Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
hopefully I'm in the correct forum, other please move this thread.
I'm nearly new in using LINUX and now I recognized a "problem" on my Debian server.
If I open TOP, I can see that the process ttymon (command ttymon tymon) uses more than 50% of the CPU. Any idea what happened or what should I do?
In the past I never recognized this process and I have no clue why it uses so much CPU-time.
Any help would be appreciated
UPDATE:
I just recognized another strange thing:
I see that also perl have a high CPU-load and that several commans are running like:
./nn
./nnn
./nnu
./nni
I'm nearly new in using LINUX and now I recognized a "problem" on my Debian server. If I open TOP, I can see that the process ttymon (command ttymon tymon) uses more than 50% of the CPU. Any idea what happened or what should I do? In the past I never recognized this process and I have no clue why it uses so much CPU-time.
UPDATE:
I just recognized another strange thing:
I see that also perl have a high CPU-load and that several commans are running like:
./nn
./nnn
./nnu
./nni
By default ttymon should be a terminal port monitor. However in your case it may be collateral from a compromise. We'll help you find out if it is, to what point they've gotten and what the damage is. But before doing anything it is crucial you read the CERT Intruder Detection Checklist (old): http://web.archive.org/web/200801092...checklist.html.
I'll outline in short what we need to do:
- You need to read the Intruder Detection Checklist so you know what to do later on,
- Save open files (\lsof -P -w -n), process (\ps ax -o ppid,pid,uid,cmd --sort=uid) and network data (\netstat -anpe) listings to a location where you do not overwrite data or pipe through ssh,
- Gain control by shutting down all non-essential services and raising the firewall to only allow SSH traffic to and from your management IP (range). If the machine is local to you and you have any doubts power down the box and only boot with a Live CD unless you tell us the machine is remote (tell us),
- Tell us when you first encountered this situation,
- Tell us if the server exhibited any odd behaviour in the past,
- Tell us (attach logs?) if you have recent logs from running Chkrootkit / Rootkit Hunter or Aide / Samhain (or Integrit, Osiris or even tripwire) (don't install anything),
- Tell us what services the server runs and if it is a LAMP machine also what runs on top of Perl/PHP/Ruby (forum, web log, awstats) and possibly their versions,
- Tell us (attach output?) what the /tmp, /var/tmp and webserver docroot directories hold (find /dirname -ls),
After you've answered those question (don't install or delete anything) we'll move on to preparing backups for reference (not reuse) and investigate further (if necessary) using (changes in or logged reports about) system authentication data, any IDS logs (Snort, Prelude, router logs, filesystem integrity checkers, package manager if good enough), all system, daemon and firewall logs, temp files, unusual (setuid root) files, user shell histories. When you report back include any information, hints, hunches or gut feelings you think would help. Please attach logs if possible, else please use BB code tags to preserve formatting and efficient reading. And please ask before doing things if you have any doubts.
// Please note this thread will be moved to the Linux Security forum RSN.
As far as I know, nothing from this (Chkrootkit / Rootkit Hunter or Aide / Samhain (or Integrit, Osiris or even tripwire)) is installed.
I recognized this problem today the first time and have it on two different servers. Both server are used for HLDS-Counterstrike, one runs also a VPN,BNC and Eggdrop-bots - both run also apache2, mysql and PHP.
One server is located in Nuremberg and the other in Frankfurt, so I do not have direct access.
The shhd port is moved to a non-standard-port and only ports are allowed in the firewall, that belong to specific programs (hlds, bnc and so on).
After a reboot of both servers, the "./nn" tasks and perl run fine - I could not see any problem with them anymore but ttymon is still using 50% of the CPU load on one of the servers (the one with VPN, BNC, eggdrop bots, apache2, mysql & php).
Last edited by unSpawn; 09-07-2009 at 09:40 AM.
Reason: //sanitized IP addresses
I also checked , as mentioned in the link, the passwd file and could not find any new account nor an account that has the same access/grouplevel as root.
I just read the CERT Intruder Detection Checklist.
Read and executed it, by the looks of it.
Quote:
Originally Posted by SoX|OK
"\lsof -P -w -n" <- does not work
Find out if it is installed. Only if the installed binary matches the packages checksum execute 'lsof' (might need to prefix the path).
