LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-06-2011, 08:00 PM   #46
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86

Quote:
Originally Posted by slimm609 View Post
MartinM: would you please tar up the /usr/games/go directory and mail them to hangdog if he does not have a problem with that.


Hangdog: would you please forward the other stuff he sent to the group also. If you don't have a problem receiving the other files also forward those as well. There may be some useful info in there to help track this down and maybe something useful for future detection and maybe some info useful for Rkhunter. If you do not feel comfortable receiving the files just say so and I will get in contact with him to forward and see what is going on.
That would be great, but MartinM, please run the below command and post the output first or you will overwrite the last access timestamps.

ls -altuh /usr/games/go/backdor

That will tell if the file was accessed and one possibility of that happening is it was executed. Definitely other ways to tell when the rootkit was installed as well such as reading the setup script and looking at timestamps from new or modified files, but we might as well collect all the evidence we can, while we can.
 
Old 05-06-2011, 09:47 PM   #47
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Good call on that one OlRoy. I missed the fact there was another directory in there.

if you want to keep it all together you can do a

ls -altuhR /usr/games/go to capture all the directories recursively.
 
Old 05-07-2011, 02:32 AM   #48
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Goodmorning, I'm back behind the Mac, as you can see

I have made a tar (I hope ) by using this:
Code:
mmn001:/usr# tar cvzf games_go.tgz games
If that's correct, I will send it to hangdog asap.

Underneath are the results (from before making the tar) of the info-requests by OlRoy and slimm609:

Quote:
Originally Posted by OlRoy View Post
That would be great, but MartinM, please run the below command and post the output first or you will overwrite the last access timestamps.

ls -altuh /usr/games/go/backdor

That will tell if the file was accessed and one possibility of that happening is it was executed. Definitely other ways to tell when the rootkit was installed as well such as reading the setup script and looking at timestamps from new or modified files, but we might as well collect all the evidence we can, while we can.

Code:
mmn001:/# ls -altuh /usr/games/go/backdor
total 596K
drwxr-xr-x 2 sw-cp-server 1000 4.0K May  7 09:28 .
drwxr-xr-x 3 root         root 4.0K May  7 00:25 ..
-rwxr-xr-x 1 sw-cp-server 1000  25K May  5 01:32 setup
-rwxr-xr-x 1 sw-cp-server 1000 491K May  5 01:32 bin.tgz
-rwxr-xr-x 1 sw-cp-server 1000  442 May  5 01:32 conf.tgz
-rwxr-xr-x 1 sw-cp-server 1000  29K May  5 01:32 lib.tgz
-rwxr-xr-x 1 sw-cp-server 1000  25K May  5 01:32 setup~
mmn001:/#

Quote:
Originally Posted by slimm609
ls -altuhR /usr/games/go to capture all the directories recursively.

