Congratulations Gordon, it looks like you've found a new (unpublished) rootkit. A rootkit is what a hacker uses to hide, and it often includes backdoors for later access. As this is a binary-layer (as opposed to library or kernel) rootkit, and the rootkit is 'unknown', the skill of your attacker is beginner to intermediate. How your attacker gained access cannot be determined from the rootkit deployed, except under circumstances when it is an identifiable rootkit used exclusively with a worm or auto-rooter.

The best thing you can do when you've been hacked is to power off the server without touching the keyboard or logging in. The reason for this is to preserve evidence where possible. It is best to then use 'dd' (see 'man dd' for more info) to copy the hard disk images and then examine them offline. If, however, you are able to log in to the server without adjusting wtmp or utmp (i.e. you overflow to get a shell), then you are in a 'better' position to recover the memory contents (which you would lose had you simply powered down the server).

The leading open-source software to deal with intrusions like this is The Coroner's Toolkit (http://www.fish.com/tct/). @stake have produced two open-source software packages to be used with TCT; they are:

1] The @stake Sleuth Kit (TASK) (http://www.atstake.com/research/tools/task)
2] The Autopsy Forensic Browser (http://www.atstake.com/research/tools/autopsy/)

The ChkRootkit project will detect 'known' rootkits (http://www.chkrootkit.org/).

> According to an rpm -V, all kinds of binaries have been changed: ps,
> top, netstat, ifconfig, ...

ps & top were modified to hide processes, netstat to hide network connections, and ifconfig to hide PROMISC mode. At least this is true for most rootkits.

Could you please send the modified binaries to the list, and if possible make disk images of the hacked server available, à la the honeypot project.
On 20 Dec 2002 14:11:31 -0700 Gordon Chamberlin <glacat_private> wrote:

> I found suspicious-looking files on a Redhat 7.1 Linux server earlier
> today. Can anyone confirm or deny that the machine has been hacked?
>
> The files:
> /usr/bin/hpd
> /usr/bin/afb
> /usr/bin/sn
>
> The following line is in /etc/rc.local:
> /usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null
>
> The contents of hpd are:
> #!/bin/sh
> /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
> /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null
>
> nmap reports the following ports open:
> Port     State  Service
> 5/tcp    open   rje
> 22/tcp   open   ssh
> 25/tcp   open   smtp
> 53/tcp   open   domain
> 80/tcp   open   http
> 111/tcp  open   sunrpc
> 443/tcp  open   https
> 808/tcp  open   unknown
> 1024/tcp open   kdm
> 3306/tcp open   mysql
> 7000/tcp open   afs3-fileserver
> 8009/tcp open   ajp13
>
> According to an rpm -V, all kinds of binaries have been changed: ps,
> top, netstat, ifconfig, ...
>
> I copied a good version of ps in and found the two afb processes
> running.
>
> Anyone know about this hack, what afb does and/or how they usually get
> in?
>
> Embarrassedly,
> -Gordon
>
> --
> Gordon Chamberlin   Software Architect
> Visualize, Inc.     http://www.visualize.com
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
> ----------------------------------------------------------------------------
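The reply above points out that ps, top and netstat were replaced to hide processes and connections, and that this is a binary-layer rootkit: the kernel's own bookkeeping in /proc is untouched. The Python script below is an added example, not code from the original thread or from the tools it names. It cross-checks the listening sockets and PIDs the kernel reports in /proc/net/tcp and the /proc directory against what the (possibly trojaned) netstat and ps print, and lists whatever the tools leave out. The /proc/net/tcp, netstat and ps samples embedded in it are constructed to mirror the post (sshd on 22, mysql on 3306, afb listening on 5 and 7000, with netstat and ps doctored to hide afb); the function and sample names are the example's own.

```python
"""Cross-check the kernel's view (/proc) against possibly trojaned userland tools.

A binary-layer rootkit replaces ps/top/netstat but leaves /proc alone, so any
listening socket or PID present in /proc and absent from the tool output is
being hidden.  All sample data below is constructed for this example.
"""
import os
import re
import subprocess

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_proc_addr(hex_addr):
    """'0100007F:1B58' -> ('127.0.0.1', 7000): IPv4 is little-endian hex, port is hex."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def kernel_listen_ports(proc_net_tcp):
    """Ports in LISTEN state according to the text of /proc/net/tcp."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == TCP_LISTEN:
            ports.add(decode_proc_addr(fields[1])[1])
    return ports


# one 'netstat -tln' row: proto, recv-q, send-q, local addr:port, foreign, state
NETSTAT_LISTEN = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", re.M)


def tool_listen_ports(netstat_output):
    """Ports the (possibly trojaned) netstat admits are listening."""
    return {int(p) for p in NETSTAT_LISTEN.findall(netstat_output)}


def kernel_pids(proc_entries):
    """PIDs from a directory listing of /proc (numeric entries only)."""
    return {int(e) for e in proc_entries if e.isdigit()}


def tool_pids(ps_output):
    """PIDs the (possibly trojaned) ps prints; assumes PID is the first column."""
    pids = set()
    for line in ps_output.splitlines()[1:]:  # skip the PID/TTY header row
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def hidden(kernel_view, tool_view):
    """Entries the kernel knows about that the tool does not report."""
    return sorted(kernel_view - tool_view)


# --- constructed samples: sshd on 22, mysql on 3306, afb on 5 and 7000 (0x1B58),
#     netstat and ps doctored to omit afb -------------------------------------
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 c0000000 300 0 0 2 -1
   1: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 1002 1 c0000000 300 0 0 2 -1
   2: 00000000:0005 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 c0000000 300 0 0 2 -1
   3: 00000000:1B58 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 c0000000 300 0 0 2 -1
   4: 0100007F:8000 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 c0000000 300 0 0 2 -1
"""

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
"""

SAMPLE_PROC_ENTRIES = ["1", "2", "1134", "1135", "1136", "net", "self", "sys"]

SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
    2 ?        SW     0:00 [keventd]
 1134 ?        S      0:00 /usr/sbin/sshd
"""


def live_check():
    """Same comparison on a running Linux host; netstat and ps are the suspect binaries."""
    with open("/proc/net/tcp") as f:
        k_ports = kernel_listen_ports(f.read())
    k_pids = kernel_pids(os.listdir("/proc"))
    ns = subprocess.run(["netstat", "-tln"], capture_output=True, text=True).stdout
    ps = subprocess.run(["ps", "-e"], capture_output=True, text=True).stdout
    return hidden(k_ports, tool_listen_ports(ns)), hidden(k_pids, tool_pids(ps))


if __name__ == "__main__":
    print("sample: hidden listeners",
          hidden(kernel_listen_ports(SAMPLE_PROC_NET_TCP), tool_listen_ports(SAMPLE_NETSTAT)))
    print("sample: hidden PIDs",
          hidden(kernel_pids(SAMPLE_PROC_ENTRIES), tool_pids(SAMPLE_PS)))
    try:
        ports, pids = live_check()
        print("this host: hidden listeners", ports, "hidden PIDs", pids)
    except OSError:
        print("this host: /proc, netstat or ps not available")
```

On the sample data the script reports ports 5 and 7000 and PIDs 1135 and 1136 as hidden, which is exactly what the trojaned netstat and ps were concealing. Three caveats apply when running it on a live host. First, it only detects hiding done in userland: a kernel-module rootkit filters /proc as well, so an empty result rules out a binary-layer rootkit, not a kernel one. Second, the interpreter and libc on a compromised box may themselves be trojaned, so run it from a trusted, statically linked toolkit (or only after imaging the disk with dd as the reply advises, and against a copy). Third, /proc and ps are sampled at slightly different moments, so a process that exits in between shows up as a single spurious hidden PID; rerun before acting on one PID.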
This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 01:27:41 PST