LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-10-2010, 01:42 PM   #1
vielmaj
hacked /dev/shm/ /.access.log/y2kupdate


My server was hacked and we found it by noticing large amounts of bandwidth. A user had a common name and easy password. I disabled the user and installed denyhosts. The only item that I couldn't clean up was a cronjob found in the /var/spool/cron/crontabs directory listed as

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.d installed on Wed Dec 8 09:12:22 2010)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* * * * * /dev/shm/ /.access.log/y2kupdate >/dev/null 2>&1

Could someone tell me where to find this file or what is going on?

Thanks,

Jason
 
Old 12-10-2010, 04:02 PM   #2
abefroman
You don't see it in /dev/shm? That is a common directory where hackers put stuff because it's writable.

That space after shm/ and /.access looks a little strange though.
 
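Added example, not part of the thread: a scratch reconstruction of the directory layout behind the cron command in post #1, showing why the space-named directory abefroman points at is easy to overlook, and how a shell actually splits that command line. A mktemp directory stands in for /dev/shm so nothing on the real box is touched, and the placeholder y2kupdate script is an assumption; the thread does not say what the real file contains.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the directory layout behind the crontab
# command "/dev/shm/ /.access.log/y2kupdate" under a scratch directory (so the real
# /dev/shm is never touched) and show the two tricks that make it easy to miss:
# a directory whose name is a single space, and a dot-directory inside it.

# Create the stand-in /dev/shm. The placeholder "y2kupdate" is a do-nothing script;
# the real file's contents are not known from the thread.
make_fake_shm() {
    shm=$(mktemp -d)
    mkdir -p "$shm/ /.access.log"
    printf '#!/bin/sh\nexit 0\n' > "$shm/ /.access.log/y2kupdate"
    chmod 755 "$shm/ /.access.log/y2kupdate"
    printf '%s\n' "$shm"
}

# Plain "ls" prints the space-named directory as an apparently empty line and, without -a,
# never shows ".access.log". Brackets around each path make whitespace names visible.
list_bracketed() {
    find "$1" -mindepth 1 -exec sh -c 'for p; do printf "[%s]\n" "$p"; done' sh {} +
}

# Count entries below a directory whose basename contains a space or starts with a dot.
# Run this against the real mount points (/dev/shm, /tmp, /var/tmp) from a trusted shell.
count_odd_names() {
    find "$1" -mindepth 1 \( -name '* *' -o -name '.*' \) | wc -l | tr -d ' '
}

# Cron hands the command field to "sh -c", so an unescaped space ends the first word:
# typed exactly as shown in the post, sh would run "/dev/shm/" with "/.access.log/y2kupdate"
# as its argument. Parse a command the way sh does and print one word per line.
# (eval is only acceptable here because the input is a literal you typed yourself.)
words_as_sh_sees() {
    eval "set -- $1"
    printf '%s\n' "$@"
}

# Usage (after sourcing the functions above):
#   shm=$(make_fake_shm); list_bracketed "$shm"; count_odd_names "$shm"
#   words_as_sh_sees '/dev/shm/ /.access.log/y2kupdate'    # two words
#   words_as_sh_sees '/dev/shm/\ /.access.log/y2kupdate'   # one word
#   od -c /var/spool/cron/crontabs/<user>                   # see whether the space is escaped
```

Whether the real crontab entry had the space escaped cannot be told from the post; od -c on the spool file shows the actual bytes. Either way, find with -name patterns (or any tool that quotes names on output) finds the directory regardless of how it displays in ls.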
Old 12-10-2010, 04:13 PM   #3
vielmaj
Yes, everything is gone in that directory. It looks like the hacker cleaned everything up except the .bash_history of the user they hacked. The computer was rebooted. Is it like the /tmp directory and everything is deleted on shutdown?

Jason
 
Old 12-10-2010, 06:43 PM   #4
unSpawn
Please run '( /bin/ps axfwwwe; lsof -Pwln; netstat -antupe; who )| /tmp/result.log', shut down all 'net-facing services except SSH, make the firewall block IRC traffic, check any 'net-facing users crontab in /var/spool/cron and perform tasks as per the CERT Intruder Detection Checklist: http://web.archive.org/web/200801092...checklist.html ('tis an oldy BTW) and post feedback.
 
Old 12-11-2010, 04:48 AM   #5
Noway2
unSpawn,

Was the '|' a typo? In other words did you mean '( /bin/ps axfwwwe; lsof -Pwln; netstat -antupe; who ) > /tmp/result.log'?
 
Old 12-11-2010, 04:56 AM   #6
unSpawn
Yes, thanks, either ')|tee /file' or ') >/file'.
 
Old 12-11-2010, 07:42 AM   #7
unSpawn
Apart from vulnerabilities exploited in the OS due to lack of updates or severely misconfigured machines, the most common infection vector would be running outdated, vulnerable software in the web stack. While other languages are equally prone to this, it's commonly PHP-based software. And while I don't know the exact contents of the kit that contains y2kupdate, accounts here and elsewhere suggest it is used to deliver and run an IRC bouncer (usually PsyBNC). So if the application is active you should see some process ("httpd -DSSL"?) making connections to IRC servers.

Quote (unSpawn, post #4):
> check any 'net-facing users crontab in /var/spool/cron
On second thought it would be better to run 'mv -f /etc/cron.deny /etc/cron.deny_; echo root > /etc/cron.allow' as this would only allow the root user to use cron. If you however suspect a root compromise then that's not going to help and you should bring the machine down fast to avoid it being used against other systems. Also note that "fixing" one hole like you did does not automagically mean you should trust the machine: you have to ensure integrity by checking it, not just assume it's "OK".
 
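Added example, not part of the thread: three of the checks unSpawn describes in posts #4 and #7, written so they run against constructed input rather than the live box. It audits a cron spool for jobs that execute out of memory-backed or world-writable directories (or through dot-named path components), scans netstat -antupe style output for established connections to the ports IRC servers commonly use, and applies the cron.allow lockdown from post #7. The sample crontabs, the netstat lines and the scratch spool and etc directories are constructed for this demo; the port list is the conventional IRC range, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: cron-spool audit, IRC-connection scan and cron.allow
# lockdown, run here against constructed data. Nothing below touches the real system unless
# you call the functions with real paths.

# Audit every crontab in a spool directory (one file per user; 5 time fields or an
# @reboot-style nickname, then the command). Prints "user: command" for each hit.
audit_cron_spool() {
    spool=$1
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        awk -v user="$(basename "$f")" '
            /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
            { start = ($1 ~ /^@/) ? 2 : 6; cmd = ""
              for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i }
            cmd == "" { next }                         # MAILTO=... and similar
            cmd ~ /^\/(dev\/shm|tmp|var\/tmp)\// || cmd ~ /\/\.[^\/ ]/ { print user ": " cmd }
        ' "$f"
    done
}

# Constructed spool: a web user's crontab with the entry from post #1 plus a benign job,
# and a root crontab with nothing unusual.
make_sample_spool() {
    spool=$(mktemp -d)
    printf '%s\n' \
        '# DO NOT EDIT THIS FILE - edit the master and reinstall.' \
        '* * * * * /dev/shm/ /.access.log/y2kupdate >/dev/null 2>&1' \
        '0 3 * * * /usr/bin/find /var/www/tmp -mtime +7 -delete' > "$spool/www-data"
    printf '%s\n' 'MAILTO=root' '@daily /usr/sbin/logrotate /etc/logrotate.conf' > "$spool/root"
    printf '%s\n' "$spool"
}

# Constructed "netstat -antupe" output (columns: Proto Recv-Q Send-Q Local Foreign State
# User Inode PID/Program). The first line is the pattern post #7 says to look for.
SAMPLE_NETSTAT='tcp        0      0 192.0.2.10:43210        198.51.100.7:6667       ESTABLISHED 1001       12345      4321/httpd -DSSL
tcp        0      0 192.0.2.10:22           203.0.113.5:51234       ESTABLISHED 0          12346      987/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          12347      1000/httpd'

# Print "pid/program -> remote" for established TCP connections whose remote port is in
# the ranges IRC servers commonly listen on (6660-6669, 6697, 7000). Reads stdin.
find_irc_connections() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, a, ":"); port = a[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 6697 || port == 7000) {
                prog = $9; for (i = 10; i <= NF; i++) prog = prog " " $i
                print prog " -> " $5
            }
         }'
}

# Allow only root to use cron (when cron.allow exists, cron.deny is ignored).
# The directory argument exists so the demo can run against a scratch copy of /etc.
restrict_cron_to_root() {
    etc=${1:-/etc}
    if [ -f "$etc/cron.deny" ]; then mv -f "$etc/cron.deny" "$etc/cron.deny_"; fi
    printf 'root\n' > "$etc/cron.allow"
}

# Usage: spool=$(make_sample_spool); audit_cron_spool "$spool"
#        printf '%s\n' "$SAMPLE_NETSTAT" | find_irc_connections
#        restrict_cron_to_root "$(mktemp -d)"      # drop the argument on the real box
```

On a live system feed audit_cron_spool the real spool (/var/spool/cron or /var/spool/cron/crontabs depending on distribution) and pipe the actual netstat -antupe output into find_irc_connections; a bouncer may also be configured for a non-standard port, so treat a clean scan as a negative result for this check only, not as proof the machine is clean.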