Linux - Security This forum is for all security related questions.
Old 04-05-2005, 12:47 PM   #1
LQ Newbie
Registered: Jun 2003
Location: Dunedin NZ
Distribution: RedHat
Posts: 5

Compromised machine

Seems a machine I used to admin now has become compromised.

I've been running a few tests, and I can't say I'm happy with what I've found, but being no Linux expert, I figured I'd get some help.

Ebay contacted us and said we had been hosting a fake ebay front for them. Not a fun thing, and we found the page on our machine and all.

I'm supposed to find out what went wrong and got the machine compromised, and this is what came out when I ran rootkithunter:

These files come out bad in the file check:

/bin/ls [ BAD ]
/bin/mount [ OK ]
/bin/netstat [ BAD ]
/bin/ps [ BAD ]
/bin/su [ BAD ]

The rootkit hunter comes out bad on two occasions:

Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ Warning! ]

Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).

Rootkit 'Sin Rootkit'... [ Warning! ]

After the rootkit check is done, it also reports this:

* Suspicious files and malware
Scanning for known rootkit strings [ BAD ]
Scanning for known rootkit files [ OK ]

* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
Unusual files:
/dev/ttyoa: ASCII text
/dev/ttyof: ASCII text
/dev/ttyop: ASCII text

This ain't so good, as when I check the dev files, they come up looking anything but clean:

/dev/ttyoa file contents:
2 213.233
2 217.10
2 193.231
2 80.97
3 6667
4 6667
3 7999
4 7999
3 31337
4 31337

/dev/ttyof file contents:

/dev/ttyop file contents:
3 swapd
3 psybnc
3 sl2
3 sl3
3 smbd
3 uptime
3 x2
3 startwu
3 scan
3 r00t

And when I do strings --all on the files mentioned as bad, I see /dev/ttyop show up in /bin/ps (only one checked so far).

This is no doubt not good, but the machine is fairly protected, at least from a firewall point of view, with 3 or 4 ports open, being mail, ssh, httpd.

I have not been the one doing the updates on the machine, but was sent in to do the cleanup. Any suggestions on what to do next? I obviously should reinstall, and only keep the things most desperately needed, but is this most likely the work of a script-kiddy or something that has been configured wrong and allowed a hacker to take over?
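The two findings in this post (plain-text files sitting in /dev, and the path of one of them turning up in `strings` output of /bin/ps) are the kind of thing worth re-checking on a copy of the disk rather than by hand on the live box. The following shell script is an added example, not rkhunter's code and not something from this thread: it lists regular files under a /dev tree, counts entries in the `<code> <value>` layout shown above, and greps candidate binaries for a reference to each such file. The sample tree it builds is constructed from the file contents the poster listed; the fake "binaries" are a few bytes with an embedded path, and the directory arguments are assumed to point at a read-only mounted image.

```shell
#!/bin/sh
# Added example, not rkhunter's code and not from the thread. Re-creates the two
# findings above in one place so they can be tied together on a copy of the disk:
#   1. regular (non-device) files under a /dev tree, as rkhunter flagged
#   2. which candidate binaries carry a reference to such a file (the poster's
#      `strings --all /bin/ps` check)
# All paths are parameters; point them at a read-only mounted image, not the live box.

# Regular files under a dev tree, one per line. A real /dev holds device nodes,
# symlinks and directories, so a plain file there is unusual and worth reading.
find_regular_dev_files() {
    find "$1" -type f 2>/dev/null | sort
}

# Number of "<code> <value>" lines in a file, the layout of /dev/ttyoa and
# /dev/ttyop above (prints 0 rather than failing when there are none).
count_hidelist_entries() {
    grep -c -E '^[0-9]+ [^ ]+$' "$1" || true
}

# Print each binary in "$@" whose bytes contain the path string in $1.
# A replaced ps/netstat has to open its hide list somewhere, so the path shows
# up inside the binary the same way it did in the poster's strings output.
binaries_referencing() {
    path="$1"; shift
    for bin in "$@"; do
        if [ -f "$bin" ] && grep -q -a -F -- "$path" "$bin"; then
            echo "$bin"
        fi
    done
}

# Constructed sample tree for a dry run. File contents copied from the thread;
# the "binaries" are a few bytes with an embedded path, not real ELF files.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/dev" "$d/bin"
    printf '2 213.233\n2 217.10\n2 193.231\n2 80.97\n3 6667\n4 6667\n3 7999\n4 7999\n3 31337\n4 31337\n' > "$d/dev/ttyoa"
    : > "$d/dev/ttyof"
    printf '3 swapd\n3 psybnc\n3 sl2\n3 sl3\n3 smbd\n3 uptime\n3 x2\n3 startwu\n3 scan\n3 r00t\n' > "$d/dev/ttyop"
    printf 'FAKE-ELF\0/dev/ttyop\0' > "$d/bin/ps"      # constructed: references a hide list
    printf 'FAKE-ELF\0/etc/mtab\0' > "$d/bin/mount"    # constructed: clean
    echo "$d"
}

# report DEV_DIR BIN_DIR: for every regular file under DEV_DIR, how many
# hide-list style lines it has and which binaries in BIN_DIR name it by its
# real /dev path (the path a trojaned tool would open on the running system).
report() {
    for f in $(find_regular_dev_files "$1"); do
        echo "$f: $(count_hidelist_entries "$f") hide-list style entries"
        binaries_referencing "/dev/$(basename "$f")" "$2"/* | sed 's/^/  referenced by: /'
    done
}

# Dry run against the constructed tree: ./devcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(build_demo_tree)
    report "$d/dev" "$d/bin"
    rm -rf "$d"
fi
```

On a mounted image the call would be `report /mnt/evidence/dev /mnt/evidence/bin` (paths assumed). The `-a` on grep is what lets it search a binary; without it GNU grep reports only "Binary file matches" and the per-file output of `binaries_referencing` would still work, but `-a -F --` keeps the match literal and the path safe even if it begins with a dash.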
Old 04-05-2005, 02:24 PM   #2
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

First I would do as little as possible on the compromised machine, maybe get the output of lsof -i and then immediately take it offline. Immediately remove the drive and put it some place safe, then put a new drive in the system and do a reinstall.

Normally I'd suggest looking around the system and doing forensic analysis yourself, simply because most authorities won't really do much for the average hacked machine. In this case however, your system may contain info relevant to a phishing scam (fraud) and may be helpful in identifying the perpetrators. I'd contact ebay and ask them if they have any information regarding the use of your machine to commit fraud (the phishing scam). If so, you should contact your local authorities and report that you may have information regarding a phishing scam. If the fraud involves significant financial losses, they may actually want the drive so that their own forensic specialists can examine it, so monkeying around on it is not a good idea.

Last edited by Capt_Caveman; 04-05-2005 at 02:52 PM.
Old 04-05-2005, 02:38 PM   #3
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rootkit 'Dreams Rootkit'... [ Warning! ]
Only thing I read was 'Dreams' exploits a gzip buffer overflow.

Unusual files:
/dev/ttyoa: ASCII text

The ttyo.* are config files for hiding stuff: A for netstat, P for ps.

This is no doubt not good, but the machine is fairly protected, at least from a firewall point of view, with 3 or 4 ports open, beeing mail, ssh, httpd.
Arbitrary classification at least, as 'fairly protected' got the box compromised anyway. Take an older or unpatched version or insecure install and presto: root.

I'd make myself some disk images to work on if you care for that, for the rest I agree what CC wrote is the best approach.
Old 04-05-2005, 11:20 PM   #4
Senior Member
Registered: Sep 2003
Posts: 3,171

I'd make myself a disk image to keep. Given the situation described, there is likely some serious liability for someone. I would make certain that I had a complete copy of the data that was on the system so that I could turn aside any attempt to make me the one liable.
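The replies agree on the order of operations: capture the live network state once, take the box offline, set the original drive aside, and work only on an image whose integrity you can show. The script below is an added example (not from any of the posters, and not a tool's own code) that puts those steps into functions: a one-shot `lsof -i` capture, a `dd` image with SHA-256 of both source and image recorded beside it, and a check that the two hashes agree. It assumes coreutils (`dd`, `sha256sum`, `cut`) and optionally `lsof`; the device name and evidence directory in the usage section are assumptions to be replaced with yours.

```shell
#!/bin/sh
# Added example, not from the thread. The evidence-preservation steps the replies
# describe, in order: capture network state once on the live box, then, after it
# is offline and the original drive is set aside, image that drive on a clean
# machine and record SHA-256 of both source and image so the copy you work on is
# demonstrably the same bytes. Assumes coreutils (dd, sha256sum, cut); lsof is
# optional. Device and directory names below are assumptions.

# One-shot capture of listening and connected sockets. -n and -P stop lsof from
# resolving names, which is slower and itself sends traffic from a suspect host.
capture_live_state() {           # $1 = evidence directory; prints the file written
    mkdir -p "$1"
    if command -v lsof >/dev/null 2>&1; then
        lsof -i -n -P > "$1/lsof-i.txt" 2>&1 || true
    else
        echo "lsof not available on this host" > "$1/lsof-i.txt"
    fi
    echo "$1/lsof-i.txt"
}

# Bit-for-bit image of $1 into $2, plus hashes of both sides. bs=512 matches the
# sector size, so conv=sync only pads where a read actually failed; a hash
# mismatch therefore points at unreadable sectors (see $2.dd.log), not at a bug.
image_drive() {                  # $1 = source device or file, $2 = image path; prints image hash
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.dd.log"
    sha256sum "$1" | cut -d' ' -f1 > "$2.source.sha256"
    sha256sum "$2" | cut -d' ' -f1 > "$2.sha256"
    cat "$2.sha256"
}

# Exit status 0 when the image hash equals the source hash recorded beside it.
image_matches_source() {         # $1 = image path
    [ "$(cat "$1.sha256")" = "$(cat "$1.source.sha256")" ]
}

# Usage (two separate stages, on two different machines):
#   on the compromised box, before unplugging it:  ./preserve.sh --capture /root/evidence
#   on a clean box with the pulled drive attached: ./preserve.sh --image /dev/sdX /mnt/evidence/disk.img
# /dev/sdX is a placeholder; confirm the device with lsblk before imaging.
case "${1:-}" in
    --capture) capture_live_state "${2:-/root/evidence}" ;;
    --image)
        [ -n "${2:-}" ] && [ -n "${3:-}" ] || { echo "usage: $0 --image SOURCE IMAGE" >&2; exit 2; }
        image_drive "$2" "$3"
        image_matches_source "$3" && echo "image verified against source" ;;
esac
```

Keeping the source hash in a separate file next to the image is deliberate: if the drive later goes to someone else's forensic team, you can hand over the image, both hash files and the dd log together, and anyone can re-run `sha256sum` to confirm nothing changed while the copy was in your hands.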


All times are GMT -5.