LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-10-2005, 08:57 AM   #1
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Think I've been had... how did they get in?


For the second time in a week, my tripwire has found many signifigant differences in one of our servers:
Code:
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/server.domain.com-20050810-000502.twr


Tripwire(R) 2.3.0 Integrity Check Report

Report generated by:          root
Report created on:            Wed Aug 10 00:05:02 2005
Database last updated on:     Mon Aug  8 13:02:33 2005

===============================================================================
Report Summary:
===============================================================================

Host name:                    server.domain.com
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/server.domain.com.twd
Command line used:            /usr/sbin/tripwire --check 

===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Invariant Directories           66                0        0        0        
  Temporary directories           33                0        0        0        
  Tripwire Data Files             100               0        0        0        
  Critical devices                100               0        0        0        
* User binaries                   66                0        0        134      
* Tripwire Binaries               100               0        0        4        
* Libraries                       66                0        0        15       
* Shell Binaries                  100               0        0        1        
* File System and Disk Administraton Programs
                                  100               0        0        6        
* Kernel Administration Programs  100               0        0        2        
  Networking Programs             100               0        0        0        
* System Administration Programs  100               0        0        2        
* Hardware and Device Control Programs
                                  100               0        0        2        
  System Information Programs     100               0        0        0        
  Application Information Programs
                                  100               0        0        0        
  Shell Releated Programs         100               0        0        0        
  (/sbin/getkey)
  Critical Utility Sym-Links      100               0        0        0        
  Critical system boot files      100               0        0        0        
* Security Control                100               0        0        2        
  System boot changes             100               0        0        0        
* OS executables and libraries    100               0        0        6        
  Login Scripts                   100               0        0        0        
  Critical configuration files    100               0        0        0        
* User Applications               66                0        0        1        
* Operating System Utilities      100               0        0        7        
* Root config files               100               1        0        3        

Total objects scanned:  46967
Total violations found:  186

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/sbin"
"/usr/sbin/callback"
"/usr/sbin/diskdumpctl_proc"
"/usr/sbin/diskdumpfmt"
"/usr/sbin/iptstate"
"/usr/sbin/plainrsa-gen"
"/usr/sbin/racoon"
"/usr/sbin/rdev"
"/usr/sbin/readprofile"
"/usr/sbin/rpc.gssd"
"/usr/sbin/rpc.idmapd"
"/usr/sbin/sasl2-static-mechlist"
"/usr/sbin/saslauthd"
"/usr/sbin/savecore"
"/usr/sbin/sshd"
"/usr/sbin/stunnel"
"/usr/sbin/tunelp"
"/usr/sbin/vipw"

-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/siggen)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/siggen"

-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/tripwire"

-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/twadmin)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/twadmin"

-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/twprint)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/twprint"

-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/lib"
"/usr/lib/autofs"
"/usr/lib/autofs/autofs-ldap-auto-master"
"/usr/lib/libaspell.so.15.0.3"
"/usr/lib/libdes425.so.3.0"
"/usr/lib/libgssapi_krb5.so.2.2"
"/usr/lib/libk5crypto.so.3.0"
"/usr/lib/libkrb4.so.2.0"
"/usr/lib/libkrb5.so.3.2"
"/usr/lib/libldap-2.2.so.7.0.6"
"/usr/lib/libstdc++.so.6.0.3"
"/usr/lib/libwvstreams.so.3.75"
"/usr/lib/libwvutils.so.3.75"
"/usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE"
"/usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE/libperl.so"

