Re: Long Exim break-in analysis

To: Vladislav Kurz <vladislav.kurz@webstep.net>
Cc: debian-security@lists.debian.org
Subject: Re: Long Exim break-in analysis
From: Izak Burger <isburger@gmail.com>
Date: Wed, 22 Dec 2010 13:42:03 +0200
Message-id: <[🔎] AANLkTi=XOTx6CowzQzjhy-X1M+Mae6RJazeKQWGrvFy7@mail.gmail.com>
In-reply-to: <[🔎] 201012212307.37241.vladislav.kurz@webstep.net>
References: <[🔎] 201012212307.37241.vladislav.kurz@webstep.net>

This is a me too email.

I found one overlooked machine that was compromised on 16th of December.

The usual process related things replaced:

free  pgrep  pmap  skill    snice   tload  uptime  w
kill  pkill  ps    slabtop  sysctl  top    vmstat  watch

All of these were chattr +ai, as if that was going to stop someone who
knows what's going on :-)

One process hidden, called dropbear. It was easy to find when
comparing the output of the hacked ps with the actual content of
/proc, and then checking the /proc/pid/exe symlink. Since kill was
also replaced, I quickly wrote a wrapper in C for the kill() system
call, and sent it a KILL signal.

The rest of the machine appears untouched, but I'll probably reinstall anyway.

Cheers,
Izak

Reply to:

Follow-Ups:
- Re: Long Exim break-in analysis
  - From: Bastian Blank <waldi@debian.org>

References:
- Long Exim break-in analysis
  - From: Vladislav Kurz <vladislav.kurz@webstep.net>

Prev by Date: Re: Long Exim break-in analysis
Next by Date: Re: Long Exim break-in analysis
Previous by thread: Re: Long Exim break-in analysis
Next by thread: Re: Long Exim break-in analysis
Index(es):
- Date
- Thread