
Re: [cobalt-security] Hacked RaQ4 - findings



Hello,

Today I was tasked with checking a customer's RaQ4 for signs of intrusion
and would like to share my findings. Maybe it's of use to someone:

After a brief inspection of running processes and network requests I broke
out "chkroot-1.1.7" and adorefind. Adorefind didn't find any traces of this
popular Linux worm. However, chkroot pointed out that both "netstat" and
"rshd" had been replaced with compromised binaries.

Aside from that, there were many other fishy things on this machine, and it
appeared as if the intruder had been a regular on this box for more than two
months. So even before I concluded my investigation I recommended a complete
OS reinstall to sanitize this mess.

Here are my findings for that respective machine:

A cron job for user "root" which restarts /usr/sbin/init (318004 bytes) every
five minutes. The running process /usr/sbin/init has nothing to do with the
normal "init", which is located in /sbin/init (27176 bytes).

So I removed both the cronjob and the file /usr/sbin/init after killing the 
process.

Additionally, /root/.bash_history revealed that this machine had been used for
scanning and/or intrusion of other hosts:

./synscan
./synscan 24.1 sex eth0 100 113
;s
./synscan 
./synscan 24.10 sex eth0 10 113
cat sex
telnet 24.1.36.136 13
telnet 24.1.36.136 1134
telnet 24.1.36.136 113
asd
./synscan 24.10 sex eth0 10 113 >asdf
[...]

./i 128.227.16.85
telnet 128.227.16.104
./i 128.227.16.104
telnet 128.227.23.243
telnet 128.227.32.64
./i 128.227.32.64
telnet 128.227.74.163

This goes on for another 130KB of logfile. Quite a busy chap, this visitor.

The binaries used for the purposes listed above were located in
/usr/lib/.ek/, although a copy of the sources was found in /tmp/.

The tools in question seem to be from a Polish cracker group called "Last
stage of delirium". At least that's what the readme claimed. I looked over
the sources and it seems to be pretty slick stuff.

On a lighter note: I actually wonder whether I can couple it to my own Portsentry
on my RaQ3 to actively fight back in cases of intrusion attempts <vbeg>.
 
A scan for files with suid=0 turned up so much fishy stuff with strange names
in odd places that I didn't even bother to check further. This box is a prime
candidate for the restore CD.

The infected RaQ4 had all the latest security patches applied. However, it
seems extremely likely that the patches were applied after the box had been
rooted. Initial traces in the log files (only /var/log/auth provided more than
the last two months) could be found as early as 10 Feb 2001, when the first
unsuccessful rlogins showed up in quick succession.

Conclusion: You can't be paranoid enough. 


Mit freundlichen Grüßen / Best regards

Michael Stauber
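The three filesystem-level findings in the message above (a rogue /usr/sbin/init restarted from root's crontab, a tool directory hidden as /usr/lib/.ek/, and setuid files with odd names in odd places) can be turned into repeatable triage checks. The script below is an added example, not code from the post or from any tool it mentions: it is POSIX sh, each check takes the root of the tree to examine as its first argument so it can be pointed at a mounted image (or at "/" on a live box), and the directory tree it builds with make_fixture is a constructed stand-in whose file names mirror the post but whose sizes and contents are made up. The crontab lines fed to the last check are likewise constructed.

```shell
#!/bin/sh
# Added triage checks (example code, not from the original post or the RaQ4).
# Each check takes the root of the filesystem tree to inspect as $1.

# CONSTRUCTED fixture: a throw-away tree shaped like the compromised box.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/sbin" "$root/usr/sbin" "$root/usr/bin" "$root/usr/lib/.ek"
  printf 'genuine init\n' > "$root/sbin/init"          # the real init
  printf 'rogue init\n'   > "$root/usr/sbin/init"      # the one cron restarts
  printf 'updatedb\n'     > "$root/usr/bin/updatedb"   # harmless cron target
  printf 'synscan\n'      > "$root/usr/lib/.ek/synscan"
  printf 'i\n'            > "$root/usr/lib/.ek/i"
  chmod 4755 "$root/usr/lib/.ek/synscan"               # setuid in a hidden dir
  printf '%s\n' "$root"
}

# Check 1: setuid files anywhere outside the four standard binary directories.
# On a real box add "-user root" to restrict this to setuid-root files.
find_odd_suid() {
  find "$1" -type f -perm -4000 \
    ! -path "$1/bin/*" ! -path "$1/sbin/*" \
    ! -path "$1/usr/bin/*" ! -path "$1/usr/sbin/*" | sort
}

# Check 2: regular files living under any hidden directory (e.g. /usr/lib/.ek/).
find_hidden_dir_files() {
  find "$1" -type f -path '*/.*/*' | sort
}

# Check 3: crontab entries (stdin; five time fields, then the command) whose
# command has the same basename as a binary in a standard directory but lives
# somewhere else, the /usr/sbin/init vs /sbin/init pattern from the post.
find_shadowed_cron_cmds() {
  root=$1
  while read -r min hour dom mon dow cmd _rest; do
    case "$min" in ''|'#'*) continue ;; esac   # skip blank lines and comments
    name=${cmd##*/}
    for dir in sbin bin usr/sbin usr/bin; do
      if [ -e "$root/$dir/$name" ] && [ "$root/$dir/$name" != "$root$cmd" ]; then
        printf '%s (real %s is /%s/%s)\n' "$cmd" "$name" "$dir" "$name"
        break
      fi
    done
  done
}

# Run all three checks against the constructed tree.
demo_root=$(make_fixture)
echo "== setuid files outside standard directories =="
find_odd_suid "$demo_root"
echo "== files under hidden directories =="
find_hidden_dir_files "$demo_root"
echo "== cron commands shadowing a system binary =="
printf '*/5 * * * * /usr/sbin/init\n0 3 * * * /usr/bin/updatedb\n' \
  | find_shadowed_cron_cmds "$demo_root"
rm -rf "$demo_root"
```

Against the fixture the first check reports only /usr/lib/.ek/synscan, the second lists both files under .ek, and the third flags /usr/sbin/init while leaving /usr/bin/updatedb alone because its basename has no twin elsewhere. On a real image the hits still need the manual comparison the post describes (size, strings, package verification), but the script narrows a root filesystem down to the handful of paths worth that effort.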