Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hello community!
I have a serious security issue.
System: centos 6 fully updated
Software:
nginx version: nginx/0.8.54 (public IP)
httpd-2.2.15-5.el6.centos.x86_64 (127.0.0.1) + PHP
exim-4.72-2.el6.x86_64 (Public IP)
openssh-server-5.3p1-207.el6_9.38.x86_64 (Public ip non-standard port)
Percona-Server-server-51-5.1.58-rel12.9.271.rhel6.x86_64 (mysql-server) (127.0.0.1 + unix socket)
All these have SELinux policies. All packages are up to date.
One day I noticed thousands of mail rejects in my mailbox (root alias -> my email)
I found that mail wasn't send by apache but instead from root (can be found in /var/spool/exim/input/<file>). It was quite confusing for me and I've enabled additional auditing to /usr/sbin/sendmail which is alias to /usr/sbin/exim
notice uid in both outputs. In case of website uid is 1501. In case of spam source it's uid=0!!!
PID 27468 is not running for now. PPID 25264 also not running.
Notice the difference in the last line:
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
VS
subj=system_u:system_r:system_mail_t:s0 key=(null)
How do I find how this access was gained and how to investigate this incident further?
Any help appreciated
so you are running SELinux and GrSecurity? look through /var/log/message, /var/log/secure, and /var/log/maillog and look around the times that ausearch found for those. also it looks like you are running the MLS/MCS policy for selinux
Quote:
s0-s0:c0.c1023
the s is the "classification level" and the c is the "classification category". If you are running both i would recommend only running one or the other as 2 MAC systems are not going to play well together.
I use grsecurity only for PaX. I'm not using grsec MAC implementation.
I've forung nothing related to this time in logs. What I've forund is that according to ppid number it was one of exim processes who was parrent for process actually calling 'sendmail -t'
I removed exim and installed postfix. Any additional audit I can enable to find it?
And about MCS. I'm not using it of course.
The most interesting is how process got unconfined_t domain? The only way I know is through login process. But there is nothing in logs about ssh login. Any ideas?
Last edited by unSpawn; 09-13-2011 at 06:03 PM.
Reason: //Merge posts
Found in ps output
The parent is perl process running a file with blank name " " (without quotes)
I'm going to setup audit watch on perl call and trigger custom script to collect more details about process and it's parent.
Suggestions appreciated
I've replaced perl with bash script to log it's input to file.
But now I don't know how to catch real script callsr. Perl's ppid=1 which is unfortunately init
The strange thig is that according to audit.log auid of caller is auid=4294967295 which means user was never authenticated. Even apache when calling sendmail has auid=500
What auditd policy are you running? Your audit policy may not be catching everything it should.
Are you running GRsecurity without using the policy or are you just running pax?
What other hardening have you done to the system?
Are you running any type of host IDS. e.g. tripwire, aide, etc. If so have to checked it to see what all has changed?
Have you run rootkit hunter or chkrootkit? Any results?
1. auditd policy here
2. I'm running grsecurity patched kernel 2.6.34.45 without using grsecurity's MAC. Only for PaX + chroot hardening
3. Other hardening? Nothing special. ssh on non-standard post (didn't help). iptables permits only tcp 80, tcp 4422, tcp 21, tcp 25 incoming ports.
4. I'm not running any kond of IDS.
5. rkhuner showed only that there is something with perl (of cource I replaced perl with my bash script to get evil perl script content)
Other steps done:
sshd files are consistent, checksums are the same like on virgin centos 6 on my VM.
sshd_config explicitly denys root login.
I have no audit history about when this pid was burn. Only because I added rule to audit every run on sendmail and audit file limit was set to 5Mb with limit of 3 rotated files (already increased).
Now I killed this process and waiting to catch it again and check audit logs.
if you look in /usr/share/doc/audit-${version}/ there is a stig.rules that is pretty good. If you load that in it sets it to immutable so you have to reboot to change the rules or disable auditing. (for future, wont really help much for this incident).
From the initial read, I can think of three things to add:
1 - Since your running Centos, have you performed an RPM verify to see what binaries have been modified? You mentioned SSH verifying, but have you tried the others?
2 - In an early post, you mentioned the PERL with no file name and the /usr/bin/wget -q -O /tmp/a8dAmUYXNDE. I read this to mean that some files were uploaded to your system from some place. Can you confirm this. If so, what is the file? I would hazard a guess here that it would be safe to look at the file contents as I am sure that they have already been used to exploit you.
3 - your open ports are pretty sparse, but you have port 21 open, which is FTP. Are you running an (unencrypted) FTP site? Could this have been a possible intrusion vector?
Also, it looks pretty obvious that root was obtained. Does you SSH enable root login? If not, they would have had to use another path such as commandeer another process, such as apache, get a shell prompt, and then work away at getting root.
Noway2,
1. No. I'm looking for a solution to check file consistency by checksum. I don't know how to automate file consistency check.
2. root@notty called perl from bash and passed script to bash. You can download file on your own. It is encrypted in some way. I have to spend some time debugging the script to understand. I'll PM you the code of the script.
3. No. It's not FTP. I have fail2ban and ftp users are only allowed to login through ftp. + It's stable package from RedHat + I have Grsecurity kernel. It's unlikely that one can exploit something in proftpd
4. As I said in previous post Root login through ssh is denied. It's the most confusing part
I can see new trys to login as root from the same ip address. Does anybody know how to patch openssh-server sources to catch password which it sends? I want to know if root password was compromised somehow. I don't use root password as I have my account with sudo rights. I want to log data it sends somehow. It looks like it is some automated method to execute evil code since I see regular tries to login with root from the same IP:
The command to verify all of the packages would be: rpm -Va. See the following link from rpm.org. It also provides a nice description of what all the verify command does for you.
The first file that was uploaded to pastebin is obviously the mail script. I agree that the other file is encrypted some how. I can't recall the exact details off hand, but I remember something about using a rotate command to shift all the data to obfuscate the code. It is a reversible process and was a popular technique at one point. Another possibility would be base64 encoding.
Unfortunately, there is no way (that I know of) to record the SSH passwords. This was done by design. There is actually a whole thread on this subject in LQ-Sec from not too long ago. The IP address that is being used is a static ip from a hosting provider in California, called TVC.net (the virtual company). Undoubtedly, belonging to someone else compromised machine.
Your services look pretty well locked down and hopefully you have enough log information intact to give some good leads. Clearly they were able to upload and execute code, as root, so it is extremely important for you to find and plug this hole. My recommendation would be to verify the RPM packages to see if any have been altered, use the find command to locate any strange or unusual files in a location like /tmp. The CERT checklist has some really good examples of how to do this. Next, I would look at the output of the following commands: ps axfwwwwe, netstat -pane and lsof -Pwn. You will need to run these commands as root. I would verify the packages first as it is possible to alter the binaries to give incorrect information. Following this, would be a painstaking review of the logs. Running them through logwatch on high detail level can often times catch things that are hard for a human to see. On the other hand, scanning through the logs, and simply looking for unique visual patterns, as the logs repeat a lot), can catch things that the tools miss.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.