Rooted by some script kiddies, perhaps... rpc.statd or BIND exploited. Some say it's better to reinstall the box; personally I like digging :-)) First, disconnect, kick out all aliens, or save them somewhere, quarantined, to check them out later. Then get some new packages on CDs, or floppies, or from the LAN, and update the daemons, after assuring they're not trojanized. Also search for traces of adore; get the kstat program to detect it (sorry, no URL at hand). Check your logs, email the attackers' ISPs if you can find something, and always be aware :) Good luck..
At 09:16 PM 1/3/02 -0500, Thedore Knab wrote:
>I recently inherited a machine that I think has been exploited.
>
>It seems to have a stupid root kit installed unless this is a decoy.
>
>What does it look like to you professionals?
>
>[root@moe ...]# uname -a
>Linux moe. 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
>
>[root@moe ...]# ps auxww
>USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
>root         1  0.0  0.3 1120  476 ?     S    2001  0:06 init [3]
>root         2  0.0  0.0    0    0 ?     SW   2001  0:00 [kflushd]
>root         3  0.0  0.0    0    0 ?     SW   2001  0:27 [kupdate]
>root         4  0.0  0.0    0    0 ?     SW   2001  0:00 [kpiod]
>root         5  0.0  0.0    0    0 ?     SW   2001  0:01 [kswapd]
>root         6  0.0  0.0    0    0 ?     SW<  2001  0:00 [mdrecoveryd]
>root       154  0.0  0.3 1104  392 ?     S    2001  0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r /etc/sysconfig/apm-scripts/resume
>bin        315  0.0  0.3 1216  404 ?     S    2001  0:00 portmap
>root       330  0.0  0.0    0    0 ?     SW   2001  0:00 [lockd]
>root       331  0.0  0.0    0    0 ?     SW   2001  0:00 [rpciod]
>root       340  0.0  0.4 1164  516 ?     S    2001  0:00 rpc.statd
>nobody     414  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     415  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     416  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     420  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     421  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>daemon     432  0.0  0.2 1144  296 ?     S    2001  0:00 /usr/sbin/atd
>root       446  0.0  0.4 1328  572 ?     S    2001  0:00 crond
>root       464  0.0  0.3 1168  468 ?     S    2001  0:00 inetd
>root       478  0.0  1.6 3160 2120 ?     S    2001 14:00 /usr/sbin/snmpd
>root       543  0.0  0.3 1156  400 ?     S    2001  0:00 gpm -t imps2
>xfs        604  0.0  0.6 1920  876 ?     S    2001  0:00 xfs -droppriv -daemon -port -1
>root       645  0.0  0.0  852  100 ?     S    2001  0:00 /etc/.../bindshell
>root       646  0.0  0.0  864  124 ?     S    2001  0:00 /etc/.../bnc
>root       650  0.0  0.3 1092  408 tty2  S    2001  0:00 /sbin/mingetty tty2
>root       651  0.0  0.3 1092  408 tty3  S    2001  0:00 /sbin/mingetty tty3
>root       652  0.0  0.3 1092  408 tty4  S    2001  0:00 /sbin/mingetty tty4
>root       653  0.0  0.3 1092  408 tty5  S    2001  0:00 /sbin/mingetty tty5
>root       654  0.0  0.3 1092  408 tty6  S    2001  0:00 /sbin/mingetty tty6
>root       655  0.0  0.0  856  104 ?     S    2001  0:00 /etc/.../lsh 31333 v0idzz
>named     9928  0.0  4.9 7268 6356 ?     S    2001  6:48 named -u named
>root     11369  0.0  0.3 1092  408 tty1  S    2001  0:00 /sbin/mingetty tty1
>root      3574  0.0  0.5 1464  760 ?     S    20:28 0:00 in.telnetd: calendar-spaces.
>root      3575  0.0  0.9 2312 1196 pts/0 S    20:28 0:00 login -- ted
>ted       3576  0.0  0.7 1696  940 pts/0 S    20:28 0:00 -bash
>root      3599  0.0  0.7 2008  900 pts/0 S    20:28 0:00 su -
>root      3600  0.0  0.7 1748  996 pts/0 S    20:29 0:00 -bash
>root      3719  0.0  0.4 1172  540 ?     S    20:38 0:00 syslogd -m 0
>root      3728  0.0  0.6 1440  768 ?     S    20:38 0:00 klogd
>root      3817  0.0  0.5 2332  704 pts/0 R    20:43 0:00 ps auxww
>
>[root@moe ...]# cd /etc/...
>[root@moe ...]# ls -la
>
>[root@moe ...]# chmod 0 /etc/rc.d/init.d/apmd
>[root@moe ...]# chmod 0 /etc/rc.d/init.d/atd
>
>Processes running after making a few kills:
>
>[root@moe /root]# ps aux
>USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
>root         1  0.0  0.3 1120  476 ?     S    2001  0:06 init [3]
>root         2  0.0  0.0    0    0 ?     SW   2001  0:00 [kflushd]
>root         3  0.0  0.0    0    0 ?     SW   2001  0:28 [kupdate]
>root         4  0.0  0.0    0    0 ?     SW   2001  0:00 [kpiod]
>root         5  0.0  0.0    0    0 ?     SW   2001  0:01 [kswapd]
>root         6  0.0  0.0    0    0 ?     SW<  2001  0:00 [mdrecoveryd]
>bin        315  0.0  0.3 1216  404 ?     S    2001  0:00 portmap
>root       330  0.0  0.0    0    0 ?     SW   2001  0:00 [lockd]
>root       331  0.0  0.0    0    0 ?     SW   2001  0:00 [rpciod]
>root       340  0.0  0.4 1164  516 ?     S    2001  0:00 rpc.statd
>nobody     414  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     415  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     416  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     420  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     421  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>root       446  0.0  0.4 1328  572 ?     S    2001  0:00 crond
>root       464  0.0  0.3 1168  468 ?     S    2001  0:00 inetd
>root       478  0.0  1.6 3160 2120 ?     S    2001 14:00 /usr/sbin/snmpd
>xfs        604  0.0  0.6 1920  876 ?     S    2001  0:00 xfs -droppriv -daemon -port -1
>root       650  0.0  0.3 1092  408 tty2  S    2001  0:00 /sbin/mingetty tty2
>root       651  0.0  0.3 1092  408 tty3  S    2001  0:00 /sbin/mingetty tty3
>root       652  0.0  0.3 1092  408 tty4  S    2001  0:00 /sbin/mingetty tty4
>root       653  0.0  0.3 1092  408 tty5  S    2001  0:00 /sbin/mingetty tty5
>root       654  0.0  0.3 1092  408 tty6  S    2001  0:00 /sbin/mingetty tty6
>named     9928  0.0  4.9 7268 6356 ?     S    2001  6:50 named -u named
>root     11369  0.0  0.3 1092  408 tty1  S    2001  0:00 /sbin/mingetty tty1
>root      3574  0.0  0.5 1464  760 ?     S    20:28 0:00 in.telnetd: calendar-spaces.
>root      3575  0.0  0.9 2312 1196 pts/0 S    20:28 0:00 login -- ted
>ted       3576  0.0  0.7 1696  940 pts/0 S    20:28 0:00 -bash
>root      3599  0.0  0.7 2008  900 pts/0 S    20:28 0:00 su -
>root      3600  0.0  0.7 1748  996 pts/0 S    20:29 0:00 -bash
>root      3719  0.0  0.4 1172  540 ?     S    20:38 0:00 syslogd -m 0
>root      3728  0.0  0.6 1440  768 ?     S    20:38 0:00 klogd
>root      3926  0.0  0.5 2332  700 pts/0 R    21:13 0:00 ps aux
>
>total 237
>drwxr-xr-x   2 root root   1024 Jan 31  2000 .
>drwxr-xr-x  34 root root   3072 Jan  3 20:38 ..
>-rwxr-xr-x   1 root root   5717 Apr  5  1997 bindshell
>-rwxr-xr-x   1 root root  11552 Apr  5  1997 bnc
>-rw-r--r--   1 root root     31 Apr 13  1997 bnc.conf
>-rws--x--x   1 root root  26218 Sep 28  1999 in.pop3d
>-rwxr-xr-x   1 root root 158300 Sep 28  1999 inetd
>-rwxr-xr-x   1 root root   7544 Sep  2  1999 lsh
>-rwxr-xr-x   1 root root   5528 Mar  8  1999 searchsniff
>-rwxr-xr-x   1 root root   8155 Mar 13  1999 snif
>-rwxr-xr-x   1 root root   8779 Mar  8  1999 sniff
>
>[root@moe ...]# cat bnc.conf
>pt:102938
>ps:rewt
>mu:5
>dp:6667
>
>Although mostly binary code this text appeared:
>
>[root@moe ...]# cat bnc.conf
>
>:[EMAIL PROTECTED] NOTICE %s :You need to say /quote PASS <password>
>PASS :[EMAIL PROTECTED] NOTICE %s :Level two, lets connect to something real now
>:[EMAIL PROTECTED] NOTICE %s :type /quote conn [server] <port> <pass> to connect
>vip:[EMAIL PROTECTED] NOTICE %s :Your Vhost is now %s
>conn:[EMAIL PROTECTED] NOTICE %s :Making reality through %s port %i
>PASS %s
>NICK %s
>rbnc.conf***Ack! No config file (bnc.conf).
>#:
>ptmudppsvhConfig line %i rejected-what weirdo told you '%s' goes in my config file?
>-NONE-
>Irc Proxy v2.2.4 GNU project (C) 1997-98
>Coded by James Seter bugs-> ([EMAIL PROTECTED])
>***Using defaults(Not recommended)
>--Configuration:
> Daemon port......:%u
> Password.........:%s
> Maxusers.........:%u
> Default conn port:%u
>
>[root@moe ...]# ./bnc
>
>Irc Proxy v2.2.4 GNU project (C) 1997-98
>Coded by James Seter bugs-> ([EMAIL PROTECTED])
>
>--Configuration:
>Daemon port......:102938
>Password.........:rewt
>Maxusers.........:5
>Default conn port:6667
>
>[root@moe ...]# ps aux
>USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
>root         1  0.0  0.3 1120  476 ?     S    2001  0:06 init [3]
>root         2  0.0  0.0    0    0 ?     SW   2001  0:00 [kflushd]
>root         3  0.0  0.0    0    0 ?     SW   2001  0:27 [kupdate]
>root         4  0.0  0.0    0    0 ?     SW   2001  0:00 [kpiod]
>root         5  0.0  0.0    0    0 ?     SW   2001  0:01 [kswapd]
>root         6  0.0  0.0    0    0 ?     SW<  2001  0:00 [mdrecoveryd]
>root       154  0.0  0.3 1104  392 ?     S    2001  0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r /etc/sysconfig/apm-scripts/resume
>bin        315  0.0  0.3 1216  404 ?     S    2001  0:00 portmap
>root       330  0.0  0.0    0    0 ?     SW   2001  0:00 [lockd]
>root       331  0.0  0.0    0    0 ?     SW   2001  0:00 [rpciod]
>root       340  0.0  0.4 1164  516 ?     S    2001  0:00 rpc.statd
>nobody     414  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     415  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     416  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     420  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>nobody     421  0.0  0.4 1308  544 ?     S    2001  0:00 identd -e -o
>daemon     432  0.0  0.2 1144  296 ?     S    2001  0:00 /usr/sbin/atd
>root       446  0.0  0.4 1328  572 ?     S    2001  0:00 crond
>root       464  0.0  0.3 1168  468 ?     S    2001  0:00 inetd
>root       478  0.0  1.6 3160 2120 ?     S    2001 14:00 /usr/sbin/snmpd
>root       543  0.0  0.3 1156  400 ?     S    2001  0:00 gpm -t imps2
>xfs        604  0.0  0.6 1920  876 ?     S    2001  0:00 xfs -droppriv -daemon -port -1
>root       645  0.0  0.0  852  100 ?     S    2001  0:00 /etc/.../bindshell
>root       646  0.0  0.0  864  124 ?     S    2001  0:00 /etc/.../bnc
>root       650  0.0  0.3 1092  408 tty2  S    2001  0:00 /sbin/mingetty tty2
>root       651  0.0  0.3 1092  408 tty3  S    2001  0:00 /sbin/mingetty tty3
>root       652  0.0  0.3 1092  408 tty4  S    2001  0:00 /sbin/mingetty tty4
>root       653  0.0  0.3 1092  408 tty5  S    2001  0:00 /sbin/mingetty tty5
>root       654  0.0  0.3 1092  408 tty6  S    2001  0:00 /sbin/mingetty tty6
>root       655  0.0  0.0  856  104 ?     S    2001  0:00 /etc/.../lsh 31333 v0idzz
>named     9928  0.0  4.9 7268 6356 ?     S    2001  6:49 named -u named
>root     11369  0.0  0.3 1092  408 tty1  S    2001  0:00 /sbin/mingetty tty1
>root      3574  0.0  0.5 1464  760 ?     S    20:28 0:00
>root      3575  0.0  0.9 2312 1196 pts/0 S    20:28 0:00 login -- ted
>ted       3576  0.0  0.7 1696  940 pts/0 S    20:28 0:00 -bash
>root      3599  0.0  0.7 2008  900 pts/0 S    20:28 0:00 su -
>root      3600  0.0  0.7 1748  996 pts/0 S    20:28 0:00 -bash
>root      3719  0.0  0.4 1172  540 ?     S    20:38 0:00 syslogd -m 0
>root      3728  0.0  0.6 1440  768 ?     S    20:38 0:00 klogd
>root      3826  0.0  0.2  864  292 ?     S    20:47 0:00 ./bnc
>root      3831  0.0  0.5 2332  700 pts/0 R    20:48 0:00 ps aux
>[root@moe ...]# date
>Thu Jan 3 20:48:36 EST 2002
>[root@moe ...]# kill -9 3826
>
>When I typed irc tab, these binaries came up:
>[root@moe ...]# irpd
>bindshell bnc bnc.conf in.pop3d inetd lsh searchsniff snif sniff
>
>I started to turn off these processes:
>
> 1068 kill -9 645
> 1069 ps aux
> 1070 kill -9 646
> 1071 kill -9 655
> 1072 ps aux
> 1073 ls -la
> 1074 chmod 0 *
> 1075 ps aux
>
> 1076 vi /etc/hosts.deny
> ALL: 6667
>
> 1079 kill -9 543
>
> 1080 kill 154
>
> 1086 crontab -l
> 1087 chmod 0 /etc/rc.d/init.d/ampd
> 1088 chmod 0 /etc/rc.d/init.d/apmd
> 1089 chmod 0 /etc/rc.d/init.d/atd
>
>[root@moe ...]# netstat -p
>(Not all processes could be identified, non-owned process info
> will not be shown, you would have to be root to see it all.)
>Active Internet connections (w/o servers)
>Proto Recv-Q Send-Q Local Address Foreign Address          State       PID/Program name
>tcp        0    144 moe.:telnet   calendar-spaces.w:32888  ESTABLISHED 3574/in.telnetd: ca
>Active UNIX domain sockets (w/o servers)
>Proto RefCnt Flags Type   State     I-Node PID/Program name Path
>unix  2      [ ]   DGRAM            802437 3719/syslogd     /dev/log
>unix  0      [ ]   STREAM CONNECTED 159    1/init [3]       @00000016
>unix  0      [ ]   DGRAM            802456 9928/named
>unix  0      [ ]   DGRAM            802448 3728/klogd
>unix  0      [ ]   DGRAM            802245 3575/login -- ted
>unix  0      [ ]   DGRAM            623    604/xfs
>unix  0      [ ]   DGRAM            429    414/identd
>
>Where do I go from here ?
>
>--
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Petre L. Daniel, System Administrator
Canad Systems Pitesti Romania, http://www.cyber.ro
email: [EMAIL PROTECTED]
tel: +4048220044 +4048206200
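The reply above amounts to a procedure: pull the cable, preserve the attacker's files, then check the daemons and look for hidden processes before trusting the box again. The shell script below is an added example of the first pass of that triage; it is not code from either poster. It is written to run against a mounted copy of the victim's disk (the ROOT argument) rather than on the live system, so the victim's own ls, ps and find are never trusted, and it reads saved ps output and PID lists from files so it can be exercised offline. All function names and file names are this example's own; the directory name /etc/... and the /etc/.../lsh 31333 v0idzz process line it looks for are the ones the quoted ls and ps output show. The /proc-versus-ps comparison only catches a replaced ps (a userland rootkit): a kernel module like adore hides its processes from /proc as well, which is why the reply points at kstat.

```shell
#!/bin/sh
# Added triage helper for a suspected rootkit (example, not from the thread).
# ROOT is the mount point of the victim's disk, mounted read-only and noexec;
# the PID-list and ps-output files are captured separately (see collect_live_pids).

# Directories whose name is only dots and spaces, such as "/etc/...": plain
# "ls" skips them and a tired eye skips over them. find prints every directory
# under ROOT; grep keeps those whose last path component is only [. ] characters.
find_hidden_dirs() {
  find "$1" -type d 2>/dev/null | grep -E '/[. ]+$' | sort
}

# Every setuid or setgid regular file under ROOT.
find_setuid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Setuid/setgid files outside the directories that normally hold them. The
# thread's kit dropped a setuid-root in.pop3d into /etc/..., which this flags;
# a trojaned /bin/login would not be flagged, so still verify packages
# (rpm -Va on a Red Hat box, bearing in mind rpm itself may have been replaced).
# ROOT is used in a grep pattern, so it must not contain regex metacharacters.
unexpected_setuid() {
  root=$1
  find_setuid "$root" \
    | grep -Ev "^$root/(bin|sbin|lib|usr/bin|usr/sbin|usr/lib|usr/libexec|usr/X11R6/bin)/"
}

# Lines of a saved "ps aux" / "ps auxww" listing whose command path contains a
# component made only of dots/spaces (e.g. /etc/.../bindshell). Prints "PID command".
# Note that a path containing "/./" would also match; treat hits as leads, not proof.
procs_in_hidden_dirs() {
  awk 'NR > 1 && $0 ~ /\/[. ]+\// { print $2, substr($0, index($0, $11)) }' "$1"
}

# PIDs present in the /proc list ($1, one per line) but absent from the ps list
# ($2, one per line). A hit means ps is lying (userland rootkit). No hit proves
# nothing against an LKM such as adore, which hides from /proc too.
hidden_pids() {
  awk 'NF == 0 { next }
       FILENAME == ARGV[1] { seen[$1] = 1; next }
       !($1 in seen) { print $1 }' "$2" "$1"
}

# On the live box, capture the two PID lists for hidden_pids. The shell glob
# reads /proc directly, so it does not depend on an "ls" binary that may be
# trojaned; "ps ax" is the suspect list we are checking.
collect_live_pids() {
  for d in /proc/[0-9]*; do echo "${d#/proc/}"; done > "$1"
  ps ax 2>/dev/null | awk 'NR > 1 { print $1 }' > "$2"
}

# Offline report over a mounted image: triage /mnt/victim
triage() {
  echo "== directories named only with dots/spaces under $1"
  find_hidden_dirs "$1"
  echo "== setuid/setgid files outside the standard bin directories"
  unexpected_setuid "$1"
}
```

Usage: mount the victim's disk read-only (and noexec) somewhere, then `triage /mnt/victim`; on the live box, `collect_live_pids /tmp/proc.txt /tmp/ps.txt` followed by `hidden_pids /tmp/proc.txt /tmp/ps.txt`, and `procs_in_hidden_dirs` over a saved ps listing. Anything these find is evidence to copy off the machine before the rebuild, not something to chmod 0 and forget.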