On Wed, 9 Jan 2002, Jan van Rensburg wrote:

> Hi,
> One of our servers that's literally on the other side of the globe has been
> compromised on Saturday, 5 Jan. I'm not sure how the person got in, but it
> has to be either exim (early 2.x version), University of Washington IMAP/POP
> v 1.5.1 or Apache 1.3.9. It could also be that it was through ssh-1.2.26,
> although this is supposed to be firewall filtered, so I doubt it. The base
> machine is RedHat-5.2, but a lot has been changed since the original install
> about 3 years ago.

Considering that I couldn't find any info on how old UW-IMAP-1.5.1 is (e.g.
http://freshmeat.net/branches/11037/ lists only some "2000x" and "2001y"
versions), I would consider it rather old. Anyhow, I might be wrong with the
age, but if the version you're running is as old as your sshd, I think it
really might have some holes considering Washington University's reputation
with wu-ftpd and Pine.

> But, for example:
> # mv ssh2d ssh2d_foo
> mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted
>
> As far as I can see lsmod has not been trojaned, and it doesn't look like
> there's any suspicious kernel modules loaded. So why do I get 'Operation not
> permitted' when I try to do anything to the files?

Say "lsattr <path>/ssh2d". If you see an "i" somewhere in the middle of the
dashes, the file has an immutable flag set. This means that even root cannot
modify the file until the flag is removed (by issuing chattr -i). Read more
from the manpages chattr(1) and lsattr(1).

Secondly, if your machine is compromised you cannot trust the output of e.g.
lsmod. I recommend that you recompile your kernel without support for modules
and watch whether you get some unexpected "QM_MODULES: Function not
implemented" messages while booting. This is how you can .try. to find out if
your system attempts to install a kernel module backdoor during the bootup.

You can do it more securely by compiling a kernel on a machine you know to be
secure and uploading it to the hacked system. Nevertheless, I think the best
and most efficient way to survive a compromise is to reinstall the whole
system. (And you should not scorn the importance of security updates although
you have services blocked by firewall!)

-Petrus

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
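The lsattr check suggested above, turned into a small audit helper. This is an added example, not part of the original mail: it parses lsattr(1) output lines to list every path carrying the immutable (`i`) flag, and also the append-only (`a`) flag, which chattr(1) documents alongside it and which hides the same way from `mv`. The sample lines are constructed, not taken from the compromised host; `audit_paths` only works where lsattr exists and the filesystem supports these attributes.

```shell
#!/bin/sh
# Added example (not from the original mail): pick out immutable ("i") and
# append-only ("a") entries from lsattr(1) output so a responder can audit
# a host's binaries instead of learning about the flag from a failing mv.

# lsattr prints "<flags> <path>"; the flag field is a run of dashes and
# letters, e.g. "----i---------e------- /usr/local/sbin/ssh2d".
# Return 0 when the flag field of $1 contains the letter $2 (case-sensitive:
# "i" is immutable, "a" is append-only; "A", "e" and friends are unrelated).
has_attr() {
    line=$1
    letter=$2
    flags=${line%% *}              # everything before the first space
    case $flags in
        *"$letter"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read lsattr output on stdin; print the path of every locked entry.
report_locked() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if has_attr "$line" i || has_attr "$line" a; then
            printf '%s\n' "${line#* }"   # path is everything after the flags
        fi
    done
}

# Run lsattr on real paths when it is available (ext2/3/4 and some others).
# -d keeps directories as single entries instead of descending into them.
audit_paths() {
    command -v lsattr >/dev/null 2>&1 || return 1
    lsattr -d "$@" 2>/dev/null | report_locked
}

# Constructed sample output, not captured from any real system.
SAMPLE_LSATTR='----i---------e------- /usr/local/sbin/ssh2d
--------------e------- /bin/ls
-----a--------e------- /var/log/wtmp'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSATTR" | report_locked
fi
```

Run it as `sh audit.sh --demo` to see the parser on the sample, or source the file and call `audit_paths /bin/* /sbin/* /usr/sbin/*` on a host you are examining; bear in mind that, as the mail says, a trojaned lsattr on a compromised box can lie just as lsmod can.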
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 15:38:59 PST