A.J. Weinzettel wrote:

> I have had multiple break-ins somehow using different versions of RedHat
> (7.1, 7.3, & 8.0).

Can I interest you in Immunix 7.3:

* Highly compatible with Red Hat 7.3
* Multiple intrusion prevention layers
* Survived 2 Defcon CtF games
* http://www.immunix.com/products/immunixos/

I can't help you with the forensics of discovering how you were cracked, as I have no experience with break-ins because I've never been 0wned :)

Crispin

> This started last week on the 7.1 and 7.3 boxes. I
> have been keeping up on all the latest patches for Apache, Sendmail,
> SSH, MySQL. So, I noticed the break-ins and noticed a directory called
> /dev/rd/cdb. In this directory there is a run.tgz and it is expanded
> into a directory. This is the contents:
>
> -rwx------ 1 1007  users  449008 Nov 18 13:20 kupdated
> -rwx------ 1 1007  users     942 Jan 19  2000 checkmech
> -rwx------ 1 1007  users   20313 Feb 12  2000 configure
> -rw------- 1 1007  users   17982 Jan 19  2000 COPYING
> -rw-r--r-- 1 1007  users      87 Nov 12 21:39 emech.users
> -rw------- 1 1007  users    2147 Feb 12  2000 Makefile
> -rw------- 1 1007  users   22935 Feb 16  2000 mech.help
> -rw-r--r-- 1 1007  users    1011 Nov 18 14:00 mech.levels
> -rw------- 1 root  root   144456 Nov 18 13:23 mech.pid
> -rw-r--r-- 1 root  root      416 Nov 18 14:00 mech.session
> -rw-r--r-- 1 1007  users    4202 Nov 12 21:39 mech.set
> drwx------ 2 1007  users    4096 Feb 16  2000 randfiles
> -rw------- 1 1007  users    2300 Jun  4  2000 README
> -rwx------ 1 1007  users  455957 Nov 18 14:03 send
> drwx------ 2 1007  users    4096 Feb 23  2003 src
> -rw------- 1 1007  users    2007 Feb  5  2000 TODO
> -rw------- 1 1007  users   25043 Jun  4  2000 VERSIONS
>
> The README file starts off like this:
>
> +--+-------------------------------+--+
> |**|  StarGlider Class EnergyMech  |**|
> +--+-------------------------------+--+
>
> Compiling?
> ~~~~~~~~~~
> To compile the source:
>
> 1) Uncompress the source code distribution archive.
>
> 2) cd emech-2.7.6.1
> -- Since you are reading this file, you have most likely already
>    come to this point.
>
> 3) ./configure
> -- This script will prompt you for features to include or exclude,
>    going with the default isn't a bad idea.
>
> 4) make clean install
>
> If all went well you should now have an executable called ``mech''.
>
> <end of snippet>
>
> Running a trusted version of netstat (netstat -nap) I noticed kupdated
> is talking to another server on port 6667. It looked something like
> this:
>
> tcp 0 0 compromised server:35501 other_server:6667 TIME_WAIT [kupdated]
>
> So, I have reinstalled all operating systems to Redhat 8.0, made sure
> there are no bogus entries in the /etc/passwd file, and updated to all
> the latest greatest versions of everything out there
> (Apache, MySQL, Sendmail, openssl, mod_ssl, and openSSH). The problem is
> after all of this reinstalling and making sure everything is clean, I am
> right back at square one today. The same problems and the same issues. Has
> anyone out there heard of this or is anyone else out there experiencing
> similar problems?
>
> Any advice would be greatly appreciated.
>
> Thanks,
> A.J.
>
>

--
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
                               http://www.immunix.com/shop/
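The two indicators in the quoted report (a socket talking to an IRC port, and a socket owned by a process named after a kernel thread such as kupdated) can be checked mechanically against `netstat -nap` output. The script below is an added illustration, not part of the original thread; it assumes the net-tools `PID/Program name` column format and runs on a constructed sample, so the addresses and PIDs are made up.

```python
from typing import Dict, List

# Constructed sample of `netstat -nap` output (not taken from the original post).
# The last column follows the net-tools format "PID/name", or "-" when unknown.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.10:35501        198.51.100.7:6667       ESTABLISHED 1007/kupdated
tcp        0      0 192.0.2.10:80           203.0.113.4:51234       ESTABLISHED 955/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -
"""

# Ports commonly used for IRC, the command channel of bots like the EnergyMech
# found in the post.
IRC_PORTS = {6667, 6668, 6669, 7000}
# Names of Linux 2.4-era kernel threads. A real kernel thread never owns a
# socket, so a socket attributed to one of these names is a user process
# masquerading under a trusted-looking name.
KERNEL_THREAD_NAMES = {"kupdated", "kswapd", "bdflush", "kflushd", "keventd", "kjournald"}

def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Parse tcp/udp rows of netstat -nap into dicts; headers are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = parts[5] if proto.startswith("tcp") else ""  # UDP has no State column
        prog = parts[-1]                                        # "PID/name" or "-"
        pid, name = prog.split("/", 1) if "/" in prog else ("", "")
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid, "name": name})
    return rows

def foreign_port(addr: str) -> int:
    """Return the numeric port of 'host:port', or -1 for wildcard '*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else -1

def suspicious_connections(text: str) -> List[str]:
    """Flag rows that hit an IRC port or are owned by a kernel-thread name."""
    findings = []
    for r in parse_netstat(text):
        reasons = []
        if foreign_port(r["foreign"]) in IRC_PORTS:
            reasons.append("outbound IRC port")
        if r["name"] in KERNEL_THREAD_NAMES:
            reasons.append("kernel-thread name owning a socket")
        if reasons:
            findings.append(f"{r['proto']} {r['local']} -> {r['foreign']} "
                            f"[{r['pid']}/{r['name']}]: " + ", ".join(reasons))
    return findings

if __name__ == "__main__":
    for finding in suspicious_connections(SAMPLE_NETSTAT):
        print(finding)
```

On a live box, feed it the output of a netstat binary copied from known-good media, since the post's own point is that on-host tools may be replaced.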
This archive was generated by hypermail 2b30 : Wed Nov 19 2003 - 14:58:52 PST