Empty outputs of "w" and "who" command

unSpawn · 07-19-2014, 02:31 AM

Kind of depends. Start by reading, then telling us more about the system and then collecting some basic information.

0.) Before you start read the Intruder Detection Checklist (CERT): http://web.archive.org/web/200801092...checklist.html (formerly: http://www.cert.org/tech_tips/intrud...checklist.html) as it contains basic checks and commands to run if you haven't got a clue where to look. (When we're done you may want to read parts of our LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261.)

1.) If used by others please notify other users the system was compromised and that they should change credentials (SSH keys, pass phrases, passwords) used to access that system and systems they access from the compromised machine.

2.) Run command #1 (see bottom of post) and then mitigate damage by disabling unnecessary services like webserver, any webservers on other ports included in web-based management panels, database, FTP, etc, etc.
*If you don't have Out of Band access (DRAC, IPMI, other type of remote console) you will need to keep SSH access.
**If unsure at least stop unnecessary services and limit access (using the firewall or where applicable) /etc/hosts.allow) to your (management) IP address or IP range.

3.) Only after stabilising prepare backups. Mark this and any previous backups as unfit for reuse, they'll only serve as reference.
* Any talk of repartitioning, reformatting and re-installing is off limits during the investigation. We'll get to that.

4.) Now lets build an understanding of the situation. Questions:
- What is the location (home, office, colocation, could, other) of the machine,
- does audit data (/var/log/audit, /var/log/secure or equivalent, AIDE, Samhian or even tripwire logs) exist?,
- does auth data (per service log files, /var/log/secure, /var/log/btmp*, /var/log/wtmp*) exist and does it go back to before command #0 (see bottom of post),
- do system and daemon logs exist and also go back to before a perceived date of compromise,
- which services the machine or machines provide (including web-based management panels, statistics, web log, forum, shopping cart, plugins, themes, addons and other software if any),
- was the software was kept up to date,
- have there been earlier breaches or anomalies,
- have you found setuid root files in /tmp or any other directory the ftp user, web server user or unprivileged users can write to,
- have you seen any "odd" commands in user shell histories,
- also if users connect via SSH using passwords or FTP do check, or have them virus scan, their systems.

5.) Post back results from the actions performed as per the CERT Intruder Detection Checklist. Then get your system and daemon logs and audit data off of the compromised server and onto a workstation you can trust. Run those log files through Logwatch (see command #2).

6.) Please compress the resulting logs from the commands I asked you to run. Contact me to discuss dropping them off.

*I know, that's a lot to answer but the more detailed you respond the better we start investigating.
Please ask specific questions before performing if necessary and please reply verbosely.
Please stay with the thread (subscribe?) until completion and reply as soon as possible when replies are posted.

Code:

# 0.: command to show modification dates. Select the earliest one. Your system logs should go back to before that date.

stat /usr/sbin/sshd /usr/bin/w /usr/bin/who|grep ^Mod|sort -k2' 


# 1.: commands to fetch volatile data before killing processes and closing off services:

( /bin/ps axfwwwe -opid,ppid,gid,uid,cmd 2>&1; /usr/sbin/lsof -Pwln 2>&1; /bin/ls -al /var/spool/cron 2>&1; /bin/netstat -anTpe 2>&1; /usr/bin/lastlog 2>&1; /usr/bin/last -wai 2>&1; /usr/bin/who -a 2>&1; ) | tee /tmp/log0.txt


# 2.: Logwatch usage, using the "--detail High --service All --range All --archives --numeric" args.
#     (With perl-Date-Manip installed a range can also be expressed like "--range 'between 2012/11/26 and 2012/12/01'": see --range Help). 
#     If you can't find Logwatch prefix its whole path, should be something like "usr/share/logwatch/scripts/".

logwatch.pl --numeric --detail High --service All --range All --archives --print 2>&1 | tee /tmp/log1.txt


# 3.: Find MAC times: 

find / -printf "%T@ %A@ %C@ %u %g %m %y \"%p\"\n" 2>&1 | tee /tmp/log2.txt

agocs · 07-21-2014, 09:25 AM

OMG, thanks for the detailed scenario, I'll try to go through these questions as fast as I can, and reply.

agocs · 07-22-2014, 04:52 AM

So, after some investigation, I found some strange things. An unknown line in root crontab:

Code:

* * * * * /.../lib/update >/dev/null 2>&1

This /.../lib/ contains scripts and othoer files of an IRC proxy called "miau".
The Change time of sshd and who is the same day as this /.../ directory was created.

