
Re: Advice Needed On Recent Rootings



On Sun, May 25, 2003 at 02:25:28PM -0400, John Keimel wrote:
> Here's one major thing to consider. If all of your servers within your
> network are nearly the same, security wise, then you should consider
> that ALL of them are hacked. Until you've rebuilt every single one with
> trustable sources, your network is not safe. While you may not realize
> it, this Evil entity could still be gathering information on all your
> new systems, right as you put them online, which would really suck. 
That's the disturbing part.  They aren't on the same network (unless you
count the Internet) and they are *NOT* the same.  One wasn't running
Apache, all were running SSH, they were running different mail servers
(one postfix, two sendmail, a few courier-mta even!).  The kernels range
from 2.4.17-2.4.20 (depending on maintenance contracts :).  SSH is the
only commonality I can see and that disturbs me.  I've got a pretty good
handle on this guy's rootkits.

He appears to modify the kernel image in memory via /dev/kmem (a
next-generation LKM attack).  I've considered removing /dev/kmem (does
anything use it?) but I don't know about any side effects (and it
doesn't prevent him mknod'ing it).  It appears he actually has some sort
of kernel-level TTY logger *AND* a kernel-hack to hide files and
processes.  The only comfort in this is that some of our kernels are
apparently so exotic that his meddling crashes the machine during the
break-in (instead of leaving a more compromised system).  In general,
all of the rootkits are the same flavor (and seem unrelated to the LKM
stuff).

He uses a number of rootkits, but they all seem to be littered with his
handle (Kapitan).  At first I thought it was the guy who made the
rootkit, but later he appears to have custom configured it to e-mail
his e-mail address at yahoo (also includes kapitan).  It's also obvious
that he's aspiring to script-kiddie-dom.  Later hacks show progressively
more hacking of the same rootkit to strip off some other poor sap's name
and plaster his everywhere.

> If you're THAT infested, you NEED to clean house. Take a weekend, or a
> couple days, call in all the technical people who can build systems and
> order in for Pizza. Take the entire network offline and rebuild it.
> Until you can track all of the machines that are hacked or ensure that
> they are all, in fact, clean, you can assume no level of safety. 
Uhhh, that's me.  Trust me when I say I'm as technical as it gets (short
of the Gods like Linus).  It's not a single machine, it's a whole bunch
of them.  It's not a password problem either.  He seems to have hacked
multiple of them within an hour of each other (his rootkit files aren't
very clever about covering up mtime).  I just can't tell how he got in.
I've got some process accounting logs to go through, but they're ...
verbose.

> I hope that some folks will assist you in finding what hole has been
> exploited on your network, but as for right now, you need to seriously
> consider whether boxes that you think are clean, are in fact, clean. 
Got a good handle on that.  I was primarily trying to gauge if this is an
epidemic or something I've done.  Right now, it looks like an Apache
hole (there are logs of odd Apache requests before the crack and a few
machines that weren't cracked show web hits from the other machines),
but that could be wrong.

This guy's methods are crude once he gets in (hell, the only
applications I've even seen are sniffers and an IRC relay: psybnc).
Doesn't seem much more than your standard punk, script-kiddie.  But he's
got a *VERY* slick way of getting in.  Not sure how...

Thanks,

Jayson
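The two clues Jayson is working from in this message, rootkit files whose mtimes land within an hour of each other across hosts, and odd Apache hits from other machines in the fleet shortly before each crack, can be combined into a small cross-host timeline. The script below is an added example, not code from this thread or from any of the tools mentioned in it: it clusters hosts by the earliest rootkit-file mtime found on each, then pulls the Apache requests received in the half hour before a given host's compromise and flags the ones that came from a host that was already compromised by then. All hostnames, IP addresses, timestamps and log lines are constructed sample data; the real inputs would be the mtimes from `find -newer` style sweeps and the access logs of the cracked boxes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (hypothetical hosts, not from the thread): mtimes of the
# rootkit-dropped files found on each host, as ISO timestamps with the local offset.
ROOTKIT_MTIMES = {
    "mail1": ["2003-05-24T03:13:05-04:00", "2003-05-24T03:12:40-04:00"],
    "mail2": ["2003-05-24T03:41:12-04:00", "2003-05-24T03:41:30-04:00"],
    "web3":  ["2003-05-24T03:55:02-04:00"],
    "ftp4":  ["2003-05-20T11:02:00-04:00"],   # an older, unrelated drop
}
# Constructed host -> IP map (RFC 5737 documentation addresses).
HOST_IPS = {"mail1": "192.0.2.10", "mail2": "192.0.2.11",
            "web3": "192.0.2.12", "ftp4": "192.0.2.13"}

# Constructed Apache combined-format lines as seen on web3's access log.
ACCESS_LOG = """\
192.0.2.10 - - [24/May/2003:03:50:11 -0400] "GET / HTTP/1.0" 200 1234 "-" "-"
198.51.100.7 - - [24/May/2003:03:51:02 -0400] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
192.0.2.11 - - [24/May/2003:03:52:45 -0400] "GET /cgi-bin/ HTTP/1.0" 403 291 "-" "-"
203.0.113.9 - - [24/May/2003:09:12:00 -0400] "GET /robots.txt HTTP/1.1" 404 210 "-" "Googlebot"
"""

# Enough of the combined log format to get client IP, timestamp, request and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def earliest_mtimes(mtimes):
    """Per host, the earliest mtime among its rootkit files: the best estimate
    of when the rootkit was unpacked on that box."""
    return {host: min(datetime.fromisoformat(t) for t in stamps)
            for host, stamps in mtimes.items()}


def cluster_compromises(earliest, window=timedelta(hours=1)):
    """Group hosts whose earliest rootkit mtime lies within `window` of the
    first host in the group. One cluster is one likely break-in run."""
    clusters, starts = [], []
    for host, when in sorted(earliest.items(), key=lambda kv: kv[1]):
        if starts and when - starts[-1] <= window:
            clusters[-1].append(host)
        else:
            clusters.append([host])
            starts.append(when)
    return clusters


def parse_access_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "request": m["request"],
            "status": int(m["status"]),
        })
    return entries


def requests_before(entries, when, lookback=timedelta(minutes=30)):
    """Requests received in the `lookback` window ending at `when`."""
    return [e for e in entries if when - lookback <= e["ts"] < when]


def from_compromised_hosts(entries, earliest, host_ips):
    """Keep requests whose client is one of our own hosts that had already
    been rooted (earliest rootkit mtime precedes the request)."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    hits = []
    for e in entries:
        host = ip_to_host.get(e["ip"])
        if host is not None and earliest[host] < e["ts"]:
            hits.append((host, e))
    return hits


def investigate(target="web3"):
    """Apache hits on `target` from already-rooted fleet hosts, in the half
    hour before `target` itself was rooted."""
    earliest = earliest_mtimes(ROOTKIT_MTIMES)
    window = requests_before(parse_access_log(ACCESS_LOG), earliest[target])
    return from_compromised_hosts(window, earliest, HOST_IPS)


if __name__ == "__main__":
    print("break-in clusters:", cluster_compromises(earliest_mtimes(ROOTKIT_MTIMES)))
    for host, e in investigate("web3"):
        print(f"web3 <- {host} ({e['ip']}) at {e['ts']}: {e['request']} -> {e['status']}")
```

On the constructed data this puts mail1, mail2 and web3 into one cluster (ftp4's drop is days older and stands alone) and, for web3, surfaces the two hits from mail1 and mail2, both of which were already rooted when they made the request. Run the same correlation against every cracked host and the pattern Jayson describes, each freshly rooted box hitting the next one's web server, shows up as a chain ordered by mtime, which also narrows down which requests in the process accounting logs are worth reading first.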