rootkits: was: Re: [TriLUG] Server DEAD!
auto668 at hush.com
Thu Aug 28 16:42:05 EDT 2003
Durn! That's what I figured...
All of the data is on /www partition.. so I can just keep that and reload..
Geez! I KNOW what my mistake was.. or at least I feel like I do.. and
the more I think about it the dumber I feel.. this machine was compromised
a few weeks back (it had been up for almost 2+ years with VERY little
maintenance/updates, not in my hands). I just reloaded and used the
same root password without thinking! What an idiot!
Maybe, that's not it.. I wasn't allowing root to connect via ssh.. who
knows..
thanks to all...
l-
On Thu, 28 Aug 2003 13:35:07 -0700 Jeremy Portzer <jeremyp at pobox.com> wrote:
>On Thu, 2003-08-28 at 16:11, auto668 at hush.com wrote:
>> Ok.. more updates...
>>
>> Did the following:
>> rpm --root /mnt/sysimage-q --queryformat
>> '%{NAME}-%{VERSION}-%{RELEASE}-%{ARCH}\n' glibc kernel
>> (that should all be on one line)
>>
>> Here's the output:
>> glibc-2.3.2-11.9-i686
>> glibc-2.3.2-11.27-i686
>> kernel-2.4.20-9-i686
>> kernel-2.4.20-20.9-i686
>> kernel-smp-2.4.20-9-i686
>> kernel-smp-2.4.20-19.9-i686
>> kernel-smp-2.4.20-20.9-i686
>>
>> This is an smp box.. is it 'normal' to have two glibc's listed?
>
>No, definitely not normal to have two glibc's. I'm not sure what would
>have caused that, unless you've been installing things with ugly options
>like --force. The current glibc package for RHL 9 is glibc-2.3.2-11.27.
>
>> And I ran the rpm -V on the coreutils and received the following
>>
>> S.5....T /bin/basename
>
>That's not good. It means the "size", "md5sum," and "timestamp" are all
>wrong (see man rpm for the full description of the verify output).
>
>> " /bin/cat
>> " /bin/chgrp
>>
>> For net-tools I get the following..
>> S.5....T /bin/hostname
>> S.5....T /bin/netstat
>> S.5....T /bin/ifconfig
>
>And that's a lot worse. The modified netstat is probably to hide
>connections to/from an attacking server. The modified ifconfig may be
>to hide an interface that's in promiscuous mode.
>
>> Before I go any further.. what do you think? rootkitted?
>>
>
>My best guess is that you have been rootkitted. I would try to see if
>chkrootkit will run, but depending on how difficult it is to format and
>restore from backups, that's probably the best solution :-(
>
>Sometimes you can run "strings" on the compromised binaries and find
>evidence of various things, like hostnames that are to be excluded from
>netstat, etc. A google search on some of this output may tell you a lot
>more about the particular rootkit. There seem to be an amazing number
>of variations on any given rootkit, however.
>
>Of course, it would be nice to figure out how they got in. A common
>problem is to install updated packages via up2date, or other updating
>programs, but forgetting to restart the given service. Sometimes
>libraries like openssl will be used by other programs like Apache -- an
>openssl update requires a restart of Apache, and all other programs
>using it, before it's totally effective.
>
>Folks -- take this as a reminder that Windows isn't the only OS that can
>have security problems -- security affects all types of computing.
>
>--Jeremy
>
>--
>/----------------------------------------------------------------------\
>| Jeremy Portzer   jeremyp at pobox.com   trilug.org/~jeremy            |
>| GPG Fingerprint: 712D 77C7 AB2D 2130 989F E135 6F9F F7BC CC1A 7B92   |
>\----------------------------------------------------------------------/
>
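The `rpm -V` status strings discussed in the thread ("S.5....T" meaning size, md5sum and mtime all differ) are easy to misread by eye across a full `rpm -Va` run. The following is an added triage helper, not part of the original thread or of rpm itself: it parses verify output into the per-position meanings from rpm(8) and lists the non-config files whose content changed, which is what a defender compares against a clean copy of the package. The sample output is constructed to mirror the lines quoted above.

```python
import re
from dataclasses import dataclass, field

# Meaning of each position in the rpm -V status string (see rpm(8)).
# RHL 9-era rpm prints 8 positions; newer rpm appends a 9th, "P".
FLAG_MEANING = {
    "S": "size differs", "M": "mode differs", "5": "digest differs",
    "D": "device number differs", "L": "symlink target differs",
    "U": "owner differs", "G": "group differs", "T": "mtime differs",
    "P": "capabilities differ",
}

# Constructed sample, modelled on the lines quoted in the thread plus a
# config file, a doc file and a missing file for contrast.
SAMPLE_OUTPUT = """\
S.5....T /bin/basename
S.5....T /bin/cat
S.5....T /bin/chgrp
S.5....T /bin/hostname
S.5....T /bin/netstat
S.5....T /bin/ifconfig
.......T /usr/share/doc/net-tools-1.60/README
S.5....T c /etc/sysconfig/network
missing  /sbin/ifup
"""

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S*)$"
)

@dataclass
class VerifyResult:
    path: str
    flags: str                      # raw status string, or "missing"
    config: bool                    # 'c' marker: edits are often legitimate
    problems: list = field(default_factory=list)

def parse_verify_output(text):
    """Turn rpm -V output into VerifyResult records; unparsable lines are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        problems = (["file missing"] if flags == "missing"
                    else [FLAG_MEANING[c] for c in flags if c in FLAG_MEANING])
        results.append(VerifyResult(m.group("path"), flags,
                                    m.group("ftype") == "c", problems))
    return results

def suspicious_binaries(results):
    """Non-config files whose content changed (size or digest). On a box only
    ever updated through rpm these warrant comparison with a clean package;
    an mtime-only change or an edited config file does not."""
    return [r.path for r in results
            if not r.config and r.flags != "missing"
            and ("5" in r.flags or "S" in r.flags)]
```

Because a rootkit may also replace rpm itself, run the verification from a known-good rpm binary (for example with `--root` against the mounted disk from rescue media, as done above) rather than trusting the installed one.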