Linux/OSF-A
From: Stephen Beer (stephen.beer@blupont.com)
Date: 12/05/02
- Next message: Christian Hoefer: "Re: update only file system"
- Previous message: Richard Pitt: "Re: update only file system"
- Next in thread: Michael Heiming: "Re: Linux/OSF-A"
- Reply: Michael Heiming: "Re: Linux/OSF-A"
- Reply: teddy: "Re: Linux/OSF-A"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: stephen.beer@blupont.com (Stephen Beer) Date: 5 Dec 2002 11:16:47 -0800
One of our clients' machines was attacked and crashed at 02:00 this morning.
I have done some detective work as shown below and I would appreciate some help.
note: my VNC connections into the machine are shown as me.me.me.me
=======================================================================
/var/maillog
maillog: Dec 5 01:01 sendmail daemon started
>> sendmail daemon didn't kick in at 02:00 so machine had crashed by then
/var/log/cron
Dec 5 01:50:00 ns CROND[27590]: (memememe) CMD ($HOME/sh/email_bookings.sh >> $HOME/tmp/email_crontab.out 2>&1)
Dec 5 01:55:00 ns CROND[27681]: (memememe) CMD ($HOME/sh/email_bookings.sh >> $HOME/tmp/email_crontab.out 2>&1)
>> Last cron was at 01:55 - confirming again that it crashed before 02:00
/var/log/secure
Dec 4 09:04:59 ns xinetd[589]: START: vnc pid=10547 from=me.me.me.me
Dec 4 14:34:24 ns xinetd[589]: START: ftp pid=16463 from=203.231.234.206
Dec 4 14:35:05 ns xinetd[589]: EXIT: ftp pid=16463 duration=41(sec)
Dec 4 21:59:48 ns xinetd[589]: START: vnc pid=23573 from=me.me.me.me
Dec 5 13:28:07 ns sshd[575]: Server listening on 0.0.0.0 port 22.
Dec 5 13:40:47 ns xinetd[596]: START: vnc pid=1172 from=me.me.me.me
>> Machine got rebooted at 13:28 today at our request
>> Does the above mean that 203.231.234.206 has successfully opened an ftp connection or does it mean that he only attempted to do so?
>> On rebooting the machine I ran Sophos and...
SWEEP virus detection utility
Version 3.64, December 2002 [Linux/Intel]
Includes detection for 78381 viruses, trojans and worms
Copyright (c) 1989,2002 Sophos Plc, www.sophos.com
System time 14:08:07, System date 05 December 2002
Quick Sweeping
Could not open /usr/bin/kbdrate
Could not open /usr/bin/kappfinder
Could not open /usr/lib/X11/XF86Config
Could not open /usr/share/doc/db3-devel-3.1.17/examples_c/tags
Could not open /usr/share/doc/db3-devel-3.1.17/examples_cxx/tags
Could not open /usr/include/asm/asm
Could not open /usr/include/linux/linux
>>> Virus 'Linux/OSF-A' found in file /usr/tmp/vadimII
73019 files swept in 7 minutes and 48 seconds.
7 errors were encountered.
1 virus was discovered.
1 file out of 73019 was infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
End of Sweep.
>> Virus had been deposited in /usr/tmp - note that the owner is apache
[root@ns tmp]# cd /usr/tmp
[root@ns tmp]# ls -lrt
total 1532
-rw-r--r-- 1 apache apache 570648 Oct 19 11:53 pb.tar.gz
-rw-r--r-- 1 apache apache 959440 Nov 26 08:54 emek.tar.gz
-rwxr-xr-x 1 apache apache 23414 Dec 5 01:49 vadimII
>> ...and that apache had deposited other files
>> I have now removed vadimII and the *gz files stored there
/var/log/httpd/error_log
[root@ns log]# grep 'Dec 5 0' httpd/*
httpd/error_log:[Thu Dec 5 00:26:42 2002] [notice] child pid 28246 exit signal Segmentation fault (11)
httpd/error_log:[Thu Dec 5 00:26:45 2002] [notice] child pid 28244 exit signal Segmentation fault (11)
httpd/error_log:[Thu Dec 5 00:26:50 2002] [notice] child pid 28250 exit signal Segmentation fault (11)
httpd/error_log:[Thu Dec 5 01:34:33 2002] [error] [client 218.230.246.90] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
httpd/error_log:[Thu Dec 5 01:43:00 2002] [error] mod_ssl: SSL handshake failed (server www.memememe.co.uk:443, client 218.230.246.90) (OpenSSL library error follows)
httpd/error_log:[Thu Dec 5 01:43:00 2002] [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143)
httpd/error_log:[Thu Dec 5 01:48:04 2002] [error] mod_ssl: SSL handshake failed (server www.memememe.co.uk:443, client 218.230.246.90) (OpenSSL library error follows)
httpd/error_log:[Thu Dec 5 01:48:04 2002] [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143)
[root@ns log]#
>> This looks suspicious to me....
>> Somebody crashed an apache connection around 00:26 - are they getting access to the machine
>> through a vulnerability in Apache??
>> Is 218.230.246.90 trying something dodgy?
Looking at the Sophos description for the virus:
http://www.sophos.com/virusinfo/analyses/linuxosfa.html
Linux/OSF-A will attempt to infect 200 ELF executables in the current
working directory and the directory /bin. The virus will avoid the
file ps or any files ending in ps.
If the virus is executed by a privileged user then it will attempt to
create a backdoor server on the system. This is achieved by opening a
socket on port 3049 or above and waiting for specially configured
packets containing instructions for the backdoor program. The server
may be asked to create a TCP connection with the attacker and to then
attempt to supply them with a shell to use remotely.
>> How can you tell if the /bin directories are infected - I've since scanned them using Sophos and no problems reported - is that enough?
Firewall
The firewall rules allowed incoming traffic on essential ports (http,
etc) and denied all other incoming.
It did *not* deny any outgoing traffic (although it does, as of today,
deny all non-essential)
I am no expert at all but it looks like someone has deposited this using some weakness in Apache.
How do they do this and how do we guard against it?
Is apache deemed a privileged user?
OK, given then that apache is a privileged user and that they can
execute vadimII to listen on port 3049 surely a remote program cannot
communicate with it if we have port 3049 closed for incoming traffic.
Am I right here?
If so then how did this prick manage to crash the box? Has he crashed
it remotely somehow???
For anyone who can help with all or some of this many thanks
Cheers
Stephen
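Added example, not part of the post: a small Python triage script over the log lines quoted above. It pairs xinetd START/EXIT records by pid (an EXIT carrying a duration means xinetd actually spawned the ftp service for that client, so the connection was accepted rather than merely attempted), flags bursts of Apache child segfaults, and counts error_log entries per client IP. The sample lines are copied from the post with line wrapping undone; the burst window and threshold values are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed samples: the lines from the post, with wrapping undone.
XINETD_LOG = """\
Dec 4 09:04:59 ns xinetd[589]: START: vnc pid=10547 from=me.me.me.me
Dec 4 14:34:24 ns xinetd[589]: START: ftp pid=16463 from=203.231.234.206
Dec 4 14:35:05 ns xinetd[589]: EXIT: ftp pid=16463 duration=41(sec)
Dec 4 21:59:48 ns xinetd[589]: START: vnc pid=23573 from=me.me.me.me
"""
HTTPD_LOG = """\
[Thu Dec 5 00:26:42 2002] [notice] child pid 28246 exit signal Segmentation fault (11)
[Thu Dec 5 00:26:45 2002] [notice] child pid 28244 exit signal Segmentation fault (11)
[Thu Dec 5 00:26:50 2002] [notice] child pid 28250 exit signal Segmentation fault (11)
[Thu Dec 5 01:34:33 2002] [error] [client 218.230.246.90] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Dec 5 01:43:00 2002] [error] mod_ssl: SSL handshake failed (server www.memememe.co.uk:443, client 218.230.246.90) (OpenSSL library error follows)
[Thu Dec 5 01:48:04 2002] [error] mod_ssl: SSL handshake failed (server www.memememe.co.uk:443, client 218.230.246.90) (OpenSSL library error follows)
"""

XINETD_RE = re.compile(r"xinetd\[\d+\]: (START|EXIT): (\w+) pid=(\d+)"
                       r"(?: from=(\S+))?(?: duration=(\d+)\(sec\))?")
SEGV_RE = re.compile(r"^\[([^\]]+)\] \[notice\] child pid \d+ exit signal Segmentation fault")
CLIENT_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)")
HTTPD_TS = "%a %b %d %H:%M:%S %Y"

def xinetd_sessions(log):
    """Pair START/EXIT by pid. duration is None while no EXIT has been seen."""
    sessions = {}
    for event, svc, pid, src, dur in (m.groups() for m in map(XINETD_RE.search, log.splitlines()) if m):
        if event == "START":
            sessions[pid] = {"service": svc, "from": src, "duration": None}
        elif pid in sessions:
            sessions[pid]["duration"] = int(dur)
    return sessions

def segfault_bursts(log, window_secs=60, threshold=3):
    """Start times (HH:MM:SS) of windows with >= threshold child segfaults.
    Repeated child crashes in a short window are the pattern to treat as a
    possible exploitation attempt against httpd (window/threshold are assumed)."""
    times = [datetime.strptime(m.group(1), HTTPD_TS)
             for m in map(SEGV_RE.search, log.splitlines()) if m]
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_secs:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append(times[i].strftime("%H:%M:%S"))
        i = j + 1
    return bursts

def errors_by_client(log):
    """Count error_log entries naming a client IP, so one noisy source stands out."""
    return Counter(m.group(1) for m in map(CLIENT_RE.search, log.splitlines()) if m)
```

Run against the real files, the same functions show whether a connection was completed (EXIT with duration) and which hour produced the segfault cluster to line up with the 01:49 timestamp on vadimII.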