenever
they start to try sniffing, rkdet shuts the machine down?
Ultimately this machine will be toast within two months, but I need it
up and running until then. Can anyone offer some advice on how to keep
the machine up safely?
thanks
--
Darren Beale
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
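One way to reproduce the ps-versus-/proc comparison the post describes, as an added example that is not part of the original message nor of chkrootkit or rkdet; the /proc listing and ps output are constructed samples so it runs offline, and scan_live() repeats the same check on a real Linux host:

```python
import os
import subprocess

# Constructed sample: names as they would appear in a listing of /proc.
# Only the all-digit entries are process directories.
SAMPLE_PROC_ENTRIES = ["1", "2", "512", "640", "641", "700", "712",
                       "self", "cpuinfo", "meminfo"]

# Constructed sample of `ps -eo pid,comm` output. PIDs 700 and 712 exist in
# /proc but are missing here, which is what a trojaned ps (or an LKM that
# filters the process list) produces.
SAMPLE_PS_OUTPUT = """\
  PID COMMAND
    1 init
    2 kflushd
  512 mysqld
  640 httpd
  641 httpd
"""

def pids_from_proc(entries):
    """Return the set of PIDs from a /proc listing (numeric names only)."""
    return {int(e) for e in entries if e.isdigit()}

def pids_from_ps(ps_text):
    """Parse `ps -eo pid,comm` output into {pid: command}, skipping the header."""
    procs = {}
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            procs[int(parts[0])] = parts[1].strip()
    return procs

def hidden_pids(proc_pids, ps_procs):
    """PIDs present in /proc but absent from ps: candidates hidden from ps."""
    return sorted(proc_pids - set(ps_procs))

def scan_live():
    """Run the comparison against this host's real /proc and ps (Linux only).

    ps and its short-lived children can appear in /proc but not in ps's own
    output, so only PIDs that stay hidden across repeated runs are worth a look.
    """
    proc_pids = pids_from_proc(os.listdir("/proc"))
    out = subprocess.run(["ps", "-eo", "pid,comm"], capture_output=True,
                         text=True, check=True).stdout
    return hidden_pids(proc_pids, pids_from_ps(out))

if __name__ == "__main__":
    sample = hidden_pids(pids_from_proc(SAMPLE_PROC_ENTRIES),
                         pids_from_ps(SAMPLE_PS_OUTPUT))
    print("hidden in sample:", sample)  # → [700, 712]
```

An LKM can filter /proc as well as ps, so an empty result on a live host only shows that the two views agree, not that the kernel is clean; that is why the clean-boot-and-reimage advice the post mentions is the only conclusive check.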