LinuxQuestions.org
Old 07-12-2004, 11:48 AM   #1
kloppster
System possibly compromised


Hello all,

This morning I awoke to our system having telnet running, pings going out to yahoo and a program called zbind running. I ended up killing the telnet, zbind and ping processes and found that zbind was hiding in the folder "/var/tmp/ /".

Also inside that folder were the following files:

do_brk_exp
socklist
tshdc
za.tgz
za\contty
za\sxp
za\zbind
za\zero

I have deleted this folder but have kept the files backed up in a tar file.

Can anyone tell me what this was, how I can prevent it from happening again, and the best way of tracking who did this?

Thanks,

Stefan
 
Old 07-12-2004, 12:18 PM   #2
kloppster
After further investigation I found another empty folder in:

"/usr/info/ /deny"

After looking a little more I have found that in this folder is a program called SucKIT. From looking around it looks like this just happened this morning at 4am. I think they compromised our openssl as our log files show around that time a heavy attack from a specific IP. I have run '/sbin/init u' but am now not sure what to do. How do we secure our box again?

Stefan
 
Old 07-12-2004, 12:30 PM   #3
kloppster
I just ran chkrootkit and this is the only thing it found:

Searching for Suckit rootkit ... Warning: /sbin/init INFECTED
 
Old 07-12-2004, 01:30 PM   #4
Capt_Caveman
do_brk_exp is likely a local privilege escalation exploit of the do_brk vulnerability that was identified in December. This exploit allows someone with local access to gain root-level access (full system compromise). SucKIT is a non-LKM rootkit used to hide the presence of an intruder, including their processes and activities. Not sure what everything else is, but likely various modified tools and daemons.

If do_brk was used to take over your system, I'd guess that your system was not fully patched and probably had multiple applications that were vulnerable to remote attack (there was a recent SSL vulnerability), which would allow a hacker/cracker to gain user-level access and upload a number of tools, including the rootkit and the do_brk exploit. From there root access could be gained by exploiting the do_brk hole. However, that's an educated guess based on the files you've listed. If you would like to learn more about how the actual exploitation occurred, you'll need to boot the system with a CD-ROM (or "live") distro and mount the drive with the compromised system as read-only. Then you can feel free to check out the file system, logs and config files free of any obfuscation the rootkit might normally do. If you'd like to get the system back up and running, you can either image the compromised drive for analysis purposes or just replace the drive altogether.

The rootkit itself can technically be uninstalled; however, once your security has been compromised, it's fairly difficult to verify that the system is free of other backdoors/rootkits/tools. The only real option is to format and re-install from trusted media (not a backup). You can back up human-readable files that you can visually verify are clean, but binaries should not be trusted. You can also check out a number of docs on recovering from compromise in the LQ security references thread. You can also check out info on the original version of SucKIT at Phrack.
 
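Worked example (added by the editor, not part of Capt_Caveman's post or the OP's system): a small POSIX sh triage script for the offline analysis described above. It assumes the suspect disk has been mounted read-only from a live CD (the mount command in the comments is illustrative), and it hunts for the kind of indicators this thread reports: directory names made of or padded with spaces (the OP's "/var/tmp/ /" and "/usr/info/ /deny"), ordinary files dropped under dev/, files touched inside the incident window (the OP's 4am), and a /sbin/init whose hash no longer matches a copy from trusted media (what chkrootkit flagged). The sample tree, timestamps, file names and the "trusted" hash are all constructed for the demo.

```shell
#!/bin/sh
# Offline triage of a compromised root filesystem, run from a live CD with the
# suspect disk mounted read-only, e.g.:
#   mount -o ro,noexec,nodev,noatime /dev/sdb1 /mnt/evidence
# Added example for this thread, not from the original posts. The mount point,
# the incident window, the sample tree and the trusted hash are constructed.

# Directories whose names start or end with a space, like the thread's
# "/var/tmp/ /" and "/usr/info/ /deny"; they are easy to miss in a casual ls.
find_odd_dirs() {
    find "$1" -type d \( -name ' *' -o -name '* ' \) 2>/dev/null
}

# Regular files under dev/: a device directory should hold device nodes, so
# ordinary files there deserve a look on any suspect system.
find_files_in_dev() {
    find "$1/dev" -type f 2>/dev/null
}

# Files whose mtime falls inside the incident window. Uses reference files and
# -newer (POSIX) rather than GNU -newermt. Timestamps are [[CC]YY]MMDDhhmm.
find_in_window() {
    root="$1"; start="$2"; end="$3"
    refdir=$(mktemp -d)
    touch -t "$start" "$refdir/start"
    touch -t "$end"   "$refdir/end"
    find "$root" -type f -newer "$refdir/start" ! -newer "$refdir/end" 2>/dev/null
    rm -rf "$refdir"
}

# Compare a binary on the evidence disk against a SHA-256 taken from trusted
# install media (chkrootkit flagged /sbin/init here). Prints MATCH or MISMATCH.
verify_binary() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] && echo MATCH || echo MISMATCH
}

# Constructed sample tree standing in for the mounted evidence disk.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/var/tmp/ " "$root/usr/info/ /deny" "$root/dev" "$root/sbin" "$root/etc"
    printf 'ELF' > "$root/sbin/init"            # stand-in for a replaced init
    printf 'x'   > "$root/var/tmp/ /zbind"      # dropped tool in the odd dir
    printf 'y'   > "$root/dev/.hidden"          # ordinary file under dev/
    printf 'z'   > "$root/etc/hosts"            # untouched file
    # Incident at 04:00 on 2004-07-12 per the thread; hosts is a week older.
    touch -t 200407120405 "$root/var/tmp/ /zbind" "$root/sbin/init" "$root/dev/.hidden"
    touch -t 200407050900 "$root/etc/hosts"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    ROOT=$(build_sample_tree)
    echo "== odd directories";        find_odd_dirs "$ROOT"
    echo "== files under dev/";       find_files_in_dev "$ROOT"
    echo "== modified 03:30-04:30";   find_in_window "$ROOT" 200407120330 200407120430
    TRUSTED=$(printf 'genuine init' | sha256sum | cut -d' ' -f1)   # would come from trusted media
    echo "== /sbin/init: $(verify_binary "$ROOT/sbin/init" "$TRUSTED")"
    rm -rf "$ROOT"
fi
```

Run it as `sh triage.sh --demo` to see the constructed findings; against a real evidence mount, call the functions with the mount point and a window bracketing the time your logs show. Everything here reads the disk only, which is the point of working from a read-only mount rather than the live, rootkitted system.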
Old 07-12-2004, 01:59 PM   #5
kloppster
Thanks for your reply. I believe you are right about it coming from an OpenSSL attack. We have checked our SSL logs and it looks like there was an attack around 4am (lots of traffic in the log and some errors reported), which coincides with the time the telnet processes were started. After that point there were also several attempts to flush our iptables (we use a hardware firewall, which could be why he couldn't stop the firewall) as well as a huge list of module loading errors...
 
Old 07-12-2004, 03:07 PM   #6
Capt_Caveman
Again, that's just a guess. On an unpatched system, there would likely be a significant number of ways to gain remote user-level access. For a reasonably capable cracker, the whole attack (remote exploitation, privilege escalation, rootkit insertion, starting up a remote telnet backdoor) might only take a short period of time and would be very difficult to stop unless you caught it instantaneously. If you'd like, you can do some forensic analysis on the compromised system to see how successful the hack attempt was, but you will absolutely need to take the machine offline and re-install.

Not to chastise you, but if the machine was vulnerable to do_brk, you (or whoever is in charge of the system's security) really need to re-evaluate the security policy and figure out why machines aren't getting fully updated with the most recent security patches. It's arguably *THE* most effective way to keep from getting cracked.
 
Old 07-12-2004, 03:20 PM   #7
kloppster
Hey, no problem... I am not the sysadmin of the box; we actually have a managed box, however I thought I would investigate myself. We just talked to the sysadmin now and he tells us we need to upgrade from Red Hat 7.3 before any updates can be applied. What is funny is that we pay (quite a lot) for our managed services, yet they never notified us once that we should possibly upgrade to a new kernel or OS... Again, thanks for your comments!
 
Old 07-12-2004, 03:30 PM   #8
Capt_Caveman
Quote: the sysadmin now and he tells us we need to upgrade from redhat 7.3 before any updates can be applied.

Not really. You can run old, unsupported distros like RH7.3; you just have to manually patch them. Sounds like they're just being lazy. Upgrading to a recent version just allows you to automate the patching process (using something like up2date or yum) or get official Red Hat RPMs.

Quote: What is funny is that we pay (quite a lot) for our managed services yet they never notified us once that we should possibly upgrade to a new kernel or OS.

Sounds like you might want to find someone more reliable. Having 7+ month old vulnerabilities (especially critical vulns like do_brk) is pretty inexcusable if you're paying them to manage the systems.

Quote: Again thanks for your comments!

Sure. Sorry your box got hacked.