
[cobalt-security] A hacked box - an example



Hey folks,

Just want to show you a box that has been hacked into and what it looks
like. As I've recently stated, MIPS processors are immune to these hack
attacks. If you have a Qube 1 or 2, or a RaQ 1 or 2, you have nothing to
worry about regardless of what comes back. It was my error in forgetting
to say that the first time around. I apologize for those who have been
worried needlessly by this.

A customer believed he was hacked and asked me to verify. Here's the
results:

[admin admin]$ rpm -V procps
SM5.....   /bin/ps         <===Both of these came back
SM5.....   /usr/bin/top    <===
[admin admin]$ rpm -V fileutils
S.5.....   /bin/ls         <=== 
S.5.....   /usr/bin/du     <===
[admin admin]$ rpm -V net-tools
S.5.....   /bin/netstat  <=======hides his logins
[admin admin]$ rpm -V util-linux
..5.....   /bin/login <===This is a sure sign (except MIPS)
..?.....   /usr/bin/chfn<===these I'm not sure about
..?.....   /usr/bin/chsh <===
.M?.....   /usr/bin/newgrp
.M......   /usr/bin/write

As you can see, the root kit tries to hide the intruder's tracks from
detection. Top wouldn't show the extra processes, Netstat won't show them
either since it's been trojaned, and Login has been changed.

lsattr * /usr/bin showed the following:

----ia-- /usr/bin/du   <===verified by RPM check
----ia-- /usr/bin/find
----ia-- /usr/bin/top   <===verified by RPM check
----ia-- /usr/bin/pstree
----ia-- /usr/bin/tklogin <===verified by RPM check

lsattr * /usr/sbin showed the following:

----ia-- /usr/sbin/nscd

Sometimes you can also find a directory called /dev/.lib, in this case,
I couldn't get it to show (ls had been changed). 
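The two checks above (the `rpm -V` attribute columns and the `i`/`a` bits from `lsattr`) are easy to cross-reference by hand on a handful of files, but on a box with hundreds of packages it helps to script it. The following is an added example, not part of the original post and not a Cobalt tool: it decodes the eight-column `rpm -V` attribute string of the rpm 3.x/4.x era (`S`ize, `M`ode, MD`5`, `D`evice, `L`ink, `U`ser, `G`roup, m`T`ime; a `?` means that test could not be run, typically because the file is not readable to the user running rpm), parses `lsattr` output for the immutable/append-only attributes a rootkit sets to resist replacement, and reports the files the two checks agree on. The sample input lines are constructed, modelled on the lines quoted above.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `rpm -V` output, modelled on the post's lines (annotations removed).
RPM_VERIFY_SAMPLE = """\
SM5.....   /bin/ps
SM5.....   /usr/bin/top
S.5.....   /bin/ls
S.5.....   /usr/bin/du
S.5.....   /bin/netstat
..5.....   /bin/login
..?.....   /usr/bin/chfn
.M?.....   /usr/bin/newgrp
.M......   /usr/bin/write
"""

# Constructed sample of `lsattr` output over /usr/bin and /usr/sbin.
LSATTR_SAMPLE = """\
----ia-- /usr/bin/du
----ia-- /usr/bin/find
----ia-- /usr/bin/top
-------- /usr/bin/ls
----ia-- /usr/sbin/nscd
"""

# Column order of the rpm -V attribute string (8 columns on rpm 3.x/4.x;
# later releases append a ninth, P, for file capabilities).
RPM_COLUMNS = [("S", "size"), ("M", "mode"), ("5", "md5"), ("D", "device"),
               ("L", "symlink"), ("U", "owner"), ("G", "group"),
               ("T", "mtime"), ("P", "capabilities")]

# Failing either of these means the file's contents are no longer the packaged ones.
CONTENT_CHECKS = {"size", "md5"}

# chattr bits a rootkit sets on replaced binaries so a plain rm/cp fails.
TAMPER_RESIST_ATTRS = {"i": "immutable", "a": "append-only"}

_RPM_LINE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(\S+)\s*$")
_LSATTR_LINE = re.compile(r"^([-A-Za-z]+)\s+(\S+)\s*$")


def parse_rpm_verify(text: str) -> Dict[str, dict]:
    """Decode `rpm -V` output into {path: {"failed": set, "untestable": set}}."""
    result: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("missing"):          # "missing   /path" rows have no attribute string
            result[line.split()[-1]] = {"failed": {"missing"}, "untestable": set()}
            continue
        m = _RPM_LINE.match(line)
        if not m:
            continue                            # blank or unrelated line
        attrs, _filetype, path = m.groups()
        failed, untestable = set(), set()
        for (letter, name), ch in zip(RPM_COLUMNS, attrs):
            if ch == letter:
                failed.add(name)
            elif ch == "?":
                untestable.add(name)            # test could not run (e.g. unreadable file)
        result[path] = {"failed": failed, "untestable": untestable}
    return result


def parse_lsattr(text: str) -> Dict[str, Set[str]]:
    """Decode `lsattr` output into {path: set of attribute letters}."""
    result: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        m = _LSATTR_LINE.match(raw.strip())
        if m:
            result[m.group(2)] = set(m.group(1).replace("-", ""))
    return result


def assess(rpm: Dict[str, dict], lsattr: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for every file that deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for path, info in rpm.items():
        reasons = []
        if info["failed"] & CONTENT_CHECKS:
            reasons.append("contents differ from package (size/md5)")
        elif info["failed"]:
            reasons.append("metadata only: " + ", ".join(sorted(info["failed"])))
        if info["untestable"] & CONTENT_CHECKS:
            reasons.append("checksum not computed ('?'); rerun the verify with read access to the file")
        if reasons:
            findings[path] = reasons
    for path, attrs in lsattr.items():
        hits = [TAMPER_RESIST_ATTRS[a] for a in sorted(attrs) if a in TAMPER_RESIST_ATTRS]
        if hits:
            findings.setdefault(path, []).append("lsattr: " + "/".join(hits) + " set on a system binary")
    return findings


def cross_confirmed(rpm: Dict[str, dict], lsattr: Dict[str, Set[str]]) -> List[str]:
    """Paths whose contents differ from the package AND carry the i/a attributes."""
    return sorted(p for p, info in rpm.items()
                  if info["failed"] & CONTENT_CHECKS
                  and lsattr.get(p, set()) & set(TAMPER_RESIST_ATTRS))


if __name__ == "__main__":
    rpm = parse_rpm_verify(RPM_VERIFY_SAMPLE)
    attrs = parse_lsattr(LSATTR_SAMPLE)
    for path, reasons in sorted(assess(rpm, attrs).items()):
        print(path)
        for r in reasons:
            print("   -", r)
    print("confirmed by both checks:", cross_confirmed(rpm, attrs))
```

On a live system you would feed it the output of `rpm -Va` and `lsattr -R` over `/bin`, `/sbin`, `/usr/bin` and `/usr/sbin`. Keep in mind the limitation the post itself illustrates: `rpm`, `lsattr` and the rpm database all live on the compromised disk, so a clean result from these tools run on the box proves nothing; treat them as a quick triage step, and do the decisive comparison from known-good media or after the full OS restore the post recommends.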

Lionfind's output 

==== Lionfind ====
Version 0.1.9
A script to report on the existence of and remove the Lion worm.
Copyright 2001 William Stearns <wstearns@xxxxxxxxx>,
Released under the GNU General Public License (GPL).
Updated versions may be found at the
Institute for Security Technology Studies
(http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind.htm),
and SANS (http://www.sans.org/y2k/lion.htm).
Lion detected.
Would you like to kill all running processes run from the
following executables? If so, enter "Y" without quotes.
/dev/.lib/lib/1i0n.sh /dev/.lib/lib/lib/1i0n.sh
/dev/.lib/lib/scan/1i0n.sh /dev/.lib/lib/scan/getip.sh
/dev/.lib/lib/scan/star.sh /dev/.lib/lib/scan/scan.sh
/dev/.lib/lib/scan/hack.sh /dev/.lib/lib/scan/pscan
/dev/.lib/lib/scan/randb /dev/.lib/lib/scan/bindx.sh
/dev/.lib/lib/scan/bind /dev/.lib/lib/lib/1i0n.sh
/dev/.lib/lib/lib/getip.sh /dev/.lib/lib/lib/pg /dev/.lib/lib/lib/sz
/dev/.lib/lib/lib/t0rnp /dev/.lib/lib/lib/t0rns /dev/.lib/lib/lib/t0rnsb
/dev/.lib/lib/lib/tfn /dev/.lib/lib/lib/mjy /dev/.lib/lib/lib/name
/dev/.lib/lib/lib/.t0rn/shdcf2 /dev/.lib/lib/lib/.t0rn/sharsed
/dev/.lib/1i0n.sh /dev/.lib/star.sh /dev/.lib/scan.sh /dev/.lib/randb
/dev/.lib/pscan /dev/.lib/bindx.sh /dev/.lib/bind /dev/.lib/hack.sh
/dev/.lib/getip.sh /dev/.lib/lion /sbin/asp /usr/sbin/nscd
/usr/src/.puta/t0rns /bin/in.telnetd /usr/sbin/inetd

--
The following packages (rpms, debs, tars, etc.) may have been
modified beyond my ability to fix them. If any of the following
are installed on your system, please pull down fresh copies from
a trusted source. Please check for packages that have been
updated since your distribution was released and get those if they
exist.
Modified File	Possible Package Name
/bin/ls	fileutils
/bin/netstat	net-tools
/bin/ps	procps
/sbin/ifconfig	net-tools
/usr/bin/du	fileutils
/usr/bin/find	findutils
/usr/bin/top	procps
/usr/sbin/in.fingerd	finger-server
/usr/sbin/nscd	nscd
Do you wish to delete the following files:
/etc/ttyhash /usr/sbin/nscd /usr/src/.puta/.1addr /usr/src/.puta/.1file
/usr/src/.puta/.1proc /usr/src/.puta/.1logz
and directories:?
----------------------------
You may be able to recover by replacing the following items. However, as
I stated before, the official recommendation by Cobalt Tech Support is a
complete and total OS restore, since this is the only sure way to get rid
of backdoors.

Programs like Tripwire, when properly applied and used, will let you
know exactly which of these files have been changed and possibly when.
You would have been alerted the second the changes occurred, thereby
lessening the damage this intruder could do. Tripwire also has a new
program out that, in the event you are broken into, would prevent the
pages from being shown and would show an "error" page instead. These
programs are not supported by Cobalt, so we would not be able to answer
any questions regarding their usage on Cobalt Products. I would do
testing before usage on a production server.

If you have any questions about whether you've been hacked or not,
please direct your inquiries on our email support form to me, Bill
Irwin. I'll be glad to look into your situation and verify if in fact
you've been broken into.