
Re: My machine was hacked - possibly via sshd?



On Wed, Jul 20, 2005 at 10:17:56AM -0700, Brent Bates wrote:
> This morning my machine was also compromised in a similar fashion as 
> described in your post here.
> 
> http://lists.debian.org/debian-security/2005/03/msg00112.html
> 
> Was the point of entry ever determined?

  That one seemed to be a fairly obvious weak password which was
 escalated into a root attack via a local kernel flaw.

  
> I just happened to log onto my machine while this was taking place.  I did
> a ps and killed everything except non essential processes and mounted a
> directory tree I had with known good binaries and used those to poke
> around the machine.
> 
> I have no idea how they got in, there were a lot of processes running as 
> nobody.  I really only run apache as nobody, so that could be the point of 
> entry.  

  What CGI / PHP / scripts are you running with Apache?

> root       955     1  0 Jan10 ?        00:00:11 /usr/local/apache/bin/httpd

  That's not a Debian package.

> root      1471     1  0 Jan10 ?        00:00:00 /usr/local/snmp/sbin/snmpd

  Neither is that.

  If you're going to run non-Debian packages you must keep track of
 them and make sure they are up to date.  Have you done so ..?

> bates    24862 24857  0 Jul11 ?        00:00:00 ./server_linux -PID=tsserver2.pi
> root     16095   955  0 Jul18 ?        00:00:00 /usr/local/sbin/cronolog --perio

  Don't recognise either of those.

> nobody    4824  4752  0 06:40 ?        00:00:00 ./ptr3
> nobody    4825  4824  0 06:40 ?        00:00:00 [ptr3 <defunct>]
> nobody    4826  4824  0 06:40 ?        00:00:00 [ptr3 <defunct>]

  Local kernel exploitation attempts ..?

> root      4920     1  0 06:41 ?        00:00:00 chmod 755 /usr/local/bin/ssh2
> root      4925  4920  0 06:41 ?        00:00:00 [chmod <defunct>]
> root      4927     1  0 06:41 ?        00:00:00 mv -f sshd /usr/sbin/sshd
> root      4929     1  0 06:41 ?        00:00:00 chown root.bin /usr/sbin/sshd

  Trojan installation ..?

> nobody    4967  4964  0 06:42 ?        00:00:00 perl clean 220.228.110.11 2025

  IP address of attacker ..?

> nobody    5030  5005  0 06:43 ?        00:00:00 ./traci
> nobody    5031  5030  0 06:43 ?        00:00:00 ./traci
> nobody    5032  5030  0 06:43 ?        00:00:00 [traci <defunct>]
> root      5033  5030  0 06:43 ?        00:00:00 [modprobe <defunct>]

  Kernel attempt again ..?

  Lots of detail there .. but it is a bit hard to understand without
 more knowledge of what is upon your system, etc.

  My immediate suggestion would be to disconnect the machine from the
 network, and proceed from there.  If you have a tripwire/aide/checksumming
 installation in place you can use that to detect binary modifications 
 by booting from a known-good media.

  If not your best option is to try to determine what route the attacker 
 used to get in, make sure you're comfortable you can close it, and then
 reinstall.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit
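As an added example (not code from the thread or from Debian), the following POSIX shell/awk filter applies the four patterns Steve picks out in the quoted listing to `ps -ef` output: binaries started by relative path, a service account driving an interpreter, root rewriting files under system binary directories, and a root process whose parent runs unprivileged. The process table it runs over is a constructed sample modelled on the quoted lines; the rule names and the `flag_ps`/`flag_count` helpers are this example's own.

```shell
#!/bin/sh
# Triage ps -ef output for the indicators discussed in the reply. Rules and
# sample are constructed for this example, not taken from the original post.

# flag_ps: read ps -ef lines on stdin, print "<reason><TAB><line>" per hit.
# Assumes parents are listed before children (true for plain ps -ef) so the
# parent's UID can be looked up for rule 4.
flag_ps() {
  awk '
    NR == 1 && $1 == "UID" { next }          # header line
    NF < 8 { next }                           # blank / truncated lines
    {
      uid = $1; pid = $2; ppid = $3; cmd = $8; reason = ""
      uid_of[pid] = uid
      # 1. executable started by relative path: typical of a dropped payload
      if (cmd ~ /^\.\//)
        reason = "relative-path exec"
      # 2. service account running an interpreter instead of its daemon
      else if (uid == "nobody" && (cmd == "perl" || cmd == "sh" || cmd == "python"))
        reason = "nobody running interpreter"
      # 3. root changing mode/owner/location of files under system bin dirs
      else if (uid == "root" && (cmd == "chmod" || cmd == "chown" || cmd == "mv") &&
               $0 ~ /\/usr\/(local\/)?s?bin\//)
        reason = "root altering system binary"
      # 4. root process whose parent runs as an unprivileged user
      else if (uid == "root" && uid_of[ppid] != "" && uid_of[ppid] != "root")
        reason = "root child of unprivileged parent"
      if (reason != "") printf "%s\t%s\n", reason, $0
    }'
}

# flag_count: number of flagged lines on stdin (useful as a cron check).
flag_count() { flag_ps | awk 'END { print NR + 0 }'; }

# Constructed sample modelled on the listing quoted in the thread.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root       955     1  0 Jan10 ?        00:00:11 /usr/local/apache/bin/httpd
root      1471     1  0 Jan10 ?        00:00:00 /usr/local/snmp/sbin/snmpd
nobody    4824  4752  0 06:40 ?        00:00:00 ./ptr3
nobody    4825  4824  0 06:40 ?        00:00:00 [ptr3 <defunct>]
root      4920     1  0 06:41 ?        00:00:00 chmod 755 /usr/local/bin/ssh2
root      4927     1  0 06:41 ?        00:00:00 mv -f sshd /usr/sbin/sshd
root      4929     1  0 06:41 ?        00:00:00 chown root.bin /usr/sbin/sshd
nobody    4967  4964  0 06:42 ?        00:00:00 perl clean 220.228.110.11 2025
nobody    5030  5005  0 06:43 ?        00:00:00 ./traci
root      5033  5030  0 06:43 ?        00:00:00 [modprobe <defunct>]
www-data  6000     1  0 06:00 ?        00:00:00 /usr/sbin/apache2 -k start'

printf '%s\n' "$SAMPLE_PS" | flag_ps
```

On a live system feed it `ps -ef | flag_ps` from a known-good `ps` and `awk` (the mounted clean toolset Brent describes), since a trojaned process table hides exactly these entries.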


