Machine compromised

From: Jan van Rensburg (jan.van.rensburgat_private)
Date: Wed Jan 09 2002 - 09:02:35 PST


    Hi,
    One of our servers that's literally on the other side of the globe has been
    compromised on Saturday, 5 Jan. I'm not sure how the person got in, but it
    has to be either exim (early 2.x version), University of Washington IMAP/POP
    v 1.5.1 or Apache 1.3.9. It could also be that it was through ssh-1.2.26,
    although this is supposed to be firewall filtered, so I doubt it. The base
    machine is RedHat-5.2, but a lot has been changed since the original install
    about 3 years ago. 
    
    The rootkits installed appear to be similar to
    http://openbsd.org.br/ouah/compromisenov25.htm. A version of the tr0n v8
    rootkit also seems to be on the machine but not used. 
    
    I'm cleaning up as best as I can until we can ship a new disk to be
    installed. Overall it looks like the attempt was unsuccessful. The
    /etc/rc.d/init.d/network script has been replaced and among the suspicious
    lines are: 
    
            /usr/bin/ssh2d -q
            cd /usr/src/.lib;./lpsched
    
    lpsched is a program to capture usernames/passwords on the network. It was
    running when I found the machine but I killed the procs. I found a core file
    of /usr/bin/ssh2d under /etc/rc.d/init.d, so obviously that did not work too
    well. But the network didn't start up at all, because the replaced network
    file assumes RedHat-7.0 or later. 
    
    But now for the question. I can't seem to do anything to /usr/bin/ssh2d and
    /etc/rc.d/init.d/network. I can't remove, move, or change permissions on them in
    any way. 
    
    # stat /usr/bin/ssh2d /etc/rc.d/init.d/network
      File: "/usr/bin/ssh2d"
      Size: 205288       Filetype: Regular File
      Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
    Device:  8,0   Inode: 4119      Links: 1
    Access: Wed Jan  9 18:09:19 2002(00000.00:54:46)
    Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
    Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)
    
      File: "/etc/rc.d/init.d/network"
      Size: 5140         Filetype: Regular File
      Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
    Device:  8,0   Inode: 121925    Links: 1
    Access: Wed Jan  9 18:58:44 2002(00000.00:05:21)
    Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
    Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)
    
    But, for example: 
    # mv ssh2d ssh2d_foo
    mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted
    
    As far as I can see lsmod has not been trojaned, and it doesn't look like
    there's any suspicious kernel modules loaded. So why do I get 'Operation not
    permitted' when I try to do anything to the files?
    
    Thank you,
    Jan van Rensburg
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
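
The check a responder would run at this point, added here as an example and not part of the original post or any reply on the list: on ext2/ext3 filesystems a file carrying the immutable (i) or append-only (a) attribute set with chattr is shown by lsattr, and even root gets "Operation not permitted" on rename, unlink and chmod until the attribute is cleared with chattr -i. The script parses lsattr output lines and classifies them; the sample lines are constructed (not output from the compromised host), only the file names are taken from the post, and on a live box it should be run with lsattr/chattr binaries from known-good media, since the same intruder who set the attribute may have replaced the tools.

```shell
#!/bin/sh
# Added example: detect the ext2/ext3 immutable/append-only attributes that
# make a file unmovable and unremovable for root. Not from the original post.

# parse_lsattr_flags LINE -> prints the attribute field of one lsattr line,
# which looks like "----i-------- /usr/bin/ssh2d"
parse_lsattr_flags() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# has_flag FLAGS CHAR -> exit status 0 if CHAR is present in FLAGS
has_flag() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# classify_lsattr_line LINE -> prints one of:
#   immutable | append-only | immutable,append-only | none
classify_lsattr_line() {
    flags=$(parse_lsattr_flags "$1")
    result=""
    if has_flag "$flags" i; then
        result="immutable"
    fi
    if has_flag "$flags" a; then
        if [ -n "$result" ]; then
            result="$result,append-only"
        else
            result="append-only"
        fi
    fi
    if [ -z "$result" ]; then
        result="none"
    fi
    printf '%s\n' "$result"
}

# check_file PATH -> runs lsattr on a real path (needs an ext2/ext3/ext4 fs
# and a trustworthy lsattr binary) and prints PATH: classification
check_file() {
    line=$(lsattr -d -- "$1" 2>/dev/null) || {
        echo "$1: lsattr failed (not an ext filesystem, or no permission)"
        return 2
    }
    echo "$1: $(classify_lsattr_line "$line")"
}

# Constructed sample lines (not real output from the compromised machine).
SAMPLE_IMMUTABLE='----i-------- /usr/bin/ssh2d'
SAMPLE_CLEAN='------------- /etc/rc.d/init.d/network'

if [ $# -gt 0 ]; then
    # Usage: ./chkattr.sh /usr/bin/ssh2d /etc/rc.d/init.d/network
    for f in "$@"; do
        check_file "$f"
    done
else
    for l in "$SAMPLE_IMMUTABLE" "$SAMPLE_CLEAN"; do
        echo "$l -> $(classify_lsattr_line "$l")"
    done
fi
```

A file reported as immutable can be restored to normal handling with `chattr -i` on it (and `chattr -a` for append-only), after which mv and rm behave as expected; the post's stat output shows ordinary 0755 permissions precisely because stat does not display these attributes, which is why the "Operation not permitted" error looks inexplicable from stat alone.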
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 13:28:33 PST