Re: My server catched a rootkit?
On Fri, 26 Nov 2010 22:51:11 +0000, James Brown wrote:
> Camaleón wrote:
>> JFYI, there was a recent exploit for ProFtpd:
>>
>> http://www.exploit-db.com/exploits/15449/
>>
>> Also followed here:
>>
>> proftpd: IAC remote root exploit
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769
>>
>> Not sure if lenny is also affected :-?
>>
>> (...)
>
> It seems to me that it is the vulnerable version:
> aptitude show psa-proftpd psa-proftpd-inetd
> Version: 1.3.2e-debian5.0.build95100504.17
Ugh :-(
But I cannot find that "psa-proftpd" package in debian repos. From where
did you install it? :-?
>>> Found HIDDEN PID: 1759
>>> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:33625)
>>
>> Check your "/var/log/auth.log" and "history" but your logs don't
>> sound very good :-(
>>
>>
> I don't see anything suspicious in "history", "/var/log/auth.log" is empty,
> but I had earlier problems with its settings. As I can see from last,
> nobody connected to my server since my last connection at the beginning
> of this month. But I see something strange:
>
> 1) in "/var/log/apt/term.log":
> dpkg: `ldconfig' not found on PATH.
> dpkg: `start-stop-daemon' not found on PATH.
> dpkg: `install-info' not found on PATH.
> dpkg: `update-rc.d' not found on PATH.
> dpkg: 4 expected program(s) not found on PATH.
> NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.
> - an unusual record, made when I wasn't logged in to the server; I have no
> records from that period in "/var/log/aptitude" and in "/var/log/dpkg" since
> my last login and updating/upgrading packages.
> 2) in /var/log/sw-cp-server (HTTP server for SWsoft control panels, based
> on lighttpd according to aptitude search) - many records for the suspicious
> period such as the next:
> (connections.c.299) SSL: 1 error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> - was my server hijacked through the control panel?
> 3) in "/var/log/tor":
> [notice] Received reload signal (hup). Reloading config and resetting
> internal state.
> - a) at the same time each of the last days; b) I didn't log in to my server
> and didn't send that signal to the tor daemon.
> 4) in /var/log/messages I have many unexpected messages about opening and
> closing ftp-sessions;
> 5) in /var/log/messages and /var/log/debug I have many records
> "mod_delay/0.6: error opening DelayTable
> '/var/run/proftpd/proftpd.delay': No such file or directory" in the
> suspicious period;
I'm not an expert in linux computer forensics but your logs are
displaying scary information about what is happening in your box. Secunia
reports a high impact on affected systems ("security bypass, manipulation
of data and system access"):
http://secunia.com/advisories/42052
Maybe it is time to perform a clean install as Jochen suggested.
Greetings,
--
Camaleón
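A small triage script, added here as an example and not part of the thread, that takes the kinds of log lines James quotes (syslog-style /var/log/messages and /var/log/tor entries, and the lighttpd-style sw-cp-server error log) and lists which indicators fired after the admin's last known login, with first/last timestamps and the PIDs involved. The sample lines, host name, PIDs, timestamps and 192.0.2.x addresses are constructed; the indicator names and the last-login date are assumptions.

```python
import re
from datetime import datetime
# Indicator patterns taken from the messages quoted in the thread.
INDICATORS = {
    "proftpd_delaytable": re.compile(r"mod_delay/\S+: error opening DelayTable"),
    "ftp_session": re.compile(r"FTP session (?:opened|closed)"),
    "tor_hup_reload": re.compile(r"Received reload signal \(hup\)", re.I),
    "cp_ssl_unknown_proto": re.compile(r"SSL23_GET_CLIENT_HELLO:unknown protocol"),
}
# syslog-style "Nov 20 03:12:44 host prog[pid]: msg" (no year) and lighttpd-style "2010-11-20 03:20:17: msg"
SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ ([^:\[ ]+)(?:\[(\d+)\])?: (.*)$")
LIGHTTPD_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (.*)$")

def parse_line(line, year):
    """Parse a syslog or lighttpd-style line into a dict, or None if unrecognised."""
    if m := SYSLOG_RE.match(line):
        return {"ts": datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
                "prog": m.group(2), "pid": m.group(3), "msg": m.group(4)}
    if m := LIGHTTPD_RE.match(line):
        return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                "prog": "sw-cp-server", "pid": None, "msg": m.group(2)}
    return None

def triage(log_text, last_admin_login, year=2010):
    """Collect indicator hits that occurred after the admin's last legitimate login."""
    hits = {name: [] for name in INDICATORS}
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None or ev["ts"] <= last_admin_login:
            continue  # unparsed, or inside the period the admin can vouch for
        for name, rx in INDICATORS.items():
            if rx.search(ev["msg"]):
                hits[name].append(ev)
    return hits

def summarize(hits):
    """Per indicator that fired: (count, first seen, last seen, sorted distinct PIDs)."""
    return {n: (len(v), v[0]["ts"], v[-1]["ts"], sorted({e["pid"] for e in v if e["pid"]}))
            for n, v in hits.items() if v}
# Constructed sample modelled on the thread's quoted messages; host, times, PIDs and 192.0.2.x addresses are invented.
LAST_ADMIN_LOGIN = datetime(2010, 11, 5)  # assumed date of the admin's last legitimate login
SAMPLE_LOG = """\
Nov 2 10:00:00 srv proftpd[900]: 192.0.2.10 (192.0.2.10[192.0.2.10]) - FTP session opened.
Nov 20 03:12:44 srv proftpd[1759]: mod_delay/0.6: error opening DelayTable '/var/run/proftpd/proftpd.delay': No such file or directory
Nov 20 03:12:45 srv proftpd[1759]: 192.0.2.50 (192.0.2.50[192.0.2.50]) - FTP session opened.
Nov 20 03:13:01 srv proftpd[1759]: 192.0.2.50 (192.0.2.50[192.0.2.50]) - FTP session closed.
Nov 20 03:15:02 srv Tor[2210]: [notice] Received reload signal (HUP). Reloading config and resetting internal state.
2010-11-20 03:20:17: (connections.c.299) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Nov 21 03:15:02 srv Tor[2210]: [notice] Received reload signal (HUP). Reloading config and resetting internal state.
"""
```

The DelayTable error only says the file under /var/run/proftpd was missing when a session started, and SSL23_GET_CLIENT_HELLO:unknown protocol is what OpenSSL reports when a non-TLS client hits the TLS port, so neither proves compromise by itself; the script therefore reports timing and PIDs for correlation with the FTP sessions rather than a verdict.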