[PLUG] Questions regarding compromised system

Robert Anderson riznob at gmail.com
Fri Jan 19 19:00:43 UTC 2007


On 1/19/07, alan <alan at clueserver.org> wrote:
>
> On Thu, 18 Jan 2007, David Mandel wrote:
>
> > I have a server that appears to have been compromised.
> >
> > I found three executable files where none should be:
> >
> > -r-xr-xr-x  1 root root 111748 2007-01-16 17:12 /dev/pt
> > -rwxr-xr-x  1 root root 102512 2007-01-16 17:12 /dev/nt
> > -rwxr-xr-x  1 root root 20404 2007-01-16 17:12 /dev/tr
> >
> > I also found three files in /bin that were associated with a
> > non-existent user.
> >
> > -rwxr-xr-x  1  501   501  713798 2003-03-01 12:18 kswaps
> > -rwxr-xr-x  1  501   501   15859 2003-03-01 12:20 netstat
> > -r-xr-xr-x  1  501   501  111748 2007-01-17 18:03 ps
> > -rwxrwxr-x  1  501   501   13763 2003-03-16 05:42 scat
> >
> > and I found the following in /usr/bin/
> >
> > -rwxr-xr-x  1  501     501   15859 2003-03-01 12:22 pstree
> > -rwxr-xr-x  1  500     502  496231 2006-11-19 02:52 sshd
> >
> > worse yet, I seem to have multiple sshd files around and none of them
> > appear to be
> > the length I expect.
> >
> > And worst of all,  certain files like /bin/cp and /bin/vim aren't
> > right.  In fact, I get Segmentation Errors when I run them.  I have
> > tried replacing them with a corrected file, but these corrected files
> > get "unreplaced" before long.
> >
> > Finally, I have a couple ports open that shouldn't be open.
> > These are:
> >          444/tcp  open   snpp
> >          6668/tcp open   irc
> >
> > Ok, so what is going on?
>
> You have been rooted.  Those applications (and a few more, I would guess)
> have been replaced with rigged versions.  (Usually to hide the real apps.)
>
>
> chkrootkit is your friend in this case.
>
> > I know I have been compromised and will have to figure out a way to
> > rebuild the system which isn't easy given the location of the machine.
> > However, I would really like to know how I was compromised so I can
> > prevent it in the future.  At the moment, I'm looking at my log files,
> > but I haven't found much useful information - except that I'm very
> > suspicious of a machine with ip= 81.181.170.26.  It is in Romania.
>
> Sounds like the IRC twits that rooted my machine about five years back.
>
> > Is this a well known event that every security person knows about?
> > I don't claim to know anything about computer security - well, just
> > enough to get by - usually - but not today.
>
> You will need to reinstall.  Most rootkits install all sorts of backdoors.
> Finding them all is a royal pain.
>
> What version of Linux are you running?
>
> If you need help with it, contact me off-line.
>
> --
> "Invoking the supernatural can explain anything, and hence explains
> nothing."
>                   - University of Utah bioengineering professor Gregory
> Clark
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>

Yeah, you got hacked. What distro and version are you using? What services
were you running before the hack? They could have used a known exploit that
had yet to be patched. They could have used a brute force attack to gain
access. You will want to get your data off that box asap, and reinstall. It
is not likely that you will be able to locate the attacker. The IP address
in Romania is probably another box they rooted, an internet cafe, public
library, college computer lab or something like that. It's not likely that
it's the IP address that their ISP assigned them. Unless you have
potentially lost significant intellectual property, it's not going to be worth
pursuing. It would be worth finding the exploit they used though, if it's
not too much work, and most people here would probably be interested to
know.

In the future, keep up with updates to the services you are running. Use
good passwords. These two things alone will likely prevent most attacks from
succeeding. Perhaps install an IDS and something like Tripwire to routinely
check the integrity of your binaries.

-- 
Rob Anderson
riznob at gmail.com
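The reply above recommends Tripwire-style integrity checks, and the original post lists the tells an integrity checker would have caught: executables sitting under /dev, binaries in /bin owned by a UID with no account, and system binaries whose size changed. The following Python script is an added example written for this archive page, not code from the thread or from Tripwire. It builds a baseline of digests, sizes, modes and owners, diffs a later snapshot against it, and runs the two extra checks the post suggests. All paths, file names and the UID sets in `demo()` are constructed for the example; `system_uids()` is a helper assumed for real use on a Unix host.

```python
"""Minimal Tripwire-style integrity check (added example, not from the thread)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size, permission bits and owner UID of every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
            }
    return baseline


def compare(baseline, current):
    """Diff two baselines: files dropped in, files removed, files whose content/owner/mode changed."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "missing": missing, "changed": changed}


def system_uids():
    """UIDs present in the account database (Unix only; assumed helper for real hosts)."""
    import pwd
    return {e.pw_uid for e in pwd.getpwall()}


def orphaned_files(root, known_uids):
    """Files owned by a UID with no account, like the uid 501 binaries in the post."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and not p.is_symlink() and p.lstat().st_uid not in known_uids)


def executables_in_dev(dev_root):
    """Regular files with an execute bit under /dev, which should hold device nodes only."""
    dev_root = Path(dev_root)
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return sorted(str(p.relative_to(dev_root)) for p in dev_root.rglob("*")
                  if p.is_file() and not p.is_symlink() and p.lstat().st_mode & exec_bits)


def demo():
    """Constructed scenario: baseline a fake /bin, then tamper with it the way the post describes."""
    with tempfile.TemporaryDirectory() as bin_dir, tempfile.TemporaryDirectory() as dev_dir:
        bin_dir, dev_dir = Path(bin_dir), Path(dev_dir)
        (bin_dir / "ps").write_bytes(b"original ps")            # constructed stand-in for /bin/ps
        (bin_dir / "netstat").write_bytes(b"original netstat")  # constructed stand-in for /bin/netstat
        baseline = build_baseline(bin_dir)

        (bin_dir / "ps").write_bytes(b"replaced ps")            # binary swapped for a rigged version
        (bin_dir / "kswaps").write_bytes(b"dropped tool")       # new file that should not exist
        (bin_dir / "netstat").unlink()                           # original removed
        (dev_dir / "pt").write_bytes(b"program in /dev")
        os.chmod(dev_dir / "pt", 0o555)                          # executable, like /dev/pt in the post
        (dev_dir / "plain").write_bytes(b"not executable")

        return {
            "integrity": compare(baseline, build_baseline(bin_dir)),
            "dev_executables": executables_in_dev(dev_dir),
            # files are owned by the current user; pretend that UID has no account, then that it does
            "orphans_unknown_owner": orphaned_files(bin_dir, known_uids=set()),
            "orphans_known_owner": orphaned_files(bin_dir, known_uids={os.getuid()}),
        }


if __name__ == "__main__":
    print(demo())
```

The baseline only has value if it was taken from a known-good install and stored off the host, and the comparison is run from trusted media (a rescue boot, or the disk mounted on a clean machine): on the box in the post, `ps`, `netstat` and `sshd` had already been replaced, so any check executed on that system could have been fed false results by the same kit.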


