
Re: My server catched a rootkit?



On Fri, 26 Nov 2010 22:51:11 +0000, James Brown wrote:

> Camaleón wrote:

>> JFYI, there was a recent exploit for ProFtpd:
>> 
>> http://www.exploit-db.com/exploits/15449/
>> 
>> Also followed here:
>> 
>> proftpd: IAC remote root exploit
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769
>> 
>> Not sure if lenny is also affected :-?
>> 
>> (...)
> 
> It seems to me that it is the vulnerable version:
>  aptitude show  psa-proftpd  psa-proftpd-inetd

> Version: 1.3.2e-debian5.0.build95100504.17 

Ugh :-(

But I cannot find that "psa-proftpd" package in debian repos. From where 
did you install it? :-?

>>> Found HIDDEN PID: 1759
>>> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:33625)
>> 
>> Check your "/var/log/auth.log" and "history" but your logs don't
>> sound very good :-(
>> 
>> 
> I don't see anything suspicious in "history", "/var/log/auth.log" is empty,
> but I had earlier problems with its settings. As I can see from last,
> nobody connected to my server since my last connection in the beginning
> of this month. But I see something strange:
>
> 1) in "/var/log/apt/term.log":
> dpkg: `ldconfig' not found on PATH.
> dpkg: `start-stop-daemon' not found on PATH.
> dpkg: `install-info' not found on PATH.
> dpkg: `update-rc.d' not found on PATH.
> dpkg: 4 expected program(s) not found on PATH.
> NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.
> - an unusual record, made when I wasn't logged in to the server; I have no
> records from that period in "/var/log/aptitude" and in "/var/log/dpkg"
> since my last login and updating/upgrading of packages.
> 2) in /var/log/sw-cp-server (HTTP server for SWsoft control panels, based
> on lighttpd according to aptitude search) - many records for the
> suspicious period such as the following:
> (connections.c.299) SSL: 1 error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> - was my server hijacked through the control panel?
> 3) in "/var/log/tor":
> [notice] Received reload signal (hup). Reloading config and resetting
> internal state.
> - a) at the same time each of the last days; b) I didn't log in to my
> server and didn't send that signal to the tor daemon.
> 4) in /var/log/messages I have many unexpected messages about opening and
> closing ftp sessions;
> 5) in /var/log/messages and /var/log/debug I have many records
> "mod_delay/0.6: error opening DelayTable
> '/var/run/proftpd/proftpd.delay': No such file or directory" in the
> suspicious period;

I'm not an expert in Linux computer forensics but your logs are 
displaying scary information about what is happening in your box. Secunia 
reports a high impact on affected systems ("security bypass, manipulation 
of data and system access"):

http://secunia.com/advisories/42052

Maybe it is time to perform a clean install as Jochen suggested.

Greetings,

-- 
Camaleón
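The "Found HIDDEN PID" line quoted above is the kind of output a rootkit scanner produces when two views of the process table disagree. As an added illustration (not part of this thread, and not the code of any scanner mentioned in it), the following Python script reproduces that idea: it gathers PIDs both by listing /proc and by probing every /proc/<n>/status up to pid_max, and reports any process that `ps` does not show, together with its command line. Function names and the output format are this example's own; they only mimic the quoted line.

```python
import os
import subprocess

def parse_ps_pids(ps_output):
    """Turn the text of `ps -eo pid=` into a set of PIDs."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def hidden_pids(candidate_pids, visible_pids, still_exists=lambda pid: True):
    """PIDs in candidate_pids that ps did not report. still_exists() is re-checked
    so processes that merely exited between enumerations are not flagged."""
    return sorted(p for p in candidate_pids - visible_pids if still_exists(p))

def tgid(pid):
    """Thread-group id from /proc/<pid>/status, or None if the entry is gone.
    Threads have a /proc/<tid> entry too; only Tgid == pid is a process."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def pids_from_readdir():
    """PIDs visible by listing /proc, the view ps and most tools rely on."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pids_from_probe(max_pid):
    """Open /proc/<n>/status for every n up to max_pid: a rootkit that filters
    readdir() on /proc usually still lets a direct open() succeed (slow but thorough)."""
    return {pid for pid in range(1, max_pid + 1) if tgid(pid) == pid}

def cmdline(pid):
    """Command line from /proc/<pid>/cmdline (argv is NUL-separated)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").strip().decode(errors="replace")
    except OSError:
        return "<gone>"

def main():
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True)
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    candidates = pids_from_readdir() | pids_from_probe(pid_max)
    for pid in hidden_pids(candidates, parse_ps_pids(ps.stdout), lambda p: tgid(p) == p):
        print(f"Found HIDDEN PID: {pid}\nCommand: {cmdline(pid)}")
if __name__ == "__main__":
    main()
```

Because `ps` runs before the /proc probe, a process spawned during the scan can be reported once; a hit that survives a second run is the one worth investigating.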