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/bin"
"/usr/bin/a2p"
"/usr/bin/addftinfo"
"/usr/bin/aspell"
"/usr/bin/c++"
"/usr/bin/c++filt"
"/usr/bin/cal"
"/usr/bin/chfn"
"/usr/bin/chsh"
"/usr/bin/col"
"/usr/bin/colcrt"
"/usr/bin/colrm"
"/usr/bin/column"
"/usr/bin/cpp"
"/usr/bin/crontab"
"/usr/bin/cvs"
"/usr/bin/cytune"
"/usr/bin/ddate"
"/usr/bin/doxygen"
"/usr/bin/doxytag"
"/usr/bin/eqn"
"/usr/bin/fdformat"
"/usr/bin/floppy"
"/usr/bin/free"
"/usr/bin/g++"
"/usr/bin/g77"
"/usr/bin/gcc"
"/usr/bin/gcov"
"/usr/bin/getopt"
"/usr/bin/grn"
"/usr/bin/grodvi"
"/usr/bin/groff"
"/usr/bin/grolbp"
"/usr/bin/grolj4"
"/usr/bin/grops"
"/usr/bin/grotty"
"/usr/bin/hexdump"
"/usr/bin/hpftodit"
"/usr/bin/i386-redhat-linux-c++"
"/usr/bin/i386-redhat-linux-g++"
"/usr/bin/i386-redhat-linux-gcc"
"/usr/bin/indxbib"
"/usr/bin/ipcrm"
"/usr/bin/ipcs"
"/usr/bin/isosize"
"/usr/bin/lftp"
"/usr/bin/lkbib"
"/usr/bin/logger"
"/usr/bin/look"
"/usr/bin/lookbib"
"/usr/bin/lynx"
"/usr/bin/mcookie"
"/usr/bin/namei"
"/usr/bin/newgrp"
"/usr/bin/perl"
"/usr/bin/perl5.8.5"
"/usr/bin/pfbtops"
"/usr/bin/pgrep"
"/usr/bin/pic"
"/usr/bin/pkill"
"/usr/bin/pmap"
"/usr/bin/post-grohtml"
"/usr/bin/pre-grohtml"
"/usr/bin/protoize"
"/usr/bin/refer"
"/usr/bin/rename"
"/usr/bin/renice"
"/usr/bin/rev"
"/usr/bin/scp"
"/usr/bin/script"
"/usr/bin/setfdprm"
"/usr/bin/setsid"
"/usr/bin/setterm"
"/usr/bin/sftp"
"/usr/bin/skill"
"/usr/bin/slabtop"
"/usr/bin/snice"
"/usr/bin/soelim"
"/usr/bin/ssh"
"/usr/bin/ssh-add"
"/usr/bin/ssh-agent"
"/usr/bin/ssh-keygen"
"/usr/bin/ssh-keyscan"
"/usr/bin/swig"
"/usr/bin/tailf"
"/usr/bin/tbl"
"/usr/bin/tfmtodit"
"/usr/bin/tload"
"/usr/bin/top"
"/usr/bin/troff"
"/usr/bin/ul"
"/usr/bin/unprotoize"
"/usr/bin/uptime"
"/usr/bin/vim"
"/usr/bin/vmstat"
"/usr/bin/w"
"/usr/bin/watch"
"/usr/bin/wget"
"/usr/bin/whereis"
"/usr/bin/write"
"/usr/bin/wvdial"
"/usr/bin/wvdialconf"

-------------------------------------------------------------------------------
Rule Name: Shell Binaries (/usr/libexec/sftp-server)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/libexec/sftp-server"

-------------------------------------------------------------------------------
Rule Name: User binaries (/sbin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/sbin"
"/sbin/addpart"
"/sbin/agetty"
"/sbin/blockdev"
"/sbin/delpart"
"/sbin/dhcp6c"
"/sbin/elvtune"
"/sbin/fsck.cramfs"
"/sbin/grubby"
"/sbin/mgetty"
"/sbin/mkfs.cramfs"
"/sbin/nologin"
"/sbin/partx"
"/sbin/pivot_root"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/fdisk)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/fdisk"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/mkfs)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/mkfs"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/mkswap)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/mkswap"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/sfdisk)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/sfdisk"

-------------------------------------------------------------------------------
Rule Name: Kernel Administration Programs (/sbin/ctrlaltdel)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/ctrlaltdel"

-------------------------------------------------------------------------------
Rule Name: Kernel Administration Programs (/sbin/sysctl)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/sysctl"

-------------------------------------------------------------------------------
Rule Name: System Administration Programs (/sbin/rescuept)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/rescuept"

-------------------------------------------------------------------------------
Rule Name: System Administration Programs (/sbin/swapon)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/swapon"

-------------------------------------------------------------------------------
Rule Name: Hardware and Device Control Programs (/sbin/hwclock)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/hwclock"

