
Re: BIND exploited ?



I would also strongly suggest getting chkrootkit.

chkrootkit - Checks for signs of rootkits on the local system

chkrootkit identifies whether the target computer is infected with a
rootkit. It can currently identify the following root kits:
 1. lrk3, lrk4, lrk5, lrk6 (and some variants);
 2. Solaris rootkit;
 3. FreeBSD rootkit;
 4. t0rn (including latest variant);
 5. Ambient's Rootkit for Linux (ARK);
 6. Ramen Worm;
 7. rh[67]-shaper;
 8. RSHA;
 9. Romanian rootkit;
 10. RK17;
 11. Lion Worm;
 12. Adore Worm.

Please note that this is not a definitive test; it does not ensure that the
target has not been cracked. In addition to running chkrootkit, one should
perform more specific tests.

Hope that helps. What we did was install new hard disks, restore from
backups to the new hard disks, immediately find out how they got in by
analysing the old hard disks, patch/fix/whatever the new hard disks so the
kiddies can't get back in, and slowly and carefully go through the old
hard disks and find out what they did and such (if you are interested).
Good for a learning experience. Trace their actions, what they
did/changed/installed/etc.
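The "more specific tests" and the old-disk analysis above can be made concrete with a baseline comparison: build a hash manifest of a clean restore and of the mounted old disk, diff them, and separately sweep the old disk for hidden directories and setuid/setgid binaries (the two things the listing in the quoted post shows, a `/etc/...` directory and a setuid `in.pop3d`). The following is an added example, not code from this thread or from chkrootkit; the sample trees it builds in a temporary directory are constructed for illustration, and the file names in them are modelled on the quoted listing.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of path relative to root -> sha256 for every regular file below root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }


def diff_manifests(clean, suspect):
    """Files added, missing or changed on the suspect disk relative to the clean restore."""
    return {
        "added": sorted(set(suspect) - set(clean)),
        "missing": sorted(set(clean) - set(suspect)),
        "modified": sorted(p for p in clean if p in suspect and clean[p] != suspect[p]),
    }


def find_suspicious(root):
    """Hidden directories and setuid/setgid files below root (e.g. a mounted old disk)."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        rel = str(p.relative_to(root))
        if p.is_dir() and p.name.startswith("."):
            findings.append(("hidden-dir", rel))
        elif p.is_file() and not p.is_symlink():
            if p.stat().st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid-or-setgid", rel))
    return sorted(findings)


def build_sample_trees(base):
    """Constructed sample: a clean restore and a copy of the compromised disk."""
    clean, suspect = Path(base) / "clean", Path(base) / "suspect"
    for root in (clean, suspect):
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "usr" / "sbin").mkdir(parents=True)
        (root / "usr" / "sbin" / "inetd").write_bytes(b"\x7fELF clean inetd (constructed)")
    # Changes an intruder might leave behind (constructed, names modelled on the post):
    (suspect / "usr" / "sbin" / "inetd").write_bytes(b"\x7fELF replaced inetd (constructed)")
    hidden = suspect / "etc" / "..."
    hidden.mkdir()
    (hidden / "bindshell").write_bytes(b"\x7fELF (constructed)")
    pop3d = hidden / "in.pop3d"
    pop3d.write_bytes(b"\x7fELF (constructed)")
    pop3d.chmod(0o4711)  # -rws--x--x, as in the quoted listing
    return clean, suspect


def run_triage():
    """Build the sample trees, diff them and sweep the suspect tree."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = build_sample_trees(tmp)
        diff = diff_manifests(build_manifest(clean), build_manifest(suspect))
        return diff, find_suspicious(suspect)


if __name__ == "__main__":
    diff, findings = run_triage()
    for kind, paths in diff.items():
        print(f"{kind:9s} {paths}")
    for kind, path in findings:
        print(f"{kind:18s} {path}")
```

On a real case the two roots would be the clean restore and the old disk mounted read-only (and `noexec`), and the manifest of the clean side is worth keeping offline so the comparison can be repeated after patching.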

----- Original Message -----
From: "Thedore Knab" <tjk@annapolislinux.org>
To: <debian-isp@lists.debian.org>
Sent: Friday, January 04, 2002 10:16 AM
Subject: BIND exploited ?


> I recently inherited a machine that I think has been exploited.
>
> It seems to have a stupid root kit installed unless this is a decoy.
>
> What does it look like to you professionals?
>
> [root@moe ...]# uname -a
> Linux moe. 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686
> unknown
>
> [root@moe ...]# ps auxww
> USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
> root         1  0.0  0.3  1120  476 ?        S     2001   0:06 init [3]
> root         2  0.0  0.0     0    0 ?        SW    2001   0:00 [kflushd]
> root         3  0.0  0.0     0    0 ?        SW    2001   0:27 [kupdate]
> root         4  0.0  0.0     0    0 ?        SW    2001   0:00 [kpiod]
> root         5  0.0  0.0     0    0 ?        SW    2001   0:01 [kswapd]
> root         6  0.0  0.0     0    0 ?        SW<   2001   0:00
> [mdrecoveryd]
> root       154  0.0  0.3  1104  392 ?        S     2001   0:00
> /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r
> /etc/sysconfig/apm-scripts/resume
> bin        315  0.0  0.3  1216  404 ?        S     2001   0:00 portmap
> root       330  0.0  0.0     0    0 ?        SW    2001   0:00 [lockd]
> root       331  0.0  0.0     0    0 ?        SW    2001   0:00 [rpciod]
> root       340  0.0  0.4  1164  516 ?        S     2001   0:00 rpc.statd
> nobody     414  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     415  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     416  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     420  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     421  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> daemon     432  0.0  0.2  1144  296 ?        S     2001   0:00
> /usr/sbin/atd
> root       446  0.0  0.4  1328  572 ?        S     2001   0:00 crond
> root       464  0.0  0.3  1168  468 ?        S     2001   0:00 inetd
> root       478  0.0  1.6  3160 2120 ?        S     2001  14:00
> /usr/sbin/snmpd
> root       543  0.0  0.3  1156  400 ?        S     2001   0:00 gpm -t
> imps2
> xfs        604  0.0  0.6  1920  876 ?        S     2001   0:00 xfs
> -droppriv -daemon -port -1
> root       645  0.0  0.0   852  100 ?        S     2001   0:00
> /etc/.../bindshell
> root       646  0.0  0.0   864  124 ?        S     2001   0:00
> /etc/.../bnc
> root       650  0.0  0.3  1092  408 tty2     S     2001   0:00
> /sbin/mingetty tty2
> root       651  0.0  0.3  1092  408 tty3     S     2001   0:00
> /sbin/mingetty tty3
> root       652  0.0  0.3  1092  408 tty4     S     2001   0:00
> /sbin/mingetty tty4
> root       653  0.0  0.3  1092  408 tty5     S     2001   0:00
> /sbin/mingetty tty5
> root       654  0.0  0.3  1092  408 tty6     S     2001   0:00
> /sbin/mingetty tty6
> root       655  0.0  0.0   856  104 ?        S     2001   0:00
> /etc/.../lsh 31333 v0idzz
> named     9928  0.0  4.9  7268 6356 ?        S     2001   6:48 named -u
> named
> root     11369  0.0  0.3  1092  408 tty1     S     2001   0:00
> /sbin/mingetty tty1
> root      3574  0.0  0.5  1464  760 ?        S    20:28   0:00
> in.telnetd: calendar-spaces.
> root      3575  0.0  0.9  2312 1196 pts/0    S    20:28   0:00 login --
> ted
> ted       3576  0.0  0.7  1696  940 pts/0    S    20:28   0:00 -bash
> root      3599  0.0  0.7  2008  900 pts/0    S    20:28   0:00 su -
> root      3600  0.0  0.7  1748  996 pts/0    S    20:29   0:00 -bash
> root      3719  0.0  0.4  1172  540 ?        S    20:38   0:00 syslogd
> -m 0
> root      3728  0.0  0.6  1440  768 ?        S    20:38   0:00 klogd
> root      3817  0.0  0.5  2332  704 pts/0    R    20:43   0:00 ps auxww
>
> [root@moe ...]# cd /etc/...
> [root@moe ...]# ls -la
>
> [root@moe ...]# chmod 0 /etc/rc.d/init.d/apmd
> [root@moe ...]# chmod 0 /etc/rc.d/init.d/atd
>
> Processes running after making a few kills:
>
> [root@moe /root]# ps aux
> USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
> root         1  0.0  0.3  1120  476 ?        S     2001   0:06 init [3]
> root         2  0.0  0.0     0    0 ?        SW    2001   0:00 [kflushd]
> root         3  0.0  0.0     0    0 ?        SW    2001   0:28 [kupdate]
> root         4  0.0  0.0     0    0 ?        SW    2001   0:00 [kpiod]
> root         5  0.0  0.0     0    0 ?        SW    2001   0:01 [kswapd]
> root         6  0.0  0.0     0    0 ?        SW<   2001   0:00
> [mdrecoveryd]
> bin        315  0.0  0.3  1216  404 ?        S     2001   0:00 portmap
> root       330  0.0  0.0     0    0 ?        SW    2001   0:00 [lockd]
> root       331  0.0  0.0     0    0 ?        SW    2001   0:00 [rpciod]
> root       340  0.0  0.4  1164  516 ?        S     2001   0:00 rpc.statd
> nobody     414  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     415  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     416  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     420  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     421  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> root       446  0.0  0.4  1328  572 ?        S     2001   0:00 crond
> root       464  0.0  0.3  1168  468 ?        S     2001   0:00 inetd
> root       478  0.0  1.6  3160 2120 ?        S     2001  14:00
> /usr/sbin/snmpd
> xfs        604  0.0  0.6  1920  876 ?        S     2001   0:00 xfs
> -droppriv -daemon -port -1
> root       650  0.0  0.3  1092  408 tty2     S     2001   0:00
> /sbin/mingetty tty2
> root       651  0.0  0.3  1092  408 tty3     S     2001   0:00
> /sbin/mingetty tty3
> root       652  0.0  0.3  1092  408 tty4     S     2001   0:00
> /sbin/mingetty tty4
> root       653  0.0  0.3  1092  408 tty5     S     2001   0:00
> /sbin/mingetty tty5
> root       654  0.0  0.3  1092  408 tty6     S     2001   0:00
> /sbin/mingetty tty6
> named     9928  0.0  4.9  7268 6356 ?        S     2001   6:50 named -u
> named
> root     11369  0.0  0.3  1092  408 tty1     S     2001   0:00
> /sbin/mingetty tty1
> root      3574  0.0  0.5  1464  760 ?        S    20:28   0:00
> in.telnetd: calendar-spaces.
> root      3575  0.0  0.9  2312 1196 pts/0    S    20:28   0:00 login --
> ted
> ted       3576  0.0  0.7  1696  940 pts/0    S    20:28   0:00 -bash
> root      3599  0.0  0.7  2008  900 pts/0    S    20:28   0:00 su -
> root      3600  0.0  0.7  1748  996 pts/0    S    20:29   0:00 -bash
> root      3719  0.0  0.4  1172  540 ?        S    20:38   0:00 syslogd
> -m 0
> root      3728  0.0  0.6  1440  768 ?        S    20:38   0:00 klogd
> root      3926  0.0  0.5  2332  700 pts/0    R    21:13   0:00 ps aux
> total 237
> drwxr-xr-x    2 root     root         1024 Jan 31  2000 .
> drwxr-xr-x   34 root     root         3072 Jan  3 20:38 ..
> -rwxr-xr-x    1 root     root         5717 Apr  5  1997 bindshell
> -rwxr-xr-x    1 root     root        11552 Apr  5  1997 bnc
> -rw-r--r--    1 root     root           31 Apr 13  1997 bnc.conf
> -rws--x--x    1 root     root        26218 Sep 28  1999 in.pop3d
> -rwxr-xr-x    1 root     root       158300 Sep 28  1999 inetd
> -rwxr-xr-x    1 root     root         7544 Sep  2  1999 lsh
> -rwxr-xr-x    1 root     root         5528 Mar  8  1999 searchsniff
> -rwxr-xr-x    1 root     root         8155 Mar 13  1999 snif
> -rwxr-xr-x    1 root     root         8779 Mar  8  1999 sniff
>
>
> root@moe ...]# cat bnc.conf
> pt:102938
> ps:rewt
> mu:5
> dp:6667
>
>
> Although mostly binary code this text appeared:
>
> root@moe ...]# cat bnc.conf
>
> :Bnc!system@bnc.com NOTICE %s :You need to say /quote PASS <password>
> PASS :Bnc!system@bnc.com NOTICE %s :Level two, lets connect to something
> real now
> :Bnc!system@bnc.com NOTICE %s :type /quote conn [server] <port> <pass>
> to connect
> vip:Bnc!system@bnc.com NOTICE %s :Your Vhost is now %s
> conn:Bnc!system@bnc.com NOTICE %s :Making reality through %s port %i
> PASS %s
> NICK %s
> rbnc.conf***Ack! No config file (bnc.conf).
> #:
> ptmudppsvhConfig line %i rejected-what weirdo told you '%s' goes in my
> config file?
> -NONE-
> Irc Proxy v2.2.4 GNU project (C) 1997-98
> Coded by James Seter bugs-> (noonie@toledolink.com)
> ***Using defaults(Not recommended)
> --Configuration:
>     Daemon port......:%u
>     Password.........:%s
>     Maxusers.........:%u
>     Default conn port:%u
>
> [root@moe ...]# ./bnc
>
> Irc Proxy v2.2.4 GNU project (C) 1997-98
> Coded by James Seter bugs-> (noonie@toledolink.com)
>
> --Configuration:
> Daemon port......:102938
> Password.........:rewt
> Maxusers.........:5
> Default conn port:6667
>
> [root@moe ...]# ps aux
> USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
> root         1  0.0  0.3  1120  476 ?        S     2001   0:06 init [3]
> root         2  0.0  0.0     0    0 ?        SW    2001   0:00 [kflushd]
> root         3  0.0  0.0     0    0 ?        SW    2001   0:27 [kupdate]
> root         4  0.0  0.0     0    0 ?        SW    2001   0:00 [kpiod]
> root         5  0.0  0.0     0    0 ?        SW    2001   0:01 [kswapd]
> root         6  0.0  0.0     0    0 ?        SW<   2001   0:00
> [mdrecoveryd]
> root       154  0.0  0.3  1104  392 ?        S     2001   0:00
> /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r
> /etc/sysconfig/apm-scripts/resume
> bin        315  0.0  0.3  1216  404 ?        S     2001   0:00 portmap
> root       330  0.0  0.0     0    0 ?        SW    2001   0:00 [lockd]
> root       331  0.0  0.0     0    0 ?        SW    2001   0:00 [rpciod]
> root       340  0.0  0.4  1164  516 ?        S     2001   0:00 rpc.statd
> nobody     414  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     415  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     416  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     420  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> nobody     421  0.0  0.4  1308  544 ?        S     2001   0:00 identd -e
> -o
> daemon     432  0.0  0.2  1144  296 ?        S     2001   0:00
> /usr/sbin/atd
> root       446  0.0  0.4  1328  572 ?        S     2001   0:00 crond
> root       464  0.0  0.3  1168  468 ?        S     2001   0:00 inetd
> root       478  0.0  1.6  3160 2120 ?        S     2001  14:00
> /usr/sbin/snmpd
> root       543  0.0  0.3  1156  400 ?        S     2001   0:00 gpm -t
> imps2
> xfs        604  0.0  0.6  1920  876 ?        S     2001   0:00 xfs
> -droppriv -daemon -port -1
> root       645  0.0  0.0   852  100 ?        S     2001   0:00
> /etc/.../bindshell
> root       646  0.0  0.0   864  124 ?        S     2001   0:00
> /etc/.../bnc
> root       650  0.0  0.3  1092  408 tty2     S     2001   0:00
> /sbin/mingetty tty2
> root       651  0.0  0.3  1092  408 tty3     S     2001   0:00
> /sbin/mingetty tty3
> root       652  0.0  0.3  1092  408 tty4     S     2001   0:00
> /sbin/mingetty tty4
> root       653  0.0  0.3  1092  408 tty5     S     2001   0:00
> /sbin/mingetty tty5
> root       654  0.0  0.3  1092  408 tty6     S     2001   0:00
> /sbin/mingetty tty6
> root       655  0.0  0.0   856  104 ?        S     2001   0:00
> /etc/.../lsh 31333 v0idzz
> named     9928  0.0  4.9  7268 6356 ?        S     2001   6:49 named -u
> named
> root     11369  0.0  0.3  1092  408 tty1     S     2001   0:00
> /sbin/mingetty tty1
> root      3574  0.0  0.5  1464  760 ?        S    20:28   0:00
> root      3575  0.0  0.9  2312 1196 pts/0    S    20:28   0:00 login --
> ted
> ted       3576  0.0  0.7  1696  940 pts/0    S    20:28   0:00 -bash
> root      3599  0.0  0.7  2008  900 pts/0    S    20:28   0:00 su -
> root      3600  0.0  0.7  1748  996 pts/0    S    20:28   0:00 -bash
> root      3719  0.0  0.4  1172  540 ?        S    20:38   0:00 syslogd
> -m 0
> root      3728  0.0  0.6  1440  768 ?        S    20:38   0:00 klogd
> root      3826  0.0  0.2   864  292 ?        S    20:47   0:00 ./bnc
> root      3831  0.0  0.5  2332  700 pts/0    R    20:48   0:00 ps aux
> [root@moe ...]# date
> Thu Jan  3 20:48:36 EST 2002
> [root@moe ...]# kill -9 3826
>
> When I typed irc tab, these binaries came up:
> [root@moe ...]# irpd
> bindshell    bnc          bnc.conf     in.pop3d     inetd        lsh
> searchsniff  snif         sniff
>
> I started to turn off these processes:
>
>  1068  kill -9 645
>  1069  ps aux
>  1070  kill -9 646
>  1071  kill -9 655
>  1072  ps aux
>  1073  ls -la
>  1074  chmod 0 *
>  1075  ps aux
>
>  1076  vi /etc/hosts.deny
>         ALL: 6667
>
>  1079  kill -9  543
>
>  1080  kill 154
>
>   1086  crontab -l
>   1087  chmod 0 /etc/rc.d/init.d/ampd
>   1088  chmod 0 /etc/rc.d/init.d/apmd
>   1089  chmod 0 /etc/rc.d/init.d/atd
>
> [root@moe ...]# netstat -p
> (Not all processes could be identified, non-owned process info
>  will not be shown, you would have to be root to see it all.)
>  Active Internet connections (w/o servers)
>  Proto Recv-Q Send-Q Local Address           Foreign Address
>  State       PID/Program name
>  tcp        0    144 moe.:telnet calendar-spaces.w:32888
>  ESTABLISHED 3574/in.telnetd: ca
>  Active UNIX domain sockets (w/o servers)
>  Proto RefCnt Flags       Type       State         I-Node PID/Program
>  name    Path
>  unix  2      [ ]         DGRAM                    802437 3719/syslogd
>  /dev/log
>  unix  0      [ ]         STREAM     CONNECTED     159    1/init [3]
>  @00000016
>  unix  0      [ ]         DGRAM                    802456 9928/named
>  unix  0      [ ]         DGRAM                    802448 3728/klogd
>  unix  0      [ ]         DGRAM                    802245 3575/login --
>  ted
>  unix  0      [ ]         DGRAM                    623    604/xfs
>  unix  0      [ ]         DGRAM                    429    414/identd
>
>  Where do I go from here ?
>
>
>
>
> http://www.zentek-international.com
> http://www.zentek.biz
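The `ps auxww` listing in the quoted post is long enough that the three odd entries are easy to miss by eye. The following is an added example, not code from this thread: it parses `ps aux`-style output and flags any process whose executable lives in a hidden directory (a path component starting with a dot, such as the `/etc/...` in the post) and, going one step beyond the post, any executable started from a directory that should hold no daemons at all (`/etc`, `/tmp`, `/var/tmp`, `/dev`). The sample listing is constructed from a few of the post's lines with the mail-client wraps re-joined; on a live box the same function would be fed the output of `ps auxww` directly.

```python
# Constructed sample of `ps auxww` output, modelled on the post above
# (a handful of its lines with mail-client wraps re-joined).
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3  1120  476 ?        S     2001   0:06 init [3]
root       464  0.0  0.3  1168  468 ?        S     2001   0:00 inetd
root       645  0.0  0.0   852  100 ?        S     2001   0:00 /etc/.../bindshell
root       646  0.0  0.0   864  124 ?        S     2001   0:00 /etc/.../bnc
root       655  0.0  0.0   856  104 ?        S     2001   0:00 /etc/.../lsh 31333 v0idzz
named     9928  0.0  4.9  7268 6356 ?        S     2001   6:48 named -u named
root      3817  0.0  0.5  2332  704 pts/0    R    20:43   0:00 ps auxww
"""

# Directories that hold configuration or scratch data; nothing should run from them.
NO_EXEC_PREFIXES = ("/etc/", "/tmp/", "/var/tmp/", "/dev/")


def parse_ps(text):
    """Yield (user, pid, tty, command) tuples from `ps aux`-style output."""
    lines = [line for line in text.splitlines() if line.strip()]
    cmd_col = lines[0].split().index("COMMAND")  # 10 for the aux format
    for line in lines[1:]:
        # Split only up to the COMMAND column so the command keeps its arguments.
        fields = line.split(None, cmd_col)
        if len(fields) <= cmd_col:
            continue  # truncated line, nothing to inspect
        yield fields[0], int(fields[1]), fields[6], fields[cmd_col]


def hidden_components(path):
    """Path components that start with a dot, e.g. ['...'] for /etc/.../bnc."""
    return [c for c in path.split("/") if c.startswith(".") and c not in (".", "..")]


def triage(text):
    """Return {pid: [reasons]} for processes that deserve a closer look."""
    flagged = {}
    for user, pid, tty, command in parse_ps(text):
        exe = command.split()[0]
        reasons = []
        if hidden_components(exe):
            reasons.append("hidden-dir")
        if exe.startswith(NO_EXEC_PREFIXES):
            reasons.append("exec-from-config-or-tmp-dir")
        if reasons:
            flagged[pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE_PS).items()):
        print(f"PID {pid}: {', '.join(reasons)}")
```

Note what this does not catch: a replaced `inetd` or `in.pop3d` running from its normal path looks ordinary here, which is why the file-hash comparison against a clean restore, not the process list, is the test that settles whether system binaries were swapped.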


