RE: BIND exploited ? -UPDATE

To: "Thedore Knab" <tjk@annapolislinux.org>, <debian-isp@lists.debian.org>
Subject: RE: BIND exploited ? -UPDATE
From: "Jeremy L. Gaddis" <jlgaddis@blueriver.net>
Date: Sat, 5 Jan 2002 21:06:18 -0500
Message-id: <[🔎] DEEEKMDBPONAICGLFKHDAEAFCAAA.jeremy@home.lan>
In-reply-to: <[🔎] 20020105064324.GA5343@annapolislinux.org>
You dumbass.  Everybody knows you don't try to fix a compromised
machine.  You take it in stride, wipe the drives and start all
over from a clean install.

j.

--
Jeremy L. Gaddis     <jlgaddis@blueriver.net>

-----Original Message-----
From: Ted Knab [mailto:tjk@breezysolutions.com]On Behalf Of Thedore Knab
Sent: Saturday, January 05, 2002 1:43 AM
To: debian-isp@lists.debian.org
Subject: Re: BIND exploited ? -UPDATE


Thanks for your help.

This was not a debian box. Maybe the next one will be.

I think it was updated from an earilier version that was hacked.

I am under the assumption that this server was this way for over 1 year.

[ted@moe chkrootkit-0.34]$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)

I just started this .edu sys admin job last week. It is fun. I am
finding all types of crazy
stuff that would send most normal people to the nut house. It is an
adventure.

I don't think I will be able to rebuild this DNS for a few days. I have
some
other projects that need to be rolled out for .edu political reasons. It
has been rooted
for sometime, so I have a lot of fixing to do.

I told everyone that needs to be informed, but they just don't get the
gravity of the situation.

Since I won't be able to build another, I tried isolating the services.

It also seems more fun to try and fix the broken box.

I think I have most of the cracked services isolated.

Behind door number 1 - less services

A nmap scan from my laptop reveals:

Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
Interesting ports on dns1.mywork.edu :
(The 1540 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
53/tcp     open        domain
113/tcp    open        auth

This is an improvement over what it looked like this morning:

See your advice helped... :-)

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
Interesting ports on dns1.mywork.edu :
(The 1533 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
53/tcp     open        domain
79/tcp     open        finger
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
943/tcp    open        unknown
1024/tcp   open        kdm


I found the startup location for the scripts.
The scripts were starting every reboot.

I guess the last time it started was:

[ted@moe chkrootkit-0.34]$ uptime
1:40am  up 154 days,  9:15,  1 user,  load average: 0.00, 0.00, 0.00

[root@moe /etc]# cat rc.d/rc.local
#!/bin/sh

# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/redhat-release ]; then
    R=$(cat /etc/redhat-release)

... cut

fi
###
#The Little Bastards Startup scripts #not very complicated
#/etc/.../bindshell &
#/etc/.../bnc &
#/etc/.../snif &
#/etc/.../lsh  31333 v0idzz

checkroot kit did not seem to find anything except a snifer.
This maybe because I did a chmod 0 on a bunch of the binaries I didn't
want starting ever again.

[root@moe chkrootkit-0.34]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not infected
Checking `killall'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not found
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not infected
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'...
/dev/.v0id/ptyq /dev/ptyp /dev/ptypr
Searching for sniffer's logs, it may take a while... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing
found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/linuxconf/install/gnome/.directory
/usr/lib/linuxconf/install/gnome/.order
/usr/lib/perl5/5.00503/i386-linux/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
/usr/lib/gopher-data/.Xdefaults /usr/lib/gopher-data/.bash_logout
/usr/lib/gopher-data/.bash_profile /usr/lib/gopher-data/.bashrc
/usr/lib/gopher-data/.kde /usr/lib/gopher-data/.kderc
/usr/lib/gopher-data/Desktop/.directory /usr/lib/gopher-data/.screenrc
/lib/modules/2.2.14-5.0/.rhkmvtag
/usr/lib/gopher-data/.kde
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is PROMISC
Checking `wted'... nothing deleted
Checking `z2'...
nothing deleted

I will keep you all up to date if I find any more new hacked machines.

-Ted



On Fri, Jan 04, 2002 at 01:43:16PM -0500, Andy Bastien wrote:
> On Fri Jan 04, a day that will live in infamy, Russell Coker wrote:
> > On Fri, 4 Jan 2002 17:54, Andy Bastien wrote:
> > > On Fri Jan 04, a day that will live in infamy, Russell Coker
wrote:
> > > > On Fri, 4 Jan 2002 03:16, Thedore Knab wrote:
> > > > > ?Where do I go from here ?
> > > >
> > > > Buy new hard drives, install them and install the latest version
of your
> > > > favourite distribution and configure it in a secure fashion.
Make sure
> > > > that all passwords are different.
> > >
> > > Is it really necessary to buy new hard drives?  Is there a reason
why
> > > he can't just reformat his current drives before reinstalling?
> >
> > Sure he can, if he wants to lose the evidence of what happened and
lose the
> > possibility to hand the drives over to law enforcement officials
(which may
> > be demanded of him even if he doesn't want it in the case that his
machine
> > was used to attack others).
>
> Good point!  Having never dealt with the fuzz after being compromised,
> I have to ask what you would do if your server is a file server with
> lots of big, expensive drives where a company might not be able to
> afford replacing them all?  Would they be happy with backups (keeping
> in mind that any tools used to backup the server might no longer be
> trustworthy)?  How about disk images (made with dd, or something
> similar) of the drives that contain the system stuff?
>
>
>
> --
> To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
>


--
To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Reply to:
Follow-Ups:
- RE: BIND exploited ? -UPDATE
  - From: Martin WHEELER <mwheeler@startext.co.uk>
References:
- Re: BIND exploited ? -UPDATE
  - From: Thedore Knab <tjk@annapolislinux.org>
Prev by Date: Re: BIND exploited ?
Next by Date: Centralized ISP Admin Package
Previous by thread: Re: BIND exploited ? -UPDATE
Next by thread: RE: BIND exploited ? -UPDATE
Index(es):
- Date
- Thread