-------------------------------------------------------------------------------
Rule Name: Hardware and Device Control Programs (/sbin/losetup)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/losetup"

-------------------------------------------------------------------------------
Rule Name: Security Control (/var/spool/cron)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/var/spool/cron"
"/var/spool/cron/sbrown"

-------------------------------------------------------------------------------
Rule Name: OS executables and libraries (/lib)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/lib"
"/lib/libcrypto.so.0.9.7a"
"/lib/libgcc_s-3.4.4-20050721.so.1"
"/lib/libproc-3.2.3.so"
"/lib/libssl.so.0.9.7a"

-------------------------------------------------------------------------------
Rule Name: User Applications (/home/php/a3d/lib.php)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/home/php/a3d/lib.php"

-------------------------------------------------------------------------------
Rule Name: OS executables and libraries (/bin)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/bin/mount)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/mount"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/bin/umount)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/umount"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/arch)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/arch"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/dmesg)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/dmesg"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/kill)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/kill"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/login)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/login"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/more)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/more"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ps)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/ps"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/tar)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/tar"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/.gnupg/.#lk0x80f8f60.server.domain.com.15824"

Modified:
"/root"
"/root/.gnupg"
"/root/.gnupg/random_seed"

===============================================================================
Error Report: 
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
The thing is that I can't find any obvious signs of how they got in. The only services that are running are Apache 2.0.54 w/ SSL (OpenSSL 0.9.8), PHP 4.3.11, OpenSSH 4.1p1 and MySQL 4.1.11 (kernel = 2.6.11). Known issues with these versions only impact environments that aren't applicable here. I d/led a known good version of rkhunter and all the binary sigs checked out. No unusual entries on ~/.bash_history for root or local users. Nothing unusual in any tmp directories. Nothing unusual in the logs. No unusual logins. Obviously, I know this doesn't mean anything since a good one will cover his tracks, but I would really like to know WTF happened before I just nuke the thing.

Obviously, I will be doing more reading in this forum today, but quick tips are appreciated.
 
Old 08-10-2005, 10:43 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If the md5sums are the same, then it looks like just the file modification timestamps have changed. Double check md5sums against known good versions and take a look at file attributes of the modified files using the 'stat' command. Check to see if they've changed since your last tripwire db update. Btw, what distro and version are you using?

Last edited by Capt_Caveman; 08-10-2005 at 10:44 AM.
 
Old 08-10-2005, 11:30 AM   #3
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by Capt_Caveman
If the md5sums are the same, then it looks like just the file modification timestamps have changed.
md5's aren't the same according to tripwire. In fact, they have even changed since yesterday's tripwire report, which indicates to me that this guy has been back in the last 24 hours. On some files, inodes are different, CRCs, size, md5s, etc... But there are sitll no (obvious) signs of an RK or anything like that.
Quote:
Originally posted by Capt_Caveman
Btw, what distro and version are you using?
FC3

I'm going through some of the CERT docs recommended in the security references thread and I'm not turning up anything. No other box on the network seems to be compromised (they are also monitored w/ tripwire), which is strange since all of our servers trust eachother w/ SSH keys (obviously, the trust of this box has been revoked on the others). No new services are running on this box (nmap'ed it from another server that hasn't been compromised). No odd SUID, SGID, or hidden files found. I am the only local user on this box. Starting to look like this guy is really good at covering his tracks...

All of the files that had a mod time changed were all changed at 4:02AM. I've had an issue before where yum updated some packages via cron and that took place @ 4:02AM (I've since disabled this automatic update). I've checked for unusual cron entries and didn't find anything there either.

Last edited by TruckStuff; 08-10-2005 at 11:36 AM.
 
Old 08-10-2005, 04:53 PM   #4
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
Well I'm really stuck on this one. Nothing I've been reading gives me any indication as to how the attacker got in. I'm hesitant to simply reformat and reinstall for fear of creating the exact same environment and getting backdoored again. Any advice is appreciated.
 
