RE: [cobalt-security] [RaQ3i] interesting hack symptoms
- Subject: RE: [cobalt-security] [RaQ3i] interesting hack symptoms
- From: "Peter Batenburg (linking.nl)" <peter@xxxxxxxxxx>
- Date: Fri, 3 Nov 2000 09:54:09 +0100 (MET)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Try tail /etc/inetd.conf mainly, the bindshells are located there.. If
they installed a rootkit already, the bindshell will be a sshd on a
different port, or a /bin/login backdoor. If that's the case, I would
suggest reinstalling.. You'll never know what files are backdoored 100%.
Also, disabling Anonymous ftp doesn't solve things. People with an
account to the box can also use an exploit, and hack your system.
I would install the latest version of the ftpd you're using. There's a
public patch for ProFTPd available from cobalt. And for wu-ftpd, you can
get the tar.gz from ftp.wu-ftpd.org.. rpms can be found at
updates.redhat.com..
On Fri, 3 Nov 2000, David Etheridge wrote:
> I had the same results when running the kit. Again like yourself I also run
> portsentry in paranoid mode and only allow the ports that I wish to be open
> to be accessible.
>
> Dave Etheridge
>
> -----Original Message-----
> From: Theodore Jones [mailto:theoj@xxxxxxxxxxxxx]
> Sent: 02 November 2000 21:25
> To: Cobalt Security Disc.
> Subject: [cobalt-security] [RaQ3i] interesting hack symptoms
>
>
> Hello All,
>
> yesterday I awoke to find that the server I'm responsible for had been
> rebooted without my notification or approval. I also found that a
> MySQL/PHP application had gone belly up and was not working any more.
> The ISP that hosts the server said that they did not order a reboot, so
> it appeared that it happened internally from some cause, and it was done
> rather abruptly.
>
> Digging through the logs, I found that someone had connected to the
> machine via anon ftp about 15 to 30 minutes before the crash. This
> crash incidentally was what caused the MySQL/PHP connection problem I
> think. Somehow the ownership of the files for that particular database
> had been changed I think. They were all owned and grouped to root. I
> changed them to be owned and grouped to "mysql" and finally PHP could
> access the db and display content from the db again. Oh yes, and I also
> did a restore on the database tables to clean them up from the crash.
>
> I suspect strongly that my system was compromised and so now I am trying
> to backtrack and ferret out possible trojans and root-kits, etc. I
> tried this nice program called "chkrootkit" at
> http://www.chkrootkit.org, which is easy to install and run. When I ran
> it I found a few items that popped out:
>
> Checking `cron'... NOT TESTED
> Checking `sshd'... NOT TESTED
> Checking `bindshell'... INFECTED
>
> First of all, I'm wondering if cron and sshd were not tested because
> one, I don't have SSH installed, and two, cron is located in a
> non-default location different from most standard linux distribs?
>
> The one that of course bugs me is "bindshell". I can't seem to find
> where this bindshell file is located or how to look into where it's at
> and what it's doing, and if I do indeed have a compromise problem. I've
> found some slim documentation on this backdoor hole, but most of it is
> from hacker websites which I'd rather avoid. I do know that rootkit IV
> for linux usually sets this bindshell backdoor to listening on port
> 31337 (eleet, i guess as they cleverly call it). I checked this port
> and nothing seems to be active there. In fact my portsentry utility is
> set to listen on that port and block outsiders if they connect to it.
> The attacker(s) could probably have changed the port number however, so
> this doesn't entirely eliminate that avenue...
>
> My idea was to ask if anyone wants to try this program on a pretty
> standard RaQ3i box and see if they get the same kind of results? I'm
> trying to ascertain if I >do< have problems, or the "layout" of the
> cobalt system is somewhat different and causes these anomalies with the
> chkrootkit program?
>
> Also, I was just experimenting with this command:
> netstat -ap | grep LISTEN
>
> and before it displays the list of listening connections, it tells me
> this:
> [root@www admin]# netstat -ap | grep LISTEN
> (Not all processes could be identified, non-owned process info
> will not be shown, you would have to be root to see it all.)
>
> which I think is kind of strange, as I >am< logged in as root!
>
> Thanks much for any tips anyone can provide on ferreting out this
> bindshell problem, and you can bet I've switched off Anon FTP for the
> time being!
>
> Thanks,
>
> ~ Theo
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
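The two checks the thread turns on are Peter's "look in /etc/inetd.conf for the bindshell" and Theo's `netstat -ap | grep LISTEN`. The script below is an added example written for this archive page; it is not code from either poster, from chkrootkit or from Cobalt. It assumes the classic seven-field inetd.conf layout and the Linux `netstat -ap` column layout of that era, and both sample inputs are constructed (the `cfinger` and `exec` lines are made-up illustrations of what a shell-spawning entry looks like, not entries from a real host). Run it as root against the real files (`audit(open('/etc/inetd.conf').read(), subprocess_output)`) to get a first list of lines worth looking at; it is a triage aid, not a substitute for the reinstall Peter recommends once a rootkit is suspected.

```python
"""Triage helpers for the two checks in the thread: shell-spawning entries in
/etc/inetd.conf and LISTEN sockets from `netstat -ap`. Added example; all
sample inputs are constructed and do not come from any real machine."""
import os

# Interpreter names that should never be the server program of an inetd entry.
SHELLS = {"sh", "bash", "ash", "csh", "tcsh", "ksh", "zsh"}

INETD_FIELDS = ("service", "socktype", "proto", "flags", "user", "server")


def is_shell(path):
    """True if a path or bare program name is one of the shells above."""
    return os.path.basename(path) in SHELLS


def parse_inetd_conf(text):
    """Parse classic inetd.conf lines into dicts; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 6:
            continue  # blank, comment-only or malformed line
        entry = dict(zip(INETD_FIELDS, parts[:6]))
        entry["args"] = parts[6:]  # argv of the server (empty for 'internal')
        entry["line"] = lineno
        entries.append(entry)
    return entries


def suspicious_inetd_entries(entries):
    """Flag entries whose server program, or any argument to it, is a shell."""
    hits = []
    for e in entries:
        reasons = []
        if is_shell(e["server"]):
            reasons.append("server program is a shell")
        if any(is_shell(a) for a in e["args"]):
            reasons.append("shell passed as an argument (e.g. behind tcpd)")
        if reasons:
            hits.append(dict(e, reasons=reasons))
    return hits


def parse_netstat_listeners(text):
    """Extract LISTEN sockets from Linux `netstat -ap` output. Header lines and
    the 'Not all processes could be identified' notice are ignored."""
    listeners = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp") or "LISTEN" not in parts:
            continue
        port = parts[3].rsplit(":", 1)[-1]   # local address is host:port
        pid_prog = parts[-1]                 # "pid/program" or "-"
        if "/" in pid_prog:
            pid, prog = pid_prog.split("/", 1)
        else:
            pid, prog = None, None           # netstat could not identify the owner
        listeners.append({"proto": parts[0], "port": port, "pid": pid, "prog": prog})
    return listeners


def suspicious_listeners(listeners):
    """Flag listeners owned by a shell, or with no identifiable owner at all."""
    hits = []
    for l in listeners:
        reasons = []
        if l["prog"] and is_shell(l["prog"]):
            reasons.append("listening socket owned by a shell")
        if l["prog"] is None:
            reasons.append("owning process not identified even when run as root")
        if reasons:
            hits.append(dict(l, reasons=reasons))
    return hits


def audit(inetd_text, netstat_text):
    """Return one human-readable finding per suspicious entry or listener."""
    findings = []
    for h in suspicious_inetd_entries(parse_inetd_conf(inetd_text)):
        findings.append("inetd.conf line %d (%s): %s"
                        % (h["line"], h["service"], "; ".join(h["reasons"])))
    for h in suspicious_listeners(parse_netstat_listeners(netstat_text)):
        findings.append("%s port %s (%s): %s"
                        % (h["proto"], h["port"], h["prog"] or "-", "; ".join(h["reasons"])))
    return findings


# Constructed sample inetd.conf: four normal entries plus two shell-spawning ones.
SAMPLE_INETD_CONF = """\
# constructed sample, not from any real host
#<service> <sock_type> <proto> <flags> <user> <server_path> <args>
echo    stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
# constructed illustrations of shell-spawning entries (not real findings)
cfinger stream  tcp     nowait  root    /bin/sh         sh -i
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  /bin/bash -i
"""

# Constructed sample of `netstat -ap` output, including the notice Theo saw.
SAMPLE_NETSTAT = """\
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ftp                   *:*                     LISTEN      312/inetd
tcp        0      0 *:www                   *:*                     LISTEN      401/httpd
tcp        0      0 *:1524                  *:*                     LISTEN      2203/sh
tcp        0      0 *:6000                  *:*                     LISTEN      -
tcp        0      0 www:www                 10.0.0.5:1034           ESTABLISHED 405/httpd
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INETD_CONF, SAMPLE_NETSTAT):
        print(finding)
```

The unidentified-owner rule will also fire on legitimate sockets (an X server on port 6000 in the sample), so treat its output as a list to verify by hand, for instance by matching each PID against `ps` and the binary on disk, rather than as a verdict.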