Only /usr/sbin/sshd and /aquota.user has the immutable flag in the filesystem. As far as I can tell, there are no suspicious root setuid files:

Quote:

/bin/mount
/bin/su
/bin/umount
/bin/ping6
/bin/ping
/bin/fusermount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/sudoedit
/usr/bin/traceroute6.iputils
/usr/bin/lppasswd
/usr/bin/mtr
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/lib/apache2/suexec
/usr/lib/pt_chown
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/plesk-9.0/psa-sendmail
/usr/lib/authbind/helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/include/arpa/suid
/etc/sw/keys/restart/plesk-key-handler
/etc/sw/keys/restart/apskeyhandler
/opt/psa/bin/chrootsh
/opt/psa/handlers/hooks/sender_id
/opt/psa/admin/sbin/mod_wrapper
/opt/psa/admin/sbin/wrapper
/opt/libexec/ssh-keysign

/var/log/secure is empty, /var/log/{u,b,w}tmp exist and has up-to-date modification times.

I also found a key in root's authorized_keys which was not familiar to any users who have access to the server. But that could be a key which we used when we moved to this server from our previous one this year.

The auth.log for the day Jun 13 has unfortunately been purged already. The earliest day of auth.log.4.gz is Jun 22.

This host is a webserver.

unSpawn · 07-22-2014, 03:38 PM

Code:

stat /... /.../lib /.../lib/update /usr/sbin/sshd /aquota.user
strings -an1 /.../lib/update 
file /aquota.user; strings -an1 /aquota.user

agocs · 07-23-2014, 03:14 AM

Quote:

Originally Posted by unSpawn

Code:

stat /... /.../lib /.../lib/update /usr/sbin/sshd /aquota.user
strings -an1 /.../lib/update 
file /aquota.user; strings -an1 /aquota.user

Code:

# stat /... /.../lib /.../lib/update /usr/sbin/sshd /aquota.user
  File: `/...'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 804h/2052d      Inode: 12189703    Links: 3
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-21 16:33:14.357846216 +0200
Modify: 2014-07-13 11:58:44.995568262 +0200
Change: 2014-07-13 11:58:44.995568262 +0200
 Birth: -
  File: `/.../lib'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 804h/2052d      Inode: 12189705    Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-22 14:48:18.212901455 +0200
Modify: 2014-07-22 14:48:04.092901041 +0200
Change: 2014-07-22 14:48:04.092901041 +0200
 Birth: -
  File: `/.../lib/update'
  Size: 148             Blocks: 8          IO Block: 4096   regular file
Device: 804h/2052d      Inode: 12189715    Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-22 12:05:01.016614179 +0200
Modify: 2014-07-13 12:02:55.779575616 +0200
Change: 2014-07-13 12:02:55.779575616 +0200
 Birth: -
  File: `/usr/sbin/sshd'
  Size: 300536          Blocks: 592        IO Block: 4096   regular file
Device: 804h/2052d      Inode: 8782883     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-22 11:24:40.984543217 +0200
Modify: 2013-10-11 02:16:28.000000000 +0200
Change: 2014-06-13 06:33:44.245951424 +0200
 Birth: -
  File: `/aquota.user'
  Size: 10240           Blocks: 24         IO Block: 4096   regular file
Device: 804h/2052d      Inode: 3957        Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-07 14:51:41.319086812 +0200
Modify: 2014-07-07 14:51:41.319086812 +0200
Change: 2014-07-07 14:51:41.319086812 +0200
 Birth: -

Code:

# strings -an1 /.../lib/update
#!/bin/sh
if test -r /.../lib/pid; then
pid=$(cat /.../lib/pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /.../lib
./r &>/dev/null

Code:

# file /aquota.user; strings -an1 /aquota.user
/aquota.user: data
:
:

\p
'
!

d
`
e
"
&

h
|
!

i

W
j
k
`
'
pQ
'
m
'
'
Z
n
v
@
'

:
o
%
P
'
0
p
'
l'
Y
p
'
+=
P~
'
1
50
p
'
@
'
0
'
x
`
'
ZJ
'
GO
t
'
Ms
'
1
 D
'

 '
b
!'

;
"'
-
O
#'
0

$'
Q
`
%'

&'
r
0:

And here is the "CRON" process, which does the dirty thing. This one is running since the date of the modifications in the system:

Code:

# lsof -p 19305
COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF     NODE NAME
CRON    19305 root  cwd    DIR      8,4     4096 12189705 /.../lib
CRON    19305 root  rtd    DIR      8,4     4096        2 /
CRON    19305 root  txt    REG      8,4   197981 12189712 /.../lib/init
CRON    19305 root  mem    REG      8,4    83776  6819187 /lib/i386-linux-gnu/libresolv-2.15.so
CRON    19305 root  mem    REG      8,4    22080  6819195 /lib/i386-linux-gnu/libnss_dns-2.15.so
CRON    19305 root  mem    REG      8,4    47040  6819198 /lib/i386-linux-gnu/libnss_files-2.15.so
CRON    19305 root  mem    REG      8,4  1734120  6819201 /lib/i386-linux-gnu/libc-2.15.so
CRON    19305 root  mem    REG      8,4    34316  6815993 /lib/i386-linux-gnu/libcrypt-2.15.so
CRON    19305 root  mem    REG      8,4   134344  6819191 /lib/i386-linux-gnu/ld-2.15.so
CRON    19305 root    0u   CHR    136,0      0t0        3 /dev/pts/0 (deleted)
CRON    19305 root    1w   REG      8,4     2934 12189716 /.../lib/log
CRON    19305 root    2u   CHR    136,0      0t0        3 /dev/pts/0 (deleted)
CRON    19305 root    3u  IPv4 15510859      0t0      TCP *:11651 (LISTEN)
CRON    19305 root    4u   REG      8,4     1423 12189704 /.../lib/inbox
find / CRON    19305 root    5u  IPv4 17883808      0t0      TCP myserver:5186->91.236.182.1:6668 (ESTABLISHED)

I tried to find this CRON with capitals with find, but no match. It seems the ps output was manipulated with this "psf -- Process Stack Faker" which is also in the /.../lib/ directory. I've sent you the content of the whole dir by mail.

unSpawn · 07-24-2014, 01:03 AM

OK, let's see what we got so far:

- This host is a webserver. It runs unknown software of which we don't know if it was kept up to date. It does run Plesk.
- 383 files have MD5 hash mismatches, among which files you'd expect to change like Plesk php.ini but als files that should not like /usr/sbin/sshd.
- Additionally there's at least one setuid root file I don't recognize as such: /usr/include/arpa/suid.
- A potentially foreign SSH pubkey in root's authorized_keys (root shouldn't be accessed over the 'net anyway).
- Directories and files were created on July 13th.
- /var/log/secure is empty but there's no 'stat' data given.
- System logs like auth.log are insufficiently long rotated to allow for investigation.

As not all questions were answered this leaves insufficient clues to answer critical questions, and I'll cut this short by suggesting you change all credentials, mark backups as tainted, set up a new host, properly harden it, do not load data that wasn't inspected thoroughly and start anew.

agocs · 07-24-2014, 05:20 AM

Quote:

Originally Posted by unSpawn

OK, let's see what we got so far:

- This host is a webserver. It runs unknown software of which we don't know if it was kept up to date. It does run Plesk.
- 383 files have MD5 hash mismatches, among which files you'd expect to change like Plesk php.ini but als files that should not like /usr/sbin/sshd.
- Additionally there's at least one setuid root file I don't recognize as such: /usr/include/arpa/suid.
- A potentially foreign SSH pubkey in root's authorized_keys (root shouldn't be accessed over the 'net anyway).
- Directories and files were created on July 13th.
- /var/log/secure is empty but there's no 'stat' data given.
- System logs like auth.log are insufficiently long rotated to allow for investigation.

As not all questions were answered this leaves insufficient clues to answer critical questions, and I'll cut this short by suggesting you change all credentials, mark backups as tainted, set up a new host, properly harden it, do not load data that wasn't inspected thoroughly and start anew.

I could also get log0.txt (netstat gave error beacause of an unknown parameter "T") and log2.txt. (However these outputs have some sensitive data too, imho of my currently vulnerable host.) Logwatch was not installed, I did it now, but it does not know "--print" parameter, and without it, it gives no output, only running and does not give output. (Even it's default output is stdout.)

unSpawn · 07-25-2014, 01:45 AM

Quote:

Originally Posted by agocs

I could also get log0.txt (netstat gave error beacause of an unknown parameter "T")

Then you could have asked right there and then. In the "old" netstat I use as reference "-T" stands for "do not trim long lines".

Quote:

Originally Posted by agocs

and log2.txt. (However these outputs have some sensitive data too, imho of my currently vulnerable host.)

All I can say is any information you share is treated carefully and you alone decide to obfuscate details and share data (or not).

Quote:

Originally Posted by agocs

Logwatch was not installed, I did it now, but it does not know "--print" parameter, and without it, it gives no output, only running and does not give output. (Even it's default output is stdout.)

With all due respect I did not say "install Logwatch", I said: "Then get your system and daemon logs and audit data off of the compromised server and onto a workstation you can trust. Run those log files through Logwatch (see command #2)."

Apart from that please go over the questions again. You may find you haven't answered all and you may find you haven't replied as verbose as possible. For example you said "this is a web server" while I asked "which services the machine or machines provide (including web-based management panels, statistics, web log, forum, shopping cart, plugins, themes, addons and other software if any), was the software was kept up to date, have there been earlier breaches or anomalies,".

