Personally, what I would be doing in this case is looking at the majority of files in /bin /sbin and maybe /usr/bin (if it isn't the same as /bin) and compare md5 checksums with a known good source. Most likely the intruder left other droppings along in there if they used a standard rootkit. If things like ps, ls, ifconfig, netstat and other similar utilities do not match up, then you can then find out which rootkit they used. If they do match the good ones, I would still worry about an LKM rootkit being in place. At that point I would be prepared to dd the entire hd off to the side, and run Autopsy and The Coroner's Toolkit (TCT) against the image and see what useful information you can garner that way.

In any case, that machine has been intruded on. Don't trust it. If you plan on looking at it for forensic evidence, then dd the partitions so that you know you haven't accidentally tampered with the filesystem or deleted inodes that may give you a better clue of what happened and in what order.

Well hope that helps give you some ideas of where to go now.

Scott

On Tue, 16 Jul 2002, Mark Ruth wrote:

> I would rather call this a backdoor, except the fact you can find
> some other modified progs. like ps, ls, ... or at least a kernel module.
> There's a lil diff between a rootkit and a trojaned sshd.
>
> regards
>
> > Hello.
> >
> > Recently one of my OpenBSD 3.0 boxes got compromised. The
> > attacker used an OpenSSH exploit and installed a trojaned sshd
> > binary. There were obvious signs of compromise:
> >
> > <root@svrtr:/root:251># ls -al /usr/sbin/sshd
> > -rwxr-xr-x 1 root wheel 966656 Oct 18 2001 /usr/sbin/sshd*
> > <root@svrtr:/root:252># md5 /usr/sbin/sshd
> > MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d
> > <root@svrtr:/root:253># ldd /usr/sbin/sshd
> > ldd: /usr/sbin/sshd: not a dynamic executable
> > <root@svrtr:/root:254># strings /usr/sbin/sshd | grep OpenSSH_3
> > OpenSSH_3.4
> >
> > 1) Installed version is 3.4, but OpenBSD 3.0 ships with 3.0.
> > File modification date is earlier than the 3.4 release date.
> >
> > 2) Binary is statically linked, therefore much larger than the
> > original sshd.
> >
> > 3) It was installed with other perms (0755) than the original one (0555).
> >
> > I've compared a good OpenSSH 3.4 binary with the compromised one
> > and found the following:
> >
> > --- s1 Sun Jul 14 08:48:17 2002
> > +++ s2 Sun Jul 14 08:48:26 2002
> > @@ -6,9 +6,10 @@ > > -@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $ > > +grOet2CS62G4k > > +@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $ > > [...] > > -nobody > > +daemon > > [...] > > +/etc/sshd_config > > [...] > > -Connection refused by tcp wrapper > > -libwrap refuse returns > > [...] > > -/usr/src/usr.bin/ssh/sshd/../sshd.c > > +/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c > > [...]
> >
> > Full diff output can be found at:
> > http://www.frasunek.com/sshd_diff.gz
> > And compromised sshd binary:
> > http://www.frasunek.com/sshd_rooted.gz
> >
> > --
> > * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> > * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service. For more
> > information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
>
> --
> GMX - The communication platform on the Internet.
> http://www.gmx.net
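Review bot: this hunk is a diff of `strings` output from the two binaries, not of source, so its `-`/`+` lines record what the replacement build dropped and added rather than code changes, and the most telling pair is the removed `-Connection refused by tcp wrapper` / `-libwrap refuse returns`: the trojaned sshd was built without libwrap, so any hosts.allow/hosts.deny rules on the box were silently not enforced by it. The other lines worth recording as indicators for checking the rest of the fleet are the build path `+/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c`, the `-nobody` / `+daemon` change of the unprivileged user, and the 13-character `+grOet2CS62G4k`, which has the shape of a traditional crypt(3) hash and would be consistent with a hard-coded password in the binary; the added `+/etc/sshd_config` string also suggests the replacement reads a config path the stock build does not embed, so that file deserves a look on the image.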
This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 10:38:19 PDT
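The checksum comparison Scott describes, as an added example that is not part of the original thread or anyone's posted code: a POSIX sh script that builds a manifest of md5 checksums from a known-good tree and verifies a suspect tree against it, reporting files whose checksum differs, files that are missing, and files present on disk but absent from the manifest (the "droppings"). The manifest layout (`md5  relative-path`), the function names and the two sample trees built under mktemp are assumptions made for the demo, not anything from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread): verify a directory such as
# /bin or /sbin against a manifest of md5 checksums taken from a known-good
# source. The "good"/"suspect" trees built by demo() are constructed.

# md5 of one file; md5sum on GNU systems, md5 -q on BSD
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# make_manifest DIR : one "md5  relative-path" line per regular file.
# On a real case this is generated from install media or a clean box of
# the same release, never on the suspect host.
make_manifest() {
    find "$1" -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(md5_of "$f")" "${f#$1/}"
    done
}

# verify_manifest MANIFEST DIR : print one MISMATCH/MISSING/EXTRA line per
# finding; return 1 if there was any finding, 0 if the tree matches.
verify_manifest() {
    manifest=$1; dir=$2; rc=0
    while read -r sum rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$dir/$rel" ]; then
            echo "MISSING  $rel"; rc=1
        elif [ "$(md5_of "$dir/$rel")" != "$sum" ]; then
            echo "MISMATCH $rel"; rc=1
        fi
    done < "$manifest"
    # files on disk that the known-good manifest never listed
    extras=$(find "$dir" -type f | sort | while read -r f; do
        rel=${f#$dir/}
        awk -v p="$rel" '$2 == p { found = 1 } END { exit !found }' "$manifest" \
            || echo "EXTRA    $rel"
    done)
    if [ -n "$extras" ]; then
        echo "$extras"; rc=1
    fi
    return $rc
}

# demo: constructed scenario. "good" stands in for the trusted source,
# "suspect" for the compromised host: ps has been replaced, netstat has
# been removed, and an unexpected hidden file has been dropped.
demo() {
    good=$(mktemp -d); suspect=$(mktemp -d)
    for b in ps ls ifconfig netstat; do
        printf 'original %s\n' "$b" > "$good/$b"
        cp "$good/$b" "$suspect/$b"
    done
    printf 'trojaned ps\n' > "$suspect/ps"
    rm "$suspect/netstat"
    printf 'dropping\n' > "$suspect/.sniffer"
    make_manifest "$good" > "$good.manifest"
    verify_manifest "$good.manifest" "$suspect" \
        || echo "tree does NOT match the known-good manifest"
    rm -rf "$good" "$suspect" "$good.manifest"
}

demo
```

Two caveats that follow from the thread: the tools doing the comparison (find, md5sum, the shell itself) must come from trusted media as well, since a rootkit that replaced ls and ps may have replaced md5 too, and, as Scott notes, a clean pass over userland says nothing about an LKM rootkit, which is why the next step is imaging the disk with dd and working on the image.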