RE: a compromised machine
Perhaps debsums could be useful to detect the corrupted command?
But rebuilding the machine is a sure solution I think.
++
-----Original Message-----
From: fra-dsec-no-spam@tourde.org [mailto:fra-dsec-no-spam@tourde.org]
Sent: Monday 25 July 2005 01:12
To: debian-security@lists.debian.org
Subject: Re: a compromised machine
On the 12989th day after the Epoch,
Nejc Novak wrote:
> i checked crontabs and i haven't found anything. but new processes started
>
> www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00 /tmp/dlciiqlno x
> www-data 6762 0.0 0.0 0 0 ? Z 22:10 0:00 [sh] <defunct>
> www-data 6770 0.0 0.1 1624 608 ? S 22:10 0:00 [bdflu
>
> and new connections were opened
>
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 193.77.81.144:33276 210.169.91.66:5454 ESTABLISHED
> tcp 0 0 193.77.81.144:33281 193.201.53.88:6667 ESTABLISHED
>
> Once again, /tmp/dcliiqlno doesn't exist... where is this exec file,
> because i would really like to know what exactly it does.. and what is
> bdflu?
Easy to do. The exec prog removes itself.
Try "lsof -p <hackprocessid>" and you probably see a "deleted" file.
The process probably restarted because of a corrupted command. For
example, ls or ps are corrupted, so they create /tmp/xxxx, run it and
delete it.
> I still haven't managed to find out how exactly this happened. And
> probably reinstall will be needed? What do you think?
First of all, you must unplug the machine. Second, reinstall it.
If you have important data, just back it up, but *only* data!
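The "deleted file" check the reply describes, written out as an added example (not code from anyone in this thread): it walks /proc instead of relying on lsof, lists processes whose executable has been unlinked, and preserves a copy of such a binary from /proc/PID/exe for offline analysis. It assumes a Linux procfs; the function names are ours.

```shell
#!/bin/sh
# Added example: find running processes whose on-disk executable has been
# removed, which is how a self-deleting /tmp binary shows up to a defender.
# Assumes Linux /proc semantics; helper names below are our own choice.

# Print "PID<TAB>exe-target" for every process whose /proc/PID/exe link
# points at a file that no longer exists (the kernel appends " (deleted)").
find_deleted_exes() {
    for exe in /proc/[0-9]*/exe; do
        pid=${exe#/proc/}
        pid=${pid%/exe}
        # readlink fails for kernel threads and for processes we may not inspect
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s\t%s\n' "$pid" "$target" ;;
        esac
    done
}

# Return 0 if the given PID runs from a deleted executable, 1 otherwise.
is_deleted_exe() {
    find_deleted_exes | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Preserve a copy of an unlinked executable while the process still runs:
# /proc/PID/exe keeps serving the file contents even after the unlink.
# Usage: save_deleted_exe PID OUTFILE ; returns 1 if nothing could be copied.
save_deleted_exe() {
    pid=$1; out=$2
    cp "/proc/$pid/exe" "$out" 2>/dev/null || return 1
    chmod 0400 "$out"
    # Record a hash next to the copy so the evidence can be matched later.
    sha256sum "$out" 2>/dev/null || true
}
```

Run `find_deleted_exes` as root so every process is visible; a hit for a process in /tmp or running as www-data is exactly the pattern discussed above.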