LinuxQuestions.org

Linux - Security: Connections to IRC server, and it's not me (http://www.linuxquestions.org/questions/linux-security-4/connections-to-irc-server-and-its-not-me-786951/)

mrkorb 02-04-2010 07:41 AM

Connections to IRC server, and it's not me
 
For some time now I've been noticing the network activity light for my linux box blinking like mad on my router. After a little looking around for ways to see what connections my box has established, I found the following using lsof -i

Code:

bash      13839 root    1u  IPv4 3118972      TCP shana:49148->Oslo.NO.EU.undernet.org:ircd (SYN_SENT)
bash      13839 root    2u  IPv4 3118986      TCP shana:34323->161.53.178.240:distinct (SYN_SENT)
bash      13839 root    3u  IPv4 3118543      UDP *:33437
bash      13839 root    4u  IPv4 3118982      TCP shana:58438->oslo.no.eu.undernet.org:ircd (SYN_SENT)

I know I'm not using IRC, and I have my sshd locked down fairly tight, requiring a key to log in, so obviously, it looks like there's something or somebody in Croatia (the origin of that IP address) connecting my system to undernet.org for some nefarious purpose. Looking at my processes, ID 13839 shows up as
Code:

13839 ?        S      0:00 bash

Just 'bash', not '-bash' as

Code:

13426 pts/0    S      0:00 -bash

my session appears. Previously, this odd bash process was ID 2704, which seemed to imply that it had launched fairly soon after my system booted up, which really makes me wonder. Oh, and yes, I did kill that 2704 process, and it returned as this 13839. 2704 also had those same IRC connections present in lsof.

Any ideas on where I might start with this? This kind of hacker crap really stresses me out.

Web31337 02-04-2010 08:53 AM

use these commands:
Code:

lsof -Pwn
netstat -anpe
ps -axfwwwe

to check what's going on. posting of outputs is welcome.
it looks like you're rooted.
IRC is the most used bot control proto.
when you find that malicious app creating connections let us know. Perhaps it's that "bash". Check where it is located. Run rkhunter and other rootkit-checkers.

carbonfiber 02-04-2010 09:39 AM

IIWY I'd also inspect the binary to see if I can find out some details regarding (at least) the IRC connection it's making. Perhaps, if it's joining any particular channel - I'd drop by and say "Hello". Also, what distribution are you using, and where do you stand as far as up-to-date...-ness goes?

mrkorb 02-04-2010 08:30 PM

The outputs clocked in at about 280k so I've attached them as text files since I was way over the 30k character limit otherwise. As for what I'm running, it's Fedora Core 6. I honestly couldn't tell you how up to date I am on everything since this system is used as a webserver and so I'm not frequently logging into it and tinkering with its stuff.

mrkorb 02-04-2010 09:22 PM

Ah ha! Got it.

The lsof output showed

Code:

bash      13839 root  txt    REG      253,0  492135    6750341 /etc/crond/bash

So I headed over to /etc/crond and found this nice little eggdrop bot running. I stopped crond, killed the fake bash process, chmod'd all the script files they had in there to -x, and moved all that crap out. Started crond again, and guess what didn't start running again almost immediately like it had before.

I think I'll leave the system unplugged from the network for a few more hours, making sure that the process doesn't start up again somehow, but I'm feeling pretty confident about this.
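A defender-side triage script, added here as an example (it is not code from any poster in this thread), that automates what the thread did by hand: pick out connections to IRC ports from `lsof -Pwn -i` output and, for each PID, confirm where the running binary actually lives, which is the check that exposed /etc/crond/bash. The sample lsof lines and addresses are constructed; `rpm -qf` is Fedora's package-ownership query and `readlink` on /proc/PID/exe is standard Linux.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: automate the triage done by
# hand above (a process named like a shell talking to an IRC port, whose executable
# turned out to live in /etc/crond/bash). On a live box feed real output:
#   lsof -Pwn -i | triage
# Constructed sample in `lsof -Pwn -i` layout (numeric hosts and ports); the addresses
# are documentation ranges, not the ones from the thread.
SAMPLE='COMMAND   PID USER   FD   TYPE  DEVICE NODE NAME
bash    13839 root    1u  IPv4 3118972  TCP 192.0.2.10:49148->198.51.100.7:6667 (SYN_SENT)
bash    13839 root    2u  IPv4 3118986  TCP 192.0.2.10:34323->198.51.100.8:9999 (SYN_SENT)
bash    13839 root    3u  IPv4 3118543  UDP *:33437
sshd     1201 root    3u  IPv4    9876  TCP 192.0.2.10:22->203.0.113.5:51234 (ESTABLISHED)
httpd    2210 apache  4u  IPv4   11223  TCP *:80 (LISTEN)'

# Ports commonly used for IRC ("ircd" in the thread's output is 6667).
IRC_PORTS='6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 7000'
# stdin: lsof -i output. Prints "PID COMMAND REMOTE" for each connection whose remote
# port is an IRC port. The NAME column is found by its "->", not by position, so older
# lsof layouts without a SIZE/OFF column parse the same way.
flag_irc_peers() {
    awk -v ports="$IRC_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) irc[p[i]] = 1 }
    NR > 1 { for (i = 1; i <= NF; i++) if ($i ~ /->/) {
        split($i, ends, "->"); m = split(ends[2], part, ":")
        if (part[m] in irc) printf "%s %s %s\n", $2, $1, ends[2]
    } }'
}

# True (exit 0) when a path is outside the directories packaged binaries normally
# live in; a "bash" under /etc is exactly the tell the thread hit.
exe_outside_trusted() {
    case "$1" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*|/usr/libexec/*) return 1 ;;
        *) return 0 ;;
    esac
}

# For each flagged PID show the binary actually running (/proc/PID/exe survives a
# renamed or deleted file) and whether an RPM owns it.
triage() {
    flag_irc_peers | while read -r pid cmd remote; do
        exe=$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "(no such process)")
        owner=$(rpm -qf "$exe" 2>/dev/null || echo "not owned by any package")
        case "$exe" in /*) verdict=ok; exe_outside_trusted "$exe" && verdict="SUSPICIOUS path" ;; *) verdict=n/a ;; esac
        printf 'pid %s (%s) -> %s\n  exe: %s [%s] %s\n' "$pid" "$cmd" "$remote" "$exe" "$owner" "$verdict"
    done
}

printf '%s\n' "$SAMPLE" | triage
```

On a Fedora box `rpm -Va` extends the same idea to every packaged file (changed checksums, modes or owners), which is the kind of integrity check later posts in this thread ask for.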

jschiwal 02-04-2010 09:50 PM

You haven't determined how you were compromised. This link should help you get started.

http://web.archive.org/web/200801092...checklist.html

I don't think that FC 6 is supported any more. You should probably re-install after you conclude your investigation, and determine what changes need to be made.

Also, given you are running a webserver and mysql database, I'm wondering if you disabled se-linux protection.
This may help you learn how to make sense of the log files it produces:
http://docs.fedoraproject.org/selinu...nced_Linux.pdf

mrkorb 02-04-2010 10:27 PM

Oh, I know how I was compromised. It was about 3 months ago, they got in using a phpMyAdmin exploit, which I promptly took down. At the time I also had the default insecure sshd configuration, which I tightened up to the point where even I have problems logging in on occasion. This IRC bot was likely left over from that intrusion and I just hadn't caught it until now. If they manage to reestablish themselves, then I'll certainly start thinking about installing a newer OS, but I'm pretty confident that it's much harder now than it was 3 months ago to get into my box.

jschiwal 02-04-2010 11:39 PM

An unsupported OS can lead to more compromises. You also want to verify that your binaries and kernel weren't altered.

They could have created their own back doors in the time they controlled your server.

mrkorb 02-05-2010 12:57 AM

Quote:

Originally Posted by jschiwal (Post 3853414)
An unsupported OS can lead to more compromises. You also want to verify that your binaries and kernel weren't altered.

They could have created their own back doors in the time they controlled your server.

There are a lot of things they could have done, yes, I agree. They just haven't. Does it make sense for nothing else to have happened in the last 3 months? I'm completely open to the possibility that this IRC bot was put on the box sometime since I shored up security in November, but it seems improbable to me that a measly IRC bot is all they did with it. They haven't taken over root (which they did the first time), they haven't added users (which they did the first time), they haven't touched the Apache installation (which they did the first time), they haven't done anything vaguely useful with it. This leads me to believe that they have been shut out, and this bot was a leftover from that initial break in. Just because I believe it doesn't make it fact, I'll agree with you, but until there is any evidence to the contrary (and I still have yet to run a rootkit detection program), I have no reason to believe that a problem still exists. I appreciate your concern, but I'm feeling pretty safe about things. Believe me, if something else happens, nobody's gonna be pointing fingers at myself for being too lax more than I will be.

Web31337 02-05-2010 01:49 AM

Any chance to see that bot? Did you remove it?
I'd like to see what it is and try to run it on my virtual machine, to investigate what it is. I'm always curious about such things.
If you didn't remove it, can you mail it to me (use the menu on my nickname on the post)?

unSpawn 02-08-2010 04:39 PM

Quote:

Originally Posted by Web31337 (Post 3853509)
i'd like to see what it is and try to run it at my virtual machine, to investigate what is it.

Looking at your current track record (indicating you are not willing to follow proper incident response procedure) please do not ask fellow LQ members for malicious binaries.

unSpawn 02-08-2010 04:50 PM

Quote:

Originally Posted by mrkorb (Post 3853473)
Does it make sense (..) it seems improbable (..) They haven't taken over root (..) This leads me to believe that (..) (..) I'm feeling pretty safe about things.

You run a deprecated release, you run insecure SW, admit to having your machine cracked months ago, and you patched it up. At this point you really should consider doing the right thing and not drag things on: arguing doesn't make sense, ensuring integrity does. Given the machine's security was breached that means starting from scratch (as I'm pretty sure you are not able to verify machine integrity the right way), not patching things up as you go. You may think it is OK to hold a certain risk for you, but it also is a risk to other Internet users, meaning us all. However if you still want to have a go at verifying machine state let us know, OK?

Web31337 02-09-2010 02:01 AM

Marked that for myself, I knew I'm probably wrong here. Sorry.