Old 08-10-2005, 06:13 PM   #5
thorn168
Member
 
Registered: Oct 2004
Location: USA
Distribution: Vector Linux 5.1 Std., Vector Linux 5.8 Std., Win2k, XP, OS X (10.4 & 10.5)
Posts: 344

Rep: Reputation: 42
Does anyone else have physical access to this machine or any other network device on your network?

Are you using Cisco routers by chance?
 
Old 08-10-2005, 06:19 PM   #6
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by thorn168
Does anyone else have physical access to this machine or any other network device on your network?

Are you using Cisco routers by chance?
Nope and Nope. SSH is locked down so that only I can log in, so no one got in there. Strong passwords have been used for myself and root. Just doesn't make any sense to me...

Does anyone have tripwire installed that wouldn't mind posting the md5sums of tripwire, twadmin, twprint and siggen?
 
Old 08-10-2005, 08:16 PM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177
I, for one, am not quite ready to brand this as a genuine report... a genuine intrusion. Tripwire is not fail-safe, and some of these 'modifications' make no sense. (Why would someone modify "mcookie," for instance?)

Do you happen to have a CD-ROM with a known-good copy of the material that's on your system? Or can you, from another system, make one? If so, you could boot from CD-ROM and do some comparisons .. taking care to use the cp command from the CD-ROM. You might also use it to copy the files to a removable disk if your CD happens to include the requisite drivers.

While such a Tripwire report properly demands to be explained, I'm not yet ready to jump to the conclusion that it's genuinely an intrusion. Others may dissent...?
 
Old 08-10-2005, 10:49 PM   #8
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
Are you certain no updates took place? What do logfiles show for the times the files were (apparently) modified? I saw you run rkhunter, but have you tried chkrootkit?
 
Old 08-10-2005, 11:06 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I'm not sold yet either. The yum update times (4:02AM) seem coincidental and I did notice some of the odd files flagged by tripwire also.

Just to clarify, when you run tripwire in a verbose mode like:
(twprint -m r -t 4 -r /path/to/recent/tripwire-report.twr), it shows md5sum differences?

But a scan with rkhunter shows all files coming back clean?

And the /var/log/yum.log file shows no recent updates?
 
Old 08-10-2005, 11:09 PM   #10
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
hwclock? dhcp6c? Most of the /usr/bin files... they all seem... rather unusable for security reason. You might try running "strings" on some of the supposedly-compromised binaries to see if there's anything notably suspicious in there.
 
Old 08-11-2005, 12:27 AM   #11
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
What about the integrity of the tripwire database itself?
Is it signed? It's not supposed to be stored on your hard disk (not even the binaries).
I don't know, maybe the cracker tried to patch it and made a mess of it

On redhat systems, you may run "rpm -Va" to find any modified files installed with rpm

Have you run a program like statifier that converts dynamically linked programs into static ones, or upx to compress them, or any other program that may modify binaries?
Run file(1) on these

It's very strange to find a possibly cracked gcc and such list of libraries

One last possibility is some new & ultra-sophisticated Unix virus that install itself via kernel modules and infects all binaries loaded.


Anyway, you may setup the system to catch the cracker the next time while monitoring what's being done.


Last edited by primo; 08-11-2005 at 12:33 AM.
 
Old 08-11-2005, 09:23 AM   #12
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
I'm running some more stuff today, but here is what I have answers to thus far:
Quote:
Tripwire is not fail-safe, and some of these 'modifications' make no sense. (Why would someone modify "mcookie," for instance?)
That was my first thought also. There aren't any seemingly "normal" files that have been modified in the event of an attack (e.g. ls, ps, etc...). Now, the fact that the tripwire binaries seem to have been modified could mean that they have been altered to ignore changes to those files, but as someone else pointed out, why would another (known-good) checker like rkhunter find these files OK?
Quote:
Do you happen to have a CD-ROM with a known-good copy of the material that's on your system?
Nope.
Quote:
Are you certain no updates took place? What do logfiles show for the times the files were (apparently) modified? I saw you run rkhunter, but have you tried chkrootkit?
/var/log/yum.log does not indicate any packages were updated. The only thing I can find in any logs during the times tripwire indicates are cron jobs, e.g.
Code:
Aug  9 04:00:01 server crond(pam_unix)[20461]: session opened for user me by (uid=0)
Aug  9 04:00:01 server crond(pam_unix)[20463]: session opened for user me by (uid=0)
Aug  9 04:00:01 server crond(pam_unix)[20465]: session opened for user root by (uid=0)
Aug  9 04:00:02 server crond(pam_unix)[20465]: session closed for user root
Aug  9 04:00:07 server crond(pam_unix)[20463]: session closed for user me
Aug  9 04:01:01 server crond(pam_unix)[20475]: session opened for user root by (uid=0)
Aug  9 04:01:01 server crond(pam_unix)[20475]: session closed for user root
Aug  9 04:02:01 server crond(pam_unix)[20477]: session opened for user root by (uid=0)
Aug  9 04:03:30 server crond(pam_unix)[20477]: session closed for user root
I also just dl'ed a good copy of chkrootkit and everything checked out there also.
Quote:
Originally posted by Capt_Caveman
Just to clarify, when you run tripwire in a verbose mode like:
(twprint -m r -t 4 -r /path/to/recent/tripwire-report.twr), it shows md5sum differences?

