Seems a machine I used to admin now has become compromised.

I've been running a few tests, and I can't say I'm happy with what I've found, but beeing no linux expert, I figurd I'd get som help.

Ebay contacted us and said we had been hosting a fake ebay front for them. Not a fun thing, and we found the page on our machine and all.

I'm supposed to find out what went wrong and got the machine compromised, and this is what came out when I ran rootkithunter:

These files come out bad in the file check:

/bin/ls [ BAD ]
/bin/mount [ OK ]
/bin/netstat [ BAD ]
/bin/ps [ BAD ]
/bin/su [ BAD ]

THe rootkit hunter comes out bad on two ocasions:

Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ Warning! ]

--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).
--------------------------------------------------------------------------------

Rootkit 'Sin Rootkit'... [ Warning! ]


After the rootkit check is done, it also reports this:

* Suspicious files and malware
Scanning for known rootkit strings [ BAD ]
Scanning for known rootkit files [ OK ]



* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
---------------------------------------------
Unusual files:
/dev/ttyoa: ASCII text
/dev/ttyof: ASCII text
/dev/ttyop: ASCII text
---------------------------------------------

This ain't so good, as when I check the dev files, they come up looking anything but clean:

/dev/ttyoa file contents:
2 213.233
2 217.10
2 193.231
2 80.97
3 6667
4 6667
3 7999
4 7999
3 31337
4 31337

/dev/ttyof file contents:
psbnc
smbd
iceconf.h
icekey.h
icepid.h
uptime
startwu
r00t

/dev/ttyop file contents:
3 swapd
3 psybnc
3 sl2
3 sl3
3 smbd
3 uptime
3 x2
3 startwu
3 scan
3 r00t

And when I do strings --all on the files mentioned as bad I see /dev/ttyop show up in /bin/ps (only one checked so far)


This is no doubt not good, but the machine is fairly protected, at least from a firewall point of view, with 3 or 4 ports open, beeing mail, ssh, httpd.

I have not beeing the one doing the updates on the machine, but was sent in to do the cleanup. Any sugestions on what to do next? I obviously should reinstall, and only keep the things most desperately needed, but is this most likely the work of a script-kiddy or something that has been configured wrong and allowed a hacker to take over?

First I would do as little as possible on the compromised machine, maybe get the output of lsof -i and then immediately take it offline. Immediately remove the drive and put it some place safe, then put a new drive in the system and do a reinstall.

Normally I'd suggest looking around the system and doing forensic analysis yourself, simply because most authorities won't really do much for the average hacked machine. In this case however, your system may contain info relevant to a phishing scam (fraud) and may be helpful in identifying the perpetrators. I'd contact ebay and ask them if they have any information regarding the use of your machine to commit fraud (the phishing scam). If so, you should contact your local authorities and report that you may have information regarding a phishing scam. If the fraud is involves significant financial losses, they may actually want the drive so that their own forensic specialists can examine it, so monkeying around on it is not a good idea.

Rootkit 'Dreams Rootkit'... [ Warning! ]
Only thing I read was 'Dreams' exploits a gzip buffer overflow.


/Unusual files:
/dev/ttyoa: ASCII text
The ttyo.* are config files for hiding stuff: A for netstat, P for ps.


This is no doubt not good, but the machine is fairly protected, at least from a firewall point of view, with 3 or 4 ports open, beeing mail, ssh, httpd.
Arbitrairy classification at least, as 'fairly protected' got the box compromised anyway. Take an older or unpatched version or insecure install and presto: root.


I'd make myself some disk images to work on if you care for that, for the rest I agree what CC wrote is the best approach.

I'd make myself a disk image to keep. Given the situation described, there is likely some serious liability for someone. I would make certain that I had a complete copy of the data that was on the system so that I could turn aside any attempt to make me the one liable.