system seems hacked...

Federico Voges ftc at ftc.com.ar
Thu Feb 21 10:00:55 PST 2008


Roger Oberholtzer wrote:
> I have just seen something odd on a principal server (suse 10.0) in our
> DMZ. At first, I saw a user running ftp_scan on a zillion ports. Then I
> saw a different user running ssh_scan. Me thinks, this is not right. So,
> I started by changing passwords for all, and rebooting. Then I notice on
> the freshly booted system:
> 
> root      4137     1  0 14:16 ?        00:00:00 /usr/sbin/sshd -o
> PidFile=/var/run/sshd.init.pid
> jan       4755     1  0 14:17 ?        00:00:00 /usr/sbin/sshd
> 
> 
> netstat tells me
> 
> tcp        0      0 :::22                   :::*
> LISTEN      4137/sshd
> udp        0      0 0.0.0.0:32775           0.0.0.0:*
> 4755/sshd
> 
> So this unexpected sshd has udp port 32775 open. How odd.
> 
> User jan should not be running anything, let alone sshd. If I kill it,
> it comes back. I checked the /usr/sbin/sshd and it has a correct
> checksum compared to an internal machine. So then I looked in inittab
> and the rc scripts (process 1 is init) to see if anything there looks
> odd. I do not see anything that gives me a clue as to why this is
> running. Of course the rc scripts are harder to check as they run
> programs that run programs, etc. I did a check to see what is different
> from the installed RPMs. Nothing looked odd.
> 
> I had a look at http://suseforums.net/index.php?showtopic=31358 which
> seems to be describing the same thing. Except that in my case, the odd
> sshd is still running after the reboot. And it will not go away...
> 
> Anyone seen/heard of this specific exploit?
> 
Try chkrootkit (http://www.chkrootkit.org/); it detects quite a few rootkits.

Also, look for hidden directories (find / -name ".??*" -type d). They 
usually hide their "tools" using that trick.

And I'd reinstall that box from scratch and apply all the security fixes 
of the distro you use.

HTH.

Cheers,
Fed.
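A small triage script along the lines of the advice above (the hidden-directory sweep and the "is that really sshd?" question), written as an added example for this thread and not part of Federico's or Roger's posts. It assumes a Linux box with /proc mounted; the list of "system" locations where a dot-directory is treated as suspicious is my own choice and nothing more than a heuristic. It is a quick look before wiping the box, not a substitute for the reinstall.

```bash
#!/bin/sh
# Post-compromise triage helpers (example code, not from the original posts).
# Usage after sourcing this file:
#   suspicious_hidden_dirs /          # dot-directories in places they should not be
#   report_exe 4755 4137              # which binary is really behind a PID

# Print every hidden directory (basename starting with a dot) below $1, one per
# line, in a locale-independent order. Unlike the ".??*" glob this also
# catches one-character names such as ".a"; the start point itself is skipped.
find_hidden_dirs() {
    root=${1:-/}
    find "$root" -type d -name '.*' ! -name '.' ! -name '..' 2>/dev/null | LC_ALL=C sort
}

# Filter find_hidden_dirs output down to locations where a legitimate
# dot-directory is very unusual. Home directories are deliberately excluded:
# .ssh, .mozilla and friends are normal there and would drown the signal.
# The location list is an assumption for this example; extend it as needed.
suspicious_hidden_dirs() {
    root=${1:-/}
    root=${root%/}                     # "/" becomes "", "/mnt/x/" becomes "/mnt/x"
    find_hidden_dirs "${root:-/}" | while IFS= read -r d; do
        rel=${d#"$root"}               # path relative to the scanned root
        case "$rel" in
            /dev/*|/tmp/*|/var/tmp/*|/var/run/*|/lib/*|/usr/*|/bin/*|/sbin/*|/boot/*)
                printf '%s\n' "$d" ;;
        esac
    done
}

# For each PID given, print the on-disk binary behind the process. A target
# ending in " (deleted)" means the file was unlinked after exec, and a path
# that is not the package-owned /usr/sbin/sshd (or whatever the process claims
# to be) deserves a closer look. Does not touch the process itself.
report_exe() {
    for pid in "$@"; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe='(unreadable)'
        printf '%s\t%s\n' "$pid" "$exe"
    done
}
```

The checksum comparison Roger did only covers /usr/sbin/sshd on disk; report_exe shows whether the running process was actually started from that file. Remember that a kernel-level rootkit can lie to find and /proc alike, which is exactly why the reinstall is the right final step.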


