[cobalt-security] I got Hacked, here's how I fixed it.
- Subject: [cobalt-security] I got Hacked, here's how I fixed it.
- From: "Lance Rushing" <lance_rushing@xxxxxxxxxxx>
- Date: Tue, 14 Jan 2003 15:49:52 -0800
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
First off I'd like to thank all the frequent contributors to this list. The
archives provided much assistance in fixing the server.
I get a call from a client that portions of their web site aren't working.
Mysql was throwing an error about not being able to write to the /tmp
directory. 'No big deal' I think, and telnet to the server.
Upon telnetting I am instantly logged in!!! No username required, no
password. I'm just at a 'bash# ' prompt. BASTARDS!! A freaking rootkit.
===========================
The Diagnosis
===========================
I checked Sun for any recent patches. I've been lazy/busy the last months
and missed two updates. I apply the patches and start going about cleaning
up the server.
Obviously /bin/login was infected because it wasn't authenticating. I take
a look at the file, last modified Sep 9 17:00. Also the file has all of its
sucSadAi attributes set. I look around on the server and find several other
binaries that are infected, with the same date and all of the attributes set.
/bin/ps
/usr/bin/top
/bin/login
/bin/netstat
/sbin/ifconfig
/usr/bin/pstree
/usr/bin/find
/usr/bin/slocate
/usr/bin/locate
/usr/bin/updatedb
I also find /usr/sbin/xntps and startup scripts for it in /etc/rc.d.
So after some archive searching I get chkrootkit and run it.
Checking `pstree'... INFECTED
Checking `login'... INFECTED
Checking `ifconfig'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Checking `lkm'... You have 4 process hidden for ps command
===========================
The Treatment
===========================
I remove the xntps from the startup scripts and reboot.
Next I replace all of the infected files. You really shouldn't reinstall
the whole rpm, because it might overwrite another binary that is newer
(patched). So you need to unpack the rpm and replace only the infected
files with the uninfected originals.
Find all the suspicious files:
Method 1:
Using lsattr should show you all files that have some special attributes set.
The following command will search the whole computer:
lsattr -aR * 2> /dev/null | grep -ve "^--------" | grep -ve ":$" | grep -ve ^$
If you want to find ones that are just in certain directories:
lsattr -aR /bin 2> /dev/null | grep -ve "^--------" | grep -ve ":$" | grep -ve ^$
Also check /sbin /usr/bin /usr/sbin /usr/local and /etc
Method 2:
Verify the rpms for the files in a binary directory
rpm --verify -f /bin/*
Example output (see 'man rpm' for more info):
S.5..UG. /usr/bin/md5sum
means the size, md5, user and group differ from the rpm's,
so it needs to be replaced:
1. Remove all of the locking attributes. (if necessary)
chattr -s -u -c -S -a -d -A -i [filename]
2. Figure out which rpm the binary came from.
a. rpm -qf [filename]
b. Check which package that rpm is in:
grep [rpm_name] /var/lib/cobalt/*
c1. If the rpm came from a package (other than the OS-#)
Download the pkg again: (if necessary)
mkdir /tmp/downloads
cd /tmp/downloads
wget ftp://ftp.cobalt.com/pub/packages/raq4/eng/[package_file]
Unpack it:
mkdir /tmp/unpacked_pkgs
tar -xzf [package_file] -C /tmp/unpacked_pkgs
Get the rpm:
mkdir /tmp/rpms
cp /tmp/unpacked_pkgs/RPMS/[rpm_file] /tmp/rpms
c2. If the rpm came from the iso.
Download the iso and md5sum: (if necessary)
mkdir /tmp/iso
cd /tmp/iso
wget ftp://ftp.cobalt.com/pub/iso/960-RAQ4R101BU.iso.gz
wget ftp://ftp.cobalt.com/pub/iso/960-RAQ4R101BU.iso.md5sum
(This is the iso that my raq used, your iso name might be different)
Unzip it:
gunzip 960-RAQ4R101BU.iso.gz (takes a while)
Md5 verify:
md5sum 960-RAQ4R101BU.iso
cat 960-RAQ4R101BU.iso.md5sum
Mount it:
mkdir /mnt/loop
mount -o loop /tmp/iso/960-RAQ4R101BU.iso /mnt/loop
Verify it is for your cobalt:
cat /etc/build
ls /mnt/loop/nfsroot-x86/bto-sync/production
Make sure your build is reflected in the name of the directory.
Get the rpm:
mkdir /tmp/rpms
cd /mnt/loop/nfsroot-x86/bto-sync/production/3100R_1.155/rpms
(My cobalt is a 3100R_1.155, yours might vary)
cp [rpm_file] /tmp/rpms
d. Unpack the rpm
cd /tmp/rpms
rpm2cpio [rpm_file] | cpio -idmv --no-absolute-filenames
e. Replace the infected file
cp -f /tmp/rpms/bin/sample /bin/sample
or:
cp -f /tmp/rpms/sbin/sample /sbin/sample
Remove/fix any config files:
look at /etc/inetd.conf (I had some in.cfinger thing running)
also /etc/ld.so.hash (only delete once you have /bin/login working
correctly)
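A small triage script for the two "Find all the suspicious files" methods above, added here as an example (it is not code from the original post). Both helpers read the tool's own output on stdin, so they work on a live `rpm --verify` or `lsattr -aR` run as well as on the constructed sample lines at the bottom; the flag-column layout they parse is the standard rpm/lsattr one, and the sample paths are made up.

```shell
#!/bin/sh
# Triage helpers for rpm --verify and lsattr output (added example, not the post's code).
# Live use:  rpm --verify -f /bin/* /sbin/* 2>/dev/null | classify_rpm_verify
#            lsattr -aR /bin /sbin /usr/bin /usr/sbin 2>/dev/null | find_locked_attrs

# rpm verify line: 8 flag columns in the order S M 5 D L U G T ('.' = unchanged),
# an optional 'c' marker for config files, then the path; the word 'missing'
# replaces the flags when the file is gone.
classify_rpm_verify() {
    while read -r flags rest; do
        path=${rest##* }                 # last field, whether or not a 'c' marker precedes it
        [ -n "$path" ] || continue
        if [ "$flags" = missing ]; then
            echo "MISSING $path"; continue
        fi
        content=0
        case "$flags" in S*)   content=1 ;; esac   # column 1: size differs
        case "$flags" in ??5*) content=1 ;; esac   # column 3: md5 differs
        if [ "$content" -eq 1 ]; then
            # config files change legitimately but still deserve a look (cf. inetd.conf)
            case "$rest" in "c "*) echo "CONFIG $path" ;; *) echo "TAMPERED $path" ;; esac
        else
            echo "METADATA $path"        # only mode/owner/mtime differ: review, lower priority
        fi
    done
}

# lsattr line: a flag string ('-' for unset) then the path; directory headers such
# as "/bin:" and blank lines are skipped. Report files with the immutable (i) or
# append-only (a) attribute set, the locks that were found on the replaced binaries.
find_locked_attrs() {
    while read -r flags path; do
        [ -n "$path" ] || continue
        case "$flags" in *i*|*a*) echo "LOCKED $flags $path" ;; esac
    done
}

# Constructed sample output (not from the post's server) so the script runs offline.
SAMPLE_RPM_VERIFY='S.5..UG.   /usr/bin/md5sum
.......T   /bin/login
S.5....T c /etc/inetd.conf
missing    /usr/bin/pstree'
SAMPLE_LSATTR='/bin:
----i--------- /bin/login
-------------- /bin/ls
-----a-------- /bin/netstat'
printf '%s\n' "$SAMPLE_RPM_VERIFY" | classify_rpm_verify
printf '%s\n' "$SAMPLE_LSATTR" | find_locked_attrs
```

Anything reported as TAMPERED or LOCKED in /bin, /sbin, /usr/bin or /usr/sbin is a candidate for the replacement steps above; METADATA hits are worth a look but usually mean ownership or timestamp changes rather than a swapped binary.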
===========================
Conclusion
===========================
1. Stay on top of updates more often.
2. Get ipchains up.
3. Check logs often and then lock bad IPs out with ipchains.
4. http://www.average.org/cobalt/quick-security-guide.html
===========================
Useful links
===========================
Unpack rpms:
http://la-samhna.de/library/compile/unpacking.html
Unpacking pkgs:
http://list.cobalt.com/pipermail/cobalt-users/2002-July/074123.html
ftp://ftp.cobalt.sun.com/pub/developer/TechNotes/DTN10-0-5.pdf
cat /usr/local/sbin/cobalt_upgrade
Mounting ISOs:
http://xpt.sourceforge.net/techdocs/linuxdisk/Mount/linuxdisk10.001.html
chkrootkit:
http://list.cobalt.com/pipermail/cobalt-security/2002-November/006842.html
Recovering from a hack:
http://www.incidents.org/archives/intrusions/msg00464.html
http://marc.theaimsgroup.com/?l=cobalt-users&m=104009524721034&w=2
t0rn:
http://list.cobalt.com/pipermail/cobalt-security/2001-July/002678.html
http://www.solarspeed.net/news/4.php
http://list.cobalt.com/pipermail/cobalt-security/2001-August/003161.html
Thanks and good luck,
Lance Rushing