Old 09-03-2007, 01:38 AM   #1
samosamo
LQ Newbie
 
Registered: Feb 2006
Posts: 2

Rep: Reputation: 0
Trojan horse/rootkit


Hello,

Need some help please.
Since last Friday, it looks like someone has not liked us.
We got attacked with a Trojan horse and a rootkit.

Commands like top, du, ls (only if you do an ls on an infected file) ... do not work or they produce errors.
Example:
[root@home:~]# top
top: error while loading shared libraries: libproc.so.2.0.6: cannot open shared object file: No such file or directory

I used Antivir and it found this.
/usr/bin/md5sum
Date: 16.12.2001 Time: 21:21:51 Size: 31452
ALERT: [TR/RKit.Agent.Q.3] /usr/bin/md5sum <<< Is the Trojan horse TR/RKit.Agent.Q.3

/usr/bin/du
Date: 04.09.2005 Time: 03:32:34 Size: 114848
ALERT: [TR/RKit.Agent.T.7] /usr/bin/du <<< Is the Trojan horse TR/RKit.Agent.T.7

/usr/bin/find
Date: 06.01.2006 Time: 17:53:29 Size: 59536
ALERT: [RKIT/Agent.R] /usr/bin/find <<< Contains signature of the rootkit RKIT/Agent.R

/usr/bin/top
Date: 27.01.2005 Time: 01:17:17 Size: 33992
ALERT: [TR/Linux.Hacktop.1] /usr/bin/top <<< Is the Trojan horse TR/Linux.Hacktop.1

/usr/bin/killall
Date: 12.01.2006 Time: 09:05:42 Size: 21306
ALERT: [TR/Rkit.Linux.A.T.9] /usr/bin/killall <<< Is the Trojan horse TR/Rkit.Linux.A.T.9

/usr/bin/pstree
Date: 12.01.2006 Time: 09:05:42 Size: 12340
ALERT: [TR/RKit.Agent.Q.6] /usr/bin/pstree <<< Is the Trojan horse TR/RKit.Agent.Q.6

/usr/bin/dir
Date: 16.12.2001 Time: 21:21:51 Size: 39696
ALERT: [RKIT/Agent.q] /usr/bin/dir <<< Contains signature of the rootkit RKIT/Agent.q

/usr/bin/vdir
Date: 16.12.2001 Time: 21:39:58 Size: 155464
ALERT: [TR/Rkit.Linux.A.T.6] /usr/bin/vdir <<< Is the Trojan horse TR/Rkit.Linux.A.T.6

/usr/bin/slocate
Date: 29.11.2000 Time: 22:54:24 Size: 23560
ALERT: [TR/RKit.Agent.Q.5] /usr/bin/slocate <<< Is the Trojan horse TR/RKit.Agent.Q.5

/usr/sbin/lsof
Date: 16.12.2001 Time: 21:21:51 Size: 82628
ALERT: [TR/RKit.Agent.Q.8] /usr/sbin/lsof <<< Is the Trojan horse TR/RKit.Agent.Q.8

/usr/sbin/xntps
Date: 01.09.2007 Time: 05:39:32 Size: 97093
ALERT: [RKIT/Agent.Q] /usr/sbin/xntps <<< Contains signature of the rootkit RKIT/Agent.Q

Also, I think this is not OK:

[root@home:~]# ls -la /usr/bin/top
ls: unrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable
-rwxr-xr-x 1 1676 mysql 33992 Jan 27 2005 /usr/bin/top

That mysql is the owner of top. When I try to chown, I get this:
[root@home:/usr/bin]# chown root:root top
chown: changing ownership of `top': Operation not permitted
[root@home:/usr/bin]#

Please help me; what can I do?
This is a game server that our clan uses for games like (ET, ET:QW, CSS, Q3).

Any kind of help would be appreciated.

Samo
 
Old 09-03-2007, 01:55 AM   #2
AceofSpades19
Senior Member
 
Registered: Feb 2007
Location: Chilliwack,BC.Canada
Distribution: Slackware64 -current
Posts: 2,079

Rep: Reputation: 58
reformat and reinstall
 
Old 09-03-2007, 01:58 AM   #3
tajamari
Member
 
Registered: Jul 2007
Distribution: Red Hat CentOS Ubuntu FreeBSD OpenSuSe
Posts: 252

Rep: Reputation: 32
Best is to regen the unit. You don't know if there are things that were placed on your server.

//Moderator.note: please don't quote whole posts unnecessarily.

Last edited by unSpawn; 09-03-2007 at 12:19 PM.
 
Old 09-03-2007, 02:03 AM   #4
samosamo
LQ Newbie
 
Registered: Feb 2006
Posts: 2

Original Poster
Rep: Reputation: 0
Hi,

Hmm well there are two things here.
1.) We are renting this server to other clans.
2.) This server is located in some datacenter. We are renting it as a root server.

Is there no other way?


Samo
 
Old 09-03-2007, 02:22 AM   #5
AceofSpades19
Senior Member
 
Registered: Feb 2007
Location: Chilliwack,BC.Canada
Distribution: Slackware64 -current
Posts: 2,079

Rep: Reputation: 58
The only way to guarantee the server isn't compromised is to reformat and reinstall.
 
Old 09-03-2007, 10:38 AM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Before reinstalling, try to get an understanding of how you were compromised...that way you can close any holes that you didn't know about that the attacker took advantage of. Reinstalling should be done only after you've fully investigated. I've seen people reinstall only to be immediately compromised again!
 
Old 09-03-2007, 12:18 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by samosamo
/usr/bin/vdir
Date: 16.12.2001 Time: 21:39:58 Size: 155464
ALERT: [TR/Rkit.Linux.A.T.6] /usr/bin/vdir <<< Is the Trojan horse TR/Rkit.Linux.A.T.6

(..)

/usr/sbin/xntps
Date: 01.09.2007 Time: 05:39:32 Size: 97093
ALERT: [RKIT/Agent.Q] /usr/sbin/xntps <<< Contains signature of the rootkit RKIT/Agent.Q
These belong to the SHv4 or Tuxtendo rootkits.


Quote:
Originally Posted by samosamo
[root@home:~]# ls -la /usr/bin/top
ls: unrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable
Hmm. That's the t0rn rootkit.


Quote:
Originally Posted by samosamo
-rwxr-xr-x 1 1676 mysql 33992 Jan 27 2005 /usr/bin/top
That mysql is the owner of top. When I try to chown, I get this:
[root@home:/usr/bin]# chown root:root top
chown: changing ownership of `top': Operation not permitted
Could be made immutable with 'chattr', and the fact that its GID is mysql could be telling, not that it matters much now. The cracker has root and you have root. If she's a bit careful she has already seen you snooping around. That could lead to anything from denying you access to the box to deleting everything.


Before I get to the details let's set one thing straight. This is a root compromise. This means the cracker can use the box for any purpose she has in mind. You could say your box turned into a "weapon". Your task is to regain control by any means you can. This means you'll have to make decisions that will cost you money. There are no, I repeat, no valid reasons to stall or not execute these steps. Here are your priorities.

1. Before doing anything else read this:
- Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html

2. What to do:
- Take a deep breath,
- Copy over safe binaries and list (and save) all connections (netstat -anp), processes (ps axf) and open files (lsof -w -n),
- Immediately after that raise the firewall to only allow traffic from and to your management IP. If you think somebody is looking over your shoulder prepare the script off-site, scp it over and execute.
- Bring all services except SSH down.
- Start making backups of the key areas of your box: /var, /etc, /home for investigative purposes only.

3. To build an understanding of the situation we would like to see these (use the CERT checklist):
- distro+release+kernel,
- audit data from your distro's package manager, Chkrootkit, Rootkit Hunter (any file integrity tools like AIDE or Samhain),
- auth data (login records and bad logins),
- any IDS (Snort)
- Anomalies from system, daemon and firewall logs,
- A list of installed SW and versions,
- A list of running services,
- any setuid root files
- LAMP piggybacking
- user shell histories
The more information, the better we can advise tailored to your situation.



Quote:
Originally Posted by AceofSpades19
reformat and reinstall
Next time please first check this forum for posts that handle incidents so you know what to do, or please refrain from posting. This is WAY too terse for a reply to be helpful by any standard. I'm not chiding you, but you have to understand your fellow LQ members deserve qualitatively "better" help than that.
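An added example, written for this thread and not code from any of its posters: a small POSIX shell helper that carries out the collection steps from the post above (save connections with netstat -anp, processes with ps axf and open files with lsof -w -n, then list setuid files and binaries not owned by root, the tell that gave away /usr/bin/top here). It assumes the responder has already copied known-good tools into a directory named by SAFE_BIN (assumed path; the thread only says "copy over safe binaries"); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): volatile-state collection for a suspected
# root compromise. SAFE_BIN is an assumed location holding known-good, statically
# linked copies of ps/netstat/lsof brought over from a clean machine.
SAFE_BIN="${SAFE_BIN:-/mnt/safebin}"

# Run a tool from SAFE_BIN when a trusted copy exists there; otherwise fall back to
# the system copy and flag its output as untrusted, because on a box like the one
# in the thread the system binaries are exactly what the rootkit replaced.
run_tool() {
    tool="$1"
    shift
    if [ -x "$SAFE_BIN/$tool" ]; then
        echo "## $tool (trusted copy from $SAFE_BIN)"
        "$SAFE_BIN/$tool" "$@"
    elif command -v "$tool" >/dev/null 2>&1; then
        echo "## $tool (UNTRUSTED system copy; a rootkit may hide entries)"
        command "$tool" "$@"
    else
        echo "## $tool: not available on this host"
    fi
}

# Step 2 of the post: record connections, processes and open files before raising
# the firewall or stopping services. Collection continues even if one tool fails,
# and each file starts with a header saying which copy of the tool produced it.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir"
    run_tool ps axf       > "$outdir/ps.txt"      2>&1 || true
    run_tool netstat -anp > "$outdir/netstat.txt" 2>&1 || true
    run_tool lsof -w -n   > "$outdir/lsof.txt"    2>&1 || true
    date -u > "$outdir/collected_at.txt"
    echo "$outdir"
}

# Step 3 of the post: setuid files under a tree, printed with numeric owner so the
# setuid-root ones (uid 0) can be separated from the rest.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 -exec ls -ln {} \; 2>/dev/null
}

# The thread's own clue: /usr/bin/top owned by uid 1676, group mysql. Binaries in
# a system directory that are not owned by root deserve a close look.
find_nonroot_owned() {
    find "$1" -xdev -type f ! -user root -exec ls -ln {} \; 2>/dev/null
}

# Usage (as root, from a shell whose PATH points at the trusted tools first):
#   collect_volatile /root/triage-$(date +%Y%m%d)
#   find_setuid /usr
#   find_nonroot_owned /usr/bin
```

Keep the output directory off the compromised filesystem if at all possible (a USB stick, an NFS mount or a scp to the management host), and treat anything produced by a fallback "UNTRUSTED" tool as a hint rather than evidence, since a kernel-level rootkit can filter what the replaced userland tools report.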
 