But a scan with rkhunter shows all files coming back clean?

And the /var/log/yum.log file shows no recent updates?
Correct.
Quote:
You might try running "strings" on some of the supposedly-compromised binaries to see if there's anything notably suspicious in there.
Doing that now. I'm spot-checking a few binaries that tripwire thinks were modified to check for anything obvious. Will post if that finds anything.
Quote:
On redhat systems, you may run "rpm -Va" to find any modified files installed with rpm
It found some missing dependencies (all packges that I removed and replaced with the same package compiled from source). Some missing man pages, which I already knew about. Other than that, nothing significant to report there.
Quote:
Have you run a program like statifier that converts dynamically linked programs into static ones, or upx to compress them, or any other program that may modify binaries?
Nope.
Quote:
Anyway, you may setup the system to catch the cracker the next time while monitoring what's being done.
I also thought about leaving this server up as a "honeypot." I've been meaning to set up Snort on one of our other servers for a while now and haven't gotten around to it. My concerns with doing this are 1) Snort seems to me like something that takes a while to get setup correctly and I don't want to knee-jerk it and 2) This is a production server and all apps would have to be moved to another server which doesn't happen overnight.
Quote:
While such a Tripwire report properly demands to be explained, I'm not yet ready to jump to the conclusion that it's genuinely an intrusion.
And that's where I stand right now also.

Last edited by TruckStuff; 08-11-2005 at 09:25 AM.
 
Old 08-11-2005, 09:54 AM   #13
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
If you have a spare desktop or anything like that, you could try installing a dedicated sniffer in front of this machine. Basically, you set up a computer with two NICs as an ethernet bridge (NOT forwarding), and then you could use ettercap/ethereal to see what goes on the line. Or better, log with tcpdump then analyze with ethereal later.
 
Old 08-11-2005, 10:07 AM   #14
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
I've already got the setup:
Code:
WAN--->T1 Modem--->HUB---->Switch-------->Firewall---> LAN
                    |        |        |
               eth1 |        |eth0    |
                    |        |        |
              Another Server-|        |--> Server in Question
I'm going to setup Snort ASAP to keep an eye on the network and see what comes up.

Last edited by TruckStuff; 08-11-2005 at 10:09 AM.
 
Old 08-11-2005, 11:19 AM   #15
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The only thing I can find in any logs during the times tripwire indicates are cron jobs, e.g.
What was the specific cron job run at that time? /var/log/cron should give you a listing. Assuming it's cron.daily or cron.hourly what are the various cron jobs that could be run at those times? (check /etc/cron.daily/ or /etc/cron.hourly/ for anything relevent)

Along the lines of Matirs string idea, it might be useful to compare the execution of one of the flagged binaries that's likely to be trojaned. For example, try running 'strace w' on that system and another and compare the output. It won't be identical, but look for any abnormal calls.

There is also some kind of conflict as to whether the md5sums match. If you have a good copy of tar (tar was flagged too) I'd save a copy of /proc with the command 'tar zcvf /destination.tgz /proc'. Then take the system offline and reboot with a live cd distro, mount the hd readonly and check the md5sums of the binaries in question and see if the match.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration