linux-kernel.vger.kernel.org archive mirror
* Weird login, possibly related to rootkit Q
@ 2006-02-23  6:21 Gene Heskett
  2006-02-24 19:04 ` Benjamin LaHaise
  0 siblings, 1 reply; 5+ messages in thread
From: Gene Heskett @ 2006-02-23  6:21 UTC (permalink / raw)
  To: linux-kernel

I've been asked to see if anyone has seen a case where a rh9 machine 
with one nic in it, but with 3 virtual addresses, apparently got 
rooted.

One address is 192.168.ish and the other two are assigned network 
addresses.  Symptoms were that all the usual admin tools were having 
their create date updated at one minute intervals to stay current, and 
anything we tried to do with them was a segfault.  And the machine was 
lagged terribly, with the cpu running 50F hotter than normal.  Cleaning 
and regreasing the cpu & heatsink only helped about 10 degrees.  cpu 
fan is running good.

So we did a reinstall (rh9) without formatting because there was a lot 
of non-replaceable data on it.  This also saved the logs, but they are 
obviously not a lot of help when about 5 hours is missing at about the 
time everything went to hell.

One of the things left visible in the logs was an ssh login by root, 
from one of its ethernet addresses to another, but without a 
corresponding root login from an outside address!

Has anyone seen such a duck waddle by before?

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.


* Re: Weird login, possibly related to rootkit Q
  2006-02-23  6:21 Weird login, possibly related to rootkit Q Gene Heskett
@ 2006-02-24 19:04 ` Benjamin LaHaise
  2006-02-24 21:10   ` Gene Heskett
  0 siblings, 1 reply; 5+ messages in thread
From: Benjamin LaHaise @ 2006-02-24 19:04 UTC (permalink / raw)
  To: Gene Heskett; +Cc: linux-kernel

On Thu, Feb 23, 2006 at 01:21:07AM -0500, Gene Heskett wrote:
> So we did a reinstall (rh9) without formatting because there was a lot 
> of non-replaceable data on it.  This also saved the logs, but they are 
> obviously not a lot of help when about 5 hours is missing at about the 
> time everything went to hell.

Let's get this straight: your old Linux distro got rooted, so you installed 
an old Linux distro that no longer gets security updates to replace it.  
Why is that kernel related?  Sounds more like pebkac.

		-ben
-- 
"Ladies and gentlemen, I'm sorry to interrupt, but the police are here 
and they've asked us to stop the party."  Don't Email: <dont@kvack.org>.


* Re: Weird login, possibly related to rootkit Q
  2006-02-24 19:04 ` Benjamin LaHaise
@ 2006-02-24 21:10   ` Gene Heskett
  2006-02-24 21:29     ` Jesper Juhl
  2006-02-24 22:49     ` Benjamin LaHaise
  0 siblings, 2 replies; 5+ messages in thread
From: Gene Heskett @ 2006-02-24 21:10 UTC (permalink / raw)
  To: linux-kernel

On Friday 24 February 2006 14:04, Benjamin LaHaise wrote:
>On Thu, Feb 23, 2006 at 01:21:07AM -0500, Gene Heskett wrote:
>> So we did a reinstall (rh9) without formatting because there was a
>> lot of non-replaceable data on it.  This also saved the logs, but
>> they are obviously not a lot of help when about 5 hours is missing
>> at about the time everything went to hell.
>
>Let's get this straight: your old Linux distro got rooted, so you
> installed an old Linux distro that no longer gets security updates to
> replace it. Why is that kernel related?  Sounds more like pebkac.

The version of php in the newer distros is not backwards compatible and 
breaks most of the scripts used by the web page server (this box is its 
database) and that would require a lengthy rewrite of the php stuff on 
both machines, so the re-install of rh9 was the perceived easiest way 
out.  It's a commercial business whose web page gets 20k+ hits a day & 
downtime shouldn't be extended 2-3 days while rewriting all of that 
as it took around 2 weeks to do it all originally.  Then at the end of 
the install, we edited the yum.conf to use the legacy servers and let 
it install/upgrade everything, a Gigabyte or so.

