LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-04-2010, 07:41 AM   #1
mrkorb
LQ Newbie
 
Registered: Nov 2009
Location: Tigard, OR, USA
Distribution: Fedora Core release 6
Posts: 5

Rep: Reputation: 0
Connections to IRC server, and it's not me


For some time now I've been noticing the network activity light for my linux box blinking like mad on my router. After a little looking around for ways to see what connections my box has established, I found the following using lsof -i

Code:
bash      13839 root    1u  IPv4 3118972       TCP shana:49148->Oslo.NO.EU.undernet.org:ircd (SYN_SENT)
bash      13839 root    2u  IPv4 3118986       TCP shana:34323->161.53.178.240:distinct (SYN_SENT)
bash      13839 root    3u  IPv4 3118543       UDP *:33437
bash      13839 root    4u  IPv4 3118982       TCP shana:58438->oslo.no.eu.undernet.org:ircd (SYN_SENT)
I know I'm not using IRC, and I have my sshd locked down fairly tight, requiring a key to log in, so obviously, it looks like there's something or somebody in Croatia (the origin of that IP address) connecting my system to undernet.org for some nefarious purpose. Looking at my processes, ID 13839 shows up as
Code:
13839 ?        S      0:00 bash
Just 'bash', not '-bash' as

Code:
13426 pts/0    S      0:00 -bash
my session appears. Previously, this odd bash process was ID 2704, which seemed to imply that it had launched fairly soon after my system booted up, which really makes me wonder. Oh, and yes, I did kill that 2704 process, and it returned as this 13839. 2704 also had those same IRC connections present in lsof.

Any ideas on where I might start with this? This kind of hacker crap really stresses me out.
 
Old 02-04-2010, 08:53 AM   #2
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
Use these commands:
Code:
lsof -Pwn
netstat -anpe
ps -axfwwwe
to check what's going on. Posting of outputs is welcome.
It looks like you're rooted.
IRC is the most used bot control protocol.
When you find that malicious app creating connections let us know. Perhaps it's that "bash". Check where it is located. Run rkhunter and other rootkit-checkers.

Last edited by Web31337; 02-04-2010 at 08:56 AM.
 
2 members found this post helpful.
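Added example (not from the thread, and not the poster's output): a small triage script that does, against a sample of `lsof -Pwn` output, what the reply above asks for by hand. It picks out PIDs with TCP connections to IRC ports, looks up the executable path lsof records in the process's "txt" entry, and flags any that live outside the directories a packaged binary would be installed in. The sample lines are constructed to resemble the posted ones (RFC 5737 documentation addresses, made-up inodes); the only details carried over are the PIDs 13839 and 13426, the `/etc/crond/bash` path and the `/bin/bash` path. It assumes the "ircd" service name in the post maps to 6667/tcp as in the stock /etc/services, so 6660-6669 and 7000 are treated as IRC ports.

```sh
#!/bin/sh
# Triage of `lsof -Pwn` output for IRC-style command-and-control connections.
# SAMPLE_LSOF is constructed test data, not output captured from a real host.
SAMPLE_LSOF='COMMAND PID   USER   FD  TYPE DEVICE  SIZE/OFF NODE    NAME
sshd    1102  root   txt REG  253,0   412320   1893    /usr/sbin/sshd
sshd    1102  root   3u  IPv4 5123    0t0      TCP     0.0.0.0:22 (LISTEN)
httpd   2210  apache txt REG  253,0   1423140  9100    /usr/sbin/httpd
httpd   2210  apache 4u  IPv4 6001    0t0      TCP     0.0.0.0:80 (LISTEN)
bash    13426 root   txt REG  253,0   735004   1310    /bin/bash
bash    13839 root   txt REG  253,0   492135   6750341 /etc/crond/bash
bash    13839 root   1u  IPv4 3118972 0t0      TCP     192.0.2.10:49148->198.51.100.7:6667 (SYN_SENT)
bash    13839 root   2u  IPv4 3118986 0t0      TCP     192.0.2.10:34323->203.0.113.240:9999 (SYN_SENT)
bash    13839 root   3u  IPv4 3118543 0t0      UDP     *:33437
bash    13839 root   4u  IPv4 3118982 0t0      TCP     192.0.2.10:58438->198.51.100.8:6667 (SYN_SENT)'

# Print the PIDs that have a TCP connection to a common IRC port (6660-6669, 7000).
# The field before the address is located by name ("TCP") because older lsof
# versions omit the SIZE/OFF column for sockets, so column positions vary.
irc_pids() {
    printf '%s\n' "$SAMPLE_LSOF" | awk '
        {
            addr = ""
            for (i = 1; i <= NF; i++) if ($i == "TCP") { addr = $(i + 1); break }
            if (index(addr, "->") == 0) next        # listeners and non-TCP lines
            split(addr, ends, "->")
            n = split(ends[2], hp, ":")             # remote side, port is last
            port = hp[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 7000) print $2
        }' | sort -u
}

# Print the executable path lsof recorded for a PID (its "txt" entry).
exe_for_pid() {
    printf '%s\n' "$SAMPLE_LSOF" | awk -v pid="$1" '$2 == pid && $4 == "txt" { print $NF; exit }'
}

# Succeed (exit 0) when a path is outside the directories packaged binaries live in.
is_odd_location() {
    case "$1" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/libexec/*|/usr/lib/*|/usr/lib64/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "PID PATH" for every IRC-connected process whose binary lives somewhere odd.
suspicious_pids() {
    for pid in $(irc_pids); do
        exe=$(exe_for_pid "$pid")
        if is_odd_location "$exe"; then
            printf '%s %s\n' "$pid" "$exe"
        fi
    done
}

suspicious_pids
```

On a live box, replace SAMPLE_LSOF with the real `lsof -Pwn` output and cross-check each flagged PID with `readlink /proc/PID/exe` (which also shows "(deleted)" if the binary was unlinked after starting) and `rpm -qf PATH` to see whether any package owns it. A kernel-level rootkit can hide processes and sockets from lsof, ps and netstat alike, which is why a clean-looking listing from the compromised host is not proof of anything.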
Old 02-04-2010, 09:39 AM   #3
carbonfiber
Member
 
Registered: Sep 2009
Location: Sparta
Posts: 237

Rep: Reputation: 46
IIWY I'd also inspect the binary to see if I can find out some details regarding (at least) the IRC connection it's making. Perhaps, if it's joining any particular channel - I'd drop by and say "Hello". Also, what distribution are you using, and where do you stand as far as up-to-date...-ness goes?
 
1 members found this post helpful.
Old 02-04-2010, 08:30 PM   #4
mrkorb
LQ Newbie
 
Registered: Nov 2009
Location: Tigard, OR, USA
Distribution: Fedora Core release 6
Posts: 5

Original Poster
Rep: Reputation: 0
The outputs clocked in at about 280k so I've attached them as text files since I was way over the 30k character limit otherwise. As for what I'm running, it's Fedora Core 6. I honestly couldn't tell you how up to date I am on everything since this system is used as a webserver and so I'm not frequently logging into it and tinkering with its stuff.

Last edited by mrkorb; 02-05-2010 at 12:58 AM. Reason: Attachments removed
 
Old 02-04-2010, 09:22 PM   #5
mrkorb
LQ Newbie
 
Registered: Nov 2009
Location: Tigard, OR, USA
Distribution: Fedora Core release 6
Posts: 5

Original Poster
Rep: Reputation: 0
Ah ha! Got it.

The lsof output showed

Code:
bash      13839 root  txt    REG      253,0   492135    6750341 /etc/crond/bash
So I headed over to /etc/crond and found this nice little eggdrop bot running. I stop crond, kill the fake bash process, chmod'd all the script files they had in there to -x, and moved all that crap out. Started crond again, and guess what didn't start running again almost immediately like it had before.

I think I'll leave the system unplugged from the network for a few more hours, making sure that the process doesn't start up again somehow, but I'm feeling pretty confident about this.
 
Old 02-04-2010, 09:50 PM   #6
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
You haven't determined how you were compromised. This link should help you get started.

http://web.archive.org/web/200801092...checklist.html

I don't think that FC 6 is supported any more. You should probably re-install after you conclude your investigation, and determine what changes need to be made.

Also, given you are running a webserver and mysql database, I'm wondering if you disabled se-linux protection.
This may help you learn how to make sense of what log files is produces:
http://docs.fedoraproject.org/selinu...nced_Linux.pdf

Last edited by jschiwal; 02-04-2010 at 09:53 PM.
 
Old 02-04-2010, 10:27 PM   #7
mrkorb
LQ Newbie
 
Registered: Nov 2009
Location: Tigard, OR, USA
Distribution: Fedora Core release 6
Posts: 5

Original Poster
Rep: Reputation: 0
Oh, I know how I was compromised. It was about 3 months ago, they got in using a phpMyAdmin exploit, which I promptly took down. At the time I also had the default insecure sshd configuration, which I tightened up to the point where even I have problems logging in on occasion. This IRC bot was likely left over from that intrusion and I just hadn't caught it until now. If they manage to reestablish themselves, then I'll certainly start thinking about installing a newer OS, but I'm pretty confident that it's much harder now than it was 3 months ago to get into my box.
 
Old 02-04-2010, 11:39 PM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
An unsupported OS can lead to more compromises. You also want to verify that your binaries and kernel weren't altered.

They could have created their own back doors in the time they controlled your server.
 
Old 02-05-2010, 12:57 AM   #9
mrkorb
LQ Newbie
 
Registered: Nov 2009
Location: Tigard, OR, USA
Distribution: Fedora Core release 6
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal View Post
An unsupported OS can lead to more compromises. You also want to verify that your binaries and kernel weren't altered.

They could have created their own back doors in the time they controlled your server.
There are a lot of things they could have done, yes, I agree. They just haven't. Does it make sense for nothing else to have happened in the last 3 months? I'm completely open to the possibility that this IRC bot was put on the box sometime since I shored up security in November, but it seems improbable to me that a measly IRC bot is all they did with it. They haven't taken over root (which they did the first time), they haven't added users (which they did the first time), they haven't touched the Apache installation (which they did the first time), they haven't done anything vaguely useful with it. This leads me to believe that they have been shut out, and this bot was a leftover from that initial break in. Just because I believe it doesn't make it fact, I'll agree with you, but until there is any evidence to the contrary (and I still have yet to run a rootkit detection program), I have no reason to believe that a problem still exists. I appreciate your concern, but I'm feeling pretty safe about things. Believe me, if something else happens, nobody's gonna be pointing fingers at myself for being too lax more than I will be.
 
Old 02-05-2010, 01:49 AM   #10
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
Any chance to see that bot? Did you remove it?
I'd like to see what it is and try to run it in my virtual machine, to investigate what it is. I'm always curious about such things.
If you didn't remove it, can you mail it to me (use the menu on my nickname on the post)?
 
Old 02-08-2010, 04:39 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,467
Blog Entries: 54

Rep: Reputation: 2899
Quote:
Originally Posted by Web31337 View Post
i'd like to see what it is and try to run it at my virtual machine, to investigate what is it.
Looking at your current track record (indicating you are not willing to follow proper incident response procedure) please do not ask fellow LQ members for malicious binaries.
 
1 members found this post helpful.
Old 02-08-2010, 04:50 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,467
Blog Entries: 54

Rep: Reputation: 2899
Quote:
Originally Posted by mrkorb View Post
Does it make sense (..) it seems improbable (..) They haven't taken over root (..) This leads me to believe that (..) (..) I'm feeling pretty safe about things.
You run a deprecated release, you run insecure SW, admit to having your machine cracked months ago, and you patched it up. At this point you really should consider doing the right thing and not drag things on: arguing doesn't make sense, ensuring integrity does. Given the machine's security was breached that means starting from scratch (as I'm pretty sure you are not able to verify machine integrity the right way), not patching things up as you go. You may think it is OK to hold a certain risk for you, but it also is a risk to other Internet users, meaning us all. However if you still want to have a go at verifying machine state let us know, OK?
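Added example (not from the thread, and not something either poster ran): jschiwal's post #8 says to verify that the binaries and kernel weren't altered, and unSpawn's post #12 talks about verifying machine state. On an RPM-based box such as Fedora Core the first pass at that is `rpm -Va`, and the script below shows how to read its output: it separates packaged binaries whose size, digest, mode or link target changed (or that are missing) from config files, which are expected to differ, and from mtime-only changes, which are noise. The `rpm -Va` lines are constructed sample data in the format rpm prints (an 8- or 9-character attribute string, an optional file-type letter such as "c" for config, then the path); the paths chosen are illustrative.

```sh
#!/bin/sh
# Reading `rpm -Va` output: which packaged files changed in ways that matter?
# SAMPLE_RPM_VA is constructed test data, not real verification output.
# Attribute columns: S size, M mode, 5 digest, D device, L link target,
# U user, G group, T mtime, P capabilities; "." means unchanged.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/gcc
S.5....T.    /bin/ls
S.5....T.    /usr/bin/netstat
.M.......    /bin/su
missing      /usr/sbin/lsof'

# Print non-config files whose size, digest, mode or link target changed,
# plus files rpm says are missing. Mtime-only changes are ignored.
altered_binaries() {
    printf '%s\n' "$SAMPLE_RPM_VA" | awk '
        $1 == "missing" {
            path = ($2 ~ /^\//) ? $2 : $3
            print path
            next
        }
        $1 ~ /^[SM5DLUGTP.]+$/ {
            ftype = ($2 ~ /^\//) ? "" : $2       # file-type flag, if present
            path  = ($2 ~ /^\//) ? $2 : $3
            if (ftype == "c") next               # config files are expected to differ
            if ($1 ~ /[S5ML]/) print path        # content, mode or link changed
        }'
}

# Print config files (type "c") that differ from the packaged version.
changed_configs() {
    printf '%s\n' "$SAMPLE_RPM_VA" | awk '$1 ~ /^[SM5DLUGTP.]+$/ && $2 == "c" { print $3 }'
}

echo "Altered packaged files (investigate each):"
altered_binaries
echo "Changed config files (review, usually expected):"
changed_configs
```

Pipe the real `rpm -Va` into the same awk to get the live list; `rpm -V kernel` covers the installed kernel image and modules. Two caveats the thread's replies are driving at: the RPM database on a compromised host can itself have been edited, so a clean `rpm -Va` proves little unless it is run from a rescue environment against packages whose checksums you trust (`rpm -Vp` against the original package files), and a kernel rootkit will lie to every userland tool, including rpm, which is why starting from scratch is the recommendation above.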
 
Old 02-09-2010, 02:01 AM   #13
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
Marked that for myself, I knew I'm probably wrong here. Sorry.
 
  