Quote:
Originally Posted by SoX|OK
Code:
debian31m:/home/joerg# \netstat -anpe
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 0 7050 3157/ttymon
Notice how in 'netstat' output the protocol is "raw" and the UID is "root". Notice how in 'ps' output the parent PID is 1 (init) and again the UID is "root". ttyload in combination with ttymon leads me to believe we're looking at evidence of the SHV4 (or 5) rootkit. This means you have a root compromise on your hands, so at this point all bets are off. If you have off-site backups, assess if they are tainted or not.
Quote:
Originally Posted by SoX|OK
After a reboot of both servers, the "./nn" tasks and perl run fine
I asked you not to perform anything other than list details. By rebooting you have permanently destroyed "evidence" of the intruder like open network connections and process details.
I'd like to point out that root compromises are one of the worst things that can happen to a GNU/Linux server. You will now have the opportunity to (re-)prioritize tasks, and in this order: mitigate, collect "evidence" (all logs and auth data), shut down servers, reinstall from scratch. At this point the first thing you must do is mitigate the situation by shutting down all non-essential services and raising the firewall to only allow SSH traffic to and from your management IP.
- I also must point out that deliberately not mitigating the situation is a hostile act towards other Internet users.
- Be aware that if you skip the evidence collecting stage you loose the opportunity to find out how the intruder gained entrance.
- To properly manage your expectations: for root compromises there will be no "cleanup" stage to "restore" your server, even if we do find the point(s) of entry and even if your backups are not tainted.
A login via root and ssh is not possible as far as I know, because for sshd root login is denied.
All services running on that host (vpn, hlds, apache, ftp, ZNC, eggdrop,...) are now stopped and all ports closed.
I also checked the logfiles (syslog, lastlog, apache-logs,authlog,...) and could not find anything strange, except in the authlog there are several entries like:
Quote:
Sep 7 18:15:01 debian31m CRON[4372]: pam_unix(cron:session): session opened for user munin by (uid=0)
Sep 7 18:15:01 debian31m CRON[4372]: pam_unix(cron:session): session closed for user munin
Sep 7 18:15:01 debian31m CRON[4371]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 7 18:15:01 debian31m CRON[4371]: pam_unix(cron:session): session closed for user root
Sep 7 18:15:01 debian31m CRON[4375]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 7 18:15:01 debian31m CRON[4375]: pam_unix(cron:session): session closed for user root
Sep 7 18:17:01 debian31m CRON[4414]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 7 18:17:01 debian31m CRON[4414]: pam_unix(cron:session): session closed for user root
Sep 7 18:20:01 debian31m CRON[4541]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 7 18:20:01 debian31m CRON[4541]: pam_unix(cron:session): session closed for user root
So if I understand you correct, the way to fix it is a reinstall of the server?
A login via root and ssh is not possible as far as I know, because for sshd root login is denied. All services running on that host (vpn, hlds, apache, ftp, ZNC, eggdrop,...) are now stopped and all ports closed.
OK. Are there any other users with admin access to the machine? Are there any other users who can access the machine right now? Did you also kill the ttyload and ttymon processes?
Quote:
Originally Posted by SoX|OK
I also checked the logfiles (syslog, lastlog, apache-logs,authlog,...) and could not find anything strange,
How far do the logs go back? Do you know what to look for? If you would want a second opinion you're invited to tarball all your logs, compress 'em, (host them or upload it to some free host) and email me the D/L location (else contact me by email).
Quote:
Originally Posted by SoX|OK
except in the authlog there are several entries like
Checked /etc/crontab and the user crontabs in /var/spool/cron?
Quote:
Originally Posted by SoX|OK
So if I understand you correct, the way to fix it is a reinstall of the server?
In the end, yes. I understand that setting up and maintaining a server represents an investment in terms of money and time but a root compromise means you can no longer trust the machine, and irrepairably so. However it would be good to find out how they got in. Else you might reinstall from scratch allowing the same vulnerability to reappear.
There is no other account that have admin-rights. Only root and only I use the root-account, no one else should know the password.
All other accounts are personalized and only these can access the server via ssh or ftp and the ssh port is moved to another port.
ttyload and ttymon are still active, should I kill them?
All logfiles have a minimum of 7 days - some much longer.
Sent a download link via mail to unSpawn.
Code:
debian31m:/var/log# cat /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
All user-crontabs look fine, as I set them up with no change.
Absolutly confirmed, makes more sense to find out how the came in instead of setting up the server again and run into the same mistake
Another thing, do you think that my server is compromised because of the ttymon and ttyload thing or because of the perl and ./nn thing? Because I recognized that also on my second server but there is everything working fine a reboot and I haven't recognized the ttymon/ttyload before the reboot. So I'm a littl frightend that maybe both servers were compromised
There is no other account that have admin-rights. Only root and only I use the root-account, no one else should know the password.
SHV5 means (among others) a trojaned /bin/login so yes, somebody else will know the root account password.
Quote:
Originally Posted by SoX|OK
ttyload and ttymon are still active, should I kill them?
Yes, but remove the ttyload and ttymon lines first from/etc/inittab.
I'll wait for the log link.
Quote:
Originally Posted by SoX|OK
auth.log.6: Jul 22 06:25:01 debian31m su[19327]: Successful su for nobody by root
Yes, that does not look right. Auth data may be tampered with, does 'last' show data about this login as well?
Quote:
Originally Posted by SoX|OK
passwd: nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
65534 is the as the port where ttymon/ttyload is listening, right?
Right. And 'ttyload' is a SSH daemon.
Quote:
Originally Posted by SoX|OK
nobody is also in /etc/passwd but as far as I know, I never setup an account like "nobody" - could that be my "problem"?
Each GNU/Linux system will have an inert (meaning it doesn't have a login shell) "nobody" system account but as far as I know it should have an UID way below 500.
Killed 2 processes (ttymon and ttyload) and removed ttyload from the inittab.
I sent the link via this page, no idea if you recieve an email or a message here on the page
Yes, also the actual logfiles show the login for nobody and always at 06:25:01 am.
I searched "nobody" with google and bing, and someone recognized that this is normal and should tell that root granted su for user nobody, normally a cronjob (e.g. exim4-base) - could that be?
Also the config in passwd would be normal for a debian etch installation.
Checked my workstation here with a nearly fresh install and no internet-connection - found the same entry for user nobody.
OK. I have gotten your tarball and I only had time for a quick look at the Apache logs which proved to be quite interesting. If believed not tampered with then access.log starts on 2008/Sep/07 and error.log starts on 2008/Aug/31. Having loads of logs helps reconstruct timelines and it is nice to have.
If you decompress and collate all Apache error.logs and run
on it then on 2009/Jul/06 a successful attack is started ("200 OK" response) downloading an unknown script to "/tmp/90.txt", likely a perl backdoor, and at later dates a prefab vmsplice exploit, some C code and a host of perl-based backdoor scripts. While crackers still obfuscate files by using seemingly innocuous (and therefore unblocked) extensions like ".jpg" they show here they openly download "c" code. Also the failures to find results "(cracked.txt|/tmp/cracker/find.txt): No such file or directory" and compilation errors ('nou.c:') shows some toolkits aren't working properly and provide at least some form of "early warning" if logs are actually read.
showing HTTP "/phpmyadmin/config.inc.php?c=" GET requests which AFAIK points to PMASA-2009-3 of 2009/Mar/24 / CVE-2009-1151 of 2009/Mar/26 aka the PhpMyAdmin remote code execution exploit. (And at least one unconfirmed source showed that on 2009/Jul/29 Debian Etch phpmyadmin 2.9.* still was unpatched.)
And there you have it: publicly accessable toolage that should not be (it does have "admin" in the name for a reason) and a vulnerable version to boot. I'll have a more thorough look at things since I haven't found the SHV5 rootkit entries but I'd say the ability to bring in compiled exploits, compiling code and executing tools undetected for over a month wraps things up pretty much.
HTH
Last edited by unSpawn; 09-07-2009 at 08:05 PM.
Reason: //more *is* more
so if I understand everything correct, then my problem was the outdated phpmyadmin. The attacker used a bug in the installed version to run some script, right?
Any idea if this is my only failure? Or should we look into something else as well?
Normally I check for updates regulaly, I have no clue why phpmyadmin wasn't updated
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.