Hi,
Last Sunday, August 3rd 2003, one of my servers was hacked which I, by
coincidence, was able to catch 'in progress'.
My log analyzer showed four "Did not receive identification string from
w.x.y.z" log entries from sshd. This happens all the time and I certainly
don't check all of them out, but I happened to do so this time.
I noticed suspicious network connections with netstat[1]. Shortly
thereafter I noticed I had two init processes and multiple syslogd
processes. I killed the syslogd processes immediately, as the
network traffic appeared to be IRC traffic. Then I practically sealed the
machine from outside with my firewall, allowing me to do some further
research.
I found the following:
- The extra init process was somehow spawned, but the original binary
seems to have been deleted [2].
- All base system programs were OK, including init and syslogd. MD5s
matched.
- In / there was "rpm-4.0.4.i386.tar.gz". I found that the content
was installed. It matches the archive on ftp.rpm.org (md5).
- I didn't find any other out-of-the-ordinary files
- chkrootkit didn't find anything but the extra init process running.
I'm puzzled about how they managed to get those processes running (as
root). There are no local accounts, other than some accounts for the
sysadmins. Does anyone have any idea how they might have done this?
Anyone seen similar hacks recently? I'd sure like to solve this problem,
but at this moment I wouldn't know how, so suggestions are more than
welcome.
Unfortunately I don't have the resources to get an IDS system up and
running...
Regards and TIA,
Thijs Welman
Delft University of Technology
the Netherlands
-----
[0] My server is running Debian stable with:
- linux-2.4.21-ac4 custom compiled kernel without LKM-support
- sshd
- apache
- apache-ssl
- php4
- smbd/nmbd (firewalled at the university network border)
- postfix (not accessible from outside)
- bind9 (not accessible from outside)
- mysql (firewalled)
- proftpd (firewalled)
- snmpd (firewalled)
- amanda-client from inetd (firewalled)
All packages are unmodified releases from Debian stable and, yes, I do
update packages from security.debian.org as soon as there are any updates. :)
[1] netstat -anp at that time:
tcp 0 0 MYIP:36789 IP#1:21 ESTABLISHED 12642/wget
tcp 1448 0 MYIP:36790 IP#1:20 ESTABLISHED 12642/wget
tcp 0 0 MYIP:44367 IP#2:60666 ESTABLISHED 10051/syslogd
tcp 0 0 MYIP:33397 IP#2:60666 ESTABLISHED 10051/syslogd
tcp 0 80 MYIP:53731 IP#3:59780 ESTABLISHED 10764/init
Note: I found out 'init' and 'syslogd' were 'extra' processes. My
normal init and syslogd were running normally (seemed untouched).
[2] lsof output:
init 1 root cwd DIR 3,3 4096 2 /
init 1 root rtd DIR 3,3 4096 2 /
init 1 root txt REG 3,3 27844 312195 /sbin/init
init 1 root mem REG 3,3 90210 179291 /lib/ld-2.2.5.so
init 1 root mem REG 3,3 1153784 179294 /lib/libc-2.2.5.so
init 1 root 10u FIFO 3,3 49116 /dev/initctl
init 9 root cwd DIR 3,3 4096 2 /
init 9 root rtd DIR 3,3 4096 2 /
init 9 root txt REG 3,3 29304 312205 /sbin/init (deleted)
init 9 root 0u CHR 1,3 49079 /dev/null
init 9 root 1u CHR 1,3 49079 /dev/null
init 9 root 2u CHR 1,3 49079 /dev/null
init 9 root 3u CHR 1,2 49078 /dev/kmem
init 9 root 4u sock 0,0 19 can't identify protocol
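The three signs the post relies on (a process running from a deleted binary, a second "init" that is not PID 1, and a daemon such as init or syslogd holding an established TCP connection, plus the open /dev/kmem handle) can be checked mechanically. The following is an added example written for this page, not code from the original post; it parses `lsof` and `netstat -anp` output in the column layout shown above and reports those indicators. The sample input is constructed from the lines quoted in the post, and the watchlist of daemons that should never own a TCP connection (`NO_TCP_EXPECTED`) is an assumption to be tuned per host.

```python
from collections import defaultdict

# Constructed sample input, taken from the lsof lines quoted in the post.
# Columns: COMMAND PID USER FD TYPE DEVICE [SIZE] NODE NAME
LSOF_SAMPLE = """\
init 1 root cwd DIR 3,3 4096 2 /
init 1 root txt REG 3,3 27844 312195 /sbin/init
init 1 root 10u FIFO 3,3 49116 /dev/initctl
init 9 root cwd DIR 3,3 4096 2 /
init 9 root txt REG 3,3 29304 312205 /sbin/init (deleted)
init 9 root 0u CHR 1,3 49079 /dev/null
init 9 root 3u CHR 1,2 49078 /dev/kmem
init 9 root 4u sock 0,0 19 can't identify protocol
"""

# Constructed sample input, taken from the `netstat -anp` lines quoted in the post.
NETSTAT_SAMPLE = """\
tcp 0 0 MYIP:36789 IP#1:21 ESTABLISHED 12642/wget
tcp 1448 0 MYIP:36790 IP#1:20 ESTABLISHED 12642/wget
tcp 0 0 MYIP:44367 IP#2:60666 ESTABLISHED 10051/syslogd
tcp 0 80 MYIP:53731 IP#3:59780 ESTABLISHED 10764/init
"""

# Assumption for this example: daemons that should never own an established
# TCP connection on this host. Adjust to the machine's real services.
NO_TCP_EXPECTED = {"init", "syslogd", "klogd"}
# Raw memory devices a userland daemon has no business opening.
RAW_MEMORY_DEVICES = {"/dev/kmem", "/dev/mem"}


def parse_lsof(text):
    """Yield (command, pid, fd, type, name) for each lsof line.

    lsof prints the SIZE column only for REG and DIR entries, so NAME starts
    at field 8 for those and at field 7 for CHR, FIFO, sock and the rest.
    """
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        name_idx = 8 if f[4] in ("REG", "DIR") else 7
        yield f[0], int(f[1]), f[3], f[4], " ".join(f[name_idx:])


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid, program) from `netstat -anp` lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or "/" not in f[6]:
            continue  # header line or socket without a PID/Program column
        pid, prog = f[6].split("/", 1)
        yield f[0], f[3], f[4], f[5], int(pid), prog


def find_suspicious(lsof_text, netstat_text):
    """Return a list of human-readable findings, one per indicator hit."""
    findings = []
    pids_by_cmd = defaultdict(set)
    for cmd, pid, fd, ftype, name in parse_lsof(lsof_text):
        pids_by_cmd[cmd].add(pid)
        # The executable text segment maps a file that no longer exists on disk.
        if fd == "txt" and name.endswith("(deleted)"):
            findings.append(f"pid {pid} ({cmd}) runs from a deleted binary: {name}")
        if name in RAW_MEMORY_DEVICES:
            findings.append(f"pid {pid} ({cmd}) has {name} open")
    # There is exactly one legitimate init, and it is PID 1.
    for pid in sorted(pids_by_cmd.get("init", set()) - {1}):
        findings.append(f"pid {pid} claims to be init but is not PID 1")
    for proto, local, remote, state, pid, prog in parse_netstat(netstat_text):
        if proto.startswith("tcp") and state == "ESTABLISHED" and prog in NO_TCP_EXPECTED:
            findings.append(f"pid {pid} ({prog}) has a TCP connection to {remote}")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(LSOF_SAMPLE, NETSTAT_SAMPLE):
        print(finding)
```

On a live system the same checks can be fed from `lsof -n -P` and `netstat -anp` (or, on a 2.4 kernel, by comparing each `/proc/<pid>/exe` link against the on-disk path). The wget transfers in the sample are deliberately not flagged: a download by itself is not an indicator, and the goal is to surface the few processes that cannot be legitimate rather than every connection.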