LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-05-2005, 11:47 AM   #1
delling81
LQ Newbie
 
Registered: Jun 2003
Location: Dunedin NZ
Distribution: RedHat
Posts: 5

Rep: Reputation: 0
Compromised machine


Seems a machine I used to admin now has become compromised.

I've been running a few tests, and I can't say I'm happy with what I've found, but being no Linux expert, I figured I'd get some help.

Ebay contacted us and said we had been hosting a fake ebay front for them. Not a fun thing, and we found the page on our machine and all.

I'm supposed to find out what went wrong and got the machine compromised, and this is what came out when I ran rootkithunter:

These files come out bad in the file check:

/bin/ls [ BAD ]
/bin/mount [ OK ]
/bin/netstat [ BAD ]
/bin/ps [ BAD ]
/bin/su [ BAD ]

The rootkit hunter comes out bad on two occasions:

Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ Warning! ]

--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).
--------------------------------------------------------------------------------

Rootkit 'Sin Rootkit'... [ Warning! ]


After the rootkit check is done, it also reports this:

* Suspicious files and malware
Scanning for known rootkit strings [ BAD ]
Scanning for known rootkit files [ OK ]



* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
---------------------------------------------
Unusual files:
/dev/ttyoa: ASCII text
/dev/ttyof: ASCII text
/dev/ttyop: ASCII text
---------------------------------------------

This ain't so good, as when I check the dev files, they come up looking anything but clean:

/dev/ttyoa file contents:
2 213.233
2 217.10
2 193.231
2 80.97
3 6667
4 6667
3 7999
4 7999
3 31337
4 31337

/dev/ttyof file contents:
psbnc
smbd
iceconf.h
icekey.h
icepid.h
uptime
startwu
r00t

/dev/ttyop file contents:
3 swapd
3 psybnc
3 sl2
3 sl3
3 smbd
3 uptime
3 x2
3 startwu
3 scan
3 r00t

And when I do strings --all on the files mentioned as bad I see /dev/ttyop show up in /bin/ps (only one checked so far)


This is no doubt not good, but the machine is fairly protected, at least from a firewall point of view, with 3 or 4 ports open, being mail, ssh, httpd.

I have not been the one doing the updates on the machine, but was sent in to do the cleanup. Any suggestions on what to do next? I obviously should reinstall, and only keep the things most desperately needed, but is this most likely the work of a script-kiddy or something that has been configured wrong and allowed a hacker to take over?
 
Old 04-05-2005, 01:24 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
First I would do as little as possible on the compromised machine, maybe get the output of lsof -i and then immediately take it offline. Immediately remove the drive and put it some place safe, then put a new drive in the system and do a reinstall.

Normally I'd suggest looking around the system and doing forensic analysis yourself, simply because most authorities won't really do much for the average hacked machine. In this case however, your system may contain info relevant to a phishing scam (fraud) and may be helpful in identifying the perpetrators. I'd contact ebay and ask them if they have any information regarding the use of your machine to commit fraud (the phishing scam). If so, you should contact your local authorities and report that you may have information regarding a phishing scam. If the fraud involves significant financial losses, they may actually want the drive so that their own forensic specialists can examine it, so monkeying around on it is not a good idea.

Last edited by Capt_Caveman; 04-05-2005 at 01:52 PM.
 
Old 04-05-2005, 01:38 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2901
Rootkit 'Dreams Rootkit'... [ Warning! ]
Only thing I read was 'Dreams' exploits a gzip buffer overflow.


Unusual files:
/dev/ttyoa: ASCII text

The ttyo.* are config files for hiding stuff: A for netstat, P for ps.


This is no doubt not good, but the machine is fairly protected, at least from a firewall point of view, with 3 or 4 ports open, being mail, ssh, httpd.
Arbitrary classification at least, as 'fairly protected' got the box compromised anyway. Take an older or unpatched version or insecure install and presto: root.


I'd make myself some disk images to work on if you care for that, for the rest I agree what CC wrote is the best approach.
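The three checks the thread walks through by hand (rkhunter flagging plain ASCII files in /dev, `strings --all` on the trojaned /bin/ps turning up /dev/ttyop, and the "number token" layout of the ttyo* hide lists that unSpawn describes) can be scripted against a disk image mounted read-only. The following is an added example for this page, not code from either poster or from rkhunter; the sample ttyoa text and the fake ELF blob are constructed here to mirror what post #1 shows, and the meaning of the leading numbers is deliberately not decoded beyond grouping them.

```python
import os
import re
import stat
import tempfile

# Constructed sample, modelled on the /dev/ttyoa listing quoted in post #1.
SAMPLE_TTYOA = "2 213.233\n2 217.10\n3 6667\n4 6667\n3 31337\n"

# Constructed stand-in for a trojaned ps binary: ELF magic, some padding, and
# an embedded /dev path of the kind `strings --all /bin/ps` surfaced in the thread.
SAMPLE_PS_BLOB = (b"\x7fELF\x02\x01\x01" + b"\x00" * 8
                  + b"/dev/ttyop\x00/proc/%d/stat\x00ps: %s\n")

# /dev paths embedded as printable strings in a binary.
DEV_REF_RE = re.compile(rb"/dev/[A-Za-z0-9_./-]+")


def find_unusual_dev_files(dev_dir="/dev"):
    """Return regular files under dev_dir, relative to it.

    /dev should hold only device nodes, symlinks, fifos, sockets and
    directories, so an ordinary file there (what rkhunter reports as
    'unusual files found') is worth inspecting. lstat is used so that
    symlinks are judged by themselves, not by their target.
    """
    unusual = []
    for root, _dirs, files in os.walk(dev_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                unusual.append(os.path.relpath(path, dev_dir))
    return sorted(unusual)


def find_dev_references(blob):
    """Return the distinct /dev/... strings embedded in a binary blob.

    This reproduces the poster's `strings --all | grep /dev` check; a system
    binary such as ps or netstat normally has no business naming a tty file.
    """
    return sorted({m.decode("ascii", "replace") for m in DEV_REF_RE.findall(blob)})


def parse_hide_config(text):
    """Group 'N token' lines of a ttyo*-style file by their leading number.

    Only the layout is parsed; what each number means is not inferred here.
    Lines that do not fit the pattern are skipped rather than guessed at.
    """
    groups = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        groups.setdefault(int(parts[0]), []).append(parts[1].strip())
    return groups


def build_demo_dev():
    """Build a throwaway directory standing in for a mounted image's /dev.

    It holds one plain file (suspect), one fifo and one symlink (both normal
    for /dev), so the scan has something to keep and something to drop.
    """
    d = tempfile.mkdtemp(prefix="fakedev-")
    with open(os.path.join(d, "ttyoa"), "w") as fh:
        fh.write(SAMPLE_TTYOA)
    if hasattr(os, "mkfifo"):
        os.mkfifo(os.path.join(d, "initctl"))
    os.symlink("ttyoa", os.path.join(d, "link-to-ttyoa"))
    return d


if __name__ == "__main__":
    demo = build_demo_dev()
    print("regular files in fake /dev:", find_unusual_dev_files(demo))
    print("/dev strings in fake ps:", find_dev_references(SAMPLE_PS_BLOB))
    print("ttyoa grouped:", parse_hide_config(SAMPLE_TTYOA))
```

Point `find_unusual_dev_files` at the `/dev` of a read-only mounted image copy rather than the live system, and feed `find_dev_references` the bytes of the image's /bin/ps, /bin/netstat and /bin/ls; a hit in any of them that names one of the flagged files is the same evidence the poster found by hand, kept off the original drive.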
 
Old 04-05-2005, 10:20 PM   #4
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114
I'd make myself a disk image to keep. Given the situation described, there is likely some serious liability for someone. I would make certain that I had a complete copy of the data that was on the system so that I could turn aside any attempt to make me the one liable.
 