On Sun, May 25, 2003 at 02:25:28PM -0400, John Keimel wrote:
> Here's one major thing to consider. If all of your servers within your
> network are nearly the same, security wise, then you should consider
> that ALL of them are hacked. Until you've rebuilt every single one with
> trustable sources, your network is not safe. While you may not realize
> it, this Evil entity could still be gathering information on all your
> new systems, right as you put them online, which would really suck.

That's the disturbing part. They aren't on the same network (unless you count the Internet) and they are *NOT* the same. One wasn't running Apache, all were running SSH, they were running different mail servers (one postfix, two sendmail, a few courier-mta even!). The kernels range from 2.4.17-2.4.20 (depending on maintenance contracts :). SSH is the only commonality I can see and that disturbs me.

I've got a pretty good handle on this guy's rootkits.
He appears to modify the kernel image in memory via /dev/kmem (a next-generation LKM attack). I've considered removing /dev/kmem (does anything use it?) but I don't know about any side effects (and it doesn't prevent him mknod'ing it). It appears he actually has some sort of kernel-level TTY logger *AND* a kernel-hack to hide files and processes. The only comfort in this is that some of our kernels are apparently so exotic that his meddling crashes the machine during the break-in (instead of leaving a more compromised system).

In general, all of the rootkits are the same flavor (and seem unrelated to the LKM stuff). He uses a number of rootkits, but they all seem to be littered with his handle (Kapitan). At first I thought it was the guy who made the rootkit, but later he appears to have custom configured it to e-mail his e-mail address at yahoo (also includes kapitan). It's also obvious that he's aspiring to script-kiddie-dom. Later hacks show progressively more hacking of the same rootkit to strip off some other poor sap's name and plaster his everywhere.

> If you're THAT infested, you NEED to clean house. Take a weekend, or a
> couple days, call in all the technical people who can build systems and
> order in for Pizza. Take the entire network offline and rebuild it.
> Until you can track all of the machine that are hacked or ensure that
> they are all, in fact, clean, you can assume no level of safety.

Uhhh, that's me. Trust me when I say I'm as technical as it gets (short of the Gods like Linus). It's not a single machine, it's a whole bunch of them. It's not a password problem either. He seems to have hacked multiple of them within an hour of each other (his rootkit files aren't very clever about covering up mtime). I just can't tell how he got in. I've got some process accounting logs to go through, but they're ... verbose.
> I hope that some folks will assist you in finding what hole has been
> exploited on your network, but as for right now, you need to seriously
> consider whether boxes that you think are clean, are in fact, clean.

Got a good handle on that. I was primarily trying to gauge if this is an epidemic or something I've done. Right now, it looks like an Apache hole (there are logs of odd Apache requests before the crack and a few machines that weren't cracked show web hits from the other machines), but that could be wrong. This guy's methods are crude once he gets in (hell, the only applications I've even seen are sniffers and an IRC relay: psybnc). Doesn't seem much more than your standard punk, script-kiddie. But he's got a *VERY* slick way of getting in. Not sure how...

Thanks,
Jayson
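Added example, not part of the thread: Jayson notes that the rootkit files do not cover their mtimes and that several hosts were hit within an hour of each other. This Python script turns that observation into a quick triage check, walking a filesystem and reporting bursts of files modified close together that touch system directories. The watched directory list, the one-hour window and the sample records are assumptions made for the example.

```python
import os
from datetime import datetime

# System directories a rootkit typically drops replacement binaries into (assumed list).
WATCHED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/lib", "/etc", "/dev")


def walk_mtimes(root):
    """Yield (path, mtime) for every file under root; lstat so symlinks are not followed."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mtime
            except OSError:
                continue  # unreadable or vanished entry; skip it


def mtime_clusters(records, window_seconds=3600, min_size=3):
    """Sort by mtime and group files whose gap to the previous file is within the window.
    Only groups of at least min_size files are returned (a burst, not a stray edit)."""
    ordered = sorted(records, key=lambda r: r[1])
    clusters, current = [], []
    for path, mtime in ordered:
        if current and mtime - current[-1][1] > window_seconds:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append((path, mtime))
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def suspicious_clusters(records, window_seconds=3600, min_size=3):
    """Keep only bursts that include at least one file under a watched system directory."""
    return [c for c in mtime_clusters(records, window_seconds, min_size)
            if any(p.startswith(d + "/") for p, _ in c for d in WATCHED_DIRS)]


# Constructed sample: a burst of system-binary changes at 03:12 plus unrelated user edits hours later.
T0 = datetime(2003, 5, 24, 3, 12).timestamp()
SAMPLE = [
    ("/sbin/ifconfig", T0), ("/bin/ps", T0 + 40), ("/bin/netstat", T0 + 70), ("/usr/sbin/sshd", T0 + 120),
    ("/home/jayson/notes.txt", T0 + 30000), ("/home/jayson/todo", T0 + 30200),
]

if __name__ == "__main__":
    for cluster in suspicious_clusters(walk_mtimes("/")):
        print("burst of %d files starting %s" % (len(cluster), datetime.fromtimestamp(cluster[0][1])))
        for path, _ in cluster:
            print("   ", path)
```

Running it against the sample reports one burst of four system binaries and ignores the two home-directory edits; comparing burst start times across hosts gives the cross-machine timeline the post is after.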