
Re: Possible security exploit: debian-unstable



On Tue, 12 Jul 2005 15:25:11 +0100
Jose Barroca <jose.barroca@netcabo.pt> wrote:

> Hello all,
> 
> likely as it is for the unstable branch to have such gaps in the
> fabric, I'd like to post this experience of mine. I didn't find any
> match in this list, though it might have slipped me.
> 
> My machine showed signs of corruption in my /usr/bin directory (EXT3
> partition) last friday. The TOP, FREE, a series of DPKG-* commands and
> a few others had their ownerid=32, considerably larger file size and
> responded with "segmentation fault" or "attempt to access beyond end
> of device" when called. I do have another machine running the same
> configuration (the difference is the processor, but the architecture
> is still the same).

This was one of our first clues that a server at work had been cracked.
Several key binaries, such as ps, top, etc. were showing segfaults
whenever we tried to run them. I would do a "ls -a /tmp" to see if you
can spot anything strange there. 

Look for hidden directories and files. If you see a filename you
don't recognize - especially a hidden file/directory, do a google
search on it. I've seen some malicious files that start with '.x0',
for example. I've also seen a directory that was simply named '...' - so
it looked like one of the usual links to the current directory or parent
directory (except that it had one too many periods).

> Now, upon posting at gmane.linux.kernelnewbies (I thought the FS had
> been corrupted through some improperly configured kernel of mine), I
> got replies indicating two possible directions:
> 
> 1) since SMARTMONTOOLS smartctl showed a huge value of
> REALLOCATED_SECTOR_Ct, my disk was about to fail;

Either way, I would do a complete format and re-install, as segfaults
from key binaries are no small problem. But first try to do all the
forensics you can. 

> 2) my machine had been compromised and the binaries changed. Well, but
> would a hacked version of TOP show "segmentation fault"? If so, why?
> Upon friendly suggestion I went through the logs, and did find some
> peculiar things. I'm not completely certain the machine has been
> compromised, though:

It certainly could. Most cracks are done by script kiddies who are
using pre-compiled programs and tools to do the exploit for them. If it
was compiled for different libraries or something similar, it may not
work as intended. Bad for them, good for you, as it can give them away.

<snip>
> I'm still learning the ropes, and sys-forensics is not that easy..
> Now, would anyone be so kind as to give me some feedback, on whether
> this is a security issue (or a hardware thing), and whether it is
> worth letting the people doing Debian security know about? I'm
> most willing to help anyone with the expertise (especially since I'll
> be on summer break for two whole weeks, and am usually tinkering with
> my debian box on the breaks from my summer break)

I would download the Fire cd, or a similar cd and do some probing around
on the filesystem. You can get it from here: http://fire.dmzs.com/ . I
would try to run chkrootkit from the cd. You can also do a port scan of
the problem computer from your good computer, to see if there are any
ports open that you don't know about. I normally use something like
"nmap -sS -O -P0 ip.add.re.ss | less". 

HTH,
Jacob
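As an added illustration of the two checks Jacob suggests above (this is not code from either poster): a small POSIX shell script that lists the hidden entries in a directory whose names mimic "." and ".." (such as "...") or start with ".x", and a helper that compares a Debian package's installed files against the md5sums dpkg recorded at install time. The sample directory in the demo is constructed so the script runs offline; the md5sums path follows dpkg's usual layout (/var/lib/dpkg/info/<pkg>.md5sums) and is an assumption about the target system.

```shell
#!/bin/sh
# Added example, not part of the original mail. Run it from a rescue CD with
# the suspect disk mounted read-only rather than with the suspect's own
# binaries: if ls, find or md5sum were replaced too, their output is worthless.

# Print "<reason> <path>" for each hidden entry in $1 that looks like the
# names Jacob describes. ls -A is POSIX and omits "." and ".." itself.
scan_dir() {
    dir="$1"
    ls -A "$dir" 2>/dev/null | while IFS= read -r name; do
        case "$name" in
            ...*) echo "dot-only-name $dir/$name" ;;   # "..." looks like ./.. in a quick ls
            .x*)  echo "dot-x-prefix $dir/$name" ;;    # e.g. ".x0", seen in the wild
        esac
    done
}

# Number of suspicious entries under $1, for a quick yes/no answer.
count_suspicious() {
    scan_dir "$1" | wc -l | tr -d ' '
}

# Compare one package's files against dpkg's recorded md5sums.
# $1 = package name, $2 = mount point of the suspect root (default "/").
# Assumption: md5sums live at <root>/var/lib/dpkg/info/<pkg>.md5sums with
# paths relative to <root>. Caveat: that list sits on the suspect disk, so an
# intruder who replaced top could have edited it; a clean result is weak
# evidence, a mismatch is strong evidence.
check_pkg() {
    pkg="$1"
    root="${2:-/}"
    list="$root/var/lib/dpkg/info/$pkg.md5sums"
    [ -r "$list" ] || { echo "no md5sums list for $pkg" >&2; return 2; }
    (cd "$root" && md5sum -c --quiet "$list")
}

# Demo on a constructed temporary directory (not real findings).
demo() {
    d=$(mktemp -d)
    mkdir "$d/..." "$d/.x0" "$d/.ICE-unix"
    touch "$d/normal.txt" "$d/.hidden_but_ok"
    scan_dir "$d"                  # reports "..." and ".x0" only
    rm -rf "$d"
}
```

Usage on the mounted suspect disk would be `scan_dir /mnt/suspect/tmp` followed by `check_pkg procps /mnt/suspect` (procps is the package that ships top and ps); anything md5sum flags as FAILED is a binary worth preserving for later analysis before the reinstall Jacob recommends.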


