Infected!

Thread: Infected!

  1. #1

    Infected!

    So I'm told that "w" (the who) suddenly doesn't work, giving a libproc error. This bodes ill. I haven't made any changes.

    So I do a ps -e and I see:

    28648 ? 00:00:00 Zatron

    What the hell? So I do a chkrootkit...

    Checking `du'... INFECTED
    Checking `ifconfig'... INFECTED

    Aiigh!

  2. #2
    Schotty (Moderator, Good Guru), Milwaukee, WI, joined Jul 2001, 5,760 posts

    Re:Infected!

    How bad were you rooted?

  3. #3

    Re:Infected!

    Or more importantly, how did they get root?

  4. #4

    Re:Infected!

    [quote author=tolstoy link=board=5;threadid=5123;start=0#50766 date=1033079212]
    Or more importantly, how did they get root?
    [/quote]

    Yeah, I'm wondering that, too.

    I've been using Linux for a couple years and not once have I ever been rooted or backdoored (I did, however, play around with netbus and backorifice back in the days when everybody on dalnet was infected with it; I was able to grab more free pr0n than you could shake a stick at. ).

    ftp, telnet, and ssh are your enemies. Don't enable those services unless you have a really, really good reason to do so. There are probably some other questionable services out there, too, but I'm too lazy to check for them right now.

    Can't you set up a firewall so that only certain people with certain IPs can access your telnet/ssh ports?

  5. #5
    Schotty (Moderator, Good Guru), Milwaukee, WI, joined Jul 2001, 5,760 posts

    Re:Infected!

    [quote author=Prince Myshkin link=board=5;threadid=5123;start=0#50769 date=1033081495]
    ftp, telnet, and ssh are your enemies.
    [/quote]

    Umm, telnet and ftp -- yes they are bad

    SSH is not. Where did you get the notion that SSH is bad?

  6. #6
    boblucci (Mentor), New Jersey, joined May 2001, 1,473 posts

    Re:Infected!

    [quote author=Gahwani link=board=5;threadid=5123;start=0#50743 date=1033059049]
    What the hell? So I do a chkrootkit...

    Checking `du'... INFECTED
    Checking `ifconfig'... INFECTED
    [/quote]

    what is chkrootkit???

  7. #7

    Re:Infected!

    [quote author=boblucci link=board=5;threadid=5123;start=0#50775 date=1033088174]
    what is chkrootkit???
    [/quote]

    It checks your system for signs of a rootkit installed. A very valuable tool.

    http://www.chkrootkit.org


  8. #8

    Re:Infected!

    I'm back, after doing some work on my system.

    As I said, I got suspicious when one of my users reported that "w" was no longer working. I got *really* suspicious when I did a netstat and discovered that it wasn't listing my own ssh connection! I pulled out chkrootkit, as mentioned previously, which informed me that I had several infected (read: trojaned) files. It also reported that there were 5 programs that were being hidden from ps.

    I immediately grabbed fresh copies of ps, pstree, netstat, etc, from a machine I knew was not infected, or I reinstalled from a fresh rpm (depending on what was quicker). Using those I discovered a few strange programs, including xsf running. I googled on that and found the Tux Rootkit, and quickly looking in /dev/tux I found the rootkit used.

    I saw that the attacker's files were owned by Apache, which leads me to believe that the attacker used a hole in apache to get in. My apache install is admittedly an older install, and I have been meaning to patch it but have been unable to recently.

    The following files were trojaned on my system:
    df* dmesg* find* killall* login* netstat* pstree* tcpd* updatedb*
    crontab* dir* du* ifconfig* locate* ls* ps* syslogd* top* vdir*

    I replaced these files with fresh copies/upgrades. I also read about what the Tux kit did, and saw that I was compromised at 11am on Sept 25. I know this for two reasons: that's when the rootkit was placed on the system, and when I look at my logs, I saw that syslogd was restarted at that time. Restarting syslogd is the first thing a tuxkit attacker does, replacing it with his own, trojaned syslogd that will hide his/her activities.

    The attacker was sloppy in a number of ways - the trojans had bad permissions, which alerted me to the rootkit, but I also noticed that he didn't clean up in bash_history, so I have the commands he used after he gained root access. This includes his trojan password and what ports (3901 and 3999) his trojans were listening on! Luckily, he didn't do anything damaging other than downloading the rootkit, and starting up an SSH backdoor and an IRC psybnc program.

    Most puzzling to me is that he also put some strange programs in tmp that seem to be backdoors or other rootkit programs. They are part of a package called "ttyX-0.7.1" and includes programs "Jerky", "Murdoc", and "Zatron". I did google searches for these and found nothing. They could be renamed files. I did discover Zatron running, which I immediately killed.

    Like I said, I think I got off easy. No data files were destroyed. I killed the web server and am keeping it down until I can update it. I wish I knew exactly what he did to gain access - or at least to fool apache. I didn't see anything in httpd's logs, nor did I see anything obvious in mysql or php that could have been hacked.

    To be sure I'll shortly reinstall with either mandrake 9 or redhat, but still. What a pain in the ass.

    By the way, telnet is disabled on my system. I use ssh for remote access - I have to have it, or else I can't use the server. FTP was enabled at the time - I use pureftp which is a pretty secure ftp daemon. Nevertheless, I only run it when someone HAS to ftp a file to me - I had left it active only 4 days. I don't think they got in through it, since like I said the user id's on the rootkit belonged to apache.
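    The two checks the poster describes above, processes hidden from a trojaned ps and system binaries that no longer match clean copies, as a small defender script. This is an added example, not chkrootkit's code and not the poster's own commands; the sample PID sets and the known-good hash table are constructed for illustration.

```python
"""Spot userland-rootkit symptoms: PIDs hidden from ps, and modified binaries."""
import hashlib
import os
import subprocess
from typing import Dict, Iterable, Set


def proc_pids() -> Set[int]:
    """PIDs the kernel exposes under /proc. A trojaned ps binary (userland
    rootkit, as in this thread) cannot filter this view; a kernel module could."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids() -> Set[int]:
    """PIDs the installed, possibly trojaned, ps is willing to list."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(kernel_view: Iterable[int], ps_view: Iterable[int]) -> Set[int]:
    """Processes present in /proc but absent from ps output. Short-lived PIDs
    (ps itself) can show up here, so re-run before treating a hit as hostile."""
    return set(kernel_view) - set(ps_view)


def sha256_of(path: str) -> str:
    """Streamed SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_binaries(expected: Dict[str, str]) -> Dict[str, str]:
    """Compare installed binaries with hashes recorded from a clean host (the
    poster's 'fresh copies' step). Returns path -> OK / MODIFIED / MISSING."""
    status: Dict[str, str] = {}
    for path, good in expected.items():
        if not os.path.exists(path):
            status[path] = "MISSING"
        else:
            status[path] = "OK" if sha256_of(path) == good else "MODIFIED"
    return status


if __name__ == "__main__":
    # Constructed sample: the kernel knows about PID 28648 ("Zatron") but ps omits it.
    print("hidden (sample):", hidden_pids({1, 2, 3, 28648}, {1, 2, 3}))
    print("hidden (live):", hidden_pids(proc_pids(), ps_pids()))
    # Hash table would come from a known-clean host; placeholder values shown.
    print(check_binaries({"/bin/ps": "<sha256 from clean host>"}))
```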

  9. #9

    Re:Infected!

    My recommendation: install Debian Woody.

    It comes with Apache, and if you're using the 'Unstable' branch, upgrading Apache is as simple as typing "apt-get update && apt-get upgrade". It's free, easy, and it's unlikely that you'll get rooted again if you upgrade your stuff at least once or twice a month.

    Also, Debian itself costs $0. For $0-15 (people usually charge you for shipping and cd costs), you can get someone to send you 7 cd-roms filled with software. Try getting that kind of a deal from Mandrake or Redhat.

    Hell, just try getting a package management system that isn't crap from Mandy or Redhat! :P

  10. #10

    Re:Infected!

    Debian is definitely on my top 5 of distributions I would go to, particularly because this is a server machine and not a desktop machine. Debian's automatic updating is something that appeals to me, mostly because I do have a limited amount of time and I run a significant amount of services.

    However I also hear that Debian is significantly different from most other linuxes. (linuxi?) ... the last time I looked at it, it didn't even have ssh2 capabilities because it wasn't as updated as often as the other distributions.

    The differences have me somewhat concerned, because I really don't want to re-invent the wheel. Mandrake's update utility is pretty much non-existent (unless this changed in 9) but I hear that Redhat has something decent with up2date.
