Hi,

One of our servers that's literally on the other side of the globe was compromised on Saturday, 5 Jan. I'm not sure how the person got in, but it has to be either exim (early 2.x version), University of Washington IMAP/POP v 1.5.1 or Apache 1.3.9. It could also be that it was through ssh-1.2.26, although this is supposed to be firewall filtered, so I doubt it. The base machine is RedHat-5.2, but a lot has been changed since the original install about 3 years ago.

The rootkits installed appear to be similar to http://openbsd.org.br/ouah/compromisenov25.htm. A version of the tr0n v8 rootkit also seems to be on the machine but not used. I'm cleaning up as best as I can until we can ship a new disk to be installed. It looks like, overall, the attempt was unsuccessful.

The /etc/rc.d/init.d/network script has been replaced, and among the suspicious lines are:

    /usr/bin/ssh2d -q
    cd /usr/src/.lib;./lpsched

lpsched is a program to capture usernames/passwords on the network. It was running when I found the machine, but I killed the procs. I found a core file of /usr/bin/ssh2d under /etc/rc.d/init.d, so obviously that did not work too well. But the network didn't start up at all, because the replaced network file assumes RedHat-7.0 or later.

But now for the question. I can't seem to do anything to /usr/bin/ssh2d and /etc/rc.d/init.d/network. I can't remove, move, or change permissions on them in any way.
    # stat /usr/bin/ssh2d /etc/rc.d/init.d/network
      File: "/usr/bin/ssh2d"
      Size: 205288       Filetype: Regular File
      Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
    Device:  8,0   Inode: 4119      Links: 1
    Access: Wed Jan  9 18:09:19 2002(00000.00:54:46)
    Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
    Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)

      File: "/etc/rc.d/init.d/network"
      Size: 5140         Filetype: Regular File
      Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
    Device:  8,0   Inode: 121925    Links: 1
    Access: Wed Jan  9 18:58:44 2002(00000.00:05:21)
    Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
    Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)

But, for example:

    # mv ssh2d ssh2d_foo
    mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted

As far as I can see lsmod has not been trojaned, and it doesn't look like there are any suspicious kernel modules loaded. So why do I get 'Operation not permitted' when I try to do anything to the files?

Thank you,
Jan van Rensburg

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
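The thread does not say what caused the EPERM above. One check a responder would run before anything else on a box like this, added here as an example and not part of the original post: on ext2 the immutable (i) and append-only (a) inode attributes make mv, rm and chmod fail with "Operation not permitted" even for uid 0 and without any kernel module, and rootkits commonly set them with chattr to pin their binaries in place. This script assumes e2fsprogs (lsattr/chattr) is installed and that the files live on an ext2/ext3 filesystem; the sample lsattr lines are constructed for the demo, not captured from the compromised host.

```shell
#!/bin/sh
# Added example (not from the original post): look for ext2 immutable/
# append-only attributes on files root cannot touch, and clear them so the
# files can be moved aside for forensics. Assumes e2fsprogs is installed.

# Read lsattr-style lines ("<flags> <path>") on stdin and print
# "<path> <flags found>" for every entry carrying i (immutable) or
# a (append-only). Other flags (A, e, s, ...) are ignored.
flag_report() {
    while read -r flags path; do
        [ -z "$path" ] && continue
        case "$flags" in
            *i*|*a*)
                found=$(printf '%s' "$flags" | tr -cd 'ia')
                printf '%s %s\n' "$path" "$found"
                ;;
        esac
    done
}

# Run lsattr on real files (-d so directories are not recursed) and report.
# Needs a real ext2/ext3 filesystem; on anything else lsattr just errors.
check_attrs() {
    lsattr -d "$@" 2>/dev/null | flag_report
}

# Clear i and a on the given files. Copy the files elsewhere (or image the
# disk) first: chattr updates ctime, which destroys the timeline evidence
# that the stat output above still preserves.
clear_attrs() {
    chattr -i -a "$@"
}

# Constructed sample lsattr output for the demo (not from the real host).
SAMPLE='----i-------- /usr/bin/ssh2d
----i-------- /etc/rc.d/init.d/network
------------- /etc/rc.d/init.d/network.orig'

# Usage: ./attrcheck.sh --demo            (parse the constructed sample)
#        ./attrcheck.sh /usr/bin/ssh2d     (check real files as root)
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE" | flag_report ;;
    "")     ;;
    *)      check_attrs "$@" ;;
esac
```

If flag_report lists the two files, `chattr -i` (clear_attrs) makes them movable again; if it lists nothing, the EPERM is coming from somewhere else (a patched syscall path or a trojaned coreutils, for instance), and lsattr itself should be treated as untrusted on a rooted host, so run it from known-good media rather than from /usr/bin.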
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 13:28:33 PST