Visited by a cracker
From: Per Christian B. Viken (perchr_at_angryadmin.net)
To: <email@example.com>
Date: Sun, 11 Jul 2004 16:45:09 +0200
I've had a rather disturbing evening.
A friend of mine runs a small server for himself and some friends. It's
running Slackware 10.
When I logged in, I noticed that the load was way over what's normal (around
1.36 now, usually it's under 0.10), so I run 'top'. I see a program called
'strace' running, hogging all the cpu power.
So I get curious. I chdir to the user's home, and look around. It's empty.
But, the 'smart' little cracker has forgotten about .bash_history, so here I
can see everything that he has been doing.
Apparently, he has downloaded and setup an eggdrop, removed it again, and
then downloaded a psybnc, which he also removed shortly. Then things get
gcc ptrace-kmod.c -o ptrace
chmod +x ptrace
rm -rf ptrace
rm -rf ptrace-kmod.c
chmod +x egx
rm -rf egx
The ptrace-kmod.c has this for a header:
* Linux kernel ptrace/kmod local root exploit
* This code exploits a race condition in kernel/kmod.c, which creates
* kernel thread in insecure manner. This bug allows to ptrace cloned
* process, allowing to take control over privileged modprobe binary.
* Should work under all current 2.2.x and 2.4.x kernels.
Luckily, the server runs 2.6.6, so this wasn't any threat.
The 'egx' executable seems to be somewhat like the other, because when I run
it, it outputs '[-] Unable to determine kernel address: Operation not
supported' and dies.
My guesses are that the apache.tar.gz-file is also some kind of exploit, but
I couldn't get it, so I didn't get a chance to see.
Seeing that he didn't know how to properly hide his tracks, I hoped he might
be stupid enough to use his own IP to log in from as well, so I run 'cat
/var/log/messages | grep <username>'.
But, he has logged in and out using 7 different IPs: 5 belonging to
Pakistan, and the other two to Lebanon.
I've been suspicious of this user since my friend added him a few days ago.
He actually got a domain, prepaid for three years for an account, so I did
have some concerns about this.
Now, after discovering this, I've talked with my friend, and the credit card
used to pay for the domain belongs to a woman in the UK. Probably stolen.
I've run chkrootkit 0.43 and Rootkit Hunter 1.1.1 and they didn't find
So, my real question is:
Is there anything else I should check out? Anywhere else some nasty exploits
or trojans might be hiding? And should I try to find this guy? Or is it
Per Christian B. Viken
ASCII ribbon campaign  ( )
 - against HTML email   X
 & vCards              / \
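Two of the checks the post walks through (reading the user's .bash_history for compile-then-delete sequences, and grepping /var/log/messages for the user's logins to count distinct source addresses) as an added Python triage example; this is not code from the original post, the user name, addresses and log lines are constructed samples, and the sshd "Accepted ... for ... from ..." message format is assumed.

```python
import re
from collections import defaultdict

# Constructed .bash_history sample modelled on the lines quoted in the post
# (not copied from any real system).
BASH_HISTORY = """\
gcc ptrace-kmod.c -o ptrace
chmod +x ptrace
rm -rf ptrace
rm -rf ptrace-kmod.c
chmod +x egx
rm -rf egx
"""

# Constructed /var/log/messages-style sshd lines; user names and addresses
# are hypothetical, and the "Accepted ... for ... from ..." format is assumed.
MESSAGES = """\
Jul  9 22:14:01 box sshd[2231]: Accepted password for shadyuser from 192.0.2.10 port 40112 ssh2
Jul 10 01:02:33 box sshd[2410]: Accepted password for shadyuser from 198.51.100.7 port 50231 ssh2
Jul 10 03:45:10 box sshd[2688]: Accepted password for shadyuser from 192.0.2.10 port 40900 ssh2
Jul 11 12:00:00 box sshd[3100]: Accepted password for alice from 203.0.113.5 port 22222 ssh2
"""

COMPILE_RE = re.compile(r"^\s*(?:gcc|cc|make)\b.*?(\S+\.c)\b")   # compiler run on a .c file
REMOVE_RE = re.compile(r"^\s*rm\s+(?:-\S+\s+)*(\S+)")             # first path given to rm
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")


def compile_then_delete(history: str) -> list[str]:
    """Source files that were compiled and later rm'd, as the post's attacker did with ptrace-kmod.c."""
    compiled = []
    removed = set()
    for line in history.splitlines():
        m = COMPILE_RE.match(line)
        if m:
            compiled.append(m.group(1))
        m = REMOVE_RE.match(line)
        if m:
            removed.add(m.group(1))
    return [src for src in compiled if src in removed]


def logins_by_user(messages: str) -> dict[str, set[str]]:
    """Map each user to the distinct source addresses sshd accepted logins from."""
    seen = defaultdict(set)
    for line in messages.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return dict(seen)
```

Run against real files, the first function points at sources worth recovering from backups or a filesystem image, and the second gives the per-user address list the post built by hand with grep.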