
Re: BIND exploited?



Rooted by some script kiddies, perhaps..
rpc.statd or BIND exploited. Some say it's better to reinstall the box; personally I like diggin' :-)) First, disconnect, kick out all aliens, or save them somewhere, quarantined, to check them out later. Then get some new packages on CDs, or floppies, or from the LAN, and update the daemons after assuring they're not trojanized. Also search for traces of adore; get the kstat program to detect it (sorry, no URL at hand). Check your logs, email the attackers' ISP addresses if you can find something, and always be aware :)
Good luck..



At 09:16 PM 1/3/02 -0500, Thedore Knab wrote:
I recently inherited a machine that I think has been exploited.

It seems to have a stupid root kit installed unless this is a decoy.

What does it look like to you professionals?

[root@moe ...]# uname -a
Linux moe. 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown

[root@moe ...]# ps auxww
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3  1120  476 ?        S     2001   0:06 init [3]
root         2  0.0  0.0     0    0 ?        SW    2001   0:00 [kflushd]
root         3  0.0  0.0     0    0 ?        SW    2001   0:27 [kupdate]
root         4  0.0  0.0     0    0 ?        SW    2001   0:00 [kpiod]
root         5  0.0  0.0     0    0 ?        SW    2001   0:01 [kswapd]
root         6  0.0  0.0     0    0 ?        SW<   2001   0:00 [mdrecoveryd]
root       154  0.0  0.3  1104  392 ?        S     2001   0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r /etc/sysconfig/apm-scripts/resume
bin        315  0.0  0.3  1216  404 ?        S     2001   0:00 portmap
root       330  0.0  0.0     0    0 ?        SW    2001   0:00 [lockd]
root       331  0.0  0.0     0    0 ?        SW    2001   0:00 [rpciod]
root       340  0.0  0.4  1164  516 ?        S     2001   0:00 rpc.statd
nobody     414  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     415  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     416  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     420  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     421  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
daemon     432  0.0  0.2  1144  296 ?        S     2001   0:00 /usr/sbin/atd
root       446  0.0  0.4  1328  572 ?        S     2001   0:00 crond
root       464  0.0  0.3  1168  468 ?        S     2001   0:00 inetd
root       478  0.0  1.6  3160 2120 ?        S     2001  14:00 /usr/sbin/snmpd
root       543  0.0  0.3  1156  400 ?        S     2001   0:00 gpm -t imps2
xfs        604  0.0  0.6  1920  876 ?        S     2001   0:00 xfs -droppriv -daemon -port -1
root       645  0.0  0.0   852  100 ?        S     2001   0:00 /etc/.../bindshell
root       646  0.0  0.0   864  124 ?        S     2001   0:00 /etc/.../bnc
root       650  0.0  0.3  1092  408 tty2     S     2001   0:00 /sbin/mingetty tty2
root       651  0.0  0.3  1092  408 tty3     S     2001   0:00 /sbin/mingetty tty3
root       652  0.0  0.3  1092  408 tty4     S     2001   0:00 /sbin/mingetty tty4
root       653  0.0  0.3  1092  408 tty5     S     2001   0:00 /sbin/mingetty tty5
root       654  0.0  0.3  1092  408 tty6     S     2001   0:00 /sbin/mingetty tty6
root       655  0.0  0.0   856  104 ?        S     2001   0:00 /etc/.../lsh 31333 v0idzz
named     9928  0.0  4.9  7268 6356 ?        S     2001   6:48 named -u named
root     11369  0.0  0.3  1092  408 tty1     S     2001   0:00 /sbin/mingetty tty1
root      3574  0.0  0.5  1464  760 ?        S    20:28   0:00 in.telnetd: calendar-spaces.
root      3575  0.0  0.9  2312 1196 pts/0    S    20:28   0:00 login -- ted
ted       3576  0.0  0.7  1696  940 pts/0    S    20:28   0:00 -bash
root      3599  0.0  0.7  2008  900 pts/0    S    20:28   0:00 su -
root      3600  0.0  0.7  1748  996 pts/0    S    20:29   0:00 -bash
root      3719  0.0  0.4  1172  540 ?        S    20:38   0:00 syslogd -m 0
root      3728  0.0  0.6  1440  768 ?        S    20:38   0:00 klogd
root      3817  0.0  0.5  2332  704 pts/0    R    20:43   0:00 ps auxww

[root@moe ...]# cd /etc/...
[root@moe ...]# ls -la
total 237
drwxr-xr-x    2 root     root         1024 Jan 31  2000 .
drwxr-xr-x   34 root     root         3072 Jan  3 20:38 ..
-rwxr-xr-x    1 root     root         5717 Apr  5  1997 bindshell
-rwxr-xr-x    1 root     root        11552 Apr  5  1997 bnc
-rw-r--r--    1 root     root           31 Apr 13  1997 bnc.conf
-rws--x--x    1 root     root        26218 Sep 28  1999 in.pop3d
-rwxr-xr-x    1 root     root       158300 Sep 28  1999 inetd
-rwxr-xr-x    1 root     root         7544 Sep  2  1999 lsh
-rwxr-xr-x    1 root     root         5528 Mar  8  1999 searchsniff
-rwxr-xr-x    1 root     root         8155 Mar 13  1999 snif
-rwxr-xr-x    1 root     root         8779 Mar  8  1999 sniff

[root@moe ...]# chmod 0 /etc/rc.d/init.d/apmd
[root@moe ...]# chmod 0 /etc/rc.d/init.d/atd

Processes running after making a few kills:

[root@moe /root]# ps aux
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3  1120  476 ?        S     2001   0:06 init [3]
root         2  0.0  0.0     0    0 ?        SW    2001   0:00 [kflushd]
root         3  0.0  0.0     0    0 ?        SW    2001   0:28 [kupdate]
root         4  0.0  0.0     0    0 ?        SW    2001   0:00 [kpiod]
root         5  0.0  0.0     0    0 ?        SW    2001   0:01 [kswapd]
root         6  0.0  0.0     0    0 ?        SW<   2001   0:00 [mdrecoveryd]
bin        315  0.0  0.3  1216  404 ?        S     2001   0:00 portmap
root       330  0.0  0.0     0    0 ?        SW    2001   0:00 [lockd]
root       331  0.0  0.0     0    0 ?        SW    2001   0:00 [rpciod]
root       340  0.0  0.4  1164  516 ?        S     2001   0:00 rpc.statd
nobody     414  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     415  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     416  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     420  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     421  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
root       446  0.0  0.4  1328  572 ?        S     2001   0:00 crond
root       464  0.0  0.3  1168  468 ?        S     2001   0:00 inetd
root       478  0.0  1.6  3160 2120 ?        S     2001  14:00 /usr/sbin/snmpd
xfs        604  0.0  0.6  1920  876 ?        S     2001   0:00 xfs -droppriv -daemon -port -1
root       650  0.0  0.3  1092  408 tty2     S     2001   0:00 /sbin/mingetty tty2
root       651  0.0  0.3  1092  408 tty3     S     2001   0:00 /sbin/mingetty tty3
root       652  0.0  0.3  1092  408 tty4     S     2001   0:00 /sbin/mingetty tty4
root       653  0.0  0.3  1092  408 tty5     S     2001   0:00 /sbin/mingetty tty5
root       654  0.0  0.3  1092  408 tty6     S     2001   0:00 /sbin/mingetty tty6
named     9928  0.0  4.9  7268 6356 ?        S     2001   6:50 named -u named
root     11369  0.0  0.3  1092  408 tty1     S     2001   0:00 /sbin/mingetty tty1
root      3574  0.0  0.5  1464  760 ?        S    20:28   0:00 in.telnetd: calendar-spaces.
root      3575  0.0  0.9  2312 1196 pts/0    S    20:28   0:00 login -- ted
ted       3576  0.0  0.7  1696  940 pts/0    S    20:28   0:00 -bash
root      3599  0.0  0.7  2008  900 pts/0    S    20:28   0:00 su -
root      3600  0.0  0.7  1748  996 pts/0    S    20:29   0:00 -bash
root      3719  0.0  0.4  1172  540 ?        S    20:38   0:00 syslogd -m 0
root      3728  0.0  0.6  1440  768 ?        S    20:38   0:00 klogd
root      3926  0.0  0.5  2332  700 pts/0    R    21:13   0:00 ps aux


[root@moe ...]# cat bnc.conf
pt:102938
ps:rewt
mu:5
dp:6667


Although mostly binary code, this text appeared:

[root@moe ...]# cat bnc.conf

:Bnc!system@bnc.com NOTICE %s :You need to say /quote PASS <password>
PASS :Bnc!system@bnc.com NOTICE %s :Level two, lets connect to something real now
:Bnc!system@bnc.com NOTICE %s :type /quote conn [server] <port> <pass> to connect
vip:Bnc!system@bnc.com NOTICE %s :Your Vhost is now %s
conn:Bnc!system@bnc.com NOTICE %s :Making reality through %s port %i
PASS %s
NICK %s
rbnc.conf***Ack! No config file (bnc.conf).
#:
ptmudppsvhConfig line %i rejected-what weirdo told you '%s' goes in my config file?
-NONE-
Irc Proxy v2.2.4 GNU project (C) 1997-98
Coded by James Seter bugs-> (noonie@toledolink.com)
***Using defaults(Not recommended)
--Configuration:
    Daemon port......:%u
    Password.........:%s
    Maxusers.........:%u
    Default conn port:%u

[root@moe ...]# ./bnc

Irc Proxy v2.2.4 GNU project (C) 1997-98
Coded by James Seter bugs-> (noonie@toledolink.com)

--Configuration:
Daemon port......:102938
Password.........:rewt
Maxusers.........:5
Default conn port:6667

[root@moe ...]# ps aux
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3  1120  476 ?        S     2001   0:06 init [3]
root         2  0.0  0.0     0    0 ?        SW    2001   0:00 [kflushd]
root         3  0.0  0.0     0    0 ?        SW    2001   0:27 [kupdate]
root         4  0.0  0.0     0    0 ?        SW    2001   0:00 [kpiod]
root         5  0.0  0.0     0    0 ?        SW    2001   0:01 [kswapd]
root         6  0.0  0.0     0    0 ?        SW<   2001   0:00 [mdrecoveryd]
root       154  0.0  0.3  1104  392 ?        S     2001   0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r /etc/sysconfig/apm-scripts/resume
bin        315  0.0  0.3  1216  404 ?        S     2001   0:00 portmap
root       330  0.0  0.0     0    0 ?        SW    2001   0:00 [lockd]
root       331  0.0  0.0     0    0 ?        SW    2001   0:00 [rpciod]
root       340  0.0  0.4  1164  516 ?        S     2001   0:00 rpc.statd
nobody     414  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     415  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     416  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     420  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
nobody     421  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e -o
daemon     432  0.0  0.2  1144  296 ?        S     2001   0:00 /usr/sbin/atd
root       446  0.0  0.4  1328  572 ?        S     2001   0:00 crond
root       464  0.0  0.3  1168  468 ?        S     2001   0:00 inetd
root       478  0.0  1.6  3160 2120 ?        S     2001  14:00 /usr/sbin/snmpd
root       543  0.0  0.3  1156  400 ?        S     2001   0:00 gpm -t imps2
xfs        604  0.0  0.6  1920  876 ?        S     2001   0:00 xfs -droppriv -daemon -port -1
root       645  0.0  0.0   852  100 ?        S     2001   0:00 /etc/.../bindshell
root       646  0.0  0.0   864  124 ?        S     2001   0:00 /etc/.../bnc
root       650  0.0  0.3  1092  408 tty2     S     2001   0:00 /sbin/mingetty tty2
root       651  0.0  0.3  1092  408 tty3     S     2001   0:00 /sbin/mingetty tty3
root       652  0.0  0.3  1092  408 tty4     S     2001   0:00 /sbin/mingetty tty4
root       653  0.0  0.3  1092  408 tty5     S     2001   0:00 /sbin/mingetty tty5
root       654  0.0  0.3  1092  408 tty6     S     2001   0:00 /sbin/mingetty tty6
root       655  0.0  0.0   856  104 ?        S     2001   0:00 /etc/.../lsh 31333 v0idzz
named     9928  0.0  4.9  7268 6356 ?        S     2001   6:49 named -u named
root     11369  0.0  0.3  1092  408 tty1     S     2001   0:00 /sbin/mingetty tty1
root      3574  0.0  0.5  1464  760 ?        S    20:28   0:00
root      3575  0.0  0.9  2312 1196 pts/0    S    20:28   0:00 login -- ted
ted       3576  0.0  0.7  1696  940 pts/0    S    20:28   0:00 -bash
root      3599  0.0  0.7  2008  900 pts/0    S    20:28   0:00 su -
root      3600  0.0  0.7  1748  996 pts/0    S    20:28   0:00 -bash
root      3719  0.0  0.4  1172  540 ?        S    20:38   0:00 syslogd -m 0
root      3728  0.0  0.6  1440  768 ?        S    20:38   0:00 klogd
root      3826  0.0  0.2   864  292 ?        S    20:47   0:00 ./bnc
root      3831  0.0  0.5  2332  700 pts/0    R    20:48   0:00 ps aux
[root@moe ...]# date
Thu Jan  3 20:48:36 EST 2002
[root@moe ...]# kill -9 3826

When I typed irc tab, these binaries came up:
[root@moe ...]# irpd
bindshell    bnc          bnc.conf     in.pop3d     inetd        lsh
searchsniff  snif         sniff

I started to turn off these processes:

 1068  kill -9 645
 1069  ps aux
 1070  kill -9 646
 1071  kill -9 655
 1072  ps aux
 1073  ls -la
 1074  chmod 0 *
 1075  ps aux

 1076  vi /etc/hosts.deny
        ALL: 6667

 1079  kill -9  543

 1080  kill 154

 1086  crontab -l
 1087  chmod 0 /etc/rc.d/init.d/ampd
 1088  chmod 0 /etc/rc.d/init.d/apmd
 1089  chmod 0 /etc/rc.d/init.d/atd

[root@moe ...]# netstat -p
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0    144 moe.:telnet             calendar-spaces.w:32888 ESTABLISHED 3574/in.telnetd: ca
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ]         DGRAM                    802437 3719/syslogd        /dev/log
unix  0      [ ]         STREAM     CONNECTED     159    1/init [3]          @00000016
unix  0      [ ]         DGRAM                    802456 9928/named
unix  0      [ ]         DGRAM                    802448 3728/klogd
unix  0      [ ]         DGRAM                    802245 3575/login -- ted
unix  0      [ ]         DGRAM                    623    604/xfs
unix  0      [ ]         DGRAM                    429    414/identd

Where do I go from here?




--
To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Petre L. Daniel, System Administrator
Canad Systems Pitesti Romania,
http://www.cyber.ro email: office@cyber.ro
tel: +4048220044 +4048206200
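A small triage helper, added here as an example and not part of either mail, that rebuilds the folded `ps auxww` listing quoted above and flags the two things it shows: processes whose binary lives under a dot-named directory such as /etc/..., and setuid entries in the `ls -la` output (the in.pop3d copy). The sample inputs are constructed to mirror the post; on a box like this ps and ls may themselves be replaced, so feed it output from binaries off clean media.

```python
import re

# Constructed sample, modelled on the folded `ps auxww` listing in the post:
# the mail client wrapped long rows, so a continuation line has no PID column.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3  1120  476 ?        S     2001   0:06 init [3]
root       645  0.0  0.0   852  100 ?        S     2001   0:00
/etc/.../bindshell
root       655  0.0  0.0   856  104 ?        S     2001   0:00
/etc/.../lsh 31333 v0idzz
named     9928  0.0  4.9  7268 6356 ?        S     2001   6:48 named -u
named
root      3719  0.0  0.4  1172  540 ?        S    20:38   0:00 syslogd
-m 0
"""
# Constructed sample of the `ls -la /etc/...` listing (three of its entries).
SAMPLE_LS = """\
-rwxr-xr-x    1 root     root         5717 Apr  5  1997 bindshell
-rws--x--x    1 root     root        26218 Sep 28  1999 in.pop3d
-rwxr-xr-x    1 root     root       158300 Sep 28  1999 inetd
"""
# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME, then the rest is COMMAND.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_ps(text):
    """Return (user, pid, command) tuples, gluing folded lines onto the previous row."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        m = ROW.match(line)
        if m:
            rows.append([m.group(1), int(m.group(2)), m.group(3)])
        elif rows and line.strip():             # no PID column: a wrapped COMMAND tail
            rows[-1][2] = (rows[-1][2] + " " + line.strip()).strip()
    return [tuple(r) for r in rows]

def hidden_dir_procs(rows):
    """Flag commands whose executable sits under a dot-named directory (the /etc/... trick)."""
    hits = []
    for _user, pid, cmd in rows:
        exe = cmd.split()[0] if cmd else ""
        if any(part.startswith(".") for part in exe.split("/")[:-1]):
            hits.append((pid, exe))
    return hits

def setuid_files(ls_text):
    """Names whose mode string has s/S in the owner-execute slot, like in.pop3d above."""
    return [f[-1] for f in (l.split() for l in ls_text.splitlines())
            if len(f) >= 9 and f[0][3] in "sS"]
```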