Code:
mmn001:/# ls -altuh /usr/games/go/backdor
total 596K
drwxr-xr-x 2 sw-cp-server 1000 4.0K May  7 09:28 .
drwxr-xr-x 3 root         root 4.0K May  7 00:25 ..
-rwxr-xr-x 1 sw-cp-server 1000  25K May  5 01:32 setup
-rwxr-xr-x 1 sw-cp-server 1000 491K May  5 01:32 bin.tgz
-rwxr-xr-x 1 sw-cp-server 1000  442 May  5 01:32 conf.tgz
-rwxr-xr-x 1 sw-cp-server 1000  29K May  5 01:32 lib.tgz
-rwxr-xr-x 1 sw-cp-server 1000  25K May  5 01:32 setup~
mmn001:/# ls -altuhR /usr/games/go
/usr/games/go:
total 2.5M
drwxr-xr-x 3 root         root 4.0K May  7 09:30 .
drwxr-xr-x 2 sw-cp-server 1000 4.0K May  7 09:28 backdor
drwxr-xr-x 3 root         root 4.0K May  7 00:25 ..
-rwxr-xr-x 1 root         root  838 May  6 23:48 1
-rwxr-xr-x 1 root         root  956 May  6 23:48 10
-rwxr-xr-x 1 root         root  782 May  6 23:48 2
-rwxr-xr-x 1 root         root  889 May  6 23:48 3
-rwxr-xr-x 1 root         root  898 May  6 23:48 4
-rwxr-xr-x 1 root         root  836 May  6 23:48 5
-rwxr-xr-x 1 root         root  808 May  6 23:48 6
-rwxr-xr-x 1 root         root  897 May  6 23:48 7
-rwxr-xr-x 1 root         root  846 May  6 23:48 8
-rwxr-xr-x 1 root         root  845 May  6 23:48 9
-rwxr-xr-x 1 root         root 1.4K May  6 23:48 a
-rwxr-xr-x 1 root         root  22K May  6 23:48 common
-rwxr-xr-x 1 root         root  265 May  6 23:48 gen-pass.sh
-rwxr-xr-x 1 root         root   94 May  6 23:48 go
-rwxr-xr-x 1 root         root 1001 May  6 23:48 go.sh
-rw-r--r-- 1 root         root 1.1M May  6 23:48 mfu.txt
-rw-r--r-- 1 root         root 8.4K May  6 23:48 pass_file
-rwxr-xr-x 1 root         root  21K May  6 23:48 pscan2
-rwxr-xr-x 1 root         root 6.4K May  6 23:48 scam
-rwxr-xr-x 1 root         root  197 May  6 23:48 secure
-rwxr-xr-x 1 root         root 444K May  6 23:48 ss
-rwxr-xr-x 1 root         root 823K May  6 23:48 ssh-scan
-rw-r--r-- 1 root         root  20K May  6 23:48 vuln.txt

/usr/games/go/backdor:
total 596K
drwxr-xr-x 2 sw-cp-server 1000 4.0K May  7 09:30 .
drwxr-xr-x 3 root         root 4.0K May  7 09:30 ..
-rwxr-xr-x 1 sw-cp-server 1000  25K May  5 01:32 setup
-rwxr-xr-x 1 sw-cp-server 1000 491K May  5 01:32 bin.tgz
-rwxr-xr-x 1 sw-cp-server 1000  442 May  5 01:32 conf.tgz
-rwxr-xr-x 1 sw-cp-server 1000  29K May  5 01:32 lib.tgz
-rwxr-xr-x 1 sw-cp-server 1000  25K May  5 01:32 setup~
mmn001:/#

Last edited by MartinM; 05-07-2011 at 02:48 AM. Reason: Addition
 
Old 05-07-2011, 03:57 AM   #49
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
dpkg -l psa

The above will apparently give you the Plesk version. It seems you were running FTP, and there was a Plesk/ProFTPD vulnerability here. Again, your logs are going to be your best shot at determining how this happened. Grep your logs for signs of a successful password guessing attack by searching for accepted password for root and also examine the logs for signs Plesk was exploited.
 
Old 05-07-2011, 04:13 AM   #50
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Code:
mmn001:/# dpkg -l psa
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                               Version                            Description
+++-==================================-==================================-====================================================================================
ii  psa                                10.1.1-debian5.0.build1010110120.1 Parallels Panel v10.1.1 core files
mmn001:/#
Afaik I was aware of the ProFTPD vulnerability and patched that the day after the patch was released. This was in Q4 2010.


In regards to the possible cause of this all and the questions about how the intruder entered, it is highly probable that it was simply a brute force on my ssh password.

The server had a complete reinstall 2 months ago and was "delivered" to me with a simple password, 8 positions, 3 letters - 1 number - 1 sign - 3 capitals, which according to KeePass is a 64bit password.

I think it is definitely my own fault that I have not changed that immediately, I only did this after receiving the first report of my server being involved in brute-forcing others. Once I received that report, I changed it to a 200bit password. But I think it is pretty clear to me now that this was too little, too late

Last edited by MartinM; 05-07-2011 at 04:17 AM.
 
Old 05-07-2011, 07:17 AM   #51
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Were you getting the Micro Updates for Plesk? Even if you were, you were running a number of other services.

Sounds like a fairly secure password, but I can't say for sure because I don't know how random it is. I don't even know if there was an SSH password guessing attack against your computer, let alone if it was successful. I don't have the logs and any data to go on.

The below should let you check for unauthorized root logins from computers you don't know. You can also pipe it into another grep to filter out IPs you know.
Code:
grep -i 'accepted password for root' auth.log
Code:
grep -i 'accepted password for root' auth.log | grep -v 'yourip'
This will let you see how many failed passwords there are:
Code:
grep -i 'failed password' auth.log | wc -l
This will do the same, but just for sshd
Code:
grep -i '.+sshd.+failed password' auth.log | wc -l
Replace suspiciousip with an actual suspicious IP that was doing a lot of password guessing to see if they got in.
Code:
grep -i 'accepted password for.+suspiciousip' auth.log
Will find all messages on the April 28th.

Code:
grep -P '^Apr\s+28' messages
You can find run same kind of grep searches through compressed logs, for example:

Code:
zcat messages.2.gz | grep -P '^Apr\s+28'
These commands mostly just cover SSH. I've written perl scripts to summarize and graph SSH logs, but don't have your logs. It's difficult to teach someone how to do log analysis for the first time with the CLI, when they aren't familiar with the CLI or log analysis.

Last edited by OlRoy; 05-07-2011 at 07:19 AM.
 
2 members found this post helpful.
Old 05-07-2011, 07:19 AM   #52
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 419Reputation: 419Reputation: 419Reputation: 419Reputation: 419
Quote:
Originally Posted by MartinM
it is highly probable that it was simply a brute force on my ssh password.
Not to discount your theory about passwords, but OlRoy noticed something that has been bugging me too, namely that the /etc/games/go/backdoor directory and files are owned by sw-cp-server, and not by root. If I understand this user correctly, that is the Plesk user, which raises the possibility that they compromised Plesk to gain access. I'm simply not familiar with Plesk so hopefully someone who is will chime in a bit.

That said, I think the general consensus is that the log files from around April 28th are going to be the next best bet for good information on what happened.
 
Old 05-07-2011, 07:45 AM   #53
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Hi Hangdog42 and OlRoy,

the tar with the complete contents of the directory and the complete log-files are available to Hangdog42 now, he knows where to find them .
I don't mind if he shares them to speed up pinpointing the cause of all this trouble.

Would it be sensible to say that this current server-setup is a no-go for the future and I will need to get a reinstall for sure?
And in that case, since I do have people waiting for me, would downloading everything necessary for restoring their domains be a solution to speed things up in that regard (of course after safeguarding everything else which is needed to track down this attack).

Or am I going to fast now?

Last edited by MartinM; 05-07-2011 at 07:49 AM.
 
Old 05-07-2011, 11:18 AM   #54
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
The attacker has had root for some time now and evidence suggests a rootkit was more than likely installed. I'd definitely say you're going need to reinstall, hopefully after someone finds evidence of how the attacker got in.. So sure, you can plan for reinstalling until Hangdog42 or someone can check out the logs you sent him.

In the mean time, if you have the time, you can post the output of:

Code:
ls -altuhR /usr/games
ls -althR /usr/games
ls -altchR /usr/games
You can also check out the contents of /root since the attacker was apparently in that directory at some point and may of created files there. Speaking of which, the below command should help find files changed around April 28th.

Code:
sudo find /etc /bin /sys /sbin /dev /boot /usr /tmp /lib /root -ctime 10 -type f -exec ls -alch {} \;
The setup script for the rootkit is a gold mine since it will show how it was installed or what it did, and the config file(s) will tell you what the attacker wanted to hide.

Doing the above will most likely just help you figure out what the attacker did. Which can be helpful, but probably won't tell you how they got in. That part will most likely come from log analysis.

Last edited by OlRoy; 05-07-2011 at 11:19 AM.
 
