rpc.statd or bind exploited, some say it's better to reinstall the box, personally I like diggin' :-))
First, disconnect, kick out all aliens, or save them somewhere, quarantined, to check them out later,
then get some new packages on cds, or floppies or from the lan, update the daemons, after assuring they're not trojanized, also search for traces of adore, get the kstat program to detect it (sorry, no url at hand),
check your logs, email the attackers' isp addresses if you can find something, and always be aware :)
good luck..
At 09:16 PM 1/3/02 -0500, Thedore Knab wrote:
I recently inherited a machine that I think has been exploited.
It seems to have a stupid root kit installed unless this is a decoy.
What does it look like to you professionals?
[EMAIL PROTECTED] ...]# uname -a
Linux moe. 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
[EMAIL PROTECTED] ...]# ps auxww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 1120 476 ? S 2001 0:06 init [3]
root 2 0.0 0.0 0 0 ? SW 2001 0:00 [kflushd]
root 3 0.0 0.0 0 0 ? SW 2001 0:27 [kupdate]
root 4 0.0 0.0 0 0 ? SW 2001 0:00 [kpiod]
root 5 0.0 0.0 0 0 ? SW 2001 0:01 [kswapd]
root 6 0.0 0.0 0 0 ? SW< 2001 0:00 [mdrecoveryd]
root 154 0.0 0.3 1104 392 ? S 2001 0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r /etc/sysconfig/apm-scripts/resume
bin 315 0.0 0.3 1216 404 ? S 2001 0:00 portmap
root 330 0.0 0.0 0 0 ? SW 2001 0:00 [lockd]
root 331 0.0 0.0 0 0 ? SW 2001 0:00 [rpciod]
root 340 0.0 0.4 1164 516 ? S 2001 0:00 rpc.statd
nobody 414 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 415 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 416 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 420 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 421 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
daemon 432 0.0 0.2 1144 296 ? S 2001 0:00 /usr/sbin/atd
root 446 0.0 0.4 1328 572 ? S 2001 0:00 crond
root 464 0.0 0.3 1168 468 ? S 2001 0:00 inetd
root 478 0.0 1.6 3160 2120 ? S 2001 14:00 /usr/sbin/snmpd
root 543 0.0 0.3 1156 400 ? S 2001 0:00 gpm -t imps2
xfs 604 0.0 0.6 1920 876 ? S 2001 0:00 xfs -droppriv -daemon -port -1
root 645 0.0 0.0 852 100 ? S 2001 0:00 /etc/.../bindshell
root 646 0.0 0.0 864 124 ? S 2001 0:00 /etc/.../bnc
root 650 0.0 0.3 1092 408 tty2 S 2001 0:00 /sbin/mingetty tty2
root 651 0.0 0.3 1092 408 tty3 S 2001 0:00 /sbin/mingetty tty3
root 652 0.0 0.3 1092 408 tty4 S 2001 0:00 /sbin/mingetty tty4
root 653 0.0 0.3 1092 408 tty5 S 2001 0:00 /sbin/mingetty tty5
root 654 0.0 0.3 1092 408 tty6 S 2001 0:00 /sbin/mingetty tty6
root 655 0.0 0.0 856 104 ? S 2001 0:00 /etc/.../lsh 31333 v0idzz
named 9928 0.0 4.9 7268 6356 ? S 2001 6:48 named -u named
root 11369 0.0 0.3 1092 408 tty1 S 2001 0:00 /sbin/mingetty tty1
root 3574 0.0 0.5 1464 760 ? S 20:28 0:00 in.telnetd: calendar-spaces.
root 3575 0.0 0.9 2312 1196 pts/0 S 20:28 0:00 login -- ted
ted 3576 0.0 0.7 1696 940 pts/0 S 20:28 0:00 -bash
root 3599 0.0 0.7 2008 900 pts/0 S 20:28 0:00 su -
root 3600 0.0 0.7 1748 996 pts/0 S 20:29 0:00 -bash
root 3719 0.0 0.4 1172 540 ? S 20:38 0:00 syslogd -m 0
root 3728 0.0 0.6 1440 768 ? S 20:38 0:00 klogd
root 3817 0.0 0.5 2332 704 pts/0 R 20:43 0:00 ps auxww
[EMAIL PROTECTED] ...]# cd /etc/...
[EMAIL PROTECTED] ...]# ls -la
[EMAIL PROTECTED] ...]# chmod 0 /etc/rc.d/init.d/apmd
[EMAIL PROTECTED] ...]# chmod 0 /etc/rc.d/init.d/atd
Processes running after making a few kills:
[EMAIL PROTECTED] /root]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 1120 476 ? S 2001 0:06 init [3]
root 2 0.0 0.0 0 0 ? SW 2001 0:00 [kflushd]
root 3 0.0 0.0 0 0 ? SW 2001 0:28 [kupdate]
root 4 0.0 0.0 0 0 ? SW 2001 0:00 [kpiod]
root 5 0.0 0.0 0 0 ? SW 2001 0:01 [kswapd]
root 6 0.0 0.0 0 0 ? SW< 2001 0:00 [mdrecoveryd]
bin 315 0.0 0.3 1216 404 ? S 2001 0:00 portmap
root 330 0.0 0.0 0 0 ? SW 2001 0:00 [lockd]
root 331 0.0 0.0 0 0 ? SW 2001 0:00 [rpciod]
root 340 0.0 0.4 1164 516 ? S 2001 0:00 rpc.statd
nobody 414 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 415 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 416 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 420 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 421 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
root 446 0.0 0.4 1328 572 ? S 2001 0:00 crond
root 464 0.0 0.3 1168 468 ? S 2001 0:00 inetd
root 478 0.0 1.6 3160 2120 ? S 2001 14:00 /usr/sbin/snmpd
xfs 604 0.0 0.6 1920 876 ? S 2001 0:00 xfs -droppriv -daemon -port -1
root 650 0.0 0.3 1092 408 tty2 S 2001 0:00 /sbin/mingetty tty2
root 651 0.0 0.3 1092 408 tty3 S 2001 0:00 /sbin/mingetty tty3
root 652 0.0 0.3 1092 408 tty4 S 2001 0:00 /sbin/mingetty tty4
root 653 0.0 0.3 1092 408 tty5 S 2001 0:00 /sbin/mingetty tty5
root 654 0.0 0.3 1092 408 tty6 S 2001 0:00 /sbin/mingetty tty6
named 9928 0.0 4.9 7268 6356 ? S 2001 6:50 named -u named
root 11369 0.0 0.3 1092 408 tty1 S 2001 0:00 /sbin/mingetty tty1
root 3574 0.0 0.5 1464 760 ? S 20:28 0:00 in.telnetd: calendar-spaces.
root 3575 0.0 0.9 2312 1196 pts/0 S 20:28 0:00 login -- ted
ted 3576 0.0 0.7 1696 940 pts/0 S 20:28 0:00 -bash
root 3599 0.0 0.7 2008 900 pts/0 S 20:28 0:00 su -
root 3600 0.0 0.7 1748 996 pts/0 S 20:29 0:00 -bash
root 3719 0.0 0.4 1172 540 ? S 20:38 0:00 syslogd -m 0
root 3728 0.0 0.6 1440 768 ? S 20:38 0:00 klogd
root 3926 0.0 0.5 2332 700 pts/0 R 21:13 0:00 ps aux

total 237
drwxr-xr-x 2 root root 1024 Jan 31 2000 .
drwxr-xr-x 34 root root 3072 Jan 3 20:38 ..
-rwxr-xr-x 1 root root 5717 Apr 5 1997 bindshell
-rwxr-xr-x 1 root root 11552 Apr 5 1997 bnc
-rw-r--r-- 1 root root 31 Apr 13 1997 bnc.conf
-rws--x--x 1 root root 26218 Sep 28 1999 in.pop3d
-rwxr-xr-x 1 root root 158300 Sep 28 1999 inetd
-rwxr-xr-x 1 root root 7544 Sep 2 1999 lsh
-rwxr-xr-x 1 root root 5528 Mar 8 1999 searchsniff
-rwxr-xr-x 1 root root 8155 Mar 13 1999 snif
-rwxr-xr-x 1 root root 8779 Mar 8 1999 sniff
[EMAIL PROTECTED] ...]# cat bnc.conf
pt:102938
ps:rewt
mu:5
dp:6667
Although mostly binary code this text appeared:
[EMAIL PROTECTED] ...]# cat bnc.conf
:[EMAIL PROTECTED] NOTICE %s :You need to say /quote PASS <password> PASS :[EMAIL PROTECTED] NOTICE %s :Level two, lets connect to something real now :[EMAIL PROTECTED] NOTICE %s :type /quote conn [server] <port> <pass> to connect vip:[EMAIL PROTECTED] NOTICE %s :Your Vhost is now %s conn:[EMAIL PROTECTED] NOTICE %s :Making reality through %s port %i PASS %s NICK %s rbnc.conf***Ack! No config file (bnc.conf). #: ptmudppsvhConfig line %i rejected-what weirdo told you '%s' goes in my config file? -NONE- Irc Proxy v2.2.4 GNU project (C) 1997-98 Coded by James Seter bugs-> ([EMAIL PROTECTED]) ***Using defaults(Not recommended) --Configuration: Daemon port......:%u Password.........:%s Maxusers.........:%u Default conn port:%u
[EMAIL PROTECTED] ...]# ./bnc
Irc Proxy v2.2.4 GNU project (C) 1997-98 Coded by James Seter bugs-> ([EMAIL PROTECTED])
--Configuration: Daemon port......:102938 Password.........:rewt Maxusers.........:5 Default conn port:6667
[EMAIL PROTECTED] ...]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 1120 476 ? S 2001 0:06 init [3]
root 2 0.0 0.0 0 0 ? SW 2001 0:00 [kflushd]
root 3 0.0 0.0 0 0 ? SW 2001 0:27 [kupdate]
root 4 0.0 0.0 0 0 ? SW 2001 0:00 [kpiod]
root 5 0.0 0.0 0 0 ? SW 2001 0:01 [kswapd]
root 6 0.0 0.0 0 0 ? SW< 2001 0:00 [mdrecoveryd]
root 154 0.0 0.3 1104 392 ? S 2001 0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r /etc/sysconfig/apm-scripts/resume
bin 315 0.0 0.3 1216 404 ? S 2001 0:00 portmap
root 330 0.0 0.0 0 0 ? SW 2001 0:00 [lockd]
root 331 0.0 0.0 0 0 ? SW 2001 0:00 [rpciod]
root 340 0.0 0.4 1164 516 ? S 2001 0:00 rpc.statd
nobody 414 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 415 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 416 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 420 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
nobody 421 0.0 0.4 1308 544 ? S 2001 0:00 identd -e -o
daemon 432 0.0 0.2 1144 296 ? S 2001 0:00 /usr/sbin/atd
root 446 0.0 0.4 1328 572 ? S 2001 0:00 crond
root 464 0.0 0.3 1168 468 ? S 2001 0:00 inetd
root 478 0.0 1.6 3160 2120 ? S 2001 14:00 /usr/sbin/snmpd
root 543 0.0 0.3 1156 400 ? S 2001 0:00 gpm -t imps2
xfs 604 0.0 0.6 1920 876 ? S 2001 0:00 xfs -droppriv -daemon -port -1
root 645 0.0 0.0 852 100 ? S 2001 0:00 /etc/.../bindshell
root 646 0.0 0.0 864 124 ? S 2001 0:00 /etc/.../bnc
root 650 0.0 0.3 1092 408 tty2 S 2001 0:00 /sbin/mingetty tty2
root 651 0.0 0.3 1092 408 tty3 S 2001 0:00 /sbin/mingetty tty3
root 652 0.0 0.3 1092 408 tty4 S 2001 0:00 /sbin/mingetty tty4
root 653 0.0 0.3 1092 408 tty5 S 2001 0:00 /sbin/mingetty tty5
root 654 0.0 0.3 1092 408 tty6 S 2001 0:00 /sbin/mingetty tty6
root 655 0.0 0.0 856 104 ? S 2001 0:00 /etc/.../lsh 31333 v0idzz
named 9928 0.0 4.9 7268 6356 ? S 2001 6:49 named -u named
root 11369 0.0 0.3 1092 408 tty1 S 2001 0:00 /sbin/mingetty tty1
root 3574 0.0 0.5 1464 760 ? S 20:28 0:00
root 3575 0.0 0.9 2312 1196 pts/0 S 20:28 0:00 login -- ted
ted 3576 0.0 0.7 1696 940 pts/0 S 20:28 0:00 -bash
root 3599 0.0 0.7 2008 900 pts/0 S 20:28 0:00 su -
root 3600 0.0 0.7 1748 996 pts/0 S 20:28 0:00 -bash
root 3719 0.0 0.4 1172 540 ? S 20:38 0:00 syslogd -m 0
root 3728 0.0 0.6 1440 768 ? S 20:38 0:00 klogd
root 3826 0.0 0.2 864 292 ? S 20:47 0:00 ./bnc
root 3831 0.0 0.5 2332 700 pts/0 R 20:48 0:00 ps aux
[EMAIL PROTECTED] ...]# date
Thu Jan 3 20:48:36 EST 2002
[EMAIL PROTECTED] ...]# kill -9 3826
When I typed irc tab, these binaries came up:
[EMAIL PROTECTED] ...]# irpd bindshell bnc bnc.conf in.pop3d inetd lsh searchsniff snif sniff
I started to turn off these processes:
1068 kill -9 645
1069 ps aux
1070 kill -9 646
1071 kill -9 655
1072 ps aux
1073 ls -la
1074 chmod 0 *
1075 ps aux
1076 vi /etc/hosts.deny ALL: 6667
1079 kill -9 543
1080 kill 154
1086 crontab -l
1087 chmod 0 /etc/rc.d/init.d/ampd
1088 chmod 0 /etc/rc.d/init.d/apmd
1089 chmod 0 /etc/rc.d/init.d/atd
[EMAIL PROTECTED] ...]# netstat -p
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 144 moe.:telnet calendar-spaces.w:32888 ESTABLISHED 3574/in.telnetd: ca
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ] DGRAM 802437 3719/syslogd /dev/log
unix 0 [ ] STREAM CONNECTED 159 1/init [3] @00000016
unix 0 [ ] DGRAM 802456 9928/named
unix 0 [ ] DGRAM 802448 3728/klogd
unix 0 [ ] DGRAM 802245 3575/login -- ted
unix 0 [ ] DGRAM 623 604/xfs
unix 0 [ ] DGRAM 429 414/identd
Where do I go from here ?
Petre L. Daniel,System Administrator Canad Systems Pitesti Romania, http://www.cyber.ro email:[EMAIL PROTECTED] tel:+4048220044 +4048206200
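The two things that give the rootkit away in the listings quoted above are binaries running out of a dot-named directory (/etc/...) and a setuid in.pop3d sitting in that same directory. The following Python is an added example, not code from either poster: it parses ps and ls -la output and flags exactly those two indicators. The sample lines it runs on are constructed, modelled on the output in the thread.

```python
from typing import List, Tuple
# Constructed sample input, modelled on the ps auxww and ls -la output quoted above.
PS_SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 340 0.0 0.4 1164 516 ? S 2001 0:00 rpc.statd
root 645 0.0 0.0 852 100 ? S 2001 0:00 /etc/.../bindshell
root 655 0.0 0.0 856 104 ? S 2001 0:00 /etc/.../lsh 31333 v0idzz
root 3826 0.0 0.2 864 292 ? S 20:47 0:00 ./bnc
"""
LS_SAMPLE = """\
total 237
drwxr-xr-x 2 root root 1024 Jan 31 2000 .
-rwxr-xr-x 1 root root 5717 Apr 5 1997 bindshell
-rws--x--x 1 root root 26218 Sep 28 1999 in.pop3d
-rw-r--r-- 1 root root 31 Apr 13 1997 bnc.conf
"""

def in_hidden_dir(path: str) -> bool:
    """True when a directory component of the executable path starts with '.'.
    '.' and '..' are ordinary traversal; a name like '...' (the /etc/... above) is not."""
    dirs = path.split("/")[:-1]
    return any(d.startswith(".") and d not in (".", "..") for d in dirs)

def flag_ps(ps_output: str) -> List[Tuple[int, str, str]]:
    """Return (pid, user, command) for every process started from a hidden directory."""
    hits = []
    for line in ps_output.splitlines()[1:]:   # skip the header row
        f = line.split(None, 10)              # 11 columns; COMMAND keeps its arguments
        if len(f) == 11 and in_hidden_dir(f[10].split()[0]):
            hits.append((int(f[1]), f[0], f[10]))
    return hits

def flag_ls(ls_output: str) -> List[Tuple[str, str]]:
    """Return (name, reason) for regular files in an ls -la listing that are setuid or setgid."""
    hits = []
    for line in ls_output.splitlines():
        f = line.split(None, 8)               # mode links owner group size month day year name
        if len(f) < 9 or not f[0].startswith("-"):
            continue                          # totals line, directories, symlinks
        if f[0][3] in "sS":
            hits.append((f[8], "setuid"))
        elif f[0][6] in "sS":
            hits.append((f[8], "setgid"))
    return hits

if __name__ == "__main__":
    for pid, user, cmd in flag_ps(PS_SAMPLE):
        print(f"process {pid} ({user}) runs from a hidden directory: {cmd}")
    for name, why in flag_ls(LS_SAMPLE):
        print(f"file {name} is {why}")
```

Feed it real output (`ps auxww` and `ls -la` of the suspect directory) instead of the samples; the heuristic will also flag legitimate dot-directories such as a user's home config dirs, so treat hits as leads to check, not verdicts.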