[Gllug] r00ted?
Ian Norton
bredroll at darkspace.org.uk
Mon Sep 8 13:52:18 UTC 2003
It sounds like they have succeeded.
If I were you, I would install a new box, upload a tarball of the
entire system, then unpack it over everything.
Then sort out lilo and go for a reboot.
I know it sounds dodgy, but compared to actually using a r00ted box?
Ian
On Mon, Sep 08, 2003 at 10:57:54AM +0100, Darren Beale wrote:
> Hi
>
> I think someone has attempted to r00t one of my servers, doubly annoying
> as I've got new hardware ready to build in order to ditch the
> 'dedicated' ones that I currently use. I think they've only partially
> succeeded but I need to know how far they've got and how I can safely
> continue to use this machine for the next month or so whilst the new
> machines are built. FYI yes there are backups, but data only so I can't
> rollback prior to Sat when I think the attack happened.
>
> So, the facts:
> looks like the attacker got in through an SSL hole, lots of logs show
> connections from the same machine.
>
> tcp 0 1 217.199.177.76:443 210.176.63.191:58436 FIN_WAIT1
> tcp 0 1 217.199.177.76:443 210.176.63.191:58468 FIN_WAIT1
> tcp 0 1 217.199.177.76:443 210.176.63.191:58644 FIN_WAIT1
>
> <massive snip />
>
> 2 mins later the NIC was in promiscuous mode and rkdet shut the machine down
>
> rkdet also reckons that checksums differ on ps and netstat
>
> Snipped output from chkrootkit (0.41)
>
> Checking `lkm'... You have 13 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'...
> eth0 is not promisc
> eth0:0 is not promisc
>
> I've compared the output of ps and the PIDs in /proc and there are
> indeed differences, but TBH I'm not sure what I'm looking for; the
> process names are innocuous enough, mysqld, httpd, cronolog...
>
> Also, I had a look in /tmp and there was a suspicious tgz in there
> (owned by apache, which would figure I guess), "x90 rootkit by anime",
> although the timestamp is July 25 so I don't know if that's a red
> herring. Looking at the kit's setup program, the first two things that
> it does are to change ps and netstat, so that would match with what's
> happened; it also copies the original ps to /lib/security/.config/.ps
>
> Comparing the output of the two I see a few dodgy looking sshd processes
> and a syslogd one
>
> syslogd -m 0 -a /home/virtual/FILESYSTEMTEMPLATE/log-
> (the log- file was empty)
> /usr/sbin/sshd
> sshd -f /etc/ssh/sshd-rb_config
> /usr/bin/sshd -q
> /usr/local/sbin/cronolog /home/virtual/site8/fst/var/
> /usr/local/sbin/cronolog /home/virtual/site21/fst/va
>
> I've now killed these
>
> Finally, when I was fishing around last night, rkdet was tripped (not by
> me I think) and it shut down again.
>
> Warning: Interface eth0 is in promiscuous mode
> Warning: Interface eth0:0 is in promiscuous mode
> 11:47pm up 7:06, 2 users, load average: 0.00, 0.00, 0.00
> USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
> bealers pts/0 dsl-217-155-117- 6:15pm 7.00s 0.60s 0.59s -bash
> bealers pts/1 dsl-217-155-117- 10:37pm 1:05m 0.08s 0.08s -bash
>
> So, reading up, all sensible solutions seem to be to bring the machine up
> in single user mode, disconnected from the network, and re-image it, but
> this is not feasible; the machine has to be up now.
>
> What I need to know is, based on what I've supplied, do you think this
> was a messy attempt at r00ting that failed? Or did they get in, but whenever
> they start to try sniffing rkdet shuts the machine down?
>
> Ultimately this machine will be toast within two months, but I need it
> up and running until then, can anyone offer some advice on how to keep
> the machine up safely?
>
> thanks
>
> --
> Darren Beale
>
>
>
> --
> Gllug mailing list - Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
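The ps-versus-/proc comparison Darren describes, as an added example that is not part of the thread (POSIX sh written for this page; the function names and the PS_BIN variable are my own choices):

```sh
# Added example, not from the thread: cross-check the PIDs the kernel exposes
# in /proc against the PIDs that ps reports. A process present in /proc but
# missing from ps output is what chkrootkit's "process hidden for ps command"
# warning and the rkdet checksum mismatch on ps are pointing at.
# Caveat: on a compromised host sh, ps and tr may themselves be trojaned, so
# run this with binaries from known-good media and treat the output as a hint.

# hidden_pids "PROC_PIDS" "PS_PIDS": print each PID from the first
# space-separated list that does not occur in the second, one per line.
hidden_pids() {
    for pid in $1; do
        case " $2 " in
            *" $pid "*) ;;                 # ps reports it: nothing to flag
            *) printf '%s\n' "$pid" ;;     # in /proc but not in ps: hidden
        esac
    done
}

# PIDs straight from the kernel: the numeric directory names under /proc.
proc_pids() {
    for d in /proc/[0-9]*; do printf '%s ' "${d#/proc/}"; done
}

# PIDs as reported by ps. PS_BIN lets you point at a known-good copy instead
# of whatever binary is first on PATH.
ps_pids() {
    "${PS_BIN:-ps}" -e -o pid= | tr -s ' \n' '  '
}

# Report live differences. Re-check /proc before printing: a process that
# exited between the two snapshots is a transient, not a hidden one.
report_hidden() {
    for pid in $(hidden_pids "$(proc_pids)" "$(ps_pids)"); do
        [ -d "/proc/$pid" ] || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || :)
        printf 'hidden from ps: pid %s  cmd: %s\n' "$pid" "${cmd:-(kernel thread or unreadable)}"
    done
}

# An LKM rootkit that also filters /proc directory listings hides from
# proc_pids as well; probing each /proc/<n> directly still catches kits that
# only filter readdir. Slow in sh, hence the MAX argument (default 32768).
probe_pids() {
    n=1
    while [ "$n" -le "${1:-32768}" ]; do
        [ -d "/proc/$n" ] && printf '%s ' "$n"
        n=$((n + 1))
    done
}
```

Source the file and call `report_hidden` (or `hidden_pids "$(probe_pids)" "$(ps_pids)"` for the slower probe); a PID that shows up with an sshd or syslogd command line you did not start is the kind of entry worth checking against the kit's own copy of the original ps.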