
#1 2003-04-26 18:25:58

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

need help

I'm having trouble booting and logging in;
the only way I can boot is using init=/bin/sh uid=0.
When I do an ls -l /bin I get the following things that are weird:
-rwxr-xr-x   1 500      500         48872 Apr 22 12:32 login
-rwxr-xr-x   1 500      500         39696 Sep  3  2002 ls
-rwxr-xr-x   1 500      500         54152 Sep  3  2002 netstat
-rwxr-xr-x   1 500      500         62920 Mar 21 13:05 ps
-rwxr-xr-x   1 500      500         48872 Apr 22 05:02 xlogin
I attempted to do some fixes, but I can't chmod or chown these files, nor remove them or anything.

Now suddenly ps does the following:
ps: Symbol `Hertz' has different size in shared object, consider re-linking
ps: relocation error: ps: undefined symbol: proc_hackinit

Have I been hacked?? And how can I fix these files??


#2 2003-04-26 18:33:53

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: need help

chkrootkit says:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... /etc/ld.so.hash
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i686-linux/.packlist /usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gimp/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ...  /usr/include/file.h /usr/include/proc.h
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'...
nothing deleted

WTF?? How can I solve this? I'm disabling my eth0 until I need it for now. Thanks in advance.
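A small triage helper for the two outputs in this thread (the ls -l /bin listing in the first post and the chkrootkit report above), written here as an added example; it is not anything posted in the thread, and its sample lines are constructed in the same format. It flags /bin entries not owned by root:root, groups entries that share an exact byte size (login and xlogin above are both 48872 bytes), and pulls out the chkrootkit lines marked INFECTED, Warning or Possible so they are not lost among the "not infected" noise.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the `ls -l /bin` lines from the first post
# (the cat line is made up to show a normal root-owned entry).
LS_SAMPLE = """\
-rwxr-xr-x   1 500      500         48872 Apr 22 12:32 login
-rwxr-xr-x   1 500      500         39696 Sep  3  2002 ls
-rwxr-xr-x   1 root     root        16204 Sep  3  2002 cat
-rwxr-xr-x   1 500      500         48872 Apr 22 05:02 xlogin
"""

# Constructed sample in the format of chkrootkit's report above.
CHK_SAMPLE = """\
Checking `ifconfig'... INFECTED
Checking `ls'... not infected
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Checking `lkm'... Warning: Possible LKM Trojan installed
Checking `sniffer'...
eth0 is not promisc
"""

# mode  links  owner  group  size  month  day  time-or-year  name
LS_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\d+\s+\S+\s+(.+)$")

def parse_ls(text):
    """Return (name, owner, group, size) for every long-listing line that parses."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            _mode, owner, group, size, name = m.groups()
            entries.append((name, owner, group, int(size)))
    return entries

def suspicious_binaries(entries):
    """System binaries belong to root:root; a bare numeric uid such as 500 means an
    ordinary (or since-deleted) account wrote them. Entries with an identical byte
    size are grouped as well, since a copy of a binary dropped under another name
    shows up that way (login and xlogin above are both 48872 bytes)."""
    not_root = sorted(n for n, o, g, _ in entries if (o, g) != ("root", "root"))
    by_size = defaultdict(list)
    for name, _, _, size in entries:
        by_size[size].append(name)
    same_size = sorted(tuple(sorted(v)) for v in by_size.values() if len(v) > 1)
    return not_root, same_size

def chkrootkit_findings(text):
    """Keep only the report lines chkrootkit marks INFECTED, Warning or Possible."""
    return [l for l in text.splitlines() if re.search(r"INFECTED|Warning|Possible", l)]
```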

#3 2003-04-26 19:21:48

jon
Member
Registered: 2002-11-28
Posts: 87

Re: need help

If this is a (brand) new install of Arch and you don't have any files on the thing, I suggest a reinstall, because I know from experience that an incomplete install or an install with complications (i.e. error messages) will result in an unusable system. You could also try the less drastic step of fscking the / partition.

BTW: you need to re-format the partition as well (if you are re-installing).

Jon,
PS: that to say that a re-install is your only option, but it worked for me cuz it was fast & easy.

GOOD LUCK!!!!!!!!!


#4 2003-04-26 20:49:59

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: need help

Thanx for your reply.

Tried fsck-ing, didn't work.
Why can't I remove these files? Not even as root, and not even if I boot from a CD?

I don't like to reinstall. Isn't there a way to let pacman download and install all the packages I've got installed into a different partition and then change the root to that partition??

And how can I find out what method was used to install these rootkits? Seems as if it was done using a trojan, but where did that come from?

#5 2003-04-26 22:20:33

jon
Member
Registered: 2002-11-28
Posts: 87

Re: need help

This is a wack idea but..... when you usually use "init=/bin/sh uid=0", try changing the 0 to 500, i.e. using init=/bin/sh uid=500, because if memory serves 0=root and your files don't seem to be owned by root, so just try 500.

Or if that doesn't work, try creating a user with a user ID of 500, su into it and chown all the files to root.

#6 2003-04-26 22:30:27

apeiro
Daddy
From: Victoria, BC, Canada
Registered: 2002-08-12
Posts: 771

Re: need help

Yea, it looks like you've been compromised... His rootkit compromised those executables to hide the existence of a process that's running on your box, probably with an open port as well (hence the hacked netstat binary).

I would recommend a complete rebuild of the box; you just can't trust any binaries on a system that's been rooted. Your best bet would be to boot up with the Arch disks, mount your rooted partitions and copy anything off the system that you want to save (data only, NOT binaries). Then wipe the system and reinstall.

#7 2003-04-27 07:33:34

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: need help

No sign of useradd or adduser on the system anymore :(

Ok thanks, will reinstall. Never expected this to happen.

Thanx for your help.

#8 2003-04-27 10:58:36

andy
Member
From: Germany
Registered: 2002-10-11
Posts: 374

Re: need help

Also, if you were hacked (and it really looks like it), you should use different passwords this time. If login is indeed trojaned, it might even have collected passwords.

Cheers
Andreas (been there, done that)

#9 2003-05-01 19:38:46

xirus
Member
Registered: 2002-12-01
Posts: 113

Re: need help

So how does one get hacked?
I mean, if you do a pacman -Syu every day (which should give you the latest patches) and you don't have a lot of open ports... how does it happen?

E.g. if you have this:
netstat -a|grep LISTEN
tcp        0      0 *:3306                  *:*                     LISTEN
tcp        0      0 *:32782                 *:*                     LISTEN
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
where apache and mysql only listen to localhost...
Can you still get hacked then??

#10 2003-05-01 20:53:29

netkrash
Member
From: Viña del Mar, Chile.
Registered: 2003-03-19
Posts: 95

Re: need help

=X¥®µ§= wrote:

So how does one get hacked?
I mean, if you do a pacman -Syu every day (which should give you the latest patches) and you don't have a lot of open ports... how does it happen?

E.g. if you have this:
netstat -a|grep LISTEN
tcp        0      0 *:3306                  *:*                     LISTEN
tcp        0      0 *:32782                 *:*                     LISTEN
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
where apache and mysql only listen to localhost...
Can you still get hacked then??

Weak passwords, a lot of user accounts with remote access, access to a compiler, the kernel ptrace bug... an OpenSSH bug..

And of course a lot of lamers round the world trying to get into someone's box just to destroy it and/or prove they can do it.

GNU/Linux: Share & Enjoy!

#11 2003-05-01 20:58:24

xirus
Member
Registered: 2002-12-01
Posts: 113

Re: need help

Well, I'm not running telnet or ssh or something...

#12 2003-05-08 20:11:39

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: need help

Ok, all is working again, thanx, though I still want to know how they came in. I only had apache+mysql+php, samba (but port 139 blocked on the router) and ssh running. No weak passwords, only 3 user accounts. Now I don't trust any binary-only apps anymore.

#13 2003-05-08 21:12:42

xirus
Member
Registered: 2002-12-01
Posts: 113

Re: need help

That's my point: how can they get in then??

#14 2003-05-08 22:02:25

sarah31
Member
From: Middle of Canada
Registered: 2002-08-20
Posts: 2,975

Re: need help

Well, perhaps they exploited something in apache? Or ptrace in the kernel?

Just because a port is blocked does not mean that it cannot be exploited; if it is being used, it can be found. The only non-exploitable port is a closed one.

AKA uknowme

I am not your friend

#15 2003-05-08 22:56:21

dariball
Member
From: Germany - Frankfurt
Registered: 2002-10-20
Posts: 118

Re: need help

sarah31: very, very wise .....

nothing,
maybe I have a perfect signature _someday_