LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-12-2006, 06:07 PM   #1
sauce
Member
 
Registered: Oct 2005
Distribution: Slackware, Ubuntu
Posts: 52

RealVNC has been compromised by an IRC channel, need help urgently


Slackware 10.2 (personal machine)

I was running a VNC server on a standard port, and someone broke in. I wouldn't have known it unless I hit CTRL+V, where the cracker left a URL that he copied to the clipboard. The URL pointed to this site, which contains 2 Trojan files, Trojan.BAT.Zapchast (win32 exe's). He definitely downloaded one of the files because it was marked as "visited" in Firefox, but he then deleted it because it's not there anymore. He may have hijacked my computer to scan other computers for vulnerabilities.

http://www.promisance.co.uk/crawlers/

This may be the vuln he got in with: http://www.securityfocus.com/archive.../30/0/threaded

I have little to no experience with this type of stuff. What do I do now? I have taken the following steps:

1) I shut down VNC server
2) syslog shows nothing out of the ordinary (besides failed SSH attempts)
3) sudo log shows nothing out of the ordinary
4) netstat -A shows nothing out of the ordinary
5) ps -aux shows nothing out of the ordinary
6) My router shows many attempts to connect to my VNC server, by many different IPs. I have saved this info.
7) My SSHD server is set "deny : ALL" except for 4 IPs I will keep secret.
8) I ran find -mtime and I found this interesting. 8 days ago a file called winnt.exe was placed in a folder on my desktop. I did NOT download this file.
$ sudo find / -mtime 8 -print
/home/sean/Desktop/eek/winnt.exe
/home/sean/.mozilla/firefox/15pcn71n.default/extensions/{DDC359D1-844A-42a7-9AA1-88A850A938A8}/history.xml
/home/sean/.mozilla/firefox/15pcn71n.default/Cache/8E56ECEEd01
 
Old 07-12-2006, 06:08 PM   #2
sauce
Member
 
Registered: Oct 2005
Distribution: Slackware, Ubuntu
Posts: 52

Original Poster
*** UPDATE ***

Remember winnt.exe? It was a self-executable file; I opened it with WinRAR and found some very interesting files. I got hijacked by an IRC group.

___________________________________________
- = ] *~*~*~*~*WAREZ OWNS YOU*~*~*~*~* [ = -
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
!~!~ !~!~!~#MP3-WONDERLAND~!~!~!~!~!
 
Old 07-12-2006, 06:34 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

9) Make your router log and block all traffic to the box (services).
10) "find -mtime": well done. Make sure you check (again) all your logs up to that date.
11) Run any verification if your package manager supports it, followed by checking against backups (just in case), followed by running Chkrootkit and Rootkit Hunter, preferably from a bootable Live CD.

With any output you can add to what you've already done (and well done, yes) we have a better idea what to do next, but basically it should amount to removing (Real?)VNC and installing TightVNC, changing all passwords and hardening the system (more).
 
Old 07-12-2006, 09:07 PM   #4
sauce
Member
 
Registered: Oct 2005
Distribution: Slackware, Ubuntu
Posts: 52

Original Poster
Thanks for the help. I used my router to deny the compromised machine WAN access while I investigate.

I have a feeling it's not as bad as I think. The vulnerability for RealVNC runs on both Linux and Windows, and hopefully the attackers thought that I had a Windows machine, which would explain the .exe files. Or maybe that's just what they want me to think. The only way to be safe is to back up the / partition and install a fresh copy.
 
Old 07-12-2006, 10:12 PM   #5
sauce
Member
 
Registered: Oct 2005
Distribution: Slackware, Ubuntu
Posts: 52

Original Poster
Rep: Reputation: 15
chkrootkit, everything OK
rkhunter, everything OK

A friend thought it would be a good idea to download slackware-current packages and use slapt-get to install them. That would restore all binaries to original in case I missed anything.

I don't want to reinstall Slackware 10.2 with version 11 being so close. Maybe I'll leave the machine offline until then.
 
Old 07-13-2006, 05:57 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

> chkrootkit, everything OK
> rkhunter, everything OK

Cool.

> A friend thought it would be a good idea to download slackware-current packages and use slapt-get to install them. That would restore all binaries to original in case I missed anything.

If verification of binaries by say md5sum matches packaged versions my first concern would be restricting access, removing vulnerable software and changing all passwords.

> I don't want to reinstall Slackware 10.2 with version 11 being so close. Maybe I'll leave the machine offline until then.

Leaving it powered off is definitely the most efficient way.
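One way to do the md5sum verification unSpawn describes in #6, written here as an added example rather than anything posted in the thread: it unpacks a Slackware-style .tgz package (file paths relative to /) fetched from a trusted mirror and compares each file's md5sum with the copy installed on the suspect system. The package path, the filesystem root and the sample package built in the comments are assumptions, not values from the thread.

```shell
#!/bin/sh
# Compare installed files against the copies inside a Slackware-style
# package tarball. Assumes the tarball itself came from a trusted mirror
# and that it lays files out relative to / like installpkg does. The
# install/ directory (slack-desc, doinst.sh) holds no installed files
# and is skipped. Prints "MODIFIED /path" or "MISSING /path" for each
# difference; returns 0 when everything matches, 1 otherwise, 2 on error.
verify_pkg() {
    pkg="$1"    # path to the package .tgz (assumed, e.g. tightvnc.tgz)
    root="$2"   # root of the installed system (normally /, or a mount
                # point when checking the disk from a Live CD)
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/pkg" || { rm -rf "$tmp"; return 2; }
    tar -xzf "$pkg" -C "$tmp/pkg" || { rm -rf "$tmp"; return 2; }
    # list every regular file shipped in the package, one per line
    ( cd "$tmp/pkg" && find . -type f ! -path './install/*' ) > "$tmp/list"
    bad=0
    # the loop reads from a file, not a pipe, so $bad survives it
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING /$rel"; bad=1; continue
        fi
        want=$(md5sum < "$tmp/pkg/$rel" | cut -d' ' -f1)
        have=$(md5sum < "$root/$rel" | cut -d' ' -f1)
        [ "$want" = "$have" ] || { echo "MODIFIED /$rel"; bad=1; }
    done < "$tmp/list"
    rm -rf "$tmp"
    return $bad
}
```

Run it from a Live CD with the compromised disk mounted read-only as the second argument so the on-disk md5sum and tar binaries are not the ones being checked.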
 