Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree

To: debian-security@lists.debian.org
Subject: Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
From: Thorsten Göllner <tg@ovm-group.com>
Date: Fri, 17 Dec 2010 14:15:43 +0100
Message-id: <[🔎] 4D0B627F.4070501@ovm-group.com>
In-reply-to: <201012171401.12219.vladislav.kurz@webstep.net>
References: <[🔎] 4D0B42C5.9040707@ovm-group.com> <201012171349.25795.vladislav.kurz@webstep.net> <4D0B5DC3.8090100@ovm-group.com> <201012171401.12219.vladislav.kurz@webstep.net>


Am 17.12.2010 14:01, schrieb Vladislav Kurz:

On Friday 17 of December 2010, you wrote:

Am 17.12.2010 13:49, schrieb Vladislav Kurz:

On Friday 17 of December 2010, you wrote:

Am 17.12.2010 13:17, schrieb Vladislav Kurz:

On Friday 17 of December 2010, Carlos Alberto Lopez Perez wrote:

On 12/17/2010 12:35 PM, Vladislav Kurz wrote:

On Friday 17 of December 2010, Thorsten Göllner wrote:

Hi,

The other point is that pstree reports a process "zinit" I never saw
in the past:

<snip>

But I do not have any idea what it is. And I can not see the process
with "ps":

If pstree shows zinit and ps does not, it might mean that you are
already rooted (owned, hacked, cracked, etc), and your ps binary was
modified to hide the presence of rootkit named zinit.

Good point.

Try to check the md5sum of ps:

# apt-get install debsums
# debsums procps

just for reference - md5sum of /bin/ps on i386/lenny
(checked from freshly downloaded package)

a6094706266c8ec3b068cf964824afee  /bin/ps

Thanks! My package matches.

Hmm, that's strange, cause if it's hacked, it shouldn't match.
Maybe even md5sum is hacked.

Please download procps, and md5sum on some clean computer, get them on
the problem machine, preferably on CD or some other non-writable media
and run those clean binaries.

Or if you can take your server down, reboot from any live-CD and check
md5sums again, using md5sum from live-cd.

Uh! OK, I now do not have really a chance to access the box (too far
away). Coudl you give me this from your box?
# shasum /bin/ps
234bba6212ca0cee9718bd74316d7c81e5e0b570  /bin/ps

its the same:
234bba6212ca0cee9718bd74316d7c81e5e0b570  /bin/ps

hmmmm, maybe the rootkit did not modify ps, but some system call that is used
by ps. Is it still so that "ps ax" does not show zinit and pstree does? what
about top?

I removed /sbin/zinit and did a reboot. The process is gone and I cannot find out more about it now, sorry.


So my "big" last ciritical question is "Shall I reinstall":
- /usr/bin/md5sum seems to be ok

- all installed packages are checked via debsums (maybe the localmd5-databse has been manipulated? Can I update this database via dpkg?)

- zinit is gone
- no suspicious listening process can be found. A portscan is fine.
- /etc/passwd is ok
- Passwords were changed
- iptables -L is fine
- chkrootkit is fine (running from running system NOT from LiveCD)

Hard to say ...

Reply to:

Follow-Ups:
- Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
  - From: Michael Cassano <mcassano@gmail.com>

References:
- exim4 router problems since 2 days / sucpicous process "zinit" is pstree
  - From: Thorsten Göllner <tg@ovm-group.com>

Prev by Date: RE: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
Next by Date: Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
Previous by thread: RE: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
Next by thread: Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
Index(es):
- Date
- Thread