Re: My machine was hacked - possibly via sshd?
On Wed, Jul 20, 2005 at 10:17:56AM -0700, Brent Bates wrote:
> This morning my machine was also compromised in a similar fashion as
> described in your post here.
>
> http://lists.debian.org/debian-security/2005/03/msg00112.html
>
> Was the point of entry ever determined?
That one seemed to be a fairly obvious weak password which was
escalated into a root attack via a local kernel flaw.
> I just happened to log onto my machine while this was taking place. I did
> a ps and killed everything except non essential processes and mounted a
> directory tree I had with known good binaries and used those to poke
> around the machine.
>
> I have no idea how they got in, there were a lot of processes running as
> nobody. I really only run apache as nobody, so that could be the point of
> entry.
What CGI / PHP / scripts are you running with Apache?
> root 955 1 0 Jan10 ? 00:00:11 /usr/local/apache/bin/httpd
That's not a Debian package.
> root 1471 1 0 Jan10 ? 00:00:00 /usr/local/snmp/sbin/snmpd
Neither is that.
If you're going to run non-Debian packages you must keep track of
them and make sure they are up to date. Have you done so ..?
> bates 24862 24857 0 Jul11 ? 00:00:00 ./server_linux -PID=tsserver2.pi
> root 16095 955 0 Jul18 ? 00:00:00 /usr/local/sbin/cronolog --perio
Don't recognise either of those.
> nobody 4824 4752 0 06:40 ? 00:00:00 ./ptr3
> nobody 4825 4824 0 06:40 ? 00:00:00 [ptr3 <defunct>]
> nobody 4826 4824 0 06:40 ? 00:00:00 [ptr3 <defunct>]
Local kernel exploitation attempts ..?
> root 4920 1 0 06:41 ? 00:00:00 chmod 755 /usr/local/bin/ssh2
> root 4925 4920 0 06:41 ? 00:00:00 [chmod <defunct>]
> root 4927 1 0 06:41 ? 00:00:00 mv -f sshd /usr/sbin/sshd
> root 4929 1 0 06:41 ? 00:00:00 chown root.bin /usr/sbin/sshd
Trojan installation ..?
> nobody 4967 4964 0 06:42 ? 00:00:00 perl clean 220.228.110.11 2025
IP address of attacker ..?
> nobody 5030 5005 0 06:43 ? 00:00:00 ./traci
> nobody 5031 5030 0 06:43 ? 00:00:00 ./traci
> nobody 5032 5030 0 06:43 ? 00:00:00 [traci <defunct>]
> root 5033 5030 0 06:43 ? 00:00:00 [modprobe <defunct>]
Kernel attempt again ..?
Lots of detail there .. but it is a bit hard to understand without
more knowledge of what is upon your system, etc.
My immediate suggestion would be to disconnect the machine from the
network, and proceed from there. If you have a tripwire/aide/checksumming
installation in place you can use that to detect binary modifications
by booting from a known-good media.
If not your best option is to try to determine what route the attacker
used to get in, make sure you're comfortable you can close it, and then
reinstall.
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
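Two things Steve does in his reply can be turned into a repeatable check: walking the `ps -ef` output for the patterns he comments on (unprivileged `nobody` processes running binaries from a relative path, root processes doing `chmod`/`mv`/`chown` on `/usr/sbin/sshd`, a root `modprobe` child of a `nobody` process, an IP address and port in a command line) and comparing system binaries against a checksum baseline from known-good media, which is what a tripwire/aide installation gives you. The script below is an added example for this thread, not code from the original post or from Debian; the process list is constructed sample data modelled on the one quoted above, the heuristics and the `build_manifest`/`verify_against_manifest` helpers are my own, and the manifest demo runs in a throwaway temporary directory rather than against a real root filesystem.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample of `ps -ef` output, modelled on the list quoted in the
# thread (PIDs, owners and the 220.228.110.11 address are as quoted there).
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root       955     1  0 Jan10 ?        00:00:11 /usr/local/apache/bin/httpd
nobody    4752   955  0 Jan10 ?        00:00:02 /usr/local/apache/bin/httpd
nobody    4824  4752  0 06:40 ?        00:00:00 ./ptr3
nobody    4825  4824  0 06:40 ?        00:00:00 [ptr3 <defunct>]
root      4920     1  0 06:41 ?        00:00:00 chmod 755 /usr/local/bin/ssh2
root      4927     1  0 06:41 ?        00:00:00 mv -f sshd /usr/sbin/sshd
root      4929     1  0 06:41 ?        00:00:00 chown root.bin /usr/sbin/sshd
nobody    4967  4964  0 06:42 ?        00:00:00 perl clean 220.228.110.11 2025
nobody    5030  5005  0 06:43 ?        00:00:00 ./traci
root      5033  5030  0 06:43 ?        00:00:00 [modprobe <defunct>]
"""

# Directories whose contents an attacker would have to touch to plant a
# trojaned daemon or a setuid helper (assumed list, extend for your system).
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
               "/usr/local/bin/", "/usr/local/sbin/", "/lib/")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ps(text):
    """Parse `ps -ef` style output into {pid: {uid, pid, ppid, cmd}}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:      # skip the header row
        parts = line.split(None, 7)                 # CMD may contain spaces
        if len(parts) < 8:
            continue
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = parts
        procs[int(pid)] = {"uid": uid, "pid": int(pid),
                           "ppid": int(ppid), "cmd": cmd}
    return procs


def triage(procs):
    """Return (pid, reason, cmd) for each process matching the heuristics
    raised in the thread. Ordering follows the input order."""
    findings = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        argv = p["cmd"].split()
        name = argv[0]
        # Unprivileged account executing something from a relative path.
        if p["uid"] != "root" and name.startswith("./"):
            findings.append((p["pid"], "unprivileged user running a relative-path binary", p["cmd"]))
        # Root replacing or re-permissioning a binary under a system directory.
        if p["uid"] == "root" and name in ("chmod", "chown", "mv", "cp") \
                and any(a.startswith(SYSTEM_DIRS) for a in argv[1:]):
            findings.append((p["pid"], "root modifying a system binary path", p["cmd"]))
        # A root process whose parent is unprivileged: a privilege boundary
        # was crossed (the defunct modprobe under ./traci in the thread).
        if p["uid"] == "root" and parent and parent["uid"] != "root":
            findings.append((p["pid"], f"root process parented by {parent['uid']} pid {parent['pid']}", p["cmd"]))
        # Remote address and port passed on the command line by nobody.
        if p["uid"] != "root" and IPV4.search(p["cmd"]):
            findings.append((p["pid"], "unprivileged process given an IP address argument", p["cmd"]))
    return findings


def build_manifest(paths, root):
    """Record SHA-256 of each path below `root`; take this from clean media."""
    return {p: hashlib.sha256((root / p.lstrip("/")).read_bytes()).hexdigest()
            for p in paths}


def verify_against_manifest(manifest, root):
    """Compare the files below `root` with the baseline. Run this booted from
    known-good media with the suspect disk mounted read-only at `root`, so
    the hashing tool and the kernel doing the reads are themselves trusted."""
    problems = []
    for rel, expected in manifest.items():
        target = root / rel.lstrip("/")
        if not target.is_file():
            problems.append((rel, "missing"))
        elif hashlib.sha256(target.read_bytes()).hexdigest() != expected:
            problems.append((rel, "checksum mismatch"))
    return problems


def demo_manifest_check():
    """Constructed walk-through: baseline two files, then overwrite sshd the
    way the quoted `mv -f sshd /usr/sbin/sshd` would, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in (("usr/sbin/sshd", b"genuine sshd"), ("bin/ls", b"genuine ls")):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = build_manifest(["/usr/sbin/sshd", "/bin/ls"], root)
        (root / "usr/sbin/sshd").write_bytes(b"trojaned sshd")
        return verify_against_manifest(manifest, root)


if __name__ == "__main__":
    for pid, reason, cmd in triage(parse_ps(SAMPLE_PS)):
        print(f"{pid:6d}  {reason}: {cmd}")
    print(demo_manifest_check())
```

On a live box `triage(parse_ps(subprocess.check_output(["ps", "-ef"], text=True)))` gives the same report, with the usual caveat from the thread: once `ps` itself or the kernel may have been replaced, only a check run from known-good media means anything, which is why the manifest helpers take an explicit mount point rather than assuming `/`.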