linux-kernel.vger.kernel.org archive mirror
* Is this a compromise and how?
@ 2000-12-14  8:53 brian
  2000-12-14  8:58 ` Matthew Dharm
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: brian @ 2000-12-14  8:53 UTC (permalink / raw)
  To: linux-kernel

Sorry if this is too far off topic, but it seems to me the
kernel may be helping in this break-in or maybe some magic
aspect of the filesystem.

I noted in an ls that

-rwxr-xr-x   1 root     root        36784 Jul 17 05:06 rpc.mountd*
-rwxr-xr-x   1 root     root         3368 Jul 17 05:06 rpc.nfsd*
-rwxr-xr-x   1 root     ftp            22 Sep  8 22:15 rpc.rcmd*
-rwxr-xr-x   1 root     root         9872 Jul 17 05:06 rpc.rquotad*
-rwxr-xr-x   1 root     root        13936 Feb  9  2000 rpc.rstatd*
-rwxr-xr-x   1 root     root         7952 Feb  9  2000 rpc.rusersd*
-rwxr-xr-x   1 root     root         6512 Feb 11  2000 rpc.rwalld*
-rwxr-xr-x   1 root     root        17624 Mar  7  2000 rpc.yppasswdd*
-rwxr-xr-x   1 root     root        23984 Mar  7  2000 rpc.ypxfrd*
-rwxr-xr-x   1 root     root        10692 Sep  5 16:03 rpcinfo*

rpc.rcmd looks a little suspicious?

And guess what it contains?

%cat /usr/sbin/rpc.rcmd 
/usr/include/strlib.h

Hmmmm.

%ls -l /usr/include/strlib.h
-rwxr-xr-x   1 root     root        16768 Sep 16 09:55 /usr/include/strlib.h*

%file /usr/include/strlib.h
/usr/include/strlib.h: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped

%/usr/include/strlib.h
bind: Address already in use

Now watch this magic trick:

%mkdir foo
%cd foo
%touch strlib.h
%ls
%find . -print
.
./strlib.h
%

Get it?  strlib.h never appears in the file system via ls wherever
it may be created.

More fun:

%echo hello >strlib.h
%ls
%cat strlib.h
hello
%

Pretty cool huh?

Let me know if you would like a copy of the code.

A quick strace shows that it binds to port 24000.

It also contains a list of 5 IP addrs.  I suspect it doesn't
broadcast, but allows people in from those IPs.

Anyone know what has happened?  I religiously install the redhat
updates, and am subscribed to the CERT advisories and install
the fixes the moment I get them.

The system was RedHat 6.2, linux 2.2.17pre14 at the time the
break-in occurred.

I've been running firewalled with only services I provide turned
on for access, and in /etc/inetd.conf.

What is keeping strlib.h from appearing in ls's output?  A hacked ls command?

-- 
Brian Litzinger <brian@worldcontrol.com>

    Copyright (c) 2000 By Brian Litzinger, All Rights Reserved
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
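
The listing discrepancy above (ls hides strlib.h, find still reports it) can be turned into a check. The script below is an added example, not code from the thread or from any tool mentioned in it: it compares what the ls binary on $PATH reports with what the shell's own glob expansion reads through libc, and reports every name ls leaves out. The "trojaned" ls it demonstrates against is constructed inside the script (a wrapper around the real ls that filters out the name strlib.h), as are the directory and file names; nothing here is the rootkit from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Cross-check a directory listing obtained
# through the ls binary against one obtained by shell glob expansion, which
# calls readdir() in libc and never executes ls. A userland-trojaned ls that
# filters certain names shows up as a difference. A kernel-level rootkit hooks
# the getdents syscall instead and fools both readers, so this check only
# rules out the "hacked ls" case asked about in the post.

# list_with_ls DIR: names under DIR, one per line, as the ls on $PATH reports them
list_with_ls() {
    ls -A1 -- "$1" | sort
}

# list_with_glob DIR: the same listing via globbing (dotfiles included, . and .. excluded)
list_with_glob() {
    (
        cd -- "$1" || exit 1
        for f in .[!.]* ..?* *; do
            # a pattern that matches nothing is left as literal text; skip it
            if [ -e "$f" ] || [ -L "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    ) | sort
}

# hidden_names DIR: names the glob sees but ls does not; prints nothing when they agree
hidden_names() {
    t=$(mktemp -d) || return 1
    list_with_ls "$1" >"$t/ls"
    list_with_glob "$1" >"$t/glob"
    # comm -13 keeps lines present only in the second (sorted) input
    comm -13 "$t/ls" "$t/glob"
    rm -rf "$t"
}

# demo_trojaned_ls: constructed fixture. Creates a directory holding a file
# named strlib.h (the name from the post) and a fake ls, placed first on PATH,
# that runs the real ls and drops every line mentioning strlib.h. Prints the
# names that hidden_names recovers.
demo_trojaned_ls() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin" "$work/foo"
    : >"$work/foo/strlib.h"
    : >"$work/foo/README"
    real_ls=$(command -v ls)
    printf '#!/bin/sh\n"%s" "$@" | grep -v "strlib[.]h"\n' "$real_ls" >"$work/bin/ls"
    chmod 755 "$work/bin/ls"
    # only this subshell sees the trojaned ls
    ( PATH="$work/bin:$PATH"; hidden_names "$work/foo" )
    rm -rf "$work"
}

demo_trojaned_ls    # prints: strlib.h
```

The `find . -print` in the post is the same idea with a third independent reader. If ls, the shell and find all agree while a file you just created is still absent, the filtering is happening below libc, in the kernel, and nothing run on that system can be trusted to show it.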


* Re: Is this a compromise and how?
  2000-12-14  8:53 Is this a compromise and how? brian
@ 2000-12-14  8:58 ` Matthew Dharm
  2000-12-14 20:22   ` Frank van Maarseveen
  2000-12-14 14:49 ` Igmar Palsenberg
  2000-12-14 20:06 ` Dr. Kelsey Hudson
  2 siblings, 1 reply; 7+ messages in thread
From: Matthew Dharm @ 2000-12-14  8:58 UTC (permalink / raw)
  To: Brian Litzinger, linux-kernel


On Thu, Dec 14, 2000 at 12:53:46AM -0800, brian@worldcontrol.com wrote:
> Sorry is this is too far off topic, but it seems to me the
> kernel may be helping in this break in or maybe some magic
> aspect of the filesystem.

I doubt that.... from this description, you've been hacked.  Even if your
/etc/inetd.conf is in good shape, it looks like someone got in.

I'm guessing that your ls was also hijacked.  You're using RedHat, so try
the rpm -V command to verify that the ls binary is the same as what should
be in the package.  While you're at it, verify the package is the right one
(compare to a CD or distr ftp site).

Out of curiosity, are you running portmap?  Perhaps BIND?  There are lots
of potential culprits here -- but I suggest you verify all of your binaries
and go back and upgrade everything on your system, as well as re-visit the
issue of what daemons are started up at boot time.

Matt Dharm

-- 
Matthew Dharm                              Home: mdharm-usb@one-eyed-alien.net 
Maintainer, Linux USB Mass Storage Driver

C:  They kicked your ass, didn't they?
S:  They were cheating!
					-- The Chief and Stef
User Friendly, 11/19/1997


* Re: Is this a compromise and how?
  2000-12-14  8:53 Is this a compromise and how? brian
  2000-12-14  8:58 ` Matthew Dharm
@ 2000-12-14 14:49 ` Igmar Palsenberg
  2000-12-14 20:06 ` Dr. Kelsey Hudson
  2 siblings, 0 replies; 7+ messages in thread
From: Igmar Palsenberg @ 2000-12-14 14:49 UTC (permalink / raw)
  To: brian; +Cc: linux-kernel


> Pretty cool huh?
> 
> Let me know if you would like a copy of the code.
> 
> A quick strace shows that it binds to port 24000.
> 
> It also contains a list of 5 IP addrs.  I suspect it doesn't
> broadcast, but allows people in from those IPs.
> 
> Anyone know what has happened?  I religiously install the redhat
> updates, and am subscribed to the CERT advisories and install
> the fixes the moment I get them.
> 
> The system was RedHat 6.2, linux 2.2.17pre14 at the time the
> break-in occurred.
> 
> I've been running firewalled with only services I provide turned
> on for access, and in /etc/inetd.conf.
> 
> What is keeping strlib.h from appearing in ls's output?  A hacked ls command?

Yep. Looks like a rootkit to me.



	Igmar


* Re: Is this a compromise and how?
  2000-12-14  8:53 Is this a compromise and how? brian
  2000-12-14  8:58 ` Matthew Dharm
  2000-12-14 14:49 ` Igmar Palsenberg
@ 2000-12-14 20:06 ` Dr. Kelsey Hudson
  2 siblings, 0 replies; 7+ messages in thread
From: Dr. Kelsey Hudson @ 2000-12-14 20:06 UTC (permalink / raw)
  To: brian; +Cc: linux-kernel

It looks like you've been r00ted, dude!

Someone installed a r00tk1t and you are now seeing the after-effects of
it. What I'd do, in your case:

back up /usr/local, /home, /etc, then reload the system clean, and replace
the backups. The system should be in a state close to the one before you
reloaded it (read: no rootkit).

Good luck!

On Thu, 14 Dec 2000 brian@worldcontrol.com wrote:

> Sorry if this is too far off topic, but it seems to me the
> kernel may be helping in this break-in or maybe some magic
> aspect of the filesystem.
> 
> I noted in an ls that
> 
> -rwxr-xr-x   1 root     root        36784 Jul 17 05:06 rpc.mountd*
> -rwxr-xr-x   1 root     root         3368 Jul 17 05:06 rpc.nfsd*
> -rwxr-xr-x   1 root     ftp            22 Sep  8 22:15 rpc.rcmd*
> -rwxr-xr-x   1 root     root         9872 Jul 17 05:06 rpc.rquotad*
> -rwxr-xr-x   1 root     root        13936 Feb  9  2000 rpc.rstatd*
> -rwxr-xr-x   1 root     root         7952 Feb  9  2000 rpc.rusersd*
> -rwxr-xr-x   1 root     root         6512 Feb 11  2000 rpc.rwalld*
> -rwxr-xr-x   1 root     root        17624 Mar  7  2000 rpc.yppasswdd*
> -rwxr-xr-x   1 root     root        23984 Mar  7  2000 rpc.ypxfrd*
> -rwxr-xr-x   1 root     root        10692 Sep  5 16:03 rpcinfo*
> 
> rpc.rcmd looks a little suspicious?
> 
> And guess what it contains?
> 
> %cat /usr/sbin/rpc.rcmd 
> /usr/include/strlib.h
> 
> Hmmmm.
> 
> %ls -l /usr/include/strlib.h
> -rwxr-xr-x   1 root     root        16768 Sep 16 09:55 /usr/include/strlib.h*
> 
> %file /usr/include/strlib.h
> /usr/include/strlib.h: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
> 
> %/usr/include/strlib.h
> bind: Address already in use
> 
> Now watch this magic trick:
> 
> %mkdir foo
> %cd foo
> %touch strlib.h
> %ls
> %find . -print
> .
> ./strlib.h
> %
> 
> Get it?  strlib.h never appears in the file system via ls wherever
> it may be created.
> 
> More fun:
> 
> %echo hello >strlib.h
> %ls
> %cat strlib.h
> hello
> %
> 
> Pretty cool huh?
> 
> Let me know if you would like a copy of the code.
> 
> A quick strace shows that it binds to port 24000.
> 
> It also contains a list of 5 IP addrs.  I suspect it doesn't
> broadcast, but allows people in from those IPs.
> 
> Anyone know what has happened?  I religiously install the redhat
> updates, and am subscribed to the CERT advisories and install
> the fixes the moment I get them.
> 
> The system was RedHat 6.2, linux 2.2.17pre14 at the time the
> break-in occurred.
> 
> I've been running firewalled with only services I provide turned
> on for access, and in /etc/inetd.conf.
> 
> What is keeping strlib.h from appearing in ls's output?  A hacked ls command?
> 
> 

-- 
 Kelsey Hudson                                           khudson@ctica.com 
 Software Engineer
 Compendium Technologies, Inc                               (619) 725-0771
---------------------------------------------------------------------------     


* Re: Is this a compromise and how?
  2000-12-14  8:58 ` Matthew Dharm
@ 2000-12-14 20:22   ` Frank van Maarseveen
  2000-12-14 22:40     ` Alan Cox
  2000-12-15 23:44     ` brian
  0 siblings, 2 replies; 7+ messages in thread
From: Frank van Maarseveen @ 2000-12-14 20:22 UTC (permalink / raw)
  To: Brian Litzinger, linux-kernel

On Thu, Dec 14, 2000 at 12:58:26AM -0800, Matthew Dharm wrote:
> 
> I doubt that.... from this description, you've been hacked.  Even if your
> /etc/inetd.conf is in good shape, it looks like someone got in.
> 
> I'm guessing that your ls was also hijacked.  You're using RedHat, so try
> the rpm -V command
Once hacked you can't trust anything. A malicious person might just
install RPMs for example.

Re-install is the only option.

Restore backups only after verifying that they do not re-install the
backdoors as well. This is where your current hacked system may be
useful. Something like the Coroner's Toolkit (?) written by Wietse Venema
(and others?) might help you determine at what date your system was
hacked. Don't be surprised if you find multiple break-ins accumulated
over the years.

If you have (had) a network: attached systems may have been compromised
as well.

-- 
Frank
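
The point about checking the backups before they go back onto the rebuilt system can be made concrete with a scan of the unpacked backup tree. The script below is an added example, not code from the thread or from the Coroner's Toolkit: it looks for the two artefacts the original post shows (an "executable" that is really a text file naming another path, and an ELF binary parked under an include directory) and for root's login scripts invoking anything from directories where nothing should be executed. The fixture tree it runs against is constructed inline; the directory list and the heuristics are my own assumptions, not a rootkit signature.

```shell
#!/bin/sh
# Added example, not from the thread. Scan an unpacked backup tree for the
# kinds of artefact seen in the original post before any of it is restored:
#   EXEC_NOT_CODE   executable bit set, but the file is neither ELF nor a #! script
#                   (rpc.rcmd was a 22-byte text file holding a path)
#   ELF_IN_INCLUDE  an ELF binary stored under an include/ directory
#                   (strlib.h was one)
#   RC_SUSPICIOUS   root's login scripts invoking something from /usr/include,
#                   /tmp, /var/tmp or /dev; a restore hazard for exactly these files
# The directory list and the heuristics are assumptions, not a known signature.

# is_elf FILE: first four bytes are 0x7f 'E' 'L' 'F'
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# is_script FILE: first two bytes are "#!"
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "#!" ]
}

# scan_backup_tree ROOT: print one finding per line, "CLASS path"
scan_backup_tree() {
    root=$1
    # -perm -100: owner execute bit set (octal mode with a leading dash)
    find "$root" -type f -perm -100 | while IFS= read -r f; do
        if ! is_elf "$f" && ! is_script "$f"; then
            printf 'EXEC_NOT_CODE %s\n' "$f"
        fi
        case $f in
            */include/*)
                if is_elf "$f"; then
                    printf 'ELF_IN_INCLUDE %s\n' "$f"
                fi
                ;;
        esac
    done
    # absolute paths into the listed directories at the start of a word;
    # expect some false positives (e.g. "2> /dev/null") and review by hand
    for rc in "$root/root/.login" "$root/root/.profile" "$root/root/.bashrc" "$root/root/.cshrc"; do
        if [ -f "$rc" ]; then
            grep -n -E '(^|[[:space:]])/(usr/include|tmp|var/tmp|dev)/[^[:space:]]+' "$rc" |
                sed "s|^|RC_SUSPICIOUS $rc:|"
        fi
    done
}

# demo_backup_scan: constructed fixture mirroring the post's layout, then scan it
demo_backup_scan() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/usr/sbin" "$work/usr/include" "$work/root"
    # 22-byte "executable" that is only a path, like the post's rpc.rcmd
    printf '/usr/include/strlib.h\n' >"$work/usr/sbin/rpc.rcmd"
    # an ELF header fragment (magic, ELFCLASS32, little-endian, version 1)
    printf '\177ELF\001\001\001' >"$work/usr/include/strlib.h"
    # legitimate neighbours that must not be flagged
    printf '#!/bin/sh\necho ok\n' >"$work/usr/sbin/rpc.good"
    printf '/* plain header */\n' >"$work/usr/include/stdio.h"
    chmod 755 "$work/usr/sbin/rpc.rcmd" "$work/usr/include/strlib.h" "$work/usr/sbin/rpc.good"
    # root's .login restarting the backdoor at every login
    printf 'setenv PATH /bin:/usr/bin\n/usr/include/strlib.h &\n' >"$work/root/.login"
    scan_backup_tree "$work"
    rm -rf "$work"
}

demo_backup_scan
```

Run `scan_backup_tree` against the mounted backup, not against the live compromised system, and from a clean machine: on the compromised host the find, dd and grep binaries are exactly the ones a rootkit replaces.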

* Re: Is this a compromise and how?
  2000-12-14 20:22   ` Frank van Maarseveen
@ 2000-12-14 22:40     ` Alan Cox
  2000-12-15 23:44     ` brian
  1 sibling, 0 replies; 7+ messages in thread
From: Alan Cox @ 2000-12-14 22:40 UTC (permalink / raw)
  To: Frank van Maarseveen; +Cc: Brian Litzinger, linux-kernel

> > I'm guessing that your ls was also hijacked.  You're using RedHat, so try
> > the rpm -V command
> Once hacked you can't trust anything. A malicious person might just
> install RPMs for example.

There is a proper way to do this. You boot the rescue CD, then do the rpm
verify of each package with the rpm binary on the CD (static) against the
package on the CD.

> Re-install is the only option.

I would advise this, however it is not 'only' but 'very good idea'.

> Restore backups only after verifying that they do not re-install the

(popular one is roots .login)

Alan
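
Both the plain rpm -V suggested earlier in the thread and the rescue-CD variant described here produce the same per-file output, and reading it correctly is where mistakes happen. The script below is an added example, not code from the thread and not part of rpm: it classifies rpm -V lines by which attributes changed. The sample lines are constructed. The verify_from_rescue_media function shows the invocation described above with assumed mount points (/mnt/sysimage for the compromised root, /mnt/cdrom/RedHat/RPMS for the packages) and is defined but not executed here; it has to be run from the rescue media's own rpm binary.

```shell
#!/bin/sh
# Added example, not from the thread. rpm -V prints one line per file that
# failed verification: an attribute string (S size, M mode, 5 MD5 digest,
# D device, L symlink target, U user, G group, T mtime; "." means unchanged,
# "?" means the test could not be run), an optional "c" for config files,
# then the path. Files that no longer exist print as "missing". The triage
# below sorts those lines by what they imply for an incident like this one.

# triage_rpm_verify: read rpm -V lines on stdin, print "CLASS flags path".
# Paths containing spaces are not handled (rpm prints them unquoted).
triage_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING         -        " $2; next }
        {
            flags = $1; path = $NF; cfg = ($2 == "c")
            if (flags ~ /[S5]/ && !cfg)   cls = "CONTENT_CHANGED"  # binary replaced: treat as trojaned
            else if (flags ~ /[S5]/)      cls = "CONFIG_EDITED  "  # normal for edited configs, still review
            else if (flags ~ /[UGMD]/)    cls = "OWNER_MODE_DEV "  # e.g. a new setuid bit or odd group
            else if (flags ~ /L/)         cls = "LINK_RETARGETED"
            else if (flags ~ /[?]/)       cls = "UNTESTABLE     "  # unreadable here; re-run from rescue media
            else if (flags ~ /T/)         cls = "MTIME_ONLY     "  # contents intact; touch/reinstall artefact
            else                          cls = "OTHER          "
            print cls " " flags " " path
        }'
}

# sample_rpm_verify_output: constructed rpm -V output for the demo, not real data
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T   /bin/ls
S.5....T   /bin/ps
.......T   /usr/bin/passwd
.M......   /usr/bin/chsh
S.5....T c /etc/inetd.conf
..?.....   /usr/sbin/in.telnetd
missing    /usr/sbin/in.fingerd
EOF
}

# verify_from_rescue_media [TARGET_ROOT] [RPMS_DIR]: the procedure described
# above. Run it from the rescue CD's own (static) rpm with the compromised
# root filesystem mounted at TARGET_ROOT. -Vp verifies the files on disk
# against each package FILE on the CD rather than against the rpm database on
# the compromised disk, which the intruder may have rewritten. The mount
# points are assumptions. Not executed by this script.
verify_from_rescue_media() {
    root=${1:-/mnt/sysimage}
    rpms=${2:-/mnt/cdrom/RedHat/RPMS}
    for p in "$rpms"/*.rpm; do
        rpm --root "$root" -Vp "$p"
    done | triage_rpm_verify
}

sample_rpm_verify_output | triage_rpm_verify
```

Two caveats. rpm -V only knows about packaged files, so additions like the post's rpc.rcmd and strlib.h never appear in its output at all; pair it with `rpm -qf` over every file in the system directories and treat "not owned by any package" as a finding. And MTIME_ONLY on a binary is not proof of innocence on its own, since a rootkit can set the mtime back; it is the size and digest columns that carry the weight.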


* Re: Is this a compromise and how?
  2000-12-14 20:22   ` Frank van Maarseveen
  2000-12-14 22:40     ` Alan Cox
@ 2000-12-15 23:44     ` brian
  1 sibling, 0 replies; 7+ messages in thread
From: brian @ 2000-12-15 23:44 UTC (permalink / raw)
  To: Frank van Maarseveen; +Cc: linux-kernel

Thanks for all the responses.

I happened to have /home in its own partition, so I reinstalled from
scratch via CD and installed all the security updates, among a
myriad of other security measures.

I decided not to restore /usr/local from backups, but instead to
rebuild everything in /usr/local from fresh sources.

All those executables and shared libraries in /usr/local just seemed
too risky.

-- 
Brian Litzinger <brian@worldcontrol.com>

    Copyright (c) 2000 By Brian Litzinger, All Rights Reserved