system seems hacked...
Bill Campbell
linux-sxs at celestial.com
Mon Feb 25 15:33:57 PST 2008
On Thu, Feb 21, 2008, Roger Oberholtzer wrote:
>On Fri, 2008-02-22 at 07:37 +1100, James McDonald wrote:
>
>> > Anyone seen/heard of this specific exploit?
>> >
>> >
>> No I haven't. Have you tried chkrootkit and rkhunter to see if they can
>> identify it?
>>
>> Also probably not going to work if it's hiding itself but try pstree
>> which may show you the parent process.
>
>I cross posted to the openSUSE list (as that is where this was running).
>All is sorted. Seems it was:
>
> http://www.energymech.net/
>
>which is a non-root IRC bot. One thing it does is hide the real process
>name. It was not /usr/bin/sshd. It was the IRC bot running from a user
>folder with only that user's rights. Still, I am not happy. There will
>be a password shakeup with the users!
This type of attack often is made via webmin or usermin exploiting bad user
passwords.
Setting user's shells to /bin/false unless they really need shell access is
always a Good Idea(tm). This won't restrict e-mail or similar access, but
will generally prevent a large number of attacks (unless of course somebody
has replaced /bin/false with /bin/bash or some such -- which I did see at
an ISP's within the last couple of years).
There was a major security problem with SuSE's chfn command a while back
that would allow people to change their shell via usermin so that crackers
could change /bin/false to /bin/bash, then have full access to the system.
Unless you have a method of tracking the status of *ALL* critical programs
including setuid/setgid status, md5/sha1 digests, etc. you should probably
reinstall. Tripwire and aide are pretty good for this.
The ``rpm -v'' command can be useful in identifying changed programs. Ones
that are often hit are /bin/ps, /bin/login, /bin/ls, /usr/bin/find, and
similar ones that get changed to hide the cracker's processes and changes.
I always check for executable programs in /tmp, /dev, and /var/tmp as
crackers often hide things there. One way to do this would be something
like:
find /tmp /dev /var/tmp -print0 | xargs -0 file | grep executable
The -print0 and -0 options ensure that crackers can't hide files by putting
whitespace in the file names.
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders, give
orders, cooperate, act alone, solve equations, analyze a new problem, pitch
manure, program a computer, cook a tasty meal, fight efficiently, die
gallantly. Specialization is for insects. Robert Heinlein
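As an added example (not part of Bill's post or the rest of the thread), a small POSIX sh helper that turns the checks he describes into repeatable functions: the -print0/-0 sweep of /tmp, /dev and /var/tmp for executables, a digest baseline of those executables standing in for the tripwire/aide style tracking, and a setuid/setgid listing. The use of sha256sum and the scratch directory at the bottom are my assumptions; pass the real directories when running it.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes find with -print0,
# xargs -0 -r, sha256sum and diff (GNU coreutils or BSD equivalents).

# Null-delimited listing of regular files with any execute bit set.
# -print0 / -0 keep names containing whitespace or newlines intact, so a
# file named "sshd " or "a b" cannot hide from the pipeline.
find_executables() {
    find "$@" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print0 2>/dev/null
}

# One "<sha256>  <path>" line per executable, sorted so two runs diff cleanly.
executable_digests() {
    find_executables "$@" | xargs -0 -r sha256sum -- | sort -k2
}

# Record a baseline manifest for the given directories (store it off-box).
record_baseline() {
    manifest=$1; shift
    executable_digests "$@" > "$manifest"
}

# Compare current digests against a recorded baseline. Returns 0 when
# nothing changed, non-zero when a file was modified, added or removed.
verify_baseline() {
    manifest=$1; shift
    executable_digests "$@" | diff -u "$manifest" - >/dev/null
}

# setuid/setgid files under the given directories; a replaced /bin/false or
# a trojaned ps/ls/find tends to show up here with an unexpected mode.
find_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print0 2>/dev/null \
        | xargs -0 -r ls -ld --
}

# Constructed demonstration data: a scratch tree standing in for /tmp, with
# one executable whose name contains a space and one plain text file.
demo_tree=$(mktemp -d)
printf '#!/bin/sh\necho hi\n' > "$demo_tree/a b.sh" && chmod 755 "$demo_tree/a b.sh"
printf 'just text\n' > "$demo_tree/notes.txt"

# Standalone run: show what the sweep finds in the scratch tree.
find_executables "$demo_tree" | xargs -0 -r ls -l --
```

For a real sweep replace "$demo_tree" with /tmp /dev /var/tmp, and keep the baseline manifest somewhere the compromised host cannot rewrite it.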