Re: Removing hacker's file

From: Doug Laidlaw (laidlaws_at_myaccess.com.au)
Date: 06/06/03


Date: Fri, 06 Jun 2003 14:30:51 +1000

Doug Holtz wrote:

>
> "Doug Laidlaw" <laidlaws@myaccess.com.au> wrote in message
> news:f4fe2f80.0306051554.3bf6b6b8@posting.google.com...
>> Nico Kadel-Garcia <nkadel@verizon.net> wrote in message
> news:<SxHDa.36276$ca5.6880@nwrdny02.gnilink.net>...
>> > Doug Laidlaw wrote:
>> >
>> > > unruh@string.physics.ubc.ca (Bill Unruh) wrote in message
> news:<bbm3el$8pr$1@nntp.itservices.ubc.ca>...
>> > >
>> > >>Doug Laidlaw <laidlaws@myaccess.com.au> writes:
>> > >>
>> > >>]A hacker has put what looks like a data file in my /dev/cpu. It is
>> > >>]shown as owned by root, but root can't delete or edit it, only change
>> > >>]its permissions. I know that I need to reinstall, but would like to
>> > >>]make life difficult for the hacker until I am able. I have changed its
>> > >>]permissions to 000, but I know that the change won't stop him. How can
>> > >>]I delete this file?
>> > >>
>> > >>man lsattr
>> > >>man chattr
>> > >>See the immutable flag.
>> > >>
>> > >>But reinstall and get up to date with the security updates.
>> > >>Note they have root on your machine, and thus they may well know your
>> > >>root password, and can use your machine to attack other machines (you
>> > >>getting blamed in the process)
>> > >
>> > >
>> > > Thanks Bill. Gee, you do a lot on the newsgroups.
>> > >
>> > > I reinstalled the OS, formatting the partition in the process. I
>> > > then set up the Mandrake Shorewall firewall, and on its default
>> > > settings, I couldn't get out, but he got back in and put the mtrr
>> > > file back. I could see his attacks in /var/log/secure. Since then, I
>> > > have downloaded a config for Shorewall for one machine, which lets me
>> > > out and (theoretically) doesn't let anyone in, but it doesn't seem to
>> > > worry him. Looks as though I need a fresh install of Linux *AND*
>> > > Windows 98. He had copied my Windows drive as seen by /mnt/windows
>> > > to a /mnt/windows directory on my Windows partition. Sounds as though
>> > > all he wants to do is harass me, but I can't take the risk. What do
>> > > I do to keep him out?
>> > >
>> > > I am sending this from Windows, but Windows may be compromised too?
>> >
>> > Looks like this weasel has some tools in his hands, and is persistent.
>> > It's probably time to call the cops, call his incoming IP address
>> > provider, and call his mommy to spank his hands.
>> >
>> > And I suspect he's using a relatively new hole in some service you're
>> > running and exposing to the Net. (Such as HTTP running a weak CGI
>> > script from somewhere else, a sendmail weakness, your FTP server, a set
>> > of usernames and passwords he's stolen from elsewhere, etc.)
>> >
>> > Turn off *EVERYTHING* in the short term, turn off all your services,
>> > re-install, change all your passwords, and start from scratch. You
>> > might also benefit strongly from running tripwire from a read-only
>> > database of your core files: I really highly recommend CD-R's for this,
>> > since you can chroot to the CD-RPM itself and run static binaries from
>> > there to access your real drive's files.
>>
>> I have replied to this from Linux, but the guy is back. His address is
>> "unknown" in the log files. The file he installed is proofed against
>> both lsattr and chattr. Both give a message "Unknown code B 3 " and
>> exit. The Australian Federal Police are happy to accept a referral,
>> but don't have the resources to do anything about it. I am now
>> shutting down and reinstalling everything. I will install Nessus and
>> tripwire before I try to connect to the Net again.
>>
>> Doug.
>
> Doug;
>
> I did a google search on "mtrr" and found it to be a linux memory type
> range register, something for video. Are you SURE you had a hacker? It'd
> be good to read the log.
>
> Doug Holtz

Thanks Doug. I was going by something I read on one of the security sites,
that ANY file in /dev which is not a device file must be put there by a
hacker. They may be wrong. It certainly reads as though it could be what
you say, but would /dev/cpu be the place for it? And why is it protected
against chattr? I also have copies in /proc/ and in /lib/dev-state/cpu/.

It is as follows:

reg00: base=0x00000000 ( 0MB), size= 256MB: write-back, count=1
reg01: base=0xe0000000 (3584MB), size= 64MB: write-combining, count=1
reg02: base=0xe5000000 (3664MB), size= 4MB: write-combining, count=1
reg05: base=0xe0000000 (3584MB), size= 64MB: write-combining, count=1

What I am relying on however, is the entries in /var/log/secure as follows:

Jun 5 18:11:41 dougshost xinetd[1586]: START: sgi_fam pid=2966 from=<no address>
Jun 5 18:20:50 dougshost webmin[2193]: Webmin starting
Jun 5 18:56:27 dougshost xinetd[1589]: START: sgi_fam pid=24468 from=<no address>
Jun 5 19:05:52 dougshost xinetd[1589]: START: sgi_fam pid=2655 from=<no address>
Jun 5 20:32:23 dougshost webmin[2196]: Webmin starting
Jun 5 20:39:36 dougshost xinetd[1588]: START: sgi_fam pid=2944 from=<no address>
Jun 5 20:50:29 dougshost xinetd[1588]: START: sgi_fam pid=3053 from=<no address>

I am no good at reading logs, but it seems to say that someone outside is
running sgi-fam at irregular intervals which agree with my connection
times. SGI::FAM is a Perl script to run fam. From the man page:

>Normally, fam is started by inetd(1M). It is registered with
>portmap(1M) as performing the sgi_fam service.

So it seems that it runs while I am connected. Perhaps I am seeing normal
operation, but the timing is irregular. The default is every 6 seconds,
and would that be logged to /log/secure?

The other thing is the strange appearance of the zipped file in my home
directory and the copying of /mnt/windows to /mnt/windows. That is the
command I would have had to use, and I would have got an error message. I
downloaded and partly installed Nessus before the last reinstall, and I can
no longer find it. I may have accidentally deleted it during the
reinstall, but I don't think so. It should still have been either in my
Windows Download directory or my home directory.

I haven't reinstalled again yet, and since I may be O.K., I won't until I
receive your reply, but I will keep connected time to a minimum.

Doug.

Linux: in a world without fences, who needs Gates?
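As an added example, not part of the thread: a small Python parser for the xinetd START lines quoted in the post above, which pulls out the service, pid and peer address of each start and computes the gaps between sgi_fam starts, so the "irregular intervals" can be read off rather than eyeballed. It treats from=<no address> as an entry with no recorded peer; the final telnet line and its 192.0.2.10 address are constructed for contrast, and the year 2003 is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the lines quoted in the post, plus one constructed
# line with a concrete remote address (TEST-NET range) for contrast.
SAMPLE_LOG = """\
Jun 5 18:11:41 dougshost xinetd[1586]: START: sgi_fam pid=2966 from=<no address>
Jun 5 18:20:50 dougshost webmin[2193]: Webmin starting
Jun 5 18:56:27 dougshost xinetd[1589]: START: sgi_fam pid=24468 from=<no address>
Jun 5 19:05:52 dougshost xinetd[1589]: START: sgi_fam pid=2655 from=<no address>
Jun 5 20:32:23 dougshost webmin[2196]: Webmin starting
Jun 5 20:39:36 dougshost xinetd[1588]: START: sgi_fam pid=2944 from=<no address>
Jun 5 20:50:29 dougshost xinetd[1588]: START: sgi_fam pid=3053 from=<no address>
Jun 5 21:02:10 dougshost xinetd[1588]: START: telnet pid=3101 from=192.0.2.10
"""

# Matches only xinetd START records; webmin and other lines are skipped.
START_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ xinetd\[\d+\]: "
    r"START: (?P<svc>\S+) pid=(?P<pid>\d+) from=(?P<src>.+)$"
)

def parse_starts(text, year=2003):
    """Return one dict per xinetd START line, in file order.

    src is None when xinetd logged '<no address>' (no peer recorded);
    the year is assumed because syslog timestamps do not carry one.
    """
    events = []
    for line in text.splitlines():
        m = START_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        events.append({"ts": ts, "service": m["svc"], "pid": int(m["pid"]),
                       "src": None if src == "<no address>" else src})
    return events

def remote_starts(events):
    """Starts for which xinetd recorded a concrete peer address."""
    return [e for e in events if e["src"] is not None]

def gaps_minutes(events, service):
    """Whole minutes between consecutive starts of one service."""
    ts = [e["ts"] for e in events if e["service"] == service]
    return [int((b - a).total_seconds() // 60) for a, b in zip(ts, ts[1:])]
```

On the quoted lines this yields sgi_fam gaps of 44, 9, 93 and 10 minutes and a single start with a recorded peer, the constructed telnet one.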
