Ok I went in to clean this up today and managed to save some files. The extent of one rootkit is pretty clear but there are still some leftover files that I don't know about. I rebuilt the whole server, not trusting the old system at all.

Interestingly, even though I didn't touch the original (corrupted) partition, when I mounted it from the new system to extract a couple of the rootkit dirs, some files had disappeared. The entire directory /dev/\ \ \  was gone. I'm not sure if this is because I remounted it with nodev, nosuid and noexec (seems unlikely) or if this is explained by some mysterious hanging it used to engage in when shut down the "usual" way (i.e., it was cleaning up after itself every time it shut down).

That particular rootkit seems to have been saved (in original form) in /tmp as cashu.tgz, as near as I can tell, so I've re-compressed & attached that. It set up compromised versions of ps, ls, netstat, lpd, ifconfig, find, top, lsof, slocate, dir, md5sum, pstree, sshd, ftpd and ipop3d, doing some clever stuff with checksums and what not (which makes me wonder if the gross ease of finding these files means there's another hidden part somewhere that I never did find). It created a fake library called /lib/lidps1.so and installed a subverted libproc.so as well. It also created a user tty1, whose home directory contains another rootkit that points to a directory /dev/.id. The executables mentioned there seem to reappear in another directory /dev/.so

All that is pretty clear. However, there are still a few other suspicious files around, and if they're connected I haven't found the connection yet. /etc/passwd had some more mysterious users added from somewhere - cgi, r00t, cisco and liloboot (the root userid was weirdly corrupted as well) - I've attached the suspicious parts of this file. In /usr/sbin there are a couple binaries which had been set immutable: pidof and xntp3. Hooks for the latter had been added twice to the end of rc.sysinit, sandwiching the sshd hook.

This server was sitting behind a firewall, and supposedly all ports were blocked except for http, which is routed to it via NAT. Thus, unless our local ISP is lying (which is quite possible) I'm guessing it came by an Apache exploit. Can anyone ID it? I've searched for the most obvious text strings already and not turned up anything which rang a bell.

Files:
http://www.creek-and-cowley.com/cashu.tar.bz2
http://www.creek-and-cowley.com/suspicious_files.tar.bz2

--
Steve Bougerolle
Creek & Cowley Consulting
http://www.creek-and-cowley.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
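The triage checks the post walks through (unexpected or extra UID-0 accounts in /etc/passwd, hidden or whitespace-named directories under /dev, binaries with the immutable attribute set), as an added helper script that is not part of the original post; the account watch-list is taken from the names in the post, and the passwd entries and directory names used when exercising it are constructed.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Each function takes the
# path it inspects as an argument so it can be pointed at a mounted image
# of the compromised partition rather than the live system.

# Accounts with UID 0 other than root, plus any account whose name is on the
# watch-list of names the post mentions (cgi, r00t, cisco, liloboot, tty1).
suspicious_accounts() {
    passwd_file="$1"
    awk -F: '
        $3 == 0 && $1 != "root"                   { print $1 " (uid 0)" }
        $1 ~ /^(cgi|r00t|cisco|liloboot|tty1)$/   { print $1 " (watch-list)" }
    ' "$passwd_file"
}

# Directories under a /dev tree whose name starts with "." (e.g. /dev/.id,
# /dev/.so) or contains whitespace (e.g. the "/dev/   " directory in the post).
# A real /dev normally holds device nodes, not such directories.
odd_dev_dirs() {
    dev_root="$1"
    find "$dev_root" -mindepth 1 -type d \( -name '.*' -o -name '* *' \) 2>/dev/null
}

# Files with the ext2/ext3 immutable attribute set, which ordinary package
# updates never set; requires lsattr from e2fsprogs. Attribute strings look
# like "----i---------e-------", directory header lines end in ":" and are
# skipped by the first pattern.
immutable_files() {
    lsattr -R "$1" 2>/dev/null | awk '$1 ~ /^[-a-zA-Z]+$/ && $1 ~ /i/ { print $2 }'
}

# Run all three against a mounted image root (default "/" for the live host).
scan_host() {
    root="${1:-}"
    echo "== suspicious accounts";  suspicious_accounts "$root/etc/passwd"
    echo "== odd /dev directories"; odd_dev_dirs "$root/dev"
    echo "== immutable files";      immutable_files "$root/usr/sbin"
    immutable_files "$root/lib"
}
```

Call `scan_host /mnt/old` after mounting the old partition read-only (nodev, nosuid, noexec) to review a suspect image without executing anything from it.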
This archive was generated by hypermail 2b30 : Fri Jul 26 2002 - 10:35:22 PDT