need help

Nickm · 2003-04-26 18:25:58

I'm having trouble booting and logging in,
the only way i can boot is using init=/bin/sh uid=0
when i do a ls -l /bin i get the following things that are weird:
-rwxr-xr-x 1 500 500 48872 Apr 22 12:32 login
-rwxr-xr-x 1 500 500 39696 Sep 3 2002 ls
-rwxr-xr-x 1 500 500 54152 Sep 3 2002 netstat
-rwxr-xr-x 1 500 500 62920 Mar 21 13:05 ps
-rwxr-xr-x 1 500 500 48872 Apr 22 05:02 xlogin
I attempted to do some fixes, but i cant chmod or chown these file nor remove or anything

now suddenly ps does the following:
ps: Symbol `Hertz' has different size in shared object, consider re-linking
ps: relocation error: ps: undefined symbol: proc_hackinit

Have i been hacked?? and how can i fix these files ??

Nickm · 2003-04-26 18:33:53

chkrootkit says:ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... /etc/ld.so.hash
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i686-linux/.packlist /usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gimp/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... /usr/include/file.h /usr/include/proc.h
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'...
nothing deleted

wtf ?? how can i solve this, i'm disabling my eth0 until i need it for now thanks in advance

jon · 2003-04-26 19:21:48

if this is a (brand) new install of arch and you dont have any files on the thing i suggest a reinstall because i know from expericnce that a incomplete install or a install with compliations (ie error messages) will result in a unusable system. you could also try a less drastic step of fscking the / partition.

btw: you need to re-format the partition as well (if you are re-installing).

Jon,
PS: that to say that re-install is your only option but it worked for me cuz it was fast & easy.

GOOD LUCK!!!!!!!!!

Nickm · 2003-04-26 20:49:59

Thanx for your reply.

tried fsck-ing didn't work.
why can't i remove these files? not even as root, and not even if i boot from a cd?

i don't like to reinstall, isn't there a way to let pacman download and install all packages i've got installed in a diferrent parttition and then change the root to that partition??

And how can i find out what method was used to install these rootkits? seems as if it was done using a trojan but where did that come from?

jon · 2003-04-26 22:20:33

this is a wack idea but..... when you usally use "init=/bin/sh uid=0" try changing the 0 to 500 ie (using init=/bin/sh uid=500) because if memory serves 0=root and your files dont seem to be owned by root so just try 500.

Or if that dont work try createding a user with a user ID of 500 and su into it and chown all the files to root.

apeiro · 2003-04-26 22:30:27

Yea, it looks like you've been compromised... His root kit compromised those executables to hide the existance of a process that's running on your box, probably with an open port as well (hence the hacked netstat binary).

I would recommend a complete rebuild of the box, you just can't trust any binaries on a system that's been rooted. Your best bet would be to boot up with the Arch disks, mount your rooted partitions and copy anything off the system that you want to save (data only, NOT binaries). Then wipe the system and reinstall.

Nickm · 2003-04-27 07:33:34

no sign off useradd or adduser on the system anymore

Ok thanks will reinstall. Never expected this to happen.

thanx for your help

andy · 2003-04-27 10:58:36

Also, if you are hacked (and it really looks like it), you also should use different passwords this time. If login is indeed trojaned it might have even collected passwords.

Cheers
Andreas (been there, done that)

xirus · 2003-05-01 19:38:46

so how does one get hacked?
I mean if you do a pacman -Syu everyday (which should give you the latest patches) and you don't have a lot of open ports...how does it happen?

eg if you have this:
netstat -a|grep LISTEN
tcp 0 0 *:3306 *:* LISTEN
tcp 0 0 *:32782 *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
where apache and mysql only listen to localhost...
can you still get hacked then??

netkrash · 2003-05-01 20:53:29

=X¥®µ§= wrote:

so how does one get hacked?
I mean if you do a pacman -Syu everyday (which should give you the latest patches) and you don't have a lot of open ports...how does it happen?
eg if you have this:
netstat -a|grep LISTEN
tcp 0 0 *:3306 *:* LISTEN
tcp 0 0 *:32782 *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
where apache and mysql only listen to localhost...
can you still get hacked then??

weak passwords, a lot of user accounts with remote access, access to a compiler, kernel ptrace bug... openssh bug..

and of course a lot of lammers round the world trying to get into someone box just to destroy it and/or prove they can do it.

xirus · 2003-05-01 20:58:24

well I'm not running telnet or ssh or something...

Nickm · 2003-05-08 20:11:39

Ok all is working again thanx, though I still want to know how they came in. I only had apache+mysql+php, samba but port 139 blocked on the router and ssh running. No weak passwords only 3 user accounts. Now I dont trust any binary only apps anymore

xirus · 2003-05-08 21:12:42

that's my point: how can they get in then??

sarah31 · 2003-05-08 22:02:25

well perhaps they exploited something in apache? or ptrace in the kernel?

just because a port is blocked does not mean that it cannot be exploited if it is being used it can be found. the only non-exploitable port is a closed one.

dariball · 2003-05-08 22:56:21

sarah31 : very, very wise .....

Arch Linux

#1 2003-04-26 18:25:58

need help

#2 2003-04-26 18:33:53

Re: need help

#3 2003-04-26 19:21:48

Re: need help

#4 2003-04-26 20:49:59

Re: need help

#5 2003-04-26 22:20:33

Re: need help

#6 2003-04-26 22:30:27

Re: need help

#7 2003-04-27 07:33:34

Re: need help

#8 2003-04-27 10:58:36

Re: need help

#9 2003-05-01 19:38:46

Re: need help

#10 2003-05-01 20:53:29

Re: need help

#11 2003-05-01 20:58:24

Re: need help

#12 2003-05-08 20:11:39

Re: need help

#13 2003-05-08 21:12:42

Re: need help

#14 2003-05-08 22:02:25

Re: need help

#15 2003-05-08 22:56:21

Re: need help

Board footer