LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-09-2010, 02:31 AM   #1
jax8
Member
 
Registered: Feb 2004
Location: Australia
Distribution: Ubuntu, Fedora 10
Posts: 632

Rep: Reputation: 31
Have I been hacked?


I am running a Fedora 10 Virtual Server and have a feeling I have been hacked. I needed to fix a source file that I had definitely not changed myself. It was a PHP file concerned with usernames and passwords so that made me even more suspicious. I have been investigating and found the following. If you need other information give me the command I should run and I will update, I am no expert in this area and use the server to host my website and SVN. I am the only person that has access to the server.


Code:
# lsof -u nobody

COMMAND  PID   USER   FD   TYPE     DEVICE   SIZE       NODE NAME
proftpd 1502 nobody  cwd    DIR       0,81   4096   27889180 /
proftpd 1502 nobody  rtd    DIR       0,81   4096   27889180 /
proftpd 1502 nobody  txt    REG       0,81 760920   28216141 /usr/sbin/proftpd
proftpd 1502 nobody  mem    REG        8,3          28639395 /lib/libssl.so.0.9.8g (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639374 /lib/libcrypt-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28478541 /usr/lib/libkrb5.so.3.3 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639371 /lib/libresolv-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639253 /lib/libkeyutils-1.2.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639449 /lib/libaudit.so.0.0.0 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639436 /lib/libselinux.so.1 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639455 /lib/libcrypto.so.0.9.8g (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639445 /lib/libpam.so.0.81.13 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639264 /lib/libc-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28477777 /usr/lib/libgssapi_krb5.so.2.2 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639384 /lib/libcap.so.2.10 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639444 /lib/ld-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639262 /lib/libcom_err.so.2.1 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639289 /lib/libpthread-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639377 /lib/libnss_dns-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639271 /lib/libdl-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639524 /lib/libattr.so.1.1.0 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639528 /lib/libacl.so.1.1.0 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28478247 /usr/lib/libk5crypto.so.3.1 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639406 /lib/libnss_files-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639294 /lib/libz.so.1.2.3 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28477856 /usr/lib/libkrb5support.so.0.1 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28216141 /usr/sbin/proftpd (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28509467 /usr/lib/locale/locale-archive (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28606782 /usr/lib/gconv/gconv-modules.cache (path dev=0,81)
proftpd 1502 nobody    0u  IPv6 1482671657               TCP *:ftp (LISTEN)
proftpd 1502 nobody    3u  unix 0xb12bfa40        1482671154 /var/run/proftpd/proftpd.sock
proftpd 1502 nobody    5r   REG       0,81   1764   27890370 /etc/passwd
proftpd 1502 nobody    6r   REG       0,81    801   27890286 /etc/group
Should /etc/passwd and /etc/group really be accessible by nobody?


rkhunter showed the following warnings

Code:
# cat /var/log/rkhunter.log.old | grep Warning

[13:44:48] Warning: Checking for prerequisites               [ Warning ]
[13:44:48] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
[13:44:54] /usr/bin/ldd                                      [ Warning ]
[13:44:54] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[13:44:57] /usr/bin/whatis                                   [ Warning ]
[13:44:57] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
[13:44:58] /sbin/ifdown                                      [ Warning ]
[13:44:58] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[13:44:58] /sbin/ifup                                        [ Warning ]
[13:44:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[13:48:36]   Checking loaded kernel modules                  [ Warning ]
[13:48:36] Warning: No output found from the lsmod command or the /proc/modules file:
[13:48:37] Warning: The kernel modules directory '/lib/modules' is missing or empty.
[13:49:27]   Checking if SSH root access is allowed          [ Warning ]
[13:49:27] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[13:49:33]   Checking for hidden files and directories       [ Warning ]
[13:49:33] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[13:50:13]   Checking version of GnuPG                       [ Warning ]
[13:50:13] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[13:50:13]   Checking version of Apache                      [ Warning ]
[13:50:14] Warning: Application 'httpd', version '2.2.11', is out of date, and possibly a security risk.
[13:50:14]   Checking version of Bind DNS                    [ Warning ]
[13:50:14] Warning: Application 'named', version '9.5.1-P3', is out of date, and possibly a security risk.
[13:50:14]   Checking version of OpenSSL                     [ Warning ]
[13:50:14] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[13:50:14]   Checking version of PHP                         [ Warning ]
[13:50:14] Warning: Application 'php', version '5.2.9', is out of date, and possibly a security risk.
[13:50:14]   Checking version of OpenSSH                     [ Warning ]
[13:50:14] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

Last edited by jax8; 07-09-2010 at 05:32 AM.
 
Old 07-09-2010, 05:04 AM   #2
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Rep: Reputation: Disabled
I am no expert myself but I think the rkhunter may suggest that you are using old packages and this may be because you are using an old unsupported version of Fedora. The latest is F13. The Fedora release cycle is short and it attains end of life quite frequently. Not a good choice for a server. Upgrading to F13 may remove the rkhunter warnings.
 
Old 07-10-2010, 04:09 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by jax8 View Post
should /etc/passwd and /etc/group really be accessible by nobody?
Short answer: yes.


Quote:
Originally Posted by jax8 View Post
I am running a Fedora 10 Virtual Server and have a feeling I have been hacked. I needed to fix a source file that I had definitely not changed myself. It was a PHP file concerned with usernames and passwords so that made me even more suspicious. I have been investigating and found the following.
As said, F10 is deprecated so no more security updates. Bad. Who was the file owned by? What were the access rights? What does 'stat' return when you run it on the PHP-file-with-usernames-and-passwords? What software is it part of? Are you running the latest version? Did you check your system and web server logs ('Logwatch') for anomalies?

If you have the hunch (it's good to follow those) you've got a potential compromise on your hands please read the Intruder Detection Checklist (CERT, archived): http://web.archive.org/web/200801092...checklist.html


Quote:
Originally Posted by jax8 View Post
has been replaced by a script
Download version 1.3.6 and read the documentation, search the rkhunter-users mailing list archives and see the rkhunter.conf script whitelisting option. The fact you're only showing this now means you never (re-)configured Rootkit Hunter completely.


Quote:
Originally Posted by jax8 View Post
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
Well set it.


Quote:
Originally Posted by jax8 View Post
Warning: Hidden file found: /usr/share/man/man1/..1.gz
Read the documentation, search the rkhunter-users mailing list archives and see the rkhunter.conf dot-files whitelisting option.


Quote:
Originally Posted by jax8 View Post
Warning: Application X, version Y, is out of date, and possibly a security risk.
Read the documentation, search the rkhunter-users mailing list archives, see the rkhunter.conf application check version whitelisting option or disable the application version check.
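As an added illustration of the whitelisting advice above (this is not code from the thread or from the Rootkit Hunter project), the script below sorts rkhunter warning lines of the kind jax8 posted into candidate rkhunter.conf entries and into warnings that a whitelist entry would only hide. It assumes the real rkhunter.conf options SCRIPTWHITELIST, ALLOWHIDDENFILE, ALLOWHIDDENDIR and APP_WHITELIST, and that every path is first confirmed as unmodified distro content (for example with 'rpm -Vf') before its line is copied into the config.

```python
import re

# Constructed sample input: warning lines in the format rkhunter writes to its log.
SAMPLE_LOG = """\
[13:44:54] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[13:44:57] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
[13:48:37] Warning: The kernel modules directory '/lib/modules' is missing or empty.
[13:49:27] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[13:49:33] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[13:50:13] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[13:50:14] Warning: Application 'httpd', version '2.2.11', is out of date, and possibly a security risk.
"""

SCRIPT_RE = re.compile(r"The command '([^']+)' has been replaced by a script")
HIDDEN_RE = re.compile(r"Hidden (file|directory) found: ([^:]+):")
APP_RE = re.compile(r"Application '([^']+)', version '([^']+)', is out of date")


def triage(log_text):
    """Return (whitelist_lines, action_items) for the Warning lines in log_text.

    whitelist_lines are rkhunter.conf entries to add only after each path has
    been verified as package-supplied (e.g. 'rpm -Vf <path>' reports no change);
    action_items are warnings that a whitelist entry would merely silence.
    """
    whitelist, apps, actions = [], [], []
    for line in log_text.splitlines():
        if "Warning:" not in line:
            continue
        if m := SCRIPT_RE.search(line):
            whitelist.append("SCRIPTWHITELIST=" + m.group(1))
        elif m := HIDDEN_RE.search(line):
            key = "ALLOWHIDDENFILE" if m.group(1) == "file" else "ALLOWHIDDENDIR"
            whitelist.append(key + "=" + m.group(2))
        elif m := APP_RE.search(line):
            apps.append("%s:%s" % m.groups())  # collected into one APP_WHITELIST line
        elif "PermitRootLogin" in line:
            actions.append("sshd_config: set PermitRootLogin explicitly (e.g. 'no')")
        elif "/lib/modules" in line:
            actions.append("no kernel modules: normal on a container/VPS, otherwise investigate")
        else:
            actions.append("review manually: " + line.split("Warning: ", 1)[1])
    if apps:
        whitelist.append('APP_WHITELIST="%s"' % " ".join(apps))
    return whitelist, actions


if __name__ == "__main__":
    wl, todo = triage(SAMPLE_LOG)
    print("\n".join(wl))
    print("\n".join(todo))
```

APP_WHITELIST suppresses the version check, which is reasonable on a distribution that backports security fixes; on an end-of-life release such as F10 the warning is accurate and the fix is an upgrade, as the replies above say.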
 
Old 07-10-2010, 04:14 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by linuxlover.chaitanya View Post
I am no expert myself
This is the Linux Security forum. Members may post information about (potential) compromises here. Compromises are bad for the owner, bad for all connected to the same network (meaning all of us) and bad for the GNU/Linux image. This means it needs to be dealt with decisively, correctly and quickly. So if you're not familiar with incident response then for you the best thing to do is to wait until somebody comes along who does. Because addressing secondary issues makes the OP lose focus and is inefficient. If you want to post something then post the Intruder Detection Checklist link I posted in the previous reply. This enables the OP to at least gather more information.

Also upgrading to F13 will not remove the rkhunter warnings.
 
Old 07-10-2010, 06:31 AM   #5
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Other useful commands:

Code:
netstat -a
nmap localhost
and look for open ports, in case it is using any ports.

clamav or other anti-virus is useful if you suspect a virus or trojan.
 