Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794

From: Eric Nelson (enat_private)
Date: Wed Aug 20 2003 - 16:15:35 PDT


    Have you tried rebooting the machine with a known "good" init? I believe
    the suckit script copies the original instead of clobbering it. 
    
    If they installed lkm there will be an invisible directory that you
    probably won't be able to see with any of the usual utils. SK default
    for this is /usr/share/locale/sk/.sk12
    
    cd to it and see what ya see.
    
    Eric
    
    
    On Mon, Aug 18, 2003 at 04:27:56PM -0000, Frank wrote:
    > In-Reply-To: <3F3E9312.7060500at_private>
    > 
    > Looks like a confirm
    > We've lost two linux Realservers last week (7 and 9th
    > of august), same rootkit.
    > All other services were firewalled, the Real services
    > running as a normal user was used to gain root access
    > somehow. OS Debian Linux, up to date, 2.4.20grsec kernel.
    > On both helix servers the error logs mention
    > restarts... and the access logs are empty... 
    > We usually don't have empty access logs...
    > 
    > ppl running Helix, watch out for unexpected restarts!
    > Real has been contacted.
    > 
    > Frank
    > 
    > >Mark Tinberg wrote:
    > >> On Fri, 15 Aug 2003, Juri Haberland wrote:
    > >> 
    > >>> /sbin/init had nearly the same timestamp (Aug 12 23:17:29 2003) as the
    > >>> following log entry from the Realserver's rmerror.log file:
    > >>>
    > >>> ***12-Aug-03 23:18:12.471 rmserver(11402): Server automatically restarted
    > >>> due to fatal error condition
    > >> 
    > >> From this it would seem most likely to be an exploit of the rmserver
    > >> process.  Check to see if there is an unpatched SecurityFocus BID for
    > >> RealServer otherwise you were probably compromised with an
    > >> as-yet-publicly-unknown exploit.  I'd try working with Real.com and see if
    > >> they'll provide any help (well, here's to hoping 8^)
    > >
    > >I checked SecurityFocus before sending my initial mail. Let's see what
    > >Real.com has to say.
    > >
    > >> If you can find a live copy of the exploit used on the system, for example
    > >> if your system was used to attack others, that'd be very helpful.
    > >
    > >Unfortunately there was nothing else other than the rootkit.
    > >
    > >Cheers,
    > >Juri
    > >
    > >---------------------------------------------------------------------------
    > >Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
    > > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > > - Automatically Control P2P, IM and Spam Traffic
    > > - Ensure Reliable Performance of Mission Critical Applications
    > > - Precisely Define and Implement Network Security and Performance Policies
    > >**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    > >Visit us at:
    > >http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    > >----------------------------------------------------------------------------
    > >
    > 
    
    -- 
    Eric Nelson	<enat_private>	http://www.megahosted.com/~en/
    GPG-key: C4AB5707 Fingerprint: 9E50 D5C2 2B02 A944 1A28  5CA5 366A 0294 C4AB 5707
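An added example (not from the thread or from any poster) that turns the two clues in this exchange into a repeatable check: Juri's /sbin/init timestamp sitting within a minute of the rmserver "Server automatically restarted" entry, and Eric's SucKIT default directory. The rmerror.log path, the five-minute window and the sample log lines are assumptions constructed for the example.

```python
import os
import re
from datetime import datetime, timedelta

# rmerror.log entry format as quoted in the thread:
# ***12-Aug-03 23:18:12.471 rmserver(11402): Server automatically restarted ...
RESTART_RE = re.compile(
    r"^\*\*\*(\d{2}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"rmserver\(\d+\): Server automatically restarted"
)

# Default hidden directory named in the thread.
SUCKIT_DEFAULT_DIR = "/usr/share/locale/sk/.sk12"

# Constructed sample data (not a real log): one restart carrying the timestamp
# Juri Haberland reported, and the /sbin/init mtime he observed.
SAMPLE_LOG = """\
***10-Aug-03 03:00:01.120 rmserver(9981): Server started
***12-Aug-03 23:18:12.471 rmserver(11402): Server automatically restarted due to fatal error condition
***13-Aug-03 00:00:00.000 rmserver(11402): Log rotated
"""
SAMPLE_INIT_MTIME = datetime(2003, 8, 12, 23, 17, 29)

def parse_restarts(log_text):
    """Return the timestamps of 'automatically restarted' entries."""
    found = []
    for line in log_text.splitlines():
        m = RESTART_RE.match(line)
        if m:  # two-digit year in the log, e.g. '03' -> 2003
            found.append(datetime.strptime(m.group(1), "%d-%b-%y %H:%M:%S"))
    return found

def suspicious_restarts(init_mtime, log_text, window=timedelta(minutes=5)):
    """Restarts that fall within `window` of the init binary's mtime."""
    return [t for t in parse_restarts(log_text) if abs(t - init_mtime) <= window]

def check_host(init_path="/sbin/init", log_path="/var/log/rmerror.log"):
    """Live check (assumed paths): hidden directory plus init/restart correlation."""
    findings = []
    # A direct path lookup, like the 'cd' Eric suggests, rather than a listing.
    if os.path.isdir(SUCKIT_DEFAULT_DIR):
        findings.append("hidden directory present: " + SUCKIT_DEFAULT_DIR)
    if os.path.exists(init_path) and os.path.exists(log_path):
        mtime = datetime.fromtimestamp(os.stat(init_path).st_mtime)
        with open(log_path) as f:
            for t in suspicious_restarts(mtime, f.read()):
                findings.append("init mtime %s vs rmserver restart %s" % (mtime, t))
    return findings
```

On the sample data the restart lands 43 seconds after the init modification, which is the correlation the thread describes; run check_host() against the real paths for a live host.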
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 20 2003 - 16:46:43 PDT