Had the php for say FC4 been backwards compatible, then obviously we 
would have taken a different path.  I don't think the yum.conf had been 
updated or installed even before this, and apt-get had, with its old 
paths in its config, also quit working quite some time back.

OTOH, if it gets hit again, then obviously we'll go to a newer distro 
and re-write the scripts.  It may even be time for Jim to learn how to 
use sed, and just globally replace the old with the new for each 
command.  But he's busy too, just having been handed responsibility for 
a bunch of G5's doing editing in news.  Too busy IMO, which is why I 
'came out of retirement' long enough to give him a hand & point 
directions to take while recovering.

>  -ben

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.


* Re: Weird login, possibly related to rootkit Q
  2006-02-24 21:10   ` Gene Heskett
@ 2006-02-24 21:29     ` Jesper Juhl
  2006-02-24 22:49     ` Benjamin LaHaise
  1 sibling, 0 replies; 5+ messages in thread
From: Jesper Juhl @ 2006-02-24 21:29 UTC (permalink / raw)
  To: gene.heskett; +Cc: linux-kernel

On 2/24/06, Gene Heskett <gene.heskett@verizon.net> wrote:
> On Friday 24 February 2006 14:04, Benjamin LaHaise wrote:
> >On Thu, Feb 23, 2006 at 01:21:07AM -0500, Gene Heskett wrote:
> >> So we did a reinstall (rh9) without formatting because there was a
> >> lot of non-replaceable data on it.  This also saved the logs, but
> >> they are obviously not a lot of help when about 5 hours is missing
> >> at about the time everything went to hell.
> >
> >Let's get this straight: your old Linux distro got rooted, so you
> > installed an old Linux distro that no longer gets security updates to
> > replace it. Why is that kernel related?  Sounds more like pebkac.
>
> The version of php in the newer distros is not backwards compatible and
> breaks most of the scripts used by the web page server (this box is its
> database) and that would require a lengthy rewrite of the php stuff on
> both machines, so the re-install of rh9 was the perceived easiest way
> out.  It's a commercial business whose web page gets 20k+ hits a day &
> downtime shouldn't be extended 2-3 days while rewriting all of that
> as it took around 2 weeks to do it all originally.  Then at the end of
> the install, we edited the yum.conf to use the legacy servers and let
> it install/upgrade everything, a Gigabyte or so.
>
> Had the php for say FC4 been backwards compatible, then obviously we
> would have taken a different path.  I don't think the yum.conf had been
> updated or installed even before this, and apt-get had, with its old
> paths in its config, also quit working quite some time back.
>

ehh, how about

1. Install newer up-to-date distro
2. install custom build old version of PHP.

still a quick way to get going and you'd get the benefit of lots of
fixes in the distro (even if your PHP would still be quite old)...

--
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html


* Re: Weird login, possibly related to rootkit Q
  2006-02-24 21:10   ` Gene Heskett
  2006-02-24 21:29     ` Jesper Juhl
@ 2006-02-24 22:49     ` Benjamin LaHaise
  1 sibling, 0 replies; 5+ messages in thread
From: Benjamin LaHaise @ 2006-02-24 22:49 UTC (permalink / raw)
  To: Gene Heskett; +Cc: linux-kernel

On Fri, Feb 24, 2006 at 04:10:08PM -0500, Gene Heskett wrote:
> The version of php in the newer distros is not backwards compatible and 
> breaks most of the scripts used by the web page server (this box is its 
> database) and that would require a lengthy rewrite of the php stuff on 
> both machines, so the re-install of rh9 was the perceived easiest way 

Last time I checked, source compatibility tended not to break.  Heck, 
you can even install Red Hat 7.2 binaries on Fedora Core 4.  I still 
don't see what this has to do with the kernel, though.

		-ben
-- 
"Ladies and gentlemen, I'm sorry to interrupt, but the police are here 
and they've asked us to stop the party."  Don't Email: <dont@kvack.org>.

