Last Sunday, August 3rd 2003, one of my servers was hacked, which I, by coincidence, was able to catch 'in progress'.

My log analyzer showed four "Did not receive identification string from w.x.y.z" log entries from sshd. This happens all the time and I certainly don't check all of them out, but I happened to do so this time.

I noticed suspicious network connections with netstat [1]. Shortly thereafter I noticed I had two init processes and multiple syslogd processes. I killed the syslogd processes immediately, as the network traffic appeared to be IRC traffic. Then I practically sealed the machine from the outside with my firewall, allowing me to do some further research.
I found the following:
- The extra init process was somehow spawned, but the original binary seems to have been deleted [2].
- All base system programs were OK, including init and syslogd. MD5s matched.
- In / there was "rpm-4.0.4.i386.tar.gz". I found that the content was installed. It matches the archive on ftp.rpm.org (md5).
- I didn't find any other out-of-the-ordinary files.
- chkrootkit didn't find anything but the extra init process running.
I'm puzzled about how they managed to get those processes running (as root). There are no local accounts, other than some accounts for the sysadmins. Does anyone have any idea how they might have done this? Anyone seen similar hacks recently? I'd sure like to solve this problem, but at this moment I wouldn't know how, so suggestions are more than welcome.

Unfortunately I don't have the resources to get an IDS system up and running...
regards and tia,
Thijs Welman
Delft University of Technology
the Netherlands

-----

[0] My server is running Debian stable with:
- linux-2.4.21-ac4 custom compiled kernel without LKM-support
- sshd
- apache
- apache-ssl
- php4
- smbd/nmbd (firewalled at the university network border)
- postfix (not accessible from outside)
- bind9 (not accessible from outside)
- mysql (firewalled)
- proftpd (firewalled)
- snmpd (firewalled)
- amanda-client from inetd (firewalled)

All packages are unmodified releases from Debian stable and, yes, I do update packages from security.debian.org as soon as there are any updates. :)
[1] netstat -anp at that time:

    tcp        0      0 MYIP:36789  IP#1:21     ESTABLISHED 12642/wget
    tcp     1448      0 MYIP:36790  IP#1:20     ESTABLISHED 12642/wget
    tcp        0      0 MYIP:44367  IP#2:60666  ESTABLISHED 10051/syslogd
    tcp        0      0 MYIP:33397  IP#2:60666  ESTABLISHED 10051/syslogd
    tcp        0     80 MYIP:53731  IP#3:59780  ESTABLISHED 10764/init

Note: I found out 'init' and 'syslogd' were 'extra' processes. My normal init and syslogd were running normally (seemed untouched).
[2] lsof output:

    init  1 root cwd  DIR  3,3     4096      2 /
    init  1 root rtd  DIR  3,3     4096      2 /
    init  1 root txt  REG  3,3    27844 312195 /sbin/init
    init  1 root mem  REG  3,3    90210 179291 /lib/ld-2.2.5.so
    init  1 root mem  REG  3,3  1153784 179294 /lib/libc-2.2.5.so
    init  1 root 10u  FIFO 3,3    49116        /dev/initctl
    init  9 root cwd  DIR  3,3     4096      2 /
    init  9 root rtd  DIR  3,3     4096      2 /
    init  9 root txt  REG  3,3    29304 312205 /sbin/init (deleted)
    init  9 root 0u   CHR  1,3    49079        /dev/null
    init  9 root 1u   CHR  1,3    49079        /dev/null
    init  9 root 2u   CHR  1,3    49079        /dev/null
    init  9 root 3u   CHR  1,2    49078        /dev/kmem
    init  9 root 4u   sock 0,0       19        can't identify protocol
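As an added example (not part of the original post), the following Python script automates the checks the poster did by eye: it parses netstat -anp and lsof output and flags daemons that should never hold network sockets, executables that were unlinked after exec, open /dev/kmem handles, and any "init" that is not PID 1. The samples are abridged transcriptions of the listings above, and the NO_NETWORK policy set is an assumption for this host.

```python
# Constructed samples, abridged from the netstat -anp and lsof output in the post
# (MYIP and IP#n are the poster's placeholders, not real addresses).
NETSTAT = """\
tcp        0      0 MYIP:36789  IP#1:21     ESTABLISHED 12642/wget
tcp     1448      0 MYIP:36790  IP#1:20     ESTABLISHED 12642/wget
tcp        0      0 MYIP:44367  IP#2:60666  ESTABLISHED 10051/syslogd
tcp        0      0 MYIP:33397  IP#2:60666  ESTABLISHED 10051/syslogd
tcp        0     80 MYIP:53731  IP#3:59780  ESTABLISHED 10764/init
"""
LSOF = """\
init  1 root txt  REG  3,3  27844 312195 /sbin/init
init  1 root 10u  FIFO 3,3  49116        /dev/initctl
init  9 root txt  REG  3,3  29304 312205 /sbin/init (deleted)
init  9 root 3u   CHR  1,2  49078        /dev/kmem
init  9 root 4u   sock 0,0     19        can't identify protocol
"""

# Daemons that should never own an ESTABLISHED TCP socket on this host
# (assumed policy for this example; adjust to the box being checked).
NO_NETWORK = {"init", "syslogd"}

def netstat_findings(text):
    """Return (name, pid, remote) for ESTABLISHED sockets held by NO_NETWORK processes."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "ESTABLISHED":
            continue
        pid, _, name = f[6].partition("/")       # "10051/syslogd" -> pid, name
        if name in NO_NETWORK:
            findings.append((name, int(pid), f[4]))
    return findings

def lsof_findings(text):
    """Return (kind, name, pid) for deleted executables, /dev/kmem handles and extra inits."""
    findings, init_pids = [], set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        name, pid, fd = f[0], int(f[1]), f[3]
        if name == "init":
            init_pids.add(pid)
        if fd == "txt" and line.rstrip().endswith("(deleted)"):
            findings.append(("deleted-binary", name, pid))   # binary unlinked after exec
        if "/dev/kmem" in f:
            findings.append(("kmem-open", name, pid))        # userland poking kernel memory
    for pid in sorted(init_pids - {1}):                      # only PID 1 may be init
        findings.append(("extra-init", "init", pid))
    return findings
```

On a live host, feed it `netstat -anp` and `lsof -p <pid>` output captured before killing anything, since the "(deleted)" marker is only visible while the process is still running.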