Re: root or openssh exploited?
Date: 03/28/04
- Next message: Randy Ramsdell: "Re: root or openssh exploited?"
- Previous message: ghaze: "Re: how deep do i need to dive ?"
- In reply to: Kev: "root or openssh exploited?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 27 Mar 2004 19:02:01 -0500
Kev wrote:
> Hi
>
> a quick summary of my status before my question
>
> *) Linux RedHat 7.3
> *) kernel 2.4.20-24.7
> *) uptime 100+ days
> *) OpenSSH_3.