
Re: Long Exim break-in analysis

This is a me-too email.

I found one overlooked machine that was compromised on the 16th of December.

The usual process related things replaced:

free  pgrep  pmap  skill    snice   tload  uptime  w
kill  pkill  ps    slabtop  sysctl  top    vmstat  watch

All of these were chattr +ai, as if that was going to stop someone who
knows what's going on :-)

One process was hidden, called dropbear. It was easy to find when
comparing the output of the hacked ps with the actual content of
/proc, and then checking the /proc/pid/exe symlink. Since kill was
also replaced, I quickly wrote a wrapper in C for the kill() system
call, and sent it a KILL signal.

The rest of the machine appears untouched, but I'll probably reinstall anyway.

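The technique described in the message above, as an added example that is not part of the original post or of any Exim code: a small C program that walks /proc itself, asks the installed (and possibly replaced) ps for the PIDs it is willing to show, prints /proc/<pid>/exe for every PID ps leaves out, and can send SIGKILL through the kill(2) call instead of the replaced /bin/kill binary. The file name findhidden.c, the --kill option and the exit codes are my own choices, not the original author's.

```c
/* Added example, not from the original message.  Walk /proc, compare the PIDs
 * found there with what the installed (possibly replaced) ps reports, print
 * /proc/<pid>/exe for anything ps omits, and on request SIGKILL a PID via the
 * kill(2) call rather than the /bin/kill binary.  Linux only. */
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define MAX_PIDS 65536

/* A /proc entry is a process only if its name is all digits ("self" is not). */
static int is_pid_name(const char *name)
{
    if (*name == '\0') return 0;
    for (; *name; name++)
        if (!isdigit((unsigned char)*name)) return 0;
    return 1;
}

/* Parse whitespace-separated PIDs, e.g. the output of `ps -e -o pid=`. */
static size_t parse_pids(const char *text, pid_t *out, size_t max)
{
    size_t n = 0;
    char *end;
    for (; n < max; text = end) {
        long v = strtol(text, &end, 10);
        if (end == text) break;              /* no more numbers */
        out[n++] = (pid_t)v;
    }
    return n;
}

/* PIDs that exist in /proc but that ps did not report. */
static size_t find_hidden(const pid_t *procfs, size_t np, const pid_t *reported,
                          size_t nr, pid_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < np && n < max; i++) {
        int seen = 0;
        for (size_t j = 0; j < nr && !seen; j++) seen = (reported[j] == procfs[i]);
        if (!seen) out[n++] = procfs[i];
    }
    return n;
}

/* Every numeric directory under /proc: the kernel's view, no userland binary. */
static size_t list_proc_pids(pid_t *out, size_t max)
{
    size_t n = 0;
    struct dirent *e;
    DIR *d = opendir("/proc");
    if (!d) return 0;
    while (n < max && (e = readdir(d)) != NULL)
        if (is_pid_name(e->d_name)) out[n++] = (pid_t)atol(e->d_name);
    closedir(d);
    return n;
}

/* Resolve /proc/<pid>/exe into buf; 0 on success, -1 if unreadable. */
static int proc_exe(pid_t pid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/exe", (long)pid);
    ssize_t r = readlink(path, buf, len - 1);
    if (r < 0) return -1;
    buf[r] = '\0';
    return 0;
}

/* The system call, not the binary: a replaced /bin/kill can lie, the kernel
 * cannot.  Returns 0, or -1 with errno set. */
static int send_signal(pid_t pid, int sig)
{
    return kill(pid, sig);
}

int main(int argc, char **argv)
{
    static pid_t procfs[MAX_PIDS], reported[MAX_PIDS], hidden[MAX_PIDS];
    static char psout[MAX_PIDS * 8];
    if (argc == 3 && strcmp(argv[1], "--kill") == 0) {
        if (send_signal((pid_t)atol(argv[2]), SIGKILL) != 0) { perror("kill"); return 1; }
        return 0;
    }
    size_t np = list_proc_pids(procfs, MAX_PIDS);
    FILE *ps = popen("ps -e -o pid=", "r");           /* ask the suspect ps */
    size_t got = ps ? fread(psout, 1, sizeof psout - 1, ps) : 0;
    if (ps) pclose(ps);
    psout[got] = '\0';
    size_t nr = parse_pids(psout, reported, MAX_PIDS);
    size_t nh = find_hidden(procfs, np, reported, nr, hidden, MAX_PIDS);
    for (size_t i = 0; i < nh; i++) {
        char exe[PATH_MAX];
        if (proc_exe(hidden[i], exe, sizeof exe) != 0)
            strcpy(exe, "(exe unreadable: process gone, or not ours)");
        printf("hidden pid %ld  exe=%s\n", (long)hidden[i], exe);
    }
    return nh ? 2 : 0;
}
```

Build with cc -Wall -o findhidden findhidden.c, run it as root so every /proc/<pid>/exe is readable, then ./findhidden --kill PID for whatever it reports. Two caveats: a process that exits between the /proc walk and the ps run shows up as a false positive, so run it twice before acting on a PID; and this only catches a trojaned userland, since a kernel-level rootkit can hide a PID from /proc itself. As in the message above, treat the result as triage before the reinstall, not as a cleanup.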