[Gllug] r00ted?

Grzegorz Jaskiewicz gj at pointblue.com.pl
Tue Sep 9 09:52:32 UTC 2003


Darren Beale wrote:

> Hi
>
> I think someone has attempted to r00t one of my servers, doubly 
> annoying as I've got new hardware ready to build in order to ditch the 
> 'dedicated' ones that I currently use. I think they've only partially 
> succeeded but I need to know how far they've got and how I can safely 
> continue to use this machine for the next month or so whilst the new 
> machines are built. FYI yes there are backups, but data only so I 
> can't rollback prior to Sat when I think the attack happened.
>
> So, the facts:
> looks like the attacker got in through an SSL hole, lots of logs show 
> connections from the same machine.
>
> tcp        0      1 217.199.177.76:443      210.176.63.191:58436    FIN_WAIT1
> tcp        0      1 217.199.177.76:443      210.176.63.191:58468    FIN_WAIT1
> tcp        0      1 217.199.177.76:443      210.176.63.191:58644    FIN_WAIT1
>
> <massive snip />
>
> 2 mins later the NIC was in promiscuous mode and rkdet shut the 
> machine down
>
> rkdet also reckons that checksums differ on ps and netstat
>
> Snipped output from chkrootkit (0.41)
>
> Checking `lkm'... You have    13 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'...
> eth0 is not promisc
> eth0:0 is not promisc

chkrootkit is nice, but e.g. from one of my production machines:
...
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... nothing detected
.....

jackie:~# netstat -anp|grep 465
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      80/inetd

jackie:~# cat /etc/inetd.conf|grep ssmtp
ssmtp   stream  tcp     nowait  root    /usr/local/sbin/stunnel stunnel -p /etc/stunnel.pem -r 127.0.0.1:26

So he is a bit wrong this time :D

I have got this false detection ever since.

But yours looks positive, unfortunately.

>
> What I need to know is, based on what I've supplied, do you think this 
> was a messy attempt at r00ting that failed? or they got in but 
> whenever they start to try sniffing rkdet shuts the machine down.
>
> Ultimately this machine will be toast within two months, but I need it 
> up and running until then, can anyone offer some advice on how to keep 
> the machine up safely?

There is nothing you can do, either way - after a break-in the system must be 
set up completely from scratch, unless you have a clean backup, which should 
be created right after the machine is set up.

Grab all config files, check them manually. Set up a new system, and try to 
use those config files. But you need to be sure they are really clean 
(e.g. no bindshells in xinetd/inetd).
Set it up, test it and create a backup. You can do this with, for example:

find /bin /boot /lib /usr /var /root /sbin | cpio -o -Hcrc | gzip -1 > /backup.cpio.gz

--
GJ
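An added example, not from this thread or from any of the posters: a small POSIX shell script that records a checksum manifest of a freshly installed tree (the "clean backup made right after setup" recommended above) and later reports changed, missing or new files, which is the same comparison rkdet made when it flagged ps and netstat. The tree root, manifest path and file names are assumptions; the verifying copy of find and sha256sum should come from known-good media, since a rootkit that replaces ps can replace the checksummer too.

```shell
#!/bin/sh
# Baseline-and-verify for system binary directories (added example).
# Assumes GNU/BSD find, sort -z, xargs -0 and sha256sum; paths must not
# contain whitespace, which holds for /bin, /sbin, /lib and /usr.

# make_baseline ROOT MANIFEST: one "hash  ./path" line per regular file.
make_baseline() {
    root=$1; manifest=$2
    (cd "$root" && find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 sha256sum) > "$manifest"
}

# verify_baseline ROOT MANIFEST: prints CHANGED/MISSING/NEW lines.
# Returns 0 when the tree still matches the manifest, 1 otherwise.
verify_baseline() {
    root=$1; manifest=$2
    rc=0
    # Files recorded in the baseline: rehash each and compare.
    while read -r hash path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(sha256sum < "$root/$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$manifest"
    # Files present now that the baseline never saw (dropped-in binaries).
    for path in $(cd "$root" && find . -type f); do
        awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' "$manifest" \
            || { echo "NEW $path"; rc=1; }
    done
    return $rc
}

# Typical use (not executed here):
#   make_baseline / /mnt/usb/baseline.sha256     right after the clean install
#   verify_baseline / /mnt/usb/baseline.sha256   from rescue media, later
```

Store the manifest (and a copy of the tools) off the machine; a manifest on the compromised disk can be rewritten along with the binaries it describes.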


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug