
[cobalt-security] [RaQ3i] interesting hack symptoms
Hello All,

yesterday I awoke to find that the server I'm responsible for had been
rebooted without my notification or approval.  I also found that a
MySQL/PHP application had gone belly up and was not working any more.
The ISP that hosts the server said that they did not order a reboot, so
it appeared that it happened internally from some cause, and it was done
rather abruptly.

Digging through the logs, I found that someone had connected to the
machine via anon ftp about 15 to 30 minutes before the crash.  This
crash incidentally was what caused the MySQL/PHP connection problem I
think.  Somehow the ownership of the files for that particular database
had been changed I think.  They were all owned and grouped to root.  I
changed them to be owned and grouped to "mysql" and finally PHP could
access the db and display content from the db again.  Oh yes, and I also
did a restore on the database tables to clean them up from the crash.

I suspect strongly that my system was compromised and so now I am trying
to backtrack and ferret out possible trojans and root-kits, etc.  I
tried this nice program called "chkrootkit" at
http://www.chkrootkit.org, which is easy to install and run.  When I ran
it I found a few items that popped out:

Checking `cron'... NOT TESTED
Checking `sshd'... NOT TESTED
Checking `bindshell'... INFECTED

First of all, I'm wondering if cron and sshd were not tested because
one, I don't have SSH installed, and two, cron is located in a
non-default location different from most standard linux distribs?

The one that of course bugs me is "bindshell".  I can't seem to find
where this bindshell file is located or how to look into where it's at
and what it's doing, and if I do indeed have a compromise problem.  I've
found some slim documentation on this backdoor hole, but most of it is
from hacker websites which I'd rather avoid.  I do know that rootkit IV
for linux usually sets this bindshell backdoor to listening on port
31337 (eleet, I guess as they cleverly call it).  I checked this port
and nothing seems to be active there.  In fact my portsentry utility is
set to listen on that port and block outsiders if they connect to it.
The attacker(s) could probably have changed the port number however, so
this doesn't entirely eliminate that avenue...

My idea was to ask if anyone wants to try this program on a pretty
standard RaQ3i box and see if they get the same kind of results?  I'm
trying to ascertain if I >do< have problems, or the "layout" of the
cobalt system is somewhat different and causes these anomalies with the
chkrootkit program?

Also, I was just experimenting with this command:
    netstat -ap | grep LISTEN

and before it displays the list of listening connections, it tells me
this:
    [root@www admin]# netstat -ap | grep LISTEN
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)

which I think is kind of strange, as I >am< logged in as root!

Thanks much for any tips anyone can provide on ferreting out this
bindshell problem, and you can bet I've switched off Anon FTP for the
time being!

Thanks,

~ Theo
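As an added example (not part of Theo's post, and not code from chkrootkit or from Cobalt), the following POSIX shell script does by hand the check that both "bindshell" and `netstat -ap | grep LISTEN` are getting at: it reads the listening sockets straight from /proc/net/tcp and maps each socket inode to the process that owns it by scanning /proc/<pid>/fd. A listener that no process in /proc claims is exactly what makes netstat print its "not all processes could be identified" warning, and it is the thing to explain before trusting the machine. The `SUSPECT_PORTS` list is constructed for this example and holds only the 31337 mentioned in the post; the function names and the two optional path arguments (used so the parser can be tested against a constructed copy of /proc) are assumptions, not part of any tool.

```shell
#!/bin/sh
# Added example, not from the original post: list LISTEN sockets from
# /proc/net/tcp (IPv4 only) and find the owning process via /proc/<pid>/fd,
# which is the same inode lookup netstat -p performs.
#
# Constructed watch list: 31337 is the port named in the post.
SUSPECT_PORTS="31337"

# list_listeners [tcpfile]: print "port inode" for each socket whose state
# column is 0A (LISTEN). local_address is hex "ADDR:PORT"; inode is column 10.
list_listeners() {
    tcpfile="${1:-/proc/net/tcp}"
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2], $10 }' "$tcpfile" |
    while read -r hexport inode; do
        printf '%d %s\n' "$((0x$hexport))" "$inode"
    done
}

# owner_of_inode inode [procdir]: scan /proc/<pid>/fd/* symlinks for a
# target of "socket:[inode]" and print that pid; return 1 if nothing owns it.
owner_of_inode() {
    inode="$1"; procdir="${2:-/proc}"
    for fd in "$procdir"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "socket:[$inode]" ]; then
            pid="${fd#"$procdir"/}"
            printf '%s\n' "${pid%%/*}"
            return 0
        fi
    done
    return 1
}

# audit_listeners [tcpfile] [procdir]: one line per listener in the form
# "PORT pid=<pid or NONE>[ KNOWN-BACKDOOR-PORT]". pid=NONE means no process
# visible in /proc owns the socket, which deserves an explanation.
audit_listeners() {
    tcpfile="${1:-/proc/net/tcp}"; procdir="${2:-/proc}"
    list_listeners "$tcpfile" | while read -r port inode; do
        pid=$(owner_of_inode "$inode" "$procdir") || pid=NONE
        flag=""
        for p in $SUSPECT_PORTS; do
            if [ "$p" = "$port" ]; then flag=" KNOWN-BACKDOOR-PORT"; fi
        done
        printf '%s pid=%s%s\n' "$port" "$pid" "$flag"
    done
}

# Set AUDIT_LIVE=1 to run against the real /proc. Reading other users'
# /proc/<pid>/fd entries needs root, which is what netstat's warning refers to.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    audit_listeners
fi
```

Run it as root with `AUDIT_LIVE=1 sh audit.sh` and compare the output with what `netstat -ap | grep LISTEN` shows. Two outcomes matter for the question in the post: a listener on a watched port, and a listener reported as pid=NONE even though you are root, because the only honest ways to get that second case are a socket held by a process that has since exited or something hiding its /proc entries. A kernel-level rootkit can lie to /proc just as easily as it lies to netstat, so a clean result here is only as good as the kernel you ran it on; the stronger check is to boot the box from known-good media and inspect the disk from there.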