Old 05-07-2011, 11:41 AM   #55
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Code:
mmn001:/var/log# ls -altuhR /usr/games
/usr/games:
total 32K
drwxr-xr-x  3 root root 4.0K May  7 18:35 .
drwxr-xr-x 11 root root 4.0K May  7 09:39 ..
-rwxr-xr-x  1 root root  19K May  7 09:38 banner
drwxr-xr-x  3 root root 4.0K May  7 09:38 go

/usr/games/go:
total 2.5M
drwxr-xr-x 3 root         root 4.0K May  7 18:35 .
drwxr-xr-x 3 root         root 4.0K May  7 18:35 ..
-rwxr-xr-x 1 root         root  838 May  7 09:38 1
-rwxr-xr-x 1 root         root  956 May  7 09:38 10
-rwxr-xr-x 1 root         root  782 May  7 09:38 2
-rwxr-xr-x 1 root         root  889 May  7 09:38 3
-rwxr-xr-x 1 root         root  898 May  7 09:38 4
-rwxr-xr-x 1 root         root  836 May  7 09:38 5
-rwxr-xr-x 1 root         root  808 May  7 09:38 6
-rwxr-xr-x 1 root         root  897 May  7 09:38 7
-rwxr-xr-x 1 root         root  846 May  7 09:38 8
-rwxr-xr-x 1 root         root  845 May  7 09:38 9
-rwxr-xr-x 1 root         root 1.4K May  7 09:38 a
drwxr-xr-x 2 sw-cp-server 1000 4.0K May  7 09:38 backdor
-rwxr-xr-x 1 root         root  22K May  7 09:38 common
-rwxr-xr-x 1 root         root  265 May  7 09:38 gen-pass.sh
-rwxr-xr-x 1 root         root   94 May  7 09:38 go
-rwxr-xr-x 1 root         root 1001 May  7 09:38 go.sh
-rw-r--r-- 1 root         root 1.1M May  7 09:38 mfu.txt
-rw-r--r-- 1 root         root 8.4K May  7 09:38 pass_file
-rwxr-xr-x 1 root         root  21K May  7 09:38 pscan2
-rwxr-xr-x 1 root         root 6.4K May  7 09:38 scam
-rwxr-xr-x 1 root         root  197 May  7 09:38 secure
-rwxr-xr-x 1 root         root 444K May  7 09:38 ss
-rwxr-xr-x 1 root         root 823K May  7 09:38 ssh-scan
-rw-r--r-- 1 root         root  20K May  7 09:38 vuln.txt

/usr/games/go/backdor:
total 596K
drwxr-xr-x 2 sw-cp-server 1000 4.0K May  7 18:35 .
drwxr-xr-x 3 root         root 4.0K May  7 18:35 ..
-rwxr-xr-x 1 sw-cp-server 1000 491K May  7 09:38 bin.tgz
-rwxr-xr-x 1 sw-cp-server 1000  442 May  7 09:38 conf.tgz
-rwxr-xr-x 1 sw-cp-server 1000  29K May  7 09:38 lib.tgz
-rwxr-xr-x 1 sw-cp-server 1000  25K May  7 09:38 setup
-rwxr-xr-x 1 sw-cp-server 1000  25K May  7 09:38 setup~
mmn001:/var/log#
Code:
mmn001:/var/log# ls -althR /usr/games
/usr/games:
total 32K
drwxr-xr-x 11 root root 4.0K May  7 09:38 ..
drwxr-xr-x  3 root root 4.0K May  6 19:36 go
drwxr-xr-x  3 root root 4.0K Apr 28 23:55 .
-rwxr-xr-x  1 root root  19K Nov 20  2007 banner

