Debian Stable server hacked

[Thijs Welman <thijs@balpol.tudelft.nl>]

Hi,

Last sunday, August 3rd 2003, one of my servers was hacked which i, by
coincidence, was able to catch 'in progress'.

My loganalyzer showed four "Did not receive identification string from
w.x.y.z" logentries from sshd. This happens all the time and i certainly
don't check all of them out, but i happen to do so this time.
I noticed suspicious network connections with netstat[1]. Shortly
thereafter i noticed i had two init processes and multiple syslogd 
processes. I killed the syslogd processes immediately, as the 
networktraffic appeared to be IRC-traffic. Then i practically sealed the 
machine from outside with my firewall, allowing me to do some further 
research.

I found the following:
- The extra init process was somehow spawned, but the originally binary
seems to have been deleted [2].
- All base system programs where ok, including init and syslogd. Md5s 
matched.
- in / there was "rpm-4.0.4.i386.tar.gz". I found that the content
was installed. It matches the archive on ftp.rpm.org (md5)
- I didn't find any other out-of-the-ordinary files
- chkrootkit didn't find anything but the extra init proces running.

I'm puzzled about how they managed to get those processes running (as
root). There are no local accounts, other than some accounts for the
sysadmins. Does anyone have any idea how they might have done this? 
Anyone seen similar hacks recently? I'd sure like to solve this problem, 
but at this moment i wouldn't know how, so suggestions are more than 
welcome.

Unfortunately i don't have the resources to get an IDS system up and
running...

regards and tia,

Thijs Welman
Delft University of Technology
the Netherlands
-----
[0] My server is running Debian stable with:
- linux-2.4.21-ac4 custom compiled kernel without LKM-support
- sshd
- apache
- apache-ssl
- php4
- smbd/nmbd (firewalled at the university network border)
- postfix (not accessible from outside)
- bind9 (not accessible from outside)
- mysql (firewalled)
- proftpd (firewalled)
- snmpd (firewalled)
- amanda-client from inetd (firewalled)

All packages are unmodified releases from Debian stable and, yes, i do
update packes from security.debian.org as soon as there are any updates. :)

[1] netstat -anp at that time:
tcp      0    0 MYIP:36789  IP#1:21    ESTABLISHED 12642/wget
tcp   1448    0 MYIP:36790  IP#1:20    ESTABLISHED 12642/wget
tcp      0    0 MYIP:44367  IP#2:60666 ESTABLISHED 10051/syslogd
tcp      0    0 MYIP:33397  IP#2:60666 ESTABLISHED 10051/syslogd
tcp      0   80 MYIP:53731  IP#3:59780 ESTABLISHED 10764/init

Note: i found out 'init' and 'syslogd' where 'extra' processes. My
normal init and syslogd were running normally (seemed untouched)

[2] lsof output:
init      1 root  cwd    DIR    3,3    4096      2 /
init      1 root  rtd    DIR    3,3    4096      2 /
init      1 root  txt    REG    3,3   27844 312195 /sbin/init
init      1 root  mem    REG    3,3   90210 179291 /lib/ld-2.2.5.so
init      1 root  mem    REG    3,3 1153784 179294 /lib/libc-2.2.5.so
init      1 root   10u  FIFO    3,3          49116 /dev/initctl
init      9 root  cwd    DIR    3,3    4096      2 /
init      9 root  rtd    DIR    3,3    4096      2 /
init      9 root  txt    REG    3,3   29304 312205 /sbin/init (deleted)
init      9 root    0u   CHR    1,3          49079 /dev/null
init      9 root    1u   CHR    1,3          49079 /dev/null
init      9 root    2u   CHR    1,3          49079 /dev/null
init      9 root    3u   CHR    1,2          49078 /dev/kmem
init      9 root    4u  sock    0,0             19 can't identify protocol