[Nottingham] Rootkit/break in

Jon Masters nottingham at mailman.lug.org.uk
Mon Aug 11 14:52:02 2003


On Mon, 11 Aug 2003, Johannes Kling wrote:

> To clean the mess up, I reinstalled pretty much all basic system
> binaries (ls, find, ps, kill, killall etc.)

Obviously this is a very short term measure because the box will need to
be re-installed as soon as the investigation is cleared up.

> The host box runs RedHat 7.3, uname -a is:
> Linux XXXXXXX 2.4.18 #20 SMP Mon Aug 4 22:44:39 CDT 2003 i686 unknown

Several kernel vulnerabilities in 2.4.18, in particular remote and local,
but Redhat fixed most, so possibly a local user ptrace-style exploit.

Did you interview the users yet and ask them why they gave someone they
did not trust an account on the system? Do they have stupid passwords Jo?

> Aside from the usual breaking of find, ls, ps, etc. there were a few
> more files installed:
> 
> ==================================================================
>   '/usr/bin/smbd -D' : (662395b size, 336990259f74c424ab7fff08ea14c434 md5sum)

This is the usual name under which Samba runs as the -D indicates to run
as a daemon process. You might check the MD5 by posting it to usenet.

Run objdump -x -D -s $file and send the output and the original to me personally.

> ==================================================================
>   '/usr/bin/(swapd)' : (11261b size, b41a4bb5027e59957aed39b201af95ee md5sum)

That one is amusing.

Run the command above on this and send to me also please.

> These three files are available at
> http://www.printk.net/~jok/non-site/nottlug_rk_files.tgz , for those
> who are interested.

Ah ok. Could you still send me the output of that program on the target
system, however, to aid my diagnostics? Please send me kernel/System.map.

Jon.
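The thread above turns on two checks: comparing the MD5 of each system binary against a trusted value, and noticing extra files whose names are chosen to blend into a process listing ('/usr/bin/smbd -D', '/usr/bin/(swapd)'). The following script is an added example, not code from the list or from the author of the post; it audits a directory of binaries against a baseline manifest, flags names containing whitespace or parentheses, and matches files against the two MD5 values quoted in the post. The directory, its contents and the baseline are constructed here for the demonstration; the audit_directory and demo function names are this example's own.

```python
import hashlib
import os
import re
import tempfile

# MD5 values the original post reports for the two rootkit binaries; a file
# hashing to one of these is a direct match for that kit.
KNOWN_BAD_MD5 = {
    "336990259f74c424ab7fff08ea14c434": "'/usr/bin/smbd -D' from the post",
    "b41a4bb5027e59957aed39b201af95ee": "'/usr/bin/(swapd)' from the post",
}

# A filename containing whitespace or parentheses is not a normal system
# binary; it is chosen so that the process listing looks like a daemon
# started with flags ("smbd -D") or a kernel thread ("(swapd)").
SUSPICIOUS_NAME = re.compile(r"[\s()]")


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_directory(bin_dir: str, baseline: dict) -> dict:
    """Compare every regular file in bin_dir against a trusted baseline
    {basename: md5}. Returns four sorted lists of names:
    modified (hash differs from baseline), unknown (not in baseline),
    suspicious_name (name mimics a process entry), known_bad (hash in
    KNOWN_BAD_MD5)."""
    findings = {"modified": [], "unknown": [], "suspicious_name": [], "known_bad": []}
    for name in sorted(os.listdir(bin_dir)):
        path = os.path.join(bin_dir, name)
        if not os.path.isfile(path):
            continue
        digest = md5_of_file(path)
        if digest in KNOWN_BAD_MD5:
            findings["known_bad"].append(name)
        if SUSPICIOUS_NAME.search(name):
            findings["suspicious_name"].append(name)
        if name not in baseline:
            findings["unknown"].append(name)
        elif baseline[name] != digest:
            findings["modified"].append(name)
    return findings


def demo() -> dict:
    """Run the audit on a constructed directory: one clean binary, one
    replaced binary, and two extra files named like the ones in the post."""
    with tempfile.TemporaryDirectory() as bin_dir:
        on_disk = {
            "ls": b"genuine ls",          # untouched
            "ps": b"trojaned ps",         # replaced by the intruder
            "smbd -D": b"backdoor one",   # extra file, name mimics a daemon
            "(swapd)": b"backdoor two",   # extra file, name mimics a kernel thread
        }
        # Baseline as it would have been recorded from clean install media.
        baseline = {
            "ls": md5_of_bytes(b"genuine ls"),
            "ps": md5_of_bytes(b"genuine ps"),
        }
        for name, content in on_disk.items():
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(content)
        return audit_directory(bin_dir, baseline)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

Two caveats follow from the post itself. The baseline must come from trusted media, not from the box under investigation, and since the reply suspects a kernel exploit, file contents read through the running kernel of that box cannot be trusted either; run the check from clean boot media against the mounted disk. On a RedHat system the package database gives a ready-made baseline via rpm -Va, with the same caveat about where the rpm binary and database are read from.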