RE: [cobalt-security] A hacked box - an example
- Subject: RE: [cobalt-security] A hacked box - an example
- From: "Joe Llewelyn" <Joe@xxxxxxxx>
- Date: Tue, 24 Apr 2001 15:03:55 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Bill,
[root@ns1 /root]# rpm -V util-linux
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
.M...... /usr/bin/newgrp
.M...... /usr/bin/write
Call me paranoid, but the third login one looks worrying... Any thoughts?
The other rpm -V xxxxxxxx you used yielded nothing on this RaQ, apart from the
prompt again with no error message.
Rgds..
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Bill Irwin
Sent: 24 April 2001 11:58
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] A hacked box - an example
Hey folks,
Just want to show you a box that has been hacked into and what it looks
like. As I've recently stated, MIPS processors are immune to these hack
attacks. If you have a Qube 1 or 2, or a RaQ 1 or 2, you have nothing to
worry about regardless of what comes back. It was my error in forgetting
to say that the first time around. I apologize for those who have been
worried needlessly by this.
A customer believed he was hacked and asked me to verify. Here's the
results:
[admin admin]$ rpm -V procps
SM5..... /bin/ps <===Both of these came back
SM5..... /usr/bin/top <===
[admin admin]$ rpm -V fileutils
S.5..... /bin/ls <===
S.5..... /usr/bin/du <===
[admin admin]$ rpm -V net-tools
S.5..... /bin/netstat <=======hides his logins
[admin admin]$ rpm -V util-linux
..5..... /bin/login <===This is a sure sign (except MIPS)
..?..... /usr/bin/chfn <===these I'm not sure about
..?..... /usr/bin/chsh <===
.M?..... /usr/bin/newgrp
.M...... /usr/bin/write
As you can see, the root kit tries to hide the intruder's tracks from
detection. Top wouldn't show the extra processes, Netstat won't show
either since it's been trojaned, and Login has been changed.
lsattr * /usr/bin showed the following:
----ia-- /usr/bin/du <===verified by RPM check
----ia-- /usr/bin/find
----ia-- /usr/bin/top <===verified by RPM check
----ia-- /usr/bin/pstree
----ia-- /usr/bin/tklogin <===verified by RPM check
lsattr * /usr/sbin showed the following:
----ia-- /usr/sbin/nscd
Sometimes you can also find a directory called /dev/.lib, in this case,
I couldn't get it to show (ls had been changed).
Lionfind's output
==== Lionfind ====
Version 0.1.9
A script to report on the existence of and remove the Lion worm.
Copyright 2001 William Stearns <wstearns@xxxxxxxxx>,
Released under the GNU General Public License (GPL).
Updated versions may be found at the
Institute for Security Technology Studies
(http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind.htm),
and SANS (http://www.sans.org/y2k/lion.htm).
Lion detected.
Would you like to kill all running processes run from the
following executables? If so, enter "Y" without quotes.
/dev/.lib/lib/1i0n.sh /dev/.lib/lib/lib/1i0n.sh
/dev/.lib/lib/scan/1i0n.sh /dev/.lib/lib/scan/getip.sh
/dev/.lib/lib/scan/star.sh /dev/.lib/lib/scan/scan.sh
/dev/.lib/lib/scan/hack.sh /dev/.lib/lib/scan/pscan
/dev/.lib/lib/scan/randb /dev/.lib/lib/scan/bindx.sh
/dev/.lib/lib/scan/bind /dev/.lib/lib/lib/1i0n.sh
/dev/.lib/lib/lib/getip.sh /dev/.lib/lib/lib/pg /dev/.lib/lib/lib/sz
/dev/.lib/lib/lib/t0rnp /dev/.lib/lib/lib/t0rns /dev/.lib/lib/lib/t0rnsb
/dev/.lib/lib/lib/tfn /dev/.lib/lib/lib/mjy /dev/.lib/lib/lib/name
/dev/.lib/lib/lib/.t0rn/shdcf2 /dev/.lib/lib/lib/.t0rn/sharsed
/dev/.lib/1i0n.sh /dev/.lib/star.sh /dev/.lib/scan.sh /dev/.lib/randb
/dev/.lib/pscan /dev/.lib/bindx.sh /dev/.lib/bind /dev/.lib/hack.sh
/dev/.lib/getip.sh /dev/.lib/lion /sbin/asp /usr/sbin/nscd
/usr/src/.puta/t0rns /bin/in.telnetd /usr/sbin/inetd
--
The following packages (rpms, debs, tars, etc.) may have been
modified beyond my ability to fix them. If any of the following
are installed on your system, please pull down fresh copies from
a trusted source. Please check for packages that have been
updated since your distribution was released and get those if they
exist.
Modified File Possible Package Name
/bin/ls fileutils
/bin/netstat net-tools
/bin/ps procps
/sbin/ifconfig net-tools
/usr/bin/du fileutils
/usr/bin/find findutils
/usr/bin/top procps
/usr/sbin/in.fingerd finger-server
/usr/sbin/nscd nscd
Do you wish to delete the following files:
/etc/ttyhash /usr/sbin/nscd /usr/src/.puta/.1addr /usr/src/.puta/.1file
/usr/src/.puta/.1proc /usr/src/.puta/.1logz
and directories:?
----------------------------
You may be able to recover by replacing the following items. However, as
I stated before, official recommendation by Cobalt Tech Support is a
complete and total OS restore since this is the only sure way to get rid
of backdoors.
Programs like Tripwire, when properly applied and used, will let you
know exactly which of these files have been changed and possibly when.
You would have been alerted the second the changes occurred, thereby
lessening the damage this intruder could do. Tripwire also has a new
program out that in the event you are broken into, it would prevent the
pages from being shown, and would show an "error" page instead. These
programs are not supported by Cobalt so we would not be able to answer
any questions regarding their usage on Cobalt Products. I would do
testing before usage on a production server.
If you have any questions about whether you've been hacked or not,
please direct your inquiries on our email support form to me, Bill
Irwin. I'll be glad to look into your situation and verify if in fact
you've been broken into.
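Both messages on this thread rely on reading `rpm -V` output by eye: Bill cross-checks it against `lsattr` to confirm which binaries the rootkit replaced and locked down, and Joe asks whether the `c /etc/pam.d/login` line on his RaQ is cause for alarm. The following Python script is an added example, not code from either poster or from Cobalt; it parses the verify lines and the `lsattr` lines exactly as quoted above (transcribed here as constructed sample input), classifies each finding using rpm's documented column meanings (`S` size, `M` mode, `5` MD5, `T` mtime, `?` test not performed, `c` config file), and reports the binaries that both differ from the package and carry the immutable/append-only attributes. The severity ranking and the function names are this example's own choices.

```python
"""Triage helper for rpm -V and lsattr output (added example; sample input is constructed)."""
import re
from collections import namedtuple

# Meaning of each rpm -V attribute column. rpm 3.x (as on these RaQ/Qube boxes) prints
# eight columns; rpm 4.x adds a ninth "P" (capabilities) column, which is accepted too.
FLAG_MEANING = {
    "S": "size differs", "M": "mode differs", "5": "MD5 digest differs",
    "D": "device number differs", "L": "symlink target differs",
    "U": "owner differs", "G": "group differs", "T": "mtime differs",
    "P": "capabilities differ",
}

# flags, optional file-type letter (c=config, d=doc, g=ghost, l=license, r=readme), path.
# The path stops at whitespace or "<" so the "<===" annotations in the post are ignored.
VERIFY_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?([^\s<]+)")
# lsattr: attribute string (dashes and letters) followed by an absolute path.
LSATTR_RE = re.compile(r"^([-A-Za-z]{4,})\s+(/\S+)")

Finding = namedtuple("Finding", "path flags file_type severity note")


def classify(path, flags, file_type):
    """Rank one verify line: content changes in binaries matter most, '?' means untested."""
    changed = sorted(c for c in flags if c in FLAG_MEANING)
    untested = "?" in flags
    if file_type == "c":
        sev, note = "info", "config file differs from package; diff it against a known-good copy"
    elif "5" in changed or "S" in changed:
        sev, note = "high", "packaged binary content changed; treat as trojaned until replaced"
    elif changed:
        sev, note = "medium", "metadata only: " + ", ".join(FLAG_MEANING[c] for c in changed)
        if untested:
            note += " (some checks not performed; rerun as root)"
    elif untested:
        sev, note = "unverified", "check could not be performed (file unreadable?); rerun rpm -V as root"
    else:
        sev, note = "info", "no differences"
    return Finding(path, flags, file_type, sev, note)


def parse_rpm_verify(text):
    """Parse every rpm -V result line in text; prompts and other lines are skipped."""
    matches = (VERIFY_RE.match(line.strip()) for line in text.splitlines())
    return [classify(m.group(3), m.group(1), m.group(2)) for m in matches if m]


def parse_lsattr(text):
    """Return {path: attrs} for entries marked immutable (i) and/or append-only (a)."""
    locked = {}
    for line in text.splitlines():
        m = LSATTR_RE.match(line.strip())
        if m and set(m.group(1)) & set("ia"):
            locked[m.group(2)] = "".join(c for c in m.group(1) if c in "ia")
    return locked


def cross_reference(findings, locked):
    """Binaries that rpm says changed AND that carry i/a flags: the combination seen above."""
    return sorted(f.path for f in findings if f.severity == "high" and f.path in locked)


# Constructed sample input, transcribed from the output quoted in the two posts.
BILL_RPM_V = """\
[admin admin]$ rpm -V procps
SM5..... /bin/ps <===Both of these came back
SM5..... /usr/bin/top <===
[admin admin]$ rpm -V fileutils
S.5..... /bin/ls <===
S.5..... /usr/bin/du <===
[admin admin]$ rpm -V net-tools
S.5..... /bin/netstat <=======hides his logins
[admin admin]$ rpm -V util-linux
..5..... /bin/login <===This is a sure sign (except MIPS)
..?..... /usr/bin/chfn<===these I'm not sure about
..?..... /usr/bin/chsh <===
.M?..... /usr/bin/newgrp
.M...... /usr/bin/write
"""
JOE_RPM_V = """\
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
.M...... /usr/bin/newgrp
.M...... /usr/bin/write
"""
LSATTR_OUT = """\
----ia-- /usr/bin/du
----ia-- /usr/bin/find
----ia-- /usr/bin/top
----ia-- /usr/bin/pstree
----ia-- /usr/bin/tklogin
----ia-- /usr/sbin/nscd
"""

if __name__ == "__main__":
    findings = parse_rpm_verify(BILL_RPM_V) + parse_rpm_verify(JOE_RPM_V)
    for f in findings:
        print(f"{f.severity:10} {f.flags} {f.file_type or '-'} {f.path}: {f.note}")
    print("changed + immutable:", cross_reference(findings, parse_lsattr(LSATTR_OUT)))
```

Run against the quoted output, the script puts ps, top, ls, du, netstat and login in the "high" bucket, marks chfn/chsh as unverified (a `?` column means rpm could not run that test, which is why a non-root run says less than a root run), and reports du and top as both modified and immutable. Joe's three `c` lines come out as "info": rpm flags a config file whenever it differs from the packaged copy, so the right follow-up is to diff `/etc/pam.d/login` against a known-good copy rather than to read the flag alone as proof of compromise. The script only reads text you paste into it; on a box whose `rpm` and `lsattr` binaries may themselves be trojaned, run the tools from trusted media.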
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security