Quote:
Originally Posted by ShellPwn
A setuid file was brought to my attention, it however appears to be the same as bash and since bash drops privileges, it can't be used to gain root
|
Indeed, but the fact that 0) it was dropped in (root-owned) /sbin (recently), 1) has a filename starting with a dot, 2) the users shell history is missing and 3) login details not matching home directory MAC times is bad news.
Quote:
Originally Posted by ShellPwn
I considered leaving the server online and the user account in tack, just so I could watch the attacker. Is this a good idea?
|
No, it is a bad idea (in fact it is as bad as telling you to reinstall the OS w/o telling you to investigate) because as Internet user you are responsible for your machines not harming others: leaving the machine in an exploitable state should not be acceptable for you and is not for us.
Here's in short what you should do to help us help you determine what goes on.
* Bear in mind that since you indicated being responsible for multiple servers to check the others for possible compromises as well.
0. Start reading: it helps you focus on what is important and what is not. This makes things less error-prone and more efficient for you and us. Please read the CERT Steps for Recovering from a UNIX or NT System Compromise:
http://www.cert.org/tech_tips/win-UN...ompromise.html for an overview of the major steps we will go through (namely: "Regain control" and "Analyze the intrusion"). Please read the CERT Intruder Detection Checklist:
http://web.archive.org/web/200801092...checklist.html. (Note this is an archived copy as CERT in all their wisdom decided to take it down w/o providing proper replacement). Please consider the checklist as leading if you have no Incident Response procedure or work document to work with.
1. Notify users and (upstream) provider if necessary.
2. As root account user list open files (\lsof -P -w -n), process (\ps ax -o ppid,pid,uid,cmd --sort=uid) and network data (\netstat -anpe) listings to a location where you do not overwrite data or pipe data through ssh.
* It would be good to verify the integrity of your binaries before executing commands.
* You may need to prefix paths instead of using backslashes but be careful not to mix in common args used in aliases and such.
* Saving listings is obviously hampered by reboots. Let us know if that is the case.
3. Mitigate the situation. Regain control by shutting down all non-essential services and raising the firewall to only allow SSH traffic to and from your management IP (range). If the machine is local to you and you have any doubts power down the box and only boot with a Live CD unless you tell us the machine is remote.
- Tell us the servers OS and precise release version,
- Tell us if the server was properly kept up to date,
- Tell us when you first noticed this situation,
- Tell us if the server exhibited any odd behaviour in the past,
- Tell us (attach logs?) if you have recent logs from running Chkrootkit / Rootkit Hunter or Aide / Samhain (or Integrit, Osiris or even tripwire) (don't install anything),
- Tell us what services the server provides (exact versions please) and if it is a LAMP machine also what runs
on top of Perl/PHP/Ruby (forum, web log, stats) and their exact versions,
- Tell us (attach output?) what the /tmp, /var/tmp and webserver docroot directories hold (find /dirname -ls),
4. After you've answered those questions (do not install or delete anything) we'll move on to preparing backups for reference (not reuse) and investigate further using system authentication data (logrotated wtmp), IDS logs, filesystem integrity checkers, package manager (if good enough), all system, daemon and firewall logs, temp files, unusual (setuid root) files, user shell histories. When you report back include any information, hints, hunches or gut feelings you think would help. Please attach logs if possible, else please use BB code tags to preserve formatting and efficient reading. And please ask before doing things if you have any doubts.
* I have little time to spend but I also realize LQ is low on members with proper background knowledge and Incident Response capability (considering only those members who have demonstrated it and as I want to see it, namely: helpful, structured and of a certain quality). If you would like a second opinion you are invited to contact me by email to facilitate bulk exchange of logs et cetera.