Re: CRIME Multiple breakins, but can't figure out how

From: Crispin Cowan (crispin@private)
Date: Wed Nov 19 2003 - 14:21:24 PST


    A.J. Weinzettel wrote:
    
    >I have had multiple break-ins somehow using different versions of Red Hat
    >(7.1, 7.3, & 8.0).
    >
    Can I interest you in Immunix 7.3:
    
        * Highly compatible with Red Hat 7.3
        * Multiple intrusion prevention layers
        * Survived 2 Defcon CtF games
        * http://www.immunix.com/products/immunixos/
    
    I can't help you with the forensics of discovering how you were cracked,
    as I have no experience with break-ins because I've never been 0wned :)
    
    Crispin
    
    >  This started last week on the 7.1 and 7.3 boxes.  I
    >have been keeping up on all the latest patches for Apache, Sendmail,
    >SSH, MySQL.  So, I noticed the break-ins and noticed a directory called
    >/dev/rd/cdb.  In this directory there is a run.tgz and it is expanded in
    >to a directory.  This is the contents:
    >
    > rwx------    1 1007     users      449008 Nov 18 13:20  kupdated
    >-rwx------    1 1007     users         942 Jan 19  2000 checkmech
    >-rwx------    1 1007     users       20313 Feb 12  2000 configure
    >-rw-------    1 1007     users       17982 Jan 19  2000 COPYING
    >-rw-r--r--    1 1007     users          87 Nov 12 21:39 emech.users
    >-rw-------    1 1007     users        2147 Feb 12  2000 Makefile
    >-rw-------    1 1007     users       22935 Feb 16  2000 mech.help
    >-rw-r--r--    1 1007     users        1011 Nov 18 14:00 mech.levels
    >-rw-------    1 root     root       144456 Nov 18 13:23 mech.pid
    >-rw-r--r--    1 root     root          416 Nov 18 14:00 mech.session
    >-rw-r--r--    1 1007     users        4202 Nov 12 21:39 mech.set
    >drwx------    2 1007     users        4096 Feb 16  2000 randfiles
    >-rw-------    1 1007     users        2300 Jun  4  2000 README
    >-rwx------    1 1007     users      455957 Nov 18 14:03 send
    >drwx------    2 1007     users        4096 Feb 23  2003 src
    >-rw-------    1 1007     users        2007 Feb  5  2000 TODO
    >-rw-------    1 1007     users       25043 Jun  4  2000 VERSIONS
    >
    >The README file starts off like this:
    >
    >+--+-------------------------------+--+
    >|**|  StarGlider Class EnergyMech  |**|
    >+--+-------------------------------+--+
    >
    >Compiling?
    >~~~~~~~~~~
    >To compile the source:
    >
    >1) Uncompress the source code distribution archive.
    >
    >2) cd emech-2.7.6.1
    >-- Since you are reading this file, you have most likely already
    >   come to this point.
    >
    >3) ./configure
    >-- This script will prompt you for features to include or exclude,
    >   going with the default isnt a bad idea.
    >
    >4) make clean install
    >
    >If all went well you should now have an executable called ``mech''.
    >
    ><end of snippet>
    >
    >Running a trusted version of netstat (netstat -nap), I noticed that kupdated
    >is talking to another server on port 6667. It looked something like
    >this:
    >
    >tcp 0 0 compromised server:35501 other_server:6667  TIME_WAIT [kupdated]
    >
    >So, I have reinstalled all operating systems to Red Hat 8.0, made sure
    >there are no bogus entries in the /etc/passwd file, and updated to all
    >the latest greatest versions of everything out there
    >(Apache, MySQL, Sendmail, openssl, mod_ssl, and openSSH). The problem is
    >after all of this reinstalling and making sure everything is clean, I am
    >right back at square one today.  The same problems and the same issues.  Has
    >anyone out there heard of this or is anyone else out there experiencing
    >similar problems?
    >
    >Any advice would be greatly appreciated.
    >
    >Thanks, 
    >A.J.
    >
    
    -- 
    Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
    Chief Scientist, Immunix       http://immunix.com
                http://www.immunix.com/shop/
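A defender-side check for the two indicators A.J. describes, added here as an example that is not part of the original thread: it flags `netstat -nap` sockets that reach an IRC port or are owned by a process named like a kernel thread (kupdated should never hold a socket), and lists regular files sitting under /dev, where a bot tarball has no business being. The regex, the port list, the kernel-thread names and the sample netstat output are assumptions constructed for the example, not anything taken from the list.

```python
import os
import re
import stat

# IRC server ports; the bot in the post connected out to 6667.
IRC_PORTS = {6667}
# Linux 2.4 kernel threads never own sockets, so a userland process using one
# of these names that does (kupdated in the post) deserves a look.
KERNEL_THREAD_NAMES = {"kupdated", "kswapd", "bdflush", "keventd", "kjournald"}

# One line of `netstat -nap`: proto, queues, local, remote, optional state
# (absent for UDP), then "pid/program" or "-" when the owner is unknown.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+|-)(?:/(?P<prog>\S+))?"
)

def suspicious_connections(netstat_output):
    """Return (program, remote, reason) tuples for sockets worth inspecting."""
    findings = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue
        remote, prog = m.group("remote"), m.group("prog") or "?"
        port = remote.rsplit(":", 1)[-1]
        if port.isdigit() and int(port) in IRC_PORTS:
            findings.append((prog, remote, "connection to IRC port"))
        if prog in KERNEL_THREAD_NAMES:
            findings.append((prog, remote, "socket owned by kernel-thread name"))
    return findings

def regular_files_under(dev_root="/dev"):
    """Regular files below dev_root: /dev should hold device nodes, not tarballs."""
    found = []
    for dirpath, _dirs, files in os.walk(dev_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                found.append(path)
    return sorted(found)

# Constructed `netstat -nap` sample modelled on the line quoted in the post;
# the addresses, PIDs and the sshd/ntpd lines are made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.5:35501         198.51.100.7:6667       ESTABLISHED 2291/kupdated
udp        0      0 0.0.0.0:123             0.0.0.0:*                           640/ntpd
"""
```

Run `suspicious_connections` over the real `netstat -nap` output from a trusted binary and `regular_files_under()` on the live box; both are only a first pass, since a rootkit that patches netstat or ls will lie to them.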
    



    This archive was generated by hypermail 2b30 : Wed Nov 19 2003 - 14:58:52 PST