Am I compromised?

From: Paul Gear (paulgearat_private)
Date: Wed Jun 26 2002 - 05:41:29 PDT


    Hi everyone,
    
    I'm having a very perplexing problem that's troubling me no end.  It
    all started one morning when I found this in the nightly tripwire
    report from my Linux firewall/router (then running Red Hat 7.2 with
    all updates applied):
    
    -------------------------------------------------------------------------------
    Rule Name: OS executables and libraries (/lib)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/lib/libc-2.2.4.so"
    
    Obviously, this set off alarm bells in my head.  The tripwire report
    said that the checksum had changed, but not the timestamp, ownership,
    etc.  I found this unusual, so I pulled a good copy of the library
    from my updates copy and compared the files.  What I found was two
    changed function names as follows:
    
    gear02:/root/keep/lib # diff strings.*
    2239c2239
    < __strcp       _smqll
    ---
    > __strcpy_small
    2388c2388
    < ifmfre5nameindex
    ---
    > if_freenameindex
    gear02:/root/keep/lib # diff od.*
    4701c4701
    < 0223520   e   x  \0   _   _   s   t   r   c   p  \t   _   s   m
    q   l
    ---
    > 0223520   e   x  \0   _   _   s   t   r   c   p   y   _   s   m
    a   l
    4829c4829
    < 0227520   d   r   a   n   d   4   8  \0   i   f   m   f   r   e
    5   n
    ---
    > 0227520   d   r   a   n   d   4   8  \0   i   f   _   f   r   e
    e   n
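
    Review bot: both od.* hunks change the same two columns, 2048 bytes
    apart.  In row 0223520 the 11th and 15th bytes differ (`y` -> `\t`,
    `a` -> `q`, file offsets 0o223532 and 0o223536); in row 0227520 it is
    again the 11th and 15th bytes (`_` -> `m`, `e` -> `5`, offsets
    0o227532 and 0o227536), and 0o227520 - 0o223520 = 0o4000 = 2048.
    Four single-byte changes inside symbol-name strings at address-aligned
    positions, with the file timestamp untouched as the text above notes,
    look like a memory or disk-path fault rather than a trojaned libc,
    which would alter code or the symbol tables rather than garble two
    names; a memory test is the cheap check to run before pursuing the
    intruder hypothesis.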
    
    I searched for __strcp\t_smqll and ifmfre5nameindex on Google, but
    found nothing.
    
    There was no other evidence of a break-in.  There was nothing unusual
    in the logs; the system seemed to be running normally; my cable modem
    bandwidth wasn't being chewed up very quickly; I had process
    accounting running, but it didn't seem to have anything helpful to
    offer (not that I'd be much at reading it anyway).  However, being the
    paranoid person that I am, I decided not to risk it, and had a friend
    disconnect it from the outside world.  (I was away on holidays at the
    time.)
    
    When I returned, I investigated (a little) more, and then reinstalled
    on Red Hat 7.3, restored/recreated configurations, and reconnected the
    system (after taking an image of the hard disk).  (On a related note,
    does anyone know if it's possible to access a compressed partition via
    a loopback mount?  At the moment, I have to uncompress it to look at
    it.)  All seemed well until this morning, when I got the following in
    my tripwire report:
    
    -------------------------------------------------------------------------------
    
    Rule Name: Critical system boot files (/boot)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/boot/grub/stage2"
    
    Now this one is a little bit trickier.  As far as I'm aware, the file
    is only used on bootup.  Its diff (od -c against a good file) looks
    like this:
    
    gear02:/root/keep # diff -u stage2.*
    --- stage2.1    Wed Jun 26 05:50:52 2002
    +++ stage2.2    Wed Jun 26 05:50:43 2002
    @@ -20,11 +20,7 @@
     0000460 212 004   <  \0   u 362 303  \0  \0  \0  \0  \0  \0  \0  \0
    \0
     0000500  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
    \0
     *
    -0000660  \0  \0  \0  \0  \0  \0  \0  \0 207 035 004  \0   0  \0  \0
    "
    -0000700  \a 035 004  \0   @  \0  \0 032 277 034 004  \0  \b  \0  \0
    031
    -0000720 247 034 004  \0 020  \0  \0 027   ? 034 004  \0  \b  \0  \0
    026
    -0000740 257 033 004  \0 020  \0  \0 024   _ 033 004  \0   (  \0  \0
    017
    -0000760   ? 030 004  \0  \b  \0  \0 016   X 024 004  \0   /  \0
    \b
    +0000760 257 340  \f  \0 240  \0  \0 024   H 340  \f  \0   _  \0
    \b
     0001000 352   p 202  \0  \0  \0 003 002 377 377  \0  \0  \0  \0  \0
    \0
     0001020  \0  \0   0   .   9   1  \0   (   h   d   0   ,   0   )   /
    b
     0001040   o   o   t   /   g   r   u   b   /   g   r   u   b   .   c
    o
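
    Review bot: the hunk does not say which of stage2.1 and stage2.2 is
    the known-good copy (the -u header only shows stage2.2 was dumped nine
    seconds before stage2.1), and that needs stating before any
    conclusion is drawn.  The changed bytes sit at offsets 0o660-0o777,
    the tail of stage2's first sector, which is where GRUB legacy's
    install/setup step writes the block list for the rest of stage2 as
    8-byte little-endian entries (u32 start sector, u16 sector count, u16
    load segment) growing downward from 0o770 to an all-zero entry.  Read
    that way, stage2.1 holds nine extents starting at sector 0x41458 and
    loaded from segment 0x0800 up to 0x2200, while stage2.2 holds two,
    starting at sector 0xce048 and loaded at 0x0800 and 0x1400; both sum
    to 255 sectors once the `\0` field that mail wrapping dropped from
    each 0000760 row (15 fields on the page instead of 16) is restored,
    and the header rows at 0001000-0001040 (version "0.91", "(hd0,0)",
    "/boot/grub/grub.conf") are identical on both sides.  That is the
    footprint of grub-install being re-run with the file sitting at a
    different place on disk, not of injected code.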
    
    Now I'm guessing this (being boot loader code) is x86 assembler.  What
    I don't know is whether it's random garbage or I have some sort of
    persistent attacker finding holes into my system despite the latest
    updates.  Again, nothing else seems to be wrong - my bandwidth usage
    is good, and there is nothing suspicious in the log.  I've done TCP
    and UDP port scans with nmap from another system and no additional
    ports seem to be open.
    
    I'm starting to think this is something like bad RAM or a motherboard
    problem (it's a fairly old machine).  I have the disk mirrored using
    Linux software RAID, so I would have thought a problem on one of the
    disks would have been picked up.  Can anyone offer any suggestions?
    
    Paul
    http://paulgear.webhop.net
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
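
The two dumps quoted in the post can be checked mechanically rather than by eye. The script below is an added example and is not code from the post, from Tripwire or from GRUB. It parses the od -c rows quoted above (mail-wrapped lines rejoined; the two 0000760 rows are missing one "\0" field on the page and the script restores it, on the assumption that their last field is the little-endian load segment 0x0800), lists the byte offsets at which the two libc copies differ and reduces them modulo 16 and 2048 to show that all four hits fall in the same two columns 2048 bytes apart, and decodes the 8-byte entries (start sector, sector count, load segment) that GRUB legacy's install/setup step writes at the end of stage2's first sector, which is exactly the region the stage2 diff covers. The GRUB layout and the reading of the diff sides (`<` is the flagged libc and `>` the good copy; stage2.1 is `-` and stage2.2 is `+`) are my assumptions from the post's text, not facts it states.

```python
"""Forensic helpers for the two Tripwire hits in the post above.

Added example, not code from the post, Tripwire or GRUB: it parses the od -c
rows quoted in the post, lists where the two libc copies differ, and decodes
the block list GRUB legacy keeps at the end of stage2's first sector.  Rows
are transcribed from the post with mail-wrapped lines rejoined; the two
0000760 rows lost one "\\0" field in wrapping and are restored here on the
assumption that their last field is the little-endian load segment 0x0800.
"""

_ESCAPES = {r"\0": 0, r"\a": 7, r"\b": 8, r"\t": 9, r"\n": 10,
            r"\v": 11, r"\f": 12, r"\r": 13}          # od -c escape names

# "<" side of the post's od.* diff (flagged libc) and ">" side (good copy).
LIBC_SUSPECT = r"""
0223520   e   x  \0   _   _   s   t   r   c   p  \t   _   s   m   q   l
0227520   d   r   a   n   d   4   8  \0   i   f   m   f   r   e   5   n
"""
LIBC_GOOD = r"""
0223520   e   x  \0   _   _   s   t   r   c   p   y   _   s   m   a   l
0227520   d   r   a   n   d   4   8  \0   i   f   _   f   r   e   e   n
"""
# stage2.1 ("-") and stage2.2 ("+") of the post's diff -u; rows before
# 0000460 were not quoted, so they stay zero in the rebuilt sector.
STAGE2_1 = r"""
0000460 212 004   <  \0   u 362 303  \0  \0  \0  \0  \0  \0  \0  \0  \0
0000500  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
0000660  \0  \0  \0  \0  \0  \0  \0  \0 207 035 004  \0   0  \0  \0   "
0000700  \a 035 004  \0   @  \0  \0 032 277 034 004  \0  \b  \0  \0 031
0000720 247 034 004  \0 020  \0  \0 027   ? 034 004  \0  \b  \0  \0 026
0000740 257 033 004  \0 020  \0  \0 024   _ 033 004  \0   (  \0  \0 017
0000760   ? 030 004  \0  \b  \0  \0 016   X 024 004  \0   /  \0  \0  \b
"""
STAGE2_2 = r"""
0000460 212 004   <  \0   u 362 303  \0  \0  \0  \0  \0  \0  \0  \0  \0
0000500  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
0000760 257 340  \f  \0 240  \0  \0 024   H 340  \f  \0   _  \0  \0  \b
"""


def od_c_rows(text):
    """Parse od -c output into {row_offset: 16 bytes}; a lone '*' repeats the
    previous row up to the next offset.  A space byte prints as a blank field
    that whitespace splitting cannot see, hence the 16-field check."""
    rows, last_off, last_row, repeat = {}, None, None, False
    for line in text.strip().splitlines():
        fields = line.split()
        if fields == ["*"]:
            repeat = True
            continue
        off, toks = int(fields[0], 8), fields[1:]
        if repeat:                                   # expand the '*' run
            for o in range(last_off + 16, off, 16):
                rows[o] = last_row
            repeat = False
        if len(toks) != 16:
            raise ValueError("row %o has %d fields, not 16" % (off, len(toks)))
        row = bytes(_ESCAPES[t] if t in _ESCAPES
                    else int(t, 8) if len(t) == 3 and t.isdigit()
                    else ord(t) for t in toks)
        rows[off], last_off, last_row = row, off, row
    return rows


def byte_diff(rows_a, rows_b):
    """Every (offset, byte_in_a, byte_in_b) where the dumps disagree; a row
    present in only one dump is compared against zeros."""
    out = []
    for off in sorted(set(rows_a) | set(rows_b)):
        ra, rb = rows_a.get(off, bytes(16)), rows_b.get(off, bytes(16))
        out += [(off + i, a, b) for i, (a, b) in enumerate(zip(ra, rb)) if a != b]
    return out


def residues(diffs, period):
    """Distinct offset % period over the differing bytes: a couple of residues
    for a power-of-two period points at an address-aligned fault (memory,
    cache, bus) rather than at someone editing the file."""
    return sorted({off % period for off, _, _ in diffs})


def grub_blocklist(rows):
    """Decode the list GRUB legacy's install/setup writes into stage2's first
    sector: little-endian 8-byte entries (u32 start sector, u16 sector count,
    u16 load segment), the first at 0x1F8, each next one 8 bytes lower, closed
    by an all-zero entry.  Parsed rows are laid into a zero-filled sector."""
    sec = bytearray(512)
    for off, row in rows.items():
        if off < 512:
            sec[off:off + 16] = row
    entries, pos = [], 0x1F8
    while pos >= 0:
        start = int.from_bytes(sec[pos:pos + 4], "little")
        count = int.from_bytes(sec[pos + 4:pos + 6], "little")
        seg = int.from_bytes(sec[pos + 6:pos + 8], "little")
        if start == 0 and count == 0:
            break
        entries.append((start, count, seg))
        pos -= 8
    return entries


if __name__ == "__main__":
    d = byte_diff(od_c_rows(LIBC_SUSPECT), od_c_rows(LIBC_GOOD))
    print("libc differs at", ["0o%o" % o for o, _, _ in d],
          "mod 16:", residues(d, 16), "mod 2048:", residues(d, 2048))
    for name, text in (("stage2.1", STAGE2_1), ("stage2.2", STAGE2_2)):
        bl = grub_blocklist(od_c_rows(text))
        print(name, sum(c for _, c, _ in bl), "sectors in", len(bl), "extents:",
              ["%#x+%#x@%#x" % e for e in bl])
```

Run as a script it reports the four libc offsets (0o223532, 0o223536, 0o227532, 0o227536, residues 10 and 14 modulo 16 and the same two residues modulo 2048) and, for stage2, nine extents starting at sector 0x41458 versus two starting at 0xce048, each list accounting for 255 sectors with the same load-segment chain from 0x0800 upwards. A list that changes only in where the sectors live, with the sector total and the rest of the file intact, is what a re-run of grub-install on a relocated file produces; the libc pattern is what one expects from an address-aligned hardware fault. Neither rules out an intruder on its own, but both point the investigation at the machine rather than at the network.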
    



    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 18:52:35 PDT