Re: [cobalt-security] Unusual ps command output
- Subject: Re: [cobalt-security] Unusual ps command output
- From: Martín Fiumara <martinfiumara@xxxxxxxxxxx>
- Date: Mon, 12 Nov 2001 13:30:05 -0300
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Chris: I'm almost sure that your server has been compromised again... The
output you see from the ps command comes from a fake "ps" binary, which
belongs to a rootkit, I don't remember the name right now.
It is sad to say that Cobalt people don't care much about security, and that
their patches are a little out of date.
I had the same incident as you on my Cobalt RaQ 3, but I luckily found the
cause of the incident and managed to solve it (after Cobalt support just gave
me an OS reload as the only solution).
I'd like the opportunity to call all Cobalt users to push Cobalt to release
service updates, because sendmail and bind services are VERY vulnerable,
despite the Cobalt patches... That's just an example.
----- Original Message -----
From: "Chris Moreton" <chrismo2002@xxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Sunday, November 11, 2001 7:50 PM
Subject: [cobalt-security] Unusual ps command output
> Hi,
>
> I periodically send myself a file from my RaQ4 built up of output from the
> "ps -efw" command built up throughout the day. Normally, I get output in the
> form
>
> UID PID PPID C STIME TTY TIME CMD
> root 1 0 0 Nov08 ? 00:00:04 init
> root 2 1 0 Nov08 ? 00:00:15 [kflushd]
> root 3 1 0 Nov08 ? 00:00:18 [kupdate]
> root 4 1 0 Nov08 ? 00:00:00 [kpiod]
>
> etcetera...
>
> But today I got the output below. What strikes me is that the headings are
> different and the appearance of the name "r00t". My server has been
> compromised twice recently, and on each occasion I have noticed that the
> "ps -ef" command has produced minimal output like below and that in order to
> get what I expect I need to do "ps -aux".
>
> On both these occasions I rebuilt the server and applied all the security
> patches from Cobalt. Also, being very paranoid, I turned off all the FTP,
> DNS and Email services and my ISP closed all unnecessary ports following the
> rebuild.
>
> Does anyone know how to explain this?
>
> PID TTY STAT TIME COMMAND
> 11301 p0 S 0:00 -sh HOME=/root USER=root LOGNAME=root PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/bin MAIL=/var/spool/mail/root SHELL=/bin/sh SSH_CLIENT=1
> 23216 p0 S 0:00 \_ sh ./r00t 194 105 LESSOPEN=|/usr/bin/lesspipe.sh %s HISTSIZE=1000 HOSTNAME=www.changed.com LOGNAME=root SSH_TTY=/dev/ttyp0 MAIL=/v
> 23230 p0 R 10:01 \_ ./scan 194 53 105 LESSOPEN=|/usr/bin/lesspipe.sh %s HISTSIZE=1000 HOSTNAME=www.changed.com LOGNAME=root SSH_TTY=/dev/ttyp0 MAI
> 30013 p1 S 0:00 -sh HOME=/root USER=root LOGNAME=root PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/bin MAIL=/var/spool/mail/root SHELL=/bin/sh SSH_CLIENT=2
>
> Thanks,
> Chris
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
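Martín's point is that a rootkit-replaced ps filters what it shows, so the ps output cannot be trusted to decide whether the box is clean. The cross-check below is an added example, not code from anyone in this thread: it reads the process list straight from the kernel via /proc (assumed to be a Linux host) and diffs it against what ps reports, handling both header layouts Chris pasted (the `UID PID PPID` one and the `PID TTY STAT` one). The ps samples are constructed from the lines in the thread.

```python
import os
import subprocess

# Constructed samples modelled on the two ps header styles seen in the thread.
SYSV_STYLE = """\
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Nov08 ? 00:00:04 init
root 2 1 0 Nov08 ? 00:00:15 [kflushd]
root 3 1 0 Nov08 ? 00:00:18 [kupdate]
root 4 1 0 Nov08 ? 00:00:00 [kpiod]
"""

BSD_STYLE = """\
PID TTY STAT TIME COMMAND
11301 p0 S 0:00 -sh HOME=/root USER=root
23216 p0 S 0:00 \\_ sh ./r00t 194 105
23230 p0 R 10:01 \\_ ./scan 194 53 105
30013 p1 S 0:00 -sh HOME=/root USER=root
"""

def parse_ps_pids(text):
    """Return the set of PIDs in ps output. The header names the PID column,
    so both 'UID PID PPID ...' and 'PID TTY STAT ...' layouts are handled."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return set()
    col = lines[0].split().index("PID")
    pids = set()
    for line in lines[1:]:
        fields = line.split()
        if len(fields) > col and fields[col].isdigit():
            pids.add(int(fields[col]))
    return pids

def proc_pids():
    """PIDs the kernel reports through /proc, independent of the ps binary."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def hidden_pids(kernel_pids, ps_pids):
    """Processes present in /proc that ps did not list: a sign that ps is
    filtering its output, as a replaced ps from a rootkit would."""
    return kernel_pids - ps_pids

def live_check():
    before = proc_pids()
    out = subprocess.run(["ps", "-e"], capture_output=True, text=True).stdout
    after = proc_pids()
    # Only PIDs alive both before and after ps ran are considered, so that
    # processes that merely started or exited in between are not flagged.
    return hidden_pids(before & after, parse_ps_pids(out))

if __name__ == "__main__":
    print("PIDs hidden from ps:", sorted(live_check()) or "none")
```

An empty result only shows that ps agrees with /proc; a rootkit with a kernel component can hide entries from /proc as well, so a clean-media boot and a checksum of /bin/ps against a known-good copy remain the stronger check.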