CRIME Multiple breakins, but can't figure out how

From: A.J. Weinzettel (aj@private)
Date: Tue Nov 18 2003 - 12:19:46 PST


    I have had multiple breakins somehow using different versions of RedHat
    (7.1, 7.3, & 8.0).  This started last week on the 7.1 and 7.3 boxes.  I
    have been keeping up on all the latest patches for Apache, Sendmail,
    SSH, MySQL.  So, I noticed the breakins and noticed a directory called
    /dev/rd/cdb.  In this directory there is a run.tgz and it is expanded
    into a directory.  These are the contents:
    
    -rwx------    1 1007     users      449008 Nov 18 13:20 kupdated
    -rwx------    1 1007     users         942 Jan 19  2000 checkmech
    -rwx------    1 1007     users       20313 Feb 12  2000 configure
    -rw-------    1 1007     users       17982 Jan 19  2000 COPYING
    -rw-r--r--    1 1007     users          87 Nov 12 21:39 emech.users
    -rw-------    1 1007     users        2147 Feb 12  2000 Makefile
    -rw-------    1 1007     users       22935 Feb 16  2000 mech.help
    -rw-r--r--    1 1007     users        1011 Nov 18 14:00 mech.levels
    -rw-------    1 root     root       144456 Nov 18 13:23 mech.pid
    -rw-r--r--    1 root     root          416 Nov 18 14:00 mech.session
    -rw-r--r--    1 1007     users        4202 Nov 12 21:39 mech.set
    drwx------    2 1007     users        4096 Feb 16  2000 randfiles
    -rw-------    1 1007     users        2300 Jun  4  2000 README
    -rwx------    1 1007     users      455957 Nov 18 14:03 send
    drwx------    2 1007     users        4096 Feb 23  2003 src
    -rw-------    1 1007     users        2007 Feb  5  2000 TODO
    -rw-------    1 1007     users       25043 Jun  4  2000 VERSIONS
    
    The README files starts off like this:
    
    +--+-------------------------------+--+
    |**|  StarGlider Class EnergyMech  |**|
    +--+-------------------------------+--+
    
    Compiling?
    ~~~~~~~~~~
    To compile the source:
    
    1) Uncompress the source code distribution archive.
    
    2) cd emech-2.7.6.1
    -- Since you are reading this file, you have most likely already
       come to this point.
    
    3) ./configure
    -- This script will prompt you for features to include or exclude,
       going with the default isn't a bad idea.
    
    4) make clean install
    
    If all went well you should now have an executable called ``mech''.
    
    <end of snippet>
    
    Running a trusted version of netstat (netstat -nap), I notice that
    kupdated is talking to another server on port 6667. It looked something
    like this:
    
    tcp 0 0 compromised server:35501 other_server:6667  TIME_WAIT [kupdated]
    
    So, I have reinstalled all operating systems to Redhat 8.0, made sure
    there are no bogus entries in the /etc/passwd file, and updated to all
    the latest and greatest versions of everything out there
    (Apache, MySQL, Sendmail, openssl, mod_ssl, and openSSH). The problem is,
    after all of this reinstalling and making sure everything is clean, I am
    right back at square one today.  The same problems and the same issues.
    Has anyone out there heard of this, or is anyone else out there
    experiencing similar problems?
    
    Any advice would be greatly appreciated.
    
    Thanks, 
    A.J.
    
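The two indicators the post relies on (a process holding a connection to IRC port 6667, and regular files stashed under /dev where only device nodes belong) can be checked without trusting the host's netstat or ls binaries, by reading /proc/net/tcp and walking /dev directly. The script below is an added example, not code from the original post or from the EnergyMech project; it assumes a Linux host with /proc mounted, and the /proc/net/tcp text embedded in it is constructed sample data modelled on the netstat line in the post (local port 35501 to a remote port 6667 in TIME_WAIT, owned by uid 1007). The pid lookup via /proc/*/fd only works for sockets that are still open, so a TIME_WAIT entry such as the one in the post will usually map to no pid; the inode and uid are still useful leads.

```python
"""Hunt for an IRC-bot style compromise using /proc instead of the host's
(possibly trojaned) netstat and ls.  Added example; constructed sample data."""
import os
import socket
import stat
import struct

IRC_PORTS = {6667}
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed /proc/net/tcp sample.  Addresses are little-endian hex IP:port.
# Row 0: 10.0.0.5:35501 -> 192.0.2.10:6667, TIME_WAIT, uid 1007, inode 12345.
# Row 1: sshd listening on 0.0.0.0:22 as root (benign control row).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:8AAD 0A0200C0:1A0B 06 00000000:00000000 00:00000000 00000000  1007        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0000000000000000 100 0 0 10 0
"""


def _decode_addr(hexaddr):
    """Turn '0500000A:8AAD' into ('10.0.0.5', 35501)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp content into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = _decode_addr(fields[1])
        rip, rport = _decode_addr(fields[2])
        conns.append({
            "local": (lip, lport),
            "remote": (rip, rport),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return conns


def find_irc_connections(text, ports=IRC_PORTS):
    """Return connections whose remote port is an IRC port."""
    return [c for c in parse_proc_net_tcp(text) if c["remote"][1] in ports]


def pid_for_socket_inode(inode, proc="/proc"):
    """Map a socket inode to the pid holding it open, or None if nobody does
    (closed/TIME_WAIT sockets have no owner any more)."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(os.path.join(fd_dir, fd)) == target:
                        return int(pid)
                except OSError:
                    continue
        except OSError:          # process exited or we lack permission
            continue
    return None


def find_non_device_entries(dev_root="/dev"):
    """Return regular files found anywhere under dev_root.  A tarball or an
    ELF binary under /dev (e.g. /dev/rd/cdb/run.tgz) is not a device node."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(dev_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    # Use the live table when available, otherwise the constructed sample.
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for c in find_irc_connections(table):
        pid = pid_for_socket_inode(c["inode"])
        print("%s:%d -> %s:%d %s uid=%d inode=%d pid=%s" % (
            c["local"] + c["remote"] + (c["state"], c["uid"], c["inode"], pid)))
    for path in find_non_device_entries("/dev"):
        print("regular file under /dev:", path)
```

Run it as root from a known-good Python (or from rescue media with the compromised root mounted and `proc` bind-mounted), since an attacker who replaced netstat may also have replaced the interpreter; the uid column is what ties the bot back to the account it runs as, which is where the next question (how did uid 1007 get a shell?) starts.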



    This archive was generated by hypermail 2b30 : Tue Nov 18 2003 - 13:10:39 PST