I recently inherited a machine that I think has been exploited. It seems to have a stupid root kit installed unless this is a decoy.
What does it look like to you professionals?

[root@moe ...]# uname -a
Linux moe. 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown

[root@moe ...]# ps auxww
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
root         1  0.0  0.3 1120  476 ?     S    2001   0:06 init [3]
root         2  0.0  0.0    0    0 ?     SW   2001   0:00 [kflushd]
root         3  0.0  0.0    0    0 ?     SW   2001   0:27 [kupdate]
root         4  0.0  0.0    0    0 ?     SW   2001   0:00 [kpiod]
root         5  0.0  0.0    0    0 ?     SW   2001   0:01 [kswapd]
root         6  0.0  0.0    0    0 ?     SW<  2001   0:00 [mdrecoveryd]
root       154  0.0  0.3 1104  392 ?     S    2001   0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r /etc/sysconfig/apm-scripts/resume
bin        315  0.0  0.3 1216  404 ?     S    2001   0:00 portmap
root       330  0.0  0.0    0    0 ?     SW   2001   0:00 [lockd]
root       331  0.0  0.0    0    0 ?     SW   2001   0:00 [rpciod]
root       340  0.0  0.4 1164  516 ?     S    2001   0:00 rpc.statd
nobody     414  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     415  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     416  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     420  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     421  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
daemon     432  0.0  0.2 1144  296 ?     S    2001   0:00 /usr/sbin/atd
root       446  0.0  0.4 1328  572 ?     S    2001   0:00 crond
root       464  0.0  0.3 1168  468 ?     S    2001   0:00 inetd
root       478  0.0  1.6 3160 2120 ?     S    2001  14:00 /usr/sbin/snmpd
root       543  0.0  0.3 1156  400 ?     S    2001   0:00 gpm -t imps2
xfs        604  0.0  0.6 1920  876 ?     S    2001   0:00 xfs -droppriv -daemon -port -1
root       645  0.0  0.0  852  100 ?     S    2001   0:00 /etc/.../bindshell
root       646  0.0  0.0  864  124 ?     S    2001   0:00 /etc/.../bnc
root       650  0.0  0.3 1092  408 tty2  S    2001   0:00 /sbin/mingetty tty2
root       651  0.0  0.3 1092  408 tty3  S    2001   0:00 /sbin/mingetty tty3
root       652  0.0  0.3 1092  408 tty4  S    2001   0:00 /sbin/mingetty tty4
root       653  0.0  0.3 1092  408 tty5  S    2001   0:00 /sbin/mingetty tty5
root       654  0.0  0.3 1092  408 tty6  S    2001   0:00 /sbin/mingetty tty6
root       655  0.0  0.0  856  104 ?     S    2001   0:00 /etc/.../lsh 31333 v0idzz
named     9928  0.0  4.9 7268 6356 ?     S    2001   6:48 named -u named
root     11369  0.0  0.3 1092  408 tty1  S    2001   0:00 /sbin/mingetty tty1
root      3574  0.0  0.5 1464  760 ?     S    20:28  0:00 in.telnetd: calendar-spaces.
root      3575  0.0  0.9 2312 1196 pts/0 S    20:28  0:00 login -- ted
ted       3576  0.0  0.7 1696  940 pts/0 S    20:28  0:00 -bash
root      3599  0.0  0.7 2008  900 pts/0 S    20:28  0:00 su -
root      3600  0.0  0.7 1748  996 pts/0 S    20:29  0:00 -bash
root      3719  0.0  0.4 1172  540 ?     S    20:38  0:00 syslogd -m 0
root      3728  0.0  0.6 1440  768 ?     S    20:38  0:00 klogd
root      3817  0.0  0.5 2332  704 pts/0 R    20:43  0:00 ps auxww

[root@moe ...]# cd /etc/...
[root@moe ...]# ls -la
[root@moe ...]# chmod 0 /etc/rc.d/init.d/apmd
[root@moe ...]# chmod 0 /etc/rc.d/init.d/atd

Processes running after making a few kills:

[root@moe /root]# ps aux
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
root         1  0.0  0.3 1120  476 ?     S    2001   0:06 init [3]
root         2  0.0  0.0    0    0 ?     SW   2001   0:00 [kflushd]
root         3  0.0  0.0    0    0 ?     SW   2001   0:28 [kupdate]
root         4  0.0  0.0    0    0 ?     SW   2001   0:00 [kpiod]
root         5  0.0  0.0    0    0 ?     SW   2001   0:01 [kswapd]
root         6  0.0  0.0    0    0 ?     SW<  2001   0:00 [mdrecoveryd]
bin        315  0.0  0.3 1216  404 ?     S    2001   0:00 portmap
root       330  0.0  0.0    0    0 ?     SW   2001   0:00 [lockd]
root       331  0.0  0.0    0    0 ?     SW   2001   0:00 [rpciod]
root       340  0.0  0.4 1164  516 ?     S    2001   0:00 rpc.statd
nobody     414  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     415  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     416  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     420  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     421  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
root       446  0.0  0.4 1328  572 ?     S    2001   0:00 crond
root       464  0.0  0.3 1168  468 ?     S    2001   0:00 inetd
root       478  0.0  1.6 3160 2120 ?     S    2001  14:00 /usr/sbin/snmpd
xfs        604  0.0  0.6 1920  876 ?     S    2001   0:00 xfs -droppriv -daemon -port -1
root       650  0.0  0.3 1092  408 tty2  S    2001   0:00 /sbin/mingetty tty2
root       651  0.0  0.3 1092  408 tty3  S    2001   0:00 /sbin/mingetty tty3
root       652  0.0  0.3 1092  408 tty4  S    2001   0:00 /sbin/mingetty tty4
root       653  0.0  0.3 1092  408 tty5  S    2001   0:00 /sbin/mingetty tty5
root       654  0.0  0.3 1092  408 tty6  S    2001   0:00 /sbin/mingetty tty6
named     9928  0.0  4.9 7268 6356 ?     S    2001   6:50 named -u named
root     11369  0.0  0.3 1092  408 tty1  S    2001   0:00 /sbin/mingetty tty1
root      3574  0.0  0.5 1464  760 ?     S    20:28  0:00 in.telnetd: calendar-spaces.
root      3575  0.0  0.9 2312 1196 pts/0 S    20:28  0:00 login -- ted
ted       3576  0.0  0.7 1696  940 pts/0 S    20:28  0:00 -bash
root      3599  0.0  0.7 2008  900 pts/0 S    20:28  0:00 su -
root      3600  0.0  0.7 1748  996 pts/0 S    20:29  0:00 -bash
root      3719  0.0  0.4 1172  540 ?     S    20:38  0:00 syslogd -m 0
root      3728  0.0  0.6 1440  768 ?     S    20:38  0:00 klogd
root      3926  0.0  0.5 2332  700 pts/0 R    21:13  0:00 ps aux

total 237
drwxr-xr-x   2 root     root         1024 Jan 31  2000 .
drwxr-xr-x  34 root     root         3072 Jan  3 20:38 ..
-rwxr-xr-x   1 root     root         5717 Apr  5  1997 bindshell
-rwxr-xr-x   1 root     root        11552 Apr  5  1997 bnc
-rw-r--r--   1 root     root           31 Apr 13  1997 bnc.conf
-rws--x--x   1 root     root        26218 Sep 28  1999 in.pop3d
-rwxr-xr-x   1 root     root       158300 Sep 28  1999 inetd
-rwxr-xr-x   1 root     root         7544 Sep  2  1999 lsh
-rwxr-xr-x   1 root     root         5528 Mar  8  1999 searchsniff
-rwxr-xr-x   1 root     root         8155 Mar 13  1999 snif
-rwxr-xr-x   1 root     root         8779 Mar  8  1999 sniff

[root@moe ...]# cat bnc.conf
pt:102938
ps:rewt
mu:5
dp:6667

Although mostly binary code, this text appeared:

[root@moe ...]# cat bnc.conf
:[EMAIL PROTECTED] NOTICE %s :You need to say /quote PASS <password>
PASS
:[EMAIL PROTECTED] NOTICE %s :Level two, lets connect to something real now
:[EMAIL PROTECTED] NOTICE %s :type /quote conn [server] <port> <pass> to connect
vip:[EMAIL PROTECTED] NOTICE %s :Your Vhost is now %s
conn:[EMAIL PROTECTED] NOTICE %s :Making reality through %s port %i
PASS %s
NICK %s
rbnc.conf
***Ack! No config file (bnc.conf).
#:
ptmudppsvh
Config line %i rejected-what weirdo told you '%s' goes in my config file?
-NONE-
Irc Proxy v2.2.4 GNU project (C) 1997-98 Coded by James Seter bugs-> ([EMAIL PROTECTED])
***Using defaults(Not recommended)
--Configuration:
Daemon port......:%u
Password.........:%s
Maxusers.........:%u
Default conn port:%u

[root@moe ...]# ./bnc
Irc Proxy v2.2.4 GNU project (C) 1997-98 Coded by James Seter bugs-> ([EMAIL PROTECTED])
--Configuration:
Daemon port......:102938
Password.........:rewt
Maxusers.........:5
Default conn port:6667

[root@moe ...]# ps aux
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
root         1  0.0  0.3 1120  476 ?     S    2001   0:06 init [3]
root         2  0.0  0.0    0    0 ?     SW   2001   0:00 [kflushd]
root         3  0.0  0.0    0    0 ?     SW   2001   0:27 [kupdate]
root         4  0.0  0.0    0    0 ?     SW   2001   0:00 [kpiod]
root         5  0.0  0.0    0    0 ?     SW   2001   0:01 [kswapd]
root         6  0.0  0.0    0    0 ?     SW<  2001   0:00 [mdrecoveryd]
root       154  0.0  0.3 1104  392 ?     S    2001   0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r /etc/sysconfig/apm-scripts/resume
bin        315  0.0  0.3 1216  404 ?     S    2001   0:00 portmap
root       330  0.0  0.0    0    0 ?     SW   2001   0:00 [lockd]
root       331  0.0  0.0    0    0 ?     SW   2001   0:00 [rpciod]
root       340  0.0  0.4 1164  516 ?     S    2001   0:00 rpc.statd
nobody     414  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     415  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     416  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     420  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     421  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
daemon     432  0.0  0.2 1144  296 ?     S    2001   0:00 /usr/sbin/atd
root       446  0.0  0.4 1328  572 ?     S    2001   0:00 crond
root       464  0.0  0.3 1168  468 ?     S    2001   0:00 inetd
root       478  0.0  1.6 3160 2120 ?     S    2001  14:00 /usr/sbin/snmpd
root       543  0.0  0.3 1156  400 ?     S    2001   0:00 gpm -t imps2
xfs        604  0.0  0.6 1920  876 ?     S    2001   0:00 xfs -droppriv -daemon -port -1
root       645  0.0  0.0  852  100 ?     S    2001   0:00 /etc/.../bindshell
root       646  0.0  0.0  864  124 ?     S    2001   0:00 /etc/.../bnc
root       650  0.0  0.3 1092  408 tty2  S    2001   0:00 /sbin/mingetty tty2
root       651  0.0  0.3 1092  408 tty3  S    2001   0:00 /sbin/mingetty tty3
root       652  0.0  0.3 1092  408 tty4  S    2001   0:00 /sbin/mingetty tty4
root       653  0.0  0.3 1092  408 tty5  S    2001   0:00 /sbin/mingetty tty5
root       654  0.0  0.3 1092  408 tty6  S    2001   0:00 /sbin/mingetty tty6
root       655  0.0  0.0  856  104 ?     S    2001   0:00 /etc/.../lsh 31333 v0idzz
named     9928  0.0  4.9 7268 6356 ?     S    2001   6:49 named -u named
root     11369  0.0  0.3 1092  408 tty1  S    2001   0:00 /sbin/mingetty tty1
root      3574  0.0  0.5 1464  760 ?     S    20:28  0:00
root      3575  0.0  0.9 2312 1196 pts/0 S    20:28  0:00 login -- ted
ted       3576  0.0  0.7 1696  940 pts/0 S    20:28  0:00 -bash
root      3599  0.0  0.7 2008  900 pts/0 S    20:28  0:00 su -
root      3600  0.0  0.7 1748  996 pts/0 S    20:28  0:00 -bash
root      3719  0.0  0.4 1172  540 ?     S    20:38  0:00 syslogd -m 0
root      3728  0.0  0.6 1440  768 ?     S    20:38  0:00 klogd
root      3826  0.0  0.2  864  292 ?     S    20:47  0:00 ./bnc
root      3831  0.0  0.5 2332  700 pts/0 R    20:48  0:00 ps aux

[root@moe ...]# date
Thu Jan 3 20:48:36 EST 2002
[root@moe ...]# kill -9 3826

When I typed irc tab, these binaries came up:

[root@moe ...]# irpd
bindshell  bnc  bnc.conf  in.pop3d  inetd  lsh  searchsniff  snif  sniff

I started to turn off these processes:

 1068  kill -9 645
 1069  ps aux
 1070  kill -9 646
 1071  kill -9 655
 1072  ps aux
 1073  ls -la
 1074  chmod 0 *
 1075  ps aux
 1076  vi /etc/hosts.deny ALL: 6667
 1079  kill -9 543
 1080  kill 154
 1086  crontab -l
 1087  chmod 0 /etc/rc.d/init.d/ampd
 1088  chmod 0 /etc/rc.d/init.d/apmd
 1089  chmod 0 /etc/rc.d/init.d/atd

[root@moe ...]# netstat -p
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0    144 moe.:telnet             calendar-spaces.w:32888 ESTABLISHED 3574/in.telnetd: ca
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ]         DGRAM                    802437 3719/syslogd        /dev/log
unix  0      [ ]         STREAM     CONNECTED     159    1/init [3]          @00000016
unix  0      [ ]         DGRAM                    802456 9928/named
unix  0      [ ]         DGRAM                    802448 3728/klogd
unix  0      [ ]         DGRAM                    802245 3575/login -- ted
unix  0      [ ]         DGRAM                    623    604/xfs
unix  0      [ ]         DGRAM                    429    414/identd

Where do I go from here?
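The post's triage is done by hand: spotting the dot-only directory `/etc/...` and then reading through `ps` for commands that run out of it. The script below is an added example, not the poster's code, that automates those two checks and goes slightly beyond them: it flags any directory whose name is nothing but dots (`...`, `....`) and any process whose `/proc/PID/exe` points into such a directory or carries the kernel's `(deleted)` suffix, i.e. a binary removed while the process kept running. Every function takes a root path so the checks can be exercised against a constructed fixture; the fixture, the function names, and the PIDs it borrows from the post are all assumptions of this example. It trusts whatever `find`, `readlink` and `sh` it runs under, so on a box like this one, where a copy of `inetd` and a setuid `in.pop3d` sit next to the kit, the host's own binaries are the wrong ones to run it with.

```sh
#!/bin/sh
# Added triage helper (example code, not from the original post).
# Usage on a live host:  sh triage.sh --live
# Each check takes a root directory so it can also be run against the
# constructed fixture built by build_fixture below.

# Print every directory under $1 whose basename is two or more dots and
# nothing else ("...", "...."). No distribution ships such a path, so a
# hit is worth a look on its own.
find_dot_dirs() {
    find "$1" -type d -name '..?*' 2>/dev/null | while IFS= read -r d; do
        case "${d##*/}" in
            *[!.]*) ;;                    # has a non-dot character: ordinary hidden dir
            *)      printf '%s\n' "$d" ;;
        esac
    done
}

# Walk a /proc tree ($1) and print "PID REASON EXE" for each process whose
# exe symlink points into a dot-only directory ("dot-dir") or ends in the
# kernel's " (deleted)" marker ("deleted-binary"). Processes without a
# readable exe link (kernel threads, other users' processes) are skipped.
flag_procs() {
    for p in "$1"/[0-9]*; do
        [ -d "$p" ] || continue
        pid=${p##*/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        reason=""
        case "$exe" in
            *' (deleted)') reason="deleted-binary" ;;
        esac
        dir=${exe%/*}
        case "${dir##*/}" in
            ..*) case "${dir##*/}" in
                     *[!.]*) ;;
                     *)      reason="${reason:+$reason,}dot-dir" ;;
                 esac ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s %s\n' "$pid" "$reason" "$exe"
        fi
    done
}

# Constructed fixture (not the poster's machine): a fake root with the same
# /etc/... layout and a fake /proc holding three processes. PIDs 645 and
# 3826 are borrowed from the post's ps output; PID 1 is a clean control.
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc/..." "$fx/etc/ssh" "$fx/proc/1" "$fx/proc/645" "$fx/proc/3826"
    : > "$fx/etc/.../bindshell"
    ln -s /sbin/init              "$fx/proc/1/exe"
    ln -s "$fx/etc/.../bindshell" "$fx/proc/645/exe"
    ln -s "/tmp/bnc (deleted)"    "$fx/proc/3826/exe"
    printf '%s\n' "$fx"
}

if [ "${1-}" = "--live" ]; then
    echo "== dot-only directories =="
    for r in /etc /dev /usr /var /tmp; do find_dot_dirs "$r"; done
    echo "== processes running from a dot-dir or a deleted binary =="
    flag_procs /proc
fi
```

Against the fixture, `find_dot_dirs` returns only the `etc/...` path and `flag_procs` reports PID 645 as `dot-dir` and PID 3826 as `deleted-binary`, while PID 1 is silent. On a live host the `--live` run is a first pass only: a kit that replaces `ps` or `ls` can hide from tools that ask the same kernel through the same trojaned binaries, which is why a hit here is a reason to image the disk and compare against known-good package checksums rather than to keep killing processes.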