Re: Machine compromised

From: Petrus Repo (pantheonat_private)
Date: Wed Jan 09 2002 - 14:55:29 PST


    On Wed, 9 Jan 2002, Jan van Rensburg wrote:
    
    > Hi,
    > One of our servers that's literally on the other side of the globe has been
    > compromised on Saturday, 5 Jan. I'm not sure how the person got in, but it
    > has to be either exim (early 2.x version), University of Washington IMAP/POP
    > v 1.5.1 or Apache 1.3.9. It could also be that it was through ssh-1.2.26,
    > although this is supposed to be firewall filtered, so I doubt it. The base
    > machine is RedHat-5.2, but a lot has been changed since the original install
    > about 3 years ago. 
    
    Considering that I couldn't find any info on how old UW-IMAP-1.5.1 is
    (e.g. http://freshmeat.net/branches/11037/ lists only some "2000x" and
    "2001y" versions), I would consider it rather old. Anyhow, I might be
    wrong with the age, but if the version you're running is as old as your
    sshd, I think it really might have some holes considering Washington
    University's reputation with wu-ftpd and Pine.
    
    
    > But, for example: 
    > # mv ssh2d ssh2d_foo
    > mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted
    > 
    > As far as I can see lsmod has not been trojaned, and it doesn't look like
    > there's any suspicious kernel modules loaded. So why do I get 'Operation not
    > permitted' when I try to do anything to the files?
    
    Say "lsattr <path>/ssh2d". If you see an "i" somewhere in the middle of
    the dashes, the file has an immutable flag set. This means that even root
    cannot modify the file until the flag is removed (by issuing chattr -i).
    Read more from the manpages chattr(1) and lsattr(1).
    
    Secondly, if your machine is compromised you cannot trust the output of
    e.g. lsmod. I recommend that you recompile your kernel without support for
    modules and watch whether you get some unexpected "QM_MODULES: Function
    not implemented" messages while booting. This is how you can .try. to find
    out if your system attempts to install a kernel module backdoor during the
    bootup. You can do it more securely by compiling a kernel on a machine you
    know secure and uploading it to the hacked system. Nevertheless, I think
    the best and most efficient way to survive a compromise is to
    reinstall the whole system. (And you should not scorn the importance of
    security updates although you have services blocked by firewall!)
    
    
     -Petrus
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
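A small shell helper for the lsattr check described in the message above, added here as an example and not part of the original post: it parses `lsattr -R` output and lists every file whose attribute field carries the immutable "i" flag, so a whole tree can be swept instead of one path at a time. The sample lsattr lines are constructed; `find_immutable` assumes the e2fsprogs `lsattr` binary is installed.

```shell
#!/bin/sh
# List files with the ext2/ext3 immutable attribute set. An immutable file
# cannot be renamed, modified or unlinked even by root until "chattr -i"
# clears the flag, which produces the "Operation not permitted" error
# quoted above and is a common trick for pinning trojaned binaries in place.

# Read lsattr-style lines on stdin and print only the paths whose attribute
# string contains a lowercase "i". The attribute string is the first field
# (dashes and letters, e.g. "----i--------e--"); everything after the first
# space is the path, so paths containing spaces survive. "lsattr -R" also
# prints "dir:" header lines and blank lines; those carry no attributes and
# are skipped. Note that index() is case-sensitive, so the uppercase "I"
# (indexed directory) flag does not trigger a false report.
immutable_from_lsattr() {
    awk '
        NF >= 2 && $1 ~ /^[-a-zA-Z]+$/ && index($1, "i") > 0 {
            print substr($0, length($1) + 2)
        }
    '
}

# Sweep the given directories (default: system binary locations and /etc)
# with lsattr -R and report immutable files. lsattr warnings for pseudo
# filesystems go to stderr and are discarded.
find_immutable() {
    [ $# -gt 0 ] || set -- /bin /sbin /usr/bin /usr/sbin \
                            /usr/local/bin /usr/local/sbin /etc
    lsattr -R -- "$@" 2>/dev/null | immutable_from_lsattr
}

# Constructed sample of lsattr -R output (not captured from a real host):
# ssh2d carries the immutable flag, sshd does not.
SAMPLE_LSATTR='/usr/sbin:
----i--------e-- /usr/sbin/ssh2d
-------------e-- /usr/sbin/sshd

-----a-------e-- /var/log/wtmp'

# Demo on the constructed sample; replace with "find_immutable" on a live
# system to sweep the real filesystem.
printf '%s\n' "$SAMPLE_LSATTR" | immutable_from_lsattr
```

Any file it reports should be compared against a known-good copy before `chattr -i` is used, since the flag itself is the evidence that something was pinned there.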



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 15:38:59 PST