
Re: My server catched a rootkit?



Camaleón wrote:
> On Fri, 26 Nov 2010 18:53:05 +0000, James Brown wrote:
> 
>> I have a VDS under Debian Lenny,
>> ~# uname -a
>> Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686
>> GNU/Linux
>>
>> I have received the next messages from crondaemon:
>> /etc/cron.daily/rkhunter:
>> Internal error!
>> Internal error!
>> .................................
>>
>> and from rkhunter that my server has problems which you can see in the
>> attached log including detected SHV4 Rootkit and SHV5 Rootkit
> 
> (...)
> 
> JFYI, there was a recent exploit for ProFtpd:
> 
> http://www.exploit-db.com/exploits/15449/
> 
> Also followed here:
> 
> proftpd: IAC remote root exploit
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769
> 
> Not sure if lenny is also affected :-?
> 
> (...)

It seems to me that it is the vulnerable version:
 aptitude show  psa-proftpd  psa-proftpd-inetd
Package: psa-proftpd
State: installed
Automatically installed: no
Version: 1.3.2e-debian5.0.build95100504.17
Priority: extra
Section: non-free/mail
Maintainer: <info@parallels.com>
Uncompressed Size: 4452k
Depends: libc6 (>= 2.7-1), libpam0g (>= 0.99.7.1), libssl0.9.8 (>=
0.9.8f-5), xinetd
Conflicts: ftp-server
Replaces: ftp-server
Provides: ftp-server
Description: ProFTPD -- Professional FTP Server.
 ProFTPD is an enhanced FTP server with a focus toward simplicity,
security, and ease of configuration.  It features a
 very Apache-like configuration syntax, and a highly customizable server
infrastructure, including support for multiple
 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility. This build includes Plesk mod_quota
 patch.

Package: psa-proftpd-inetd
State: installed
Automatically installed: no
Version: 1.3.2e-debian5.0.build95100504.17
Priority: extra
Section: non-free/mail
Maintainer: <info@parallels.com>
Uncompressed Size: 135k
Depends: psa-proftpd, netbase
Provides: psa-proftpd-start
Description: ProFTPD -- Setup for inetd operation.
 This package is necesary to setup ProFTPD to run from inetd.

> 
>> Found HIDDEN PID: 1431
>> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:47525)
>>
>> Found HIDDEN PID: 1759
>> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:33625)
> 
> Check your "/var/log/auth.log" and "history" but your logs don't sound 
> very good :-(
> 
> Greetings,
> 
I don't see anything suspicious in "history"; "/var/log/auth.log" is empty,
but I had earlier problems with its settings.
As I can see from last, nobody has connected to my server since my last
connection at the beginning of this month.
But I see some strange things:
1) in "/var/log/apt/term.log":
dpkg: `ldconfig' not found on PATH.
dpkg: `start-stop-daemon' not found on PATH.
dpkg: `install-info' not found on PATH.
dpkg: `update-rc.d' not found on PATH.
dpkg: 4 expected program(s) not found on PATH.
NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.
- an unusual record, made when I was not logged in to the server; I have no
records from that period in "/var/log/aptitude" or in "/var/log/dpkg"
since my last login and package update/upgrade.
2) in /var/log/sw-cp-server (the HTTP server for SWsoft control panels,
based on lighttpd according to aptitude search) - many records for the
suspicious period such as the next:
(connections.c.299) SSL: 1 error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol - was my server hijacked
through the control panel?
3) in "/var/log/tor":
[notice] Received reload signal (hup). Reloading config and resetting
internal state. - a) at the same time each of the last days; b) I didn't log
in to my server and didn't send that signal to the tor daemon.
4) in /var/log/messages I have many unexpected messages about opening
and closing ftp sessions;
5) in /var/log/messages and /var/log/debug I have many records
"mod_delay/0.6: error opening DelayTable
'/var/run/proftpd/proftpd.delay': No such file or directory" in the
suspicious period;
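One way to verify a "Found HIDDEN PID" report before treating it as a rootkit: compare three views of the process table (a /proc directory read, the ps tool, and a signal-0 probe that does not depend on either) and keep only PIDs hidden in every pass, because short-lived processes such as a proftpd child serving one connection start and exit between snapshots and would otherwise show up as false hits. This is an added example for Linux, not code from the thread or from rkhunter; it assumes a readable /proc and a ps binary on PATH.

```python
import os
import subprocess
import time

def proc_pids():
    """PIDs visible as numeric entries when /proc is read as a directory."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def ps_pids():
    """PIDs reported by ps; a userland tool a rootkit may replace or hook."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def probe_pids(limit):
    """PIDs that answer a signal-0 probe; independent of /proc listings."""
    alive = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # process exists but is owned by another user
        alive.add(pid)
    return alive

def hidden_pids(proc, ps, probed):
    """Pure comparison; works on constructed sets as well as live ones."""
    return {
        "in_proc_not_ps": sorted(proc - ps),         # ps output is filtered
        "alive_not_in_proc": sorted(probed - proc),  # /proc read is filtered
    }

def stable_hidden(snapshots):
    """Keep only PIDs flagged in every snapshot: a PID seen in one pass only
    belongs to a process that started or exited mid-check, not a hidden one."""
    keys = ("in_proc_not_ps", "alive_not_in_proc")
    return {k: sorted(set.intersection(*(set(s[k]) for s in snapshots)))
            for k in keys}

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    passes = []
    for _ in range(2):  # two passes a second apart filter transient PIDs
        passes.append(hidden_pids(proc_pids(), ps_pids(), probe_pids(pid_max)))
        time.sleep(1)
    print(stable_hidden(passes))
```

A PID that is alive but absent from /proc in both passes is the stronger signal, since ps itself reads /proc and cannot see past a hooked directory listing.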