Hello,
I have posted to this user group with a similar problem in the past and have had great help, but this one seems to be a new problem:
It looks like the affected machine has been rooted by a t0rn rootkit and then used to install a mail relay running on port 9020. This guy was pretty bold and rather cheeky, even creating a directory in his name in the root home directory. In this directory he seems to also have left a file which seems to contain his hotmail address. This is only by the way.
The REAL problem I am having is this:
chkrootkit has given the following:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/libsh/.bashrc /usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.bash_history /usr/lib/libsh/.owned /lib/security/.config
/usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.owned /lib/security/.config
Now the following:
ns:~# cd /usr/lib/libsh
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x  6 root root  4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .backup
-rw-------  1 root root   365 Aug 21 08:37 .bash_history
-rwxr-xr-x  1 root root  1206 Apr 18  2003 .bashrc
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .owned
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .sniff
-rwxr-xr-x  1 root root  2039 Aug 22 20:28 hide
drwxr-xr-x  2 root root  4096 Aug 22 19:24 utilz
Also:
ns:/usr/lib/libsh# lsattr *
-------------- hide
ns:/usr/lib/libsh# lsattr .b*
-------------- .bash_history
-------------- .bashrc
ns:/usr/lib/libsh# lsattr .
-------------- ./utilz
-------------- ./hide
Now try to delete:
ns:/usr/lib/libsh# rm -rf *
rm: cannot unlink `hide': Permission denied
rm: cannot remove directory `utilz': Permission denied
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x  6 root root  4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .backup
-rw-------  1 root root   365 Aug 21 08:37 .bash_history
-rwxr-xr-x  1 root root  1206 Apr 18  2003 .bashrc
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .owned
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .sniff
-rwxr-xr-x  1 root root  2039 Aug 22 20:28 hide
drwxr-xr-x  2 root root  4096 Aug 22 19:24 utilz
So it seems that the immutable attribute is not set on either of these files, but they cannot be deleted. Also, if I copy this directory to another place it becomes "invisible", i.e. you don't see it with ls, but you can change to it with cd. Make sense?
I have done a fresh re-install of all commands used above. And I will be completely rebuilding the compromised box, but I am still intrigued by this.
Anybody like to have a go?
Best regards,
Andreas
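The "you can cd into it but ls does not show it" symptom is exactly the kind of disagreement a defender can test for: the shell expands globs by calling readdir itself, so a replaced /bin/ls can hide names from its own output but not from the shell. The script below is an added example written for this thread, not something from the original post or from chkrootkit; the function names (glob_entries, ls_entries, find_hidden_entries, check_dir, check_attrs) and the LS_CMD variable are my own. It cross-checks a directory two ways and reports any name the shell sees that ls omits, and it inspects a path's own ext2/ext3 attributes with lsattr -d (without -d, lsattr on a directory lists the directory's contents rather than the directory itself, so the flags on the parent are easy to miss). The cross-check only helps against a trojaned ls binary; a rootkit that sits in the kernel or in an LD_PRELOAD library would fool the shell's readdir as well, which is a reason to keep the clean-rebuild plan.

```shell
#!/bin/sh
# Cross-check a directory listing from the ls binary against what the shell
# sees through its own glob expansion, and check a path's own i/a attributes.
# Added example; helper names below are assumptions, not part of the post.

LS_CMD="${LS_CMD:-ls}"   # which ls to test (overridable, e.g. a different binary)

# Entries of DIR as reported by the ls binary, sorted, without . and ..
ls_entries() {
    "$LS_CMD" -A -- "$1" 2>/dev/null | LC_ALL=C sort
}

# Entries of DIR as seen by the shell's own glob expansion (readdir via libc,
# no ls binary involved). Dotfiles included, . and .. skipped.
glob_entries() {
    ( cd -- "$1" || exit 1
      for f in .* *; do
          [ "$f" = . ] && continue
          [ "$f" = .. ] && continue
          [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched literal pattern
          printf '%s\n' "$f"
      done ) | LC_ALL=C sort
}

# Print every name the shell sees in DIR that ls did not report.
find_hidden_entries() {
    ls_list=$(ls_entries "$1")
    glob_entries "$1" | while IFS= read -r name; do
        printf '%s\n' "$ls_list" | grep -qxF -e "$name" || printf '%s\n' "$name"
    done
}

# Exit 0 when ls and the shell agree on DIR, 1 (with a report) when they differ.
check_dir() {
    hidden=$(find_hidden_entries "$1")
    if [ -n "$hidden" ]; then
        printf 'entries invisible to %s in %s:\n%s\n' "$LS_CMD" "$1" "$hidden"
        return 1
    fi
    return 0
}

# Own attributes of PATH via lsattr -d (the directory itself, not its contents).
# Returns 0 if neither immutable (i) nor append-only (a) is set, 1 if either
# is set, 2 if lsattr cannot read attributes here (tmpfs, missing lsattr, ...).
check_attrs() {
    flags=$(lsattr -d "$1" 2>/dev/null) || return 2
    flags=${flags%% *}           # first field is the flag string
    case $flags in
        *i*|*a*) return 1 ;;
    esac
    return 0
}

# Usage: sh hidecheck.sh /usr/lib/libsh
if [ -n "${1:-}" ]; then
    check_dir "$1"
    if check_attrs "$1"; then
        echo "no immutable/append-only flag on $1 itself"
    fi
fi
```

Run it against the suspect directory and also against a copy of it elsewhere; if the copy's name shows up only in the glob-based list, the replaced ls is filtering on the name, which matches what the post describes. A non-zero result from check_attrs on the parent directory would explain root being refused on rm even though the files inside show no flags.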