Also please indicate if you're working on setting up a new machine and if the victimized one is properly isolated by now.

agocs · 07-25-2014, 04:15 AM

The problem is, that I am not administering this server officially, I was only trying to help a friend to find out what happened. (I am not even a pro Linux administrator nor the owner is.) I also have two of my sites on this server so I only know anything about those. (They're Wordpress blogs.) I don't know what type of other sites are hosted on this (~ 20 sites), what services, shopping carts, plugins, etc. do they provide. This also means, that I do not have much time to spend on this investigation unfortunately, because I have to do my job too. I told your advice to the owner of the server, but right now, there's no resource to set up a new server from scratch, as it would take about 2 weeks with all the tasks. So, at least for now, we have to move on with this server. This server hosts only non-profit sites, and because of this, no professional support could be afforded. I know, it sounds scary, but that what we have now: limited resource (time and knowledge) to run this host.
The packages are updated only once or twice a year. The owner wants to do it now again, because it is timely now.
I am grateful for your help, but it can be seen that it's quite difficult to do this investigation because of our circumstances (limited resources, server services can't be shutted down, not being able to move to new one, etc.)
So right now, until there is time to set up a new server, we need to focus on patching this one as much as we can, and try to be alert for any alien activities, do any precautionary measure if possible to detect them.
Plus, both the owner and me are going on vacation now for a week. So we're trying to survive now until we're back.
Then, if you can give us any further tips/instructions to try to harden this host as we can, or about anything else, I'd be grateful. If you don't want to put any further effort to this intrusion, I totally understand. (This is like cooking a soup from water and and salt only...)

unSpawn · 07-26-2014, 03:54 AM

Quote:

Originally Posted by agocs

The packages are updated only once or twice a year. The owner wants to do it now again, because it is timely now.

Right now it appears this machine was compromised about forty days ago. It's not some "simple" breach confined to one single web site but a root compromise. So in my book "timely" isn't a word one should use in a case like this when throwing up hedges, making excuses and showing signs of procrastination.

Quote:

Originally Posted by agocs

This server hosts only non-profit sites, and because of this, no professional support could be afforded.

That simply is a misconception.

To start with, and regardless of where this server is hosted, somebody pays real money for the location, security (if any), electricity, lines, equipment and maintenance. Then setting up a server, installing, configuring and maintaining the OS requires knowledge, time and effort. Which equals money. Supporting clients with their applications, questions and troubleshooting requires knowledge, time and effort as well. Which equals money as well. Now running a non-profit may require all sorts of registration like with the Chamber of Commerce, the Tax Office, etc, etc and there'll be legal requirements like keeping the books. Which requires knowledge, time and effort as well. Which equals money too. So unless you're blithely living under a Rock you know damn well there is no such thing as "free money".

Secondly, and no matter what kind of business one is in, a web site is an efficient way to share information, attract potential customers and build a business. No matter what goods or services a business is selling, the basis for this all is building a trust relationship with clients. Do I need to explain what a lack of trust does for ones business and brand image? What's worse, do you have any idea what it takes to try and regain trust?

Third customers trusted this machines owner to take responsibility for hosting these businesses web sites and keep them from harm. If s/he judges her or his level of professionalism not to be up to par then s/he shouldn't have taken on the job IMHO. Now apart from combating hedges and misconceptions in the end there's only so much I can do to instil a sense of urgency. Remember Linux may be free to use but using it isn't free of responsibilities. Ultimately this machines owner has to take responsibility.

Quote:

Originally Posted by agocs

(..) I am not administering this server officially, (..) (I am not even a pro Linux administrator nor the owner is.) I also have two of my sites on this server so I only know anything about those. (They're Wordpress blogs.) I don't know what type of other sites are hosted (..) I do not have much time to spend on this investigation (..) right now, there's no resource to set up a new server from scratch, as it would take about 2 weeks with all the tasks. (..) it's quite difficult to do this investigation because of our circumstances (limited resources, server services can't be shutted down, not being able to move to new one, etc.) (..) So, at least for now, we have to move on with this server. (..) what we have now: limited resource (time and knowledge) to run this host. (..) So right now, until there is time to set up a new server, we need to focus on patching this one as much as we can, and try to be alert for any alien activities, do any precautionary measure if possible to detect them. (..) Plus, both the owner and me are going on vacation now for a week. (..)

You may say you're not administering this server officially but you're the one that alerted us to this case more than two weeks ago. Plus you clearly already have root access so there's no excuse not to find out. Plus I think I've outlined what you should do quite well so it's not like you have to figure out all things and all by yourself. And provided you are actually willing to put in the work a migration could have been done over the weekend.

In short: we're talking about an ongoing root compromise, so this server can not be kept in use and patched. Willingly allowing unsuspecting customers to have their credentials sniffed and data robbed is nothing short of criminal negligence. To drive the point home: wow would you feel if your Bank told you it sniffed and sold your data for the past year?