/usr/games/go:
total 2.5M
drwxr-xr-x 3 root         root 4.0K May  6 19:36 .
-rw-r--r-- 1 root         root  20K May  6 17:59 vuln.txt
-rw-r--r-- 1 root         root 1.1M May  6 06:57 mfu.txt
-rw-r--r-- 1 root         root 8.4K May  4 22:40 pass_file
-rwxr-xr-x 1 root         root 1001 May  2 12:32 go.sh
drwxr-xr-x 3 root         root 4.0K Apr 28 23:55 ..
-rwxr-xr-x 1 root         root  956 Apr 28 23:07 10
-rwxr-xr-x 1 root         root  845 Apr 28 23:06 9
-rwxr-xr-x 1 root         root  846 Apr 28 23:06 8
-rwxr-xr-x 1 root         root  897 Apr 28 23:05 7
-rwxr-xr-x 1 root         root  808 Apr 28 23:05 6
-rwxr-xr-x 1 root         root  836 Apr 28 23:04 5
-rwxr-xr-x 1 root         root  889 Apr 28 23:04 3
-rwxr-xr-x 1 root         root  898 Apr 28 23:03 4
-rwxr-xr-x 1 root         root  782 Apr 28 23:02 2
-rwxr-xr-x 1 root         root  838 Apr 28 23:01 1
-rwxr-xr-x 1 root         root 1.4K Mar 28 01:52 a
drwxr-xr-x 2 sw-cp-server 1000 4.0K Dec 23  2009 backdor
-rwxr-xr-x 1 root         root 6.4K Oct 25  2009 scam
-rwxr-xr-x 1 root         root   94 Jul 26  2008 go
-rwxr-xr-x 1 root         root  197 Aug 23  2005 secure
-rwxr-xr-x 1 root         root  22K Dec  2  2004 common
-rwxr-xr-x 1 root         root  265 Nov 25  2004 gen-pass.sh
-rwxr-xr-x 1 root         root 823K Nov 24  2004 ssh-scan
-rwxr-xr-x 1 root         root  21K Jul 21  2004 pscan2
-rwxr-xr-x 1 root         root 444K Jul 12  2004 ss

/usr/games/go/backdor:
total 596K
drwxr-xr-x 3 root         root 4.0K May  6 19:36 ..
-rwxr-xr-x 1 sw-cp-server 1000  25K Mar 12  2010 setup
-rwxr-xr-x 1 sw-cp-server 1000  25K Mar 12  2010 setup~
drwxr-xr-x 2 sw-cp-server 1000 4.0K Dec 23  2009 .
-rwxr-xr-x 1 sw-cp-server 1000 491K May  1  2003 bin.tgz
-rwxr-xr-x 1 sw-cp-server 1000  442 Apr 18  2003 conf.tgz
-rwxr-xr-x 1 sw-cp-server 1000  29K Apr 15  2003 lib.tgz
mmn001:/var/log#

Code:
mmn001:/var/log# ls -altchR /usr/games
/usr/games:
total 32K
drwxr-xr-x 11 root root 4.0K May  7 09:38 ..
drwxr-xr-x  3 root root 4.0K May  6 19:36 go
drwxr-xr-x  3 root root 4.0K Apr 28 23:55 .
-rwxr-xr-x  1 root root  19K Jan 31 19:12 banner

/usr/games/go:
total 2.5M
drwxr-xr-x 3 root         root 4.0K May  6 19:36 .
-rw-r--r-- 1 root         root  20K May  6 17:59 vuln.txt
-rw-r--r-- 1 root         root 1.1M May  6 06:57 mfu.txt
drwxr-xr-x 2 sw-cp-server 1000 4.0K May  5 01:32 backdor
-rw-r--r-- 1 root         root 8.4K May  4 22:40 pass_file
-rwxr-xr-x 1 root         root 1001 May  2 12:32 go.sh
-rwxr-xr-x 1 root         root  838 Apr 29 00:09 1
-rwxr-xr-x 1 root         root  956 Apr 29 00:09 10
-rwxr-xr-x 1 root         root  782 Apr 29 00:09 2
-rwxr-xr-x 1 root         root  889 Apr 29 00:09 3
-rwxr-xr-x 1 root         root  898 Apr 29 00:09 4
-rwxr-xr-x 1 root         root  836 Apr 29 00:09 5
-rwxr-xr-x 1 root         root  808 Apr 29 00:09 6
-rwxr-xr-x 1 root         root  897 Apr 29 00:09 7
-rwxr-xr-x 1 root         root  846 Apr 29 00:09 8
-rwxr-xr-x 1 root         root  845 Apr 29 00:09 9
-rwxr-xr-x 1 root         root 1.4K Apr 29 00:09 a
-rwxr-xr-x 1 root         root  22K Apr 29 00:09 common
-rwxr-xr-x 1 root         root  265 Apr 29 00:09 gen-pass.sh
-rwxr-xr-x 1 root         root   94 Apr 29 00:09 go
-rwxr-xr-x 1 root         root  21K Apr 29 00:09 pscan2
-rwxr-xr-x 1 root         root 6.4K Apr 29 00:09 scam
-rwxr-xr-x 1 root         root  197 Apr 29 00:09 secure
-rwxr-xr-x 1 root         root 444K Apr 29 00:09 ss
-rwxr-xr-x 1 root         root 823K Apr 29 00:09 ssh-scan
drwxr-xr-x 3 root         root 4.0K Apr 28 23:55 ..

