[Gllug] r00ted?
Grzegorz Jaskiewicz
gj at pointblue.com.pl
Tue Sep 9 09:52:32 UTC 2003
Darren Beale wrote:
> Hi
>
> I think someone has attempted to r00t one of my servers, doubly
> annoying as I've got new hardware ready to build in order to ditch the
> 'dedicated' ones that I currently use. I think they've only partially
> succeeded but I need to know how far they've got and how I can safely
> continue to use this machine for the next month or so whilst the new
> machines are built. FYI yes there are backups, but data only so I
> can't rollback prior to Sat when I think the attack happened.
>
> So, the facts:
> looks like the attacker got in through an SSL hole, lots of logs show
> connections from the same machine.
>
> tcp 0 1 217.199.177.76:443 210.176.63.191:58436 FIN_WAIT1
> tcp 0 1 217.199.177.76:443 210.176.63.191:58468 FIN_WAIT1
> tcp 0 1 217.199.177.76:443 210.176.63.191:58644 FIN_WAIT1
>
> <massive snip />
>
> 2 mins later the NIC was in promiscuous mode and rkdet shut the
> machine down
>
> rkdet also reckons that checksums differ on ps and netstat
>
> Snipped output from chkrootkit (0.41)
>
> Checking `lkm'... You have 13 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'...
> eth0 is not promisc
> eth0:0 is not promisc
chkrootkit is nice, but e.g. from one of my production machines:
...
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... nothing detected
.....
jackie:~# netstat -anp|grep 465
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 80/inetd
jackie:~# cat /etc/inetd.conf|grep ssmtp
ssmtp stream tcp nowait root /usr/local/sbin/stunnel stunnel -p /etc/stunnel.pem -r 127.0.0.1:26
So he is a bit wrong this time :D
I have got this false detection ever since.
But yours looks positive, unfortunately.
>
> What I need to know is, based on what I've supplied, do you think this
> was a messy attempt at r00ting that failed? or they got in but
> whenever they start to try sniffing rkdet shuts the machine down.
>
> Ultimately this machine will be toast within two months, but I need it
> up and running until then, can anyone offer some advice on how to keep
> the machine up safely?
There is nothing you can do either way - after a break-in the system must be
set up completely from scratch, unless you have a clean backup, which should
have been created right after the machine was set up.
Grab all config files and check them manually. Set up a new system and try to
use those config files. But you need to be sure they are really clean
(e.g. no bindshells in xinetd/inetd).
Set it up, test it and create a backup. You can do this with, for example:
find /bin /boot /lib /usr /var /root /sbin | cpio -o -Hcrc | gzip -1 >/backup.cpio.gz
--
GJ
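The manual check GJ does for port 465 (does the flagged port belong to a known inetd service, and what program does inetd launch for it?) can be scripted. The following is an added example, not code from the thread; the chkrootkit, netstat -anp, inetd.conf and /etc/services excerpts are constructed, with port 31337 invented as an unowned listener.

```shell
#!/bin/sh
# Added example: triage chkrootkit "bindshell" hits against netstat -anp socket
# owners and the inetd configuration. All inputs below are constructed samples.
CHK_OUT=$(cat <<'EOF'
Checking `bindshell'... INFECTED (PORTS: 465 31337)
Checking `lkm'... nothing detected
EOF
)
NETSTAT_OUT=$(cat <<'EOF'
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 80/inetd
tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN -
EOF
)
INETD_CONF=$(cat <<'EOF'
ssmtp stream tcp nowait root /usr/local/sbin/stunnel stunnel -p /etc/stunnel.pem -r 127.0.0.1:26
EOF
)
SERVICES=$(cat <<'EOF'
ssmtp 465/tcp
EOF
)

# Ports chkrootkit flagged as bindshells, one per line.
flagged_ports() {
    printf '%s\n' "$CHK_OUT" | sed -n 's/.*bindshell.*PORTS: \([0-9 ]*\)).*/\1/p' | tr ' ' '\n'
}

# PID/program owning the LISTEN socket on a TCP port ("-" when netstat cannot tell).
listener_of() {
    printf '%s\n' "$NETSTAT_OUT" | awk -v p="$1" '$4 ~ (":" p "$") && $6 == "LISTEN" { print $7; exit }'
}

# For an inetd-owned port: the server program inetd.conf launches for that service.
inetd_program_for() {
    svc=$(printf '%s\n' "$SERVICES" | awk -v p="$1" '$2 == (p "/tcp") { print $1; exit }')
    [ -n "$svc" ] && printf '%s\n' "$INETD_CONF" | awk -v s="$svc" '$1 == s { print $6; exit }'
}

# One line per flagged port: "PORT explained PROGRAM" or "PORT UNEXPLAINED".
triage() {
    for port in $(flagged_ports); do
        owner=$(listener_of "$port")
        case "$owner" in
            */inetd) prog=$(inetd_program_for "$port")
                     [ -n "$prog" ] && echo "$port explained $prog" || echo "$port UNEXPLAINED" ;;
            ""|-)    echo "$port UNEXPLAINED" ;;
            *)       echo "$port explained $owner" ;;
        esac
    done
}

# Ports that still need hands-on investigation (the real suspects).
unexplained_ports() { triage | awk '$2 == "UNEXPLAINED" { print $1 }'; }
```

A port is only marked explained when a named process owns it and, for inetd, a configured service maps to it; a listener netstat shows as "-" stays a suspect.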
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug