
Re: Rootkit?



Okay, I hate to say it... but this is EXACTLY what I found. Hope the
following helps a bit from my recent experience....

Search the archives for my discussion on Debian.ISP regarding this.

I remember VERY DISTINCTLY the gzip problem... because I thought "WTF...
invalid option -d????".

The files had different names... but they were basically the same thing
(ie. replacing the same files).

I also remember the gzip problem because when I tried to run dpkg, apt-get
and stuff like that, it couldn't extract the compressed files either...
which led me to running gzip -d.... and hence the reason I remember this
distinctly.


I DOUBT this is a virus. The reason is because after close inspection, it
couldn't be self replicating as the box appeared to be getting more rooted
the more I looked around, indicating either someone was still logged in,
or something strange.

Plus if you run "strace somecommand"... with somecommand as one of the
rooted files, I remember the strace output to be really short (abnormally
short) compared with the real, regular, untainted output.

My solution? I did mv /bin /bin.hacked  ; mv /sbin /sbin.hacked and so
forth (for later inspection and discovery), then copied backup files from
other server to that one.

How? I put in a clean 80Gb hard disk into one of the un-rooted servers,
mounted it, cp -a /bin /mnt/freshdrive/  (and so forth), then plugged it
into the rooted server and copied all the files over. Ensure you boot from
a bootfloppy or something to ensure the kernel is untainted and stuff.

Also, make sure you upgrade your kernel to 2.4.21. I SUSPECT one of the
reasons we were rooted is because we were waiting for Debian to come out
with either a patched kernel source or a new one, and in the meantime it
was rooted. Debian was STRANGELY slow to release this... usually Debian is
pretty fast at releasing security updates, but anyway. For your reference,
that is the ptrace bug (lots of coverage on this... affects 2.4.18).

Check your config files too. I did NOT find any /etc files and similar to
be tainted, but you may want to make sure.

Also, Russell Coker recommended SE LINUX and some others recommended the
other anti-hack kernel mods. I am investigating these and 99% will start
using one, just need to find one that offers additional protection WITHOUT
needing a whole bunch of new config files to make and set, because we roll
each kernel to a bunch of servers, and each server is a bit different, and
it's a headache to have to customize the policy settings and stuff for
each. Reaching a compromise between security and ease-of-use is the goal
(haha want max security, enable nothing but ssh... but then again, even
ssh was rooted... maybe NetBSD or OpenBSD would offer the best protection
of any OS).

And btw... the way our Debian server got hacked, and now another Debian
server... is there a rootkit that is SPECIALIZED in hacking Debian servers
now? I know there are lots for Redhat (7.3, 8, 9) but not for Debian...
maybe this is a new hole/rootkit targeted at us all?

(btw. sorry for top posting... just wanted to help this guy out quickly,
as I remember the frustration I had when it happened to me)
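The replacement step above (keeping /bin.hacked for inspection and copying clean binaries over from another server) is easier to trust if the suspect tree is first diffed against checksums taken on the clean host. This is an added shell example, not code from the thread; it assumes sha256sum from coreutils and that the manifest travels to the victim on the same clean media the reply describes.

```shell
#!/bin/sh
# Added example, not from the thread: compare a suspect directory (the
# /bin.hacked kept for inspection, or the live /bin from a rescue boot) against
# a checksum manifest made on a known-clean host. Assumes sha256sum(1) from
# coreutils; file names containing whitespace are not handled.

# make_manifest DIR OUTFILE
# Record checksums of every regular file under DIR with paths relative to DIR,
# so manifests taken on two different hosts line up. Run this on the clean box.
make_manifest() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f | LC_ALL=C sort | xargs sha256sum) > "$out"
}

# verify_manifest MANIFEST DIR
# Print one line per divergence (MODIFIED, MISSING, EXTRA) and return 1 if any
# was found, 0 if DIR matches the manifest exactly. Run this on the suspect box.
verify_manifest() {
    manifest=$1; dir=$2
    report=$(
        # pass 1: every file the clean host had must exist here with the same hash
        while read -r sum path; do
            if [ ! -f "$dir/$path" ]; then
                printf '%s\n' "MISSING  $path"
            elif [ "$(cd "$dir" && sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
                printf '%s\n' "MODIFIED $path"
            fi
        done < "$manifest"
        # pass 2: anything here that the clean host never had (droppers, backdoors)
        (cd "$dir" && find . -type f) | while read -r path; do
            awk -v p="$path" '$2 == p { f = 1 } END { exit !f }' "$manifest" \
                || printf '%s\n' "EXTRA    $path"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use: on the clean host, make_manifest /bin clean-bin.sha256; carry the
# manifest over, then verify_manifest clean-bin.sha256 /bin.hacked on the victim.
```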

----- Original Message ----- 
From: "Domainbox, Tim Abenath" <ta@domainbox.de>
To: <debian-isp@lists.debian.org>
Sent: Friday, July 11, 2003 7:00 PM
Subject: Rootkit?


> Hello,
>
> In our server farm I found different machines not working properly. They
> show up complaining:
>
> webbox:/chkrootkit# gzip -d
> gzip: invalid option -- d
> Segmentation fault
>
> The binaries running take a look at /proc/uptime, which they are not
> supposed to do:
>
> webbox:/chkrootkit# strace -eopen ls
> open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/librt.so.1", O_RDONLY)       = 3
> open("/lib/libc.so.6", O_RDONLY)        = 3
> open("/lib/libpthread.so.0", O_RDONLY)  = 3
> open("/proc/uptime", O_RDONLY)          = 3
> open("/proc/4215/exe", O_RDONLY)        = 3
> --- SIGCHLD (Child exited) ---
> open("/dev/null", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOTDIR (Not a directory)
> open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
> open("/etc/mtab", O_RDONLY)             = 5
> open("/proc/meminfo", O_RDONLY)         = 5
> ACKNOWLEDGMENTS  README             check_wtmpx    chkdirs.c     chkpro
> chkrootkit      chkwtmp.c    strings
> COPYRIGHT        README.chklastlog  check_wtmpx.c  chklastlog    chkproc
> chkrootkit.lsm  ifpromisc    strings.c
> Makefile         README.chkwtmp     chkdirs        chklastlog.c
> chkproc.c
> chkwtmp         ifpromisc.c
> webbox:/chkrootkit#
>
> Is this a rootkit installed? Has someone experienced stuff like this? The
> machines are running Debian 3.0 with different kernels,
> 2.4.18-bf2.4 or a static 2.4.20
>
> ta@domainbox.de
> the countless lonely voices, like whispers in the dark...
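The strace output in the quoted post is the kind of evidence worth checking for every binary in /bin rather than just ls. The following added shell example (not code from the thread) parses `strace -eopen` output and flags the /proc/uptime and /proc/<pid>/exe opens the original poster noticed; the list of suspicious paths is an assumption built from that one trace.

```shell
#!/bin/sh
# Added example, not from the thread: triage helper for the strace symptom in
# the quoted post. It reads `strace -eopen <tool>` output and flags successful
# opens of /proc/uptime and /proc/<pid>/exe, which a clean ls has no reason to
# touch; the pattern list is this example's assumption and can be extended.

# scan_strace_opens < strace-output
# Prints "SUSPECT <path>" per suspicious open and "opens=N" (successful opens;
# the reply above notes trojaned binaries gave abnormally short traces).
# Returns 1 if anything was flagged, 0 otherwise.
scan_strace_opens() {
    awk '
        /^open\(/ {
            split($0, q, "\"")           # the path is the first quoted string
            path = q[2]
            if ($0 ~ /= -1 /) next       # failed opens (e.g. the ld.so.preload probe) are normal
            total++
            if (path == "/proc/uptime" || path ~ /^\/proc\/[0-9]+\/exe$/) {
                print "SUSPECT " path
                bad = 1
            }
        }
        END { print "opens=" total + 0; exit bad ? 1 : 0 }'
}

# Constructed sample: the trace from the quoted post, wrapped lines rejoined.
SAMPLE='open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/librt.so.1", O_RDONLY)       = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/lib/libpthread.so.0", O_RDONLY)  = 3
open("/proc/uptime", O_RDONLY)          = 3
open("/proc/4215/exe", O_RDONLY)        = 3
--- SIGCHLD (Child exited) ---
open("/dev/null", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOTDIR (Not a directory)
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
open("/etc/mtab", O_RDONLY)             = 5
open("/proc/meminfo", O_RDONLY)         = 5'

printf '%s\n' "$SAMPLE" | scan_strace_opens || echo "rootkit indicators present: rebuild from clean media"
```

On a live box the same function takes `strace -eopen ls 2>&1 | scan_strace_opens`, run once per binary under a rescue boot so the kernel itself is trusted.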