/usr/games/go/backdor:
total 596K
drwxr-xr-x 3 root         root 4.0K May  6 19:36 ..
drwxr-xr-x 2 sw-cp-server 1000 4.0K May  5 01:32 .
-rwxr-xr-x 1 sw-cp-server 1000 491K May  5 01:32 bin.tgz
-rwxr-xr-x 1 sw-cp-server 1000  442 May  5 01:32 conf.tgz
-rwxr-xr-x 1 sw-cp-server 1000  29K May  5 01:32 lib.tgz
-rwxr-xr-x 1 sw-cp-server 1000  25K May  5 01:32 setup
-rwxr-xr-x 1 sw-cp-server 1000  25K May  5 01:32 setup~
mmn001:/var/log#
The last command returned nothing:
Code:
sudo find /etc /bin /sys /sbin /dev /boot /usr /tmp /lib /root -ctime 10 -type f -exec ls -alch {} \;
With sudo I got an error (seems logical to me, I'm logged in as root now) and without sudo I just returned to the prompt after about 5 seconds.
 
Old 05-07-2011, 11:46 AM   #56
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 5,272

Rep: Reputation: 1918Reputation: 1918Reputation: 1918Reputation: 1918Reputation: 1918Reputation: 1918Reputation: 1918Reputation: 1918Reputation: 1918Reputation: 1918Reputation: 1918
Quote:
Would it be sensible to say that this current server-setup is a no-go for the future and I will need to get a reinstall for sure?
There is no doubt that the intruder gained root and has endeavoured to cover their tracks. I note the "HISTFILE=/dev/null" option in PID 4269 as well as the files in /usr/games/go/backdor which probably contain hacked binaries of system files (although the file dates suggest they are old).
It becomes a judgment call on the skill of the intruder and their intent. You may simply be able to replace any hacked system binaries with known good versions.
I note that there are more exploit modules in the contents of /usr/games/go than were logged in third example here http://blog.macuyiko.com/2011/03/run...ippo-lets.html
This could be interpreted as the intruder having access to recent exploits and so a high level of knowledge.

To be sure, you reinstall. You have no other way of being certain that all traces of the intrusion have been removed.

There is still the question of how your system was exploited. Two obvious options are:
1. Brute force SSH password attack.
2. A ProFTPD exploit, which may explain the curious Plesk username.

You can close the door to the first, but if the second then a reinstall will leave you vulnerable to a repeat incursion.
 
Old 05-07-2011, 12:14 PM   #57
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Not sure why the find command didn't return anything. It works fine for me. Maybe you could try changing the -ctime 10 to -ctime 9 But I would think find would of returned *something* if it was working properly. Someone else might know what is wrong.

The /usr/games/banner is a new file we missed earlier. You can type:

Code:
file /usr/games/banner
If it's a shell script or text file you can post the contents with

Code:
cat /usr/games/banner
You may get lucky and find a file .gz .jpg or some other suspicious file that contained an archive of all the files in the /usr/games directory with this command.
Code:
ls -altuh /usr
If you do, you could google for that file name and who knows, you might find someone else who is dealing with the same attacker(s) on some other forum.
 
