
Re: [cobalt-security] A hacked box - an example



Joe, 

If you tried some of the others and they showed nothing, then I wouldn't
worry unless you get more evidence. If you truly want to be sure, grab
chkrootkit (?) I think that was the one that checked for rootkits, and
lionfind as it checks for the lionworm. These will give you definitive
answers.

Joe Llewelyn wrote:
> 
> Bill,
> 
> [root@ns1 /root]# rpm -V util-linux
> S.5....T c /etc/pam.d/chfn
> S.5....T c /etc/pam.d/chsh
> S.5....T c /etc/pam.d/login
> .M......   /usr/bin/newgrp
> .M......   /usr/bin/write
> 
> Call me paranoid, but the third login one looks worrying.. Any thoughts?
> 
> The other RPM -V xxxxxxxx you used yielded nothing on this RaQ, apart from the
> prompt again with no error message.
> 
> Rgds..
> 
> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Bill Irwin
> Sent: 24 April 2001 11:58
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] A hacked box - an example
> 
> Hey folks,
> 
> Just want to show you a box that has been hacked into and what it looks
> like. As I've recently stated, MIPS processors are immune to these hack
> attacks. If you have a Qube 1 or 2, or a RaQ 1 or 2, you have nothing to
> worry about regardless of what comes back. It was my error in forgetting
> to say that the first time around. I apologize for those who have been
> worried needlessly by this.
> 
> A customer believed he was hacked and asked me to verify. Here's the
> results:
> 
> [admin admin]$ rpm -V procps
> SM5.....   /bin/ps         <===Both of these came back
> SM5.....   /usr/bin/top    <===
> [admin admin]$ rpm -V fileutils
> S.5.....   /bin/ls         <===
> S.5.....   /usr/bin/du     <===
> [admin admin]$ rpm -V net-tools
> S.5.....   /bin/netstat  <=======hides his logins
> [admin admin]$ rpm -V util-linux
> ..5.....   /bin/login <===This is a sure sign (except MIPS)
> ..?.....   /usr/bin/chfn<===these I'm not sure about
> ..?.....   /usr/bin/chsh <===
> .M?.....   /usr/bin/newgrp
> .M......   /usr/bin/write
> 
> As you can see, the root kit tries to hide the intruder's tracks from
> detection. Top wouldn't show the extra processes, Netstat won't show
> either since it's been trojaned, and Login has been changed.
> 
> lsattr * /usr/bin showed the following:
> 
> ----ia-- /usr/bin/du   <===verified by RPM check
> ----ia-- /usr/bin/find
> ----ia-- /usr/bin/top   <===verified by RPM check
> ----ia-- /usr/bin/pstree
> ----ia-- /usr/bin/tklogin <===verified by RPM check
> 
> lsattr * /usr/sbin showed the following:
> 
> ----ia-- /usr/sbin/nscd
> 
> Sometimes you can also find a directory called /dev/.lib, in this case,
> I couldn't get it to show (ls had been changed).
> 
> Lionfind's output
> 
> ==== Lionfind ====
> Version 0.1.9
> A script to report on the existence of and remove the Lion worm.
> Copyright 2001 William Stearns <wstearns@xxxxxxxxx>,
> Released under the GNU General Public License (GPL).
> Updated versions may be found at the
> Institute for Security Technology Studies
> (http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind.htm),
> and SANS (http://www.sans.org/y2k/lion.htm).
> Lion detected.
> Would you like to kill all running processes run from the
> following executables? If so, enter "Y" without quotes.
> /dev/.lib/lib/1i0n.sh /dev/.lib/lib/lib/1i0n.sh
> /dev/.lib/lib/scan/1i0n.sh /dev/.lib/lib/scan/getip.sh
> /dev/.lib/lib/scan/star.sh /dev/.lib/lib/scan/scan.sh
> /dev/.lib/lib/scan/hack.sh /dev/.lib/lib/scan/pscan
> /dev/.lib/lib/scan/randb /dev/.lib/lib/scan/bindx.sh
> /dev/.lib/lib/scan/bind /dev/.lib/lib/lib/1i0n.sh
> /dev/.lib/lib/lib/getip.sh /dev/.lib/lib/lib/pg /dev/.lib/lib/lib/sz
> /dev/.lib/lib/lib/t0rnp /dev/.lib/lib/lib/t0rns /dev/.lib/lib/lib/t0rnsb
> /dev/.lib/lib/lib/tfn /dev/.lib/lib/lib/mjy /dev/.lib/lib/lib/name
> /dev/.lib/lib/lib/.t0rn/shdcf2 /dev/.lib/lib/lib/.t0rn/sharsed
> /dev/.lib/1i0n.sh /dev/.lib/star.sh /dev/.lib/scan.sh /dev/.lib/randb
> /dev/.lib/pscan /dev/.lib/bindx.sh /dev/.lib/bind /dev/.lib/hack.sh
> /dev/.lib/getip.sh /dev/.lib/lion /sbin/asp /usr/sbin/nscd
> /usr/src/.puta/t0rns /bin/in.telnetd /usr/sbin/inetd
> 
> --
> The following packages (rpms, debs, tars, etc.) may have been
> modified beyond my ability to fix them. If any of the following
> are installed on your system, please pull down fresh copies from
> a trusted source. Please check for packages that have been
> updated since your distribution was released and get those if they
> exist.
> Modified File   Possible Package Name
> /bin/ls fileutils
> /bin/netstat    net-tools
> /bin/ps procps
> /sbin/ifconfig  net-tools
> /usr/bin/du     fileutils
> /usr/bin/find   findutils
> /usr/bin/top    procps
> /usr/sbin/in.fingerd    finger-server
> /usr/sbin/nscd  nscd
> Do you wish to delete the following files:
> /etc/ttyhash /usr/sbin/nscd /usr/src/.puta/.1addr /usr/src/.puta/.1file
> /usr/src/.puta/.1proc /usr/src/.puta/.1logz
> and directories:?
> ----------------------------
> You may be able to recover by replacing the following items. However as
> I stated before, official recommendation by Cobalt Tech Support is a
> complete and total OS restore since this is the only sure way to get rid
> of backdoors.
> 
> Programs like Tripwire, when properly applied and used, will let you
> know exactly which of these files have been changed and possibly when.
> You would have been alerted the second the changes occurred thereby
> lessening the damage this intruder could do. Tripwire also has a new
> program out that in the event you are broken into, it would prevent the
> pages from being shown, and would show an "error" page instead. These
> programs are not supported by Cobalt so we would not be able to answer
> any questions regarding their usage on Cobalt Products. I would do
> testing before usage on a production server.
> 
> If you have any questions about whether you've been hacked or not,
> please direct your inquiries on our email support form to me, Bill
> Irwin. I'll be glad to look into your situation and verify if in fact
> you've been broken into.
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

-- 
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
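The `rpm -V` and `lsattr` readings Bill walks through above can be turned into a small triage script. This is an added example, not code from the thread or from Cobalt; the verdict names and the sample lines are constructed, and it assumes the 8-position flag field of the rpm version shown (run rpm itself from trusted media, since the thread shows the package tools are exactly what gets trojaned).

```python
# Added example (not from the list post): triage rpm -V and lsattr output as the
# thread reads it. rpm -V flags: S size, M mode, 5 MD5 digest, D dev, L link,
# U user, G group, T mtime; '.' passed, '?' test could not run (an unprivileged
# user cannot read a root-only setuid binary); 'c' marks a config file.
import re

RPM_LINE = re.compile(r"^([SM5DLUGT.?]{8})\s+(?:([cdglr])\s+)?(\S+)")
LSATTR_LINE = re.compile(r"^([-A-Za-z]{8,})\s+(\S+)")

def parse_rpm_verify(text):
    for line in text.splitlines():
        m = RPM_LINE.match(line.strip())
        if m:
            flags, attr, path = m.groups()
            yield flags, attr == "c", path

def classify(flags, is_config):
    if "5" in flags and not is_config:
        return "REPLACED"      # binary contents differ: reinstall from trusted media
    if "?" in flags:
        return "UNVERIFIABLE"  # rerun the check as root before concluding anything
    if "5" in flags:
        return "CONFIG_EDIT"   # config changed: diff it against a known-good copy
    if "M" in flags:
        return "MODE_CHANGE"   # permission bits differ: look for an added setuid bit
    return "OK"

def triage_rpm(text):
    return {p: classify(f, c) for f, c, p in parse_rpm_verify(text)}

def locked_attrs(text):
    # 'i' (immutable) and 'a' (append-only) are not set on stock binaries
    return [m.group(2) for m in map(LSATTR_LINE.match, text.splitlines())
            if m and set("ia") & set(m.group(1))]

# Constructed sample lines, shaped like the output quoted in the thread.
SAMPLE_RPM = """SM5.....   /bin/ps
..5.....   /bin/login
..?.....   /usr/bin/chfn
.M......   /usr/bin/write
S.5....T c /etc/pam.d/login"""
SAMPLE_LSATTR = """----ia-- /usr/bin/du
-------- /usr/bin/dir
----ia-- /usr/bin/top"""

if __name__ == "__main__":
    print(triage_rpm(SAMPLE_RPM))
    print("locked:", locked_attrs(SAMPLE_LSATTR))
```

A `REPLACED` verdict on /bin/login, /bin/ps or /bin/netstat matches the sure-sign cases in the thread, while the `?` rows only mean the check must be repeated as root.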