Old 05-07-2011, 12:29 PM   #58
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Code:
mmn001:/# file /usr/games/banner
/usr/games/banner: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, stripped
mmn001:/#

Code:
mmn001:~# ls -altuh /usr
total 1.5M
drwxr-xr-x  11 root root  4.0K May  7 19:27 .
lrwxrwxrwx   1 root root    24 May  7 19:26 lib32 -> /emul/ia32-linux/usr/lib
lrwxrwxrwx   1 root root     3 May  7 19:26 lib64 -> lib
drwxr-xr-x   3 root root  4.0K May  7 18:42 games
drwxr-xr-x   2 root root  4.0K May  7 18:41 X11R6
drwxr-xr-x   2 root root   20K May  7 18:41 bin
drwxr-xr-x  32 root root  4.0K May  7 18:41 include
drwxr-xr-x  52 root root   20K May  7 18:41 lib
drwxrwsr-x  11 root staff 4.0K May  7 18:41 local
drwxr-xr-x   2 root root   12K May  7 18:41 sbin
drwxr-xr-x 113 root root  4.0K May  7 18:41 share
drwxrwsr-x   2 root src   4.0K May  7 18:41 src
drwxr-xr-x  22 root root  4.0K May  7 14:39 ..
-rw-r--r--   1 root root  1.4M May  7 11:45 games_go.tgz
mmn001:~#
games_go.tgz is the tar I made of the complete games/go directory

No luck with
Code:
cat /usr/games/banner
 
Old 05-07-2011, 12:45 PM   #59
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Sometimes you can get an idea for what a program does by its strings. Unfortunately it won't work well if the binary is packed, and sometimes an attacker will insert bogus strings to through off a malware analyst.

Code:
strings -a /usr/games/banner
You could also submit the file to a site like www.virustotal.com, but you'd have to be very careful you don't somehow run the malware.

The above is just a couple of very easy things to do and is a an extremely small part of malware analysis; a field I'm still learning and it's mostly with Windows malware.
 
Old 05-07-2011, 01:05 PM   #60
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Code:
mmn001:~# strings -a /usr/games/banner
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
strcpy
exit
_IO_putc
optind
puts
warnx
putchar
stdin
printf
fgets
strlen
getopt
stdout
__strtol_internal
malloc
strcat
optarg
stderr
fwrite
errx
__libc_start_main
free
GLIBC_2.2.5
%z8 
%r8 
%j8 
%b8 
%Z8 
%R8 
=Q8 
=W5 
AUATU
dt1H
=U7 
~6E1
=W6 
=>6 
=93 
582 
5,2 
=+1 
fffff.
l$ L
t$(L
|$0H
illegal argument for -w option
usage: banner [-d] [-t] [-w width] message ...
const unsigned char data_table[NBYTES] = {
the character '%c' is not in my character set
pc=%d, term=%d, max=%d, linen=%d, x=%d
w:td
malloc
Message: 
const int asc_ptr[NCHARS] = {
%4d,   
/*          
 %3d  
/* %4d */  
 %3d, 
Message '%s' is OK
Char #%d: %c
bad pc: %d
x=%d, y=%d, max=%d
 	I	
!	m	
!	m	
!,T 
 	M	t
C	P$
!/U 
A	n	
!	m	
Q	o	
Q	o	
.	Y 
	4	D
 	I	
 	I	
 	I	
.shstrtab
.interp
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.ctors
.dtors
.jcr
.dynamic
.got
.got.plt
.data
.bss
mmn001:~#
I sent the tar to virustotal.com, the result-screenshot has been attached to this post.
Attached Thumbnails
Click image for larger version

Name:	virustotalresult.jpg
Views:	14
Size:	213.6 KB
ID:	6969  

Last edited by MartinM; 05-07-2011 at 01:06 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[iptables] How to block brute force attacks? littlebigman Linux - Software 2 04-05-2011 04:48 AM
[SOLVED] Server receiving a lot of brute force SSH attacks the182guy Linux - Newbie 6 10-16-2009 08:27 AM
[SOLVED] MySql-ban brute force attacks? qwertyjjj Linux - Software 3 08-10-2009 05:28 AM
Does anyone know if guardian can be set to block brute force attacks and only brute f abefroman Linux - Software 2 06-05-2008 10:55 AM
Question on Brute Force Attacks Mad Mike Linux - Security 4 10-16-2006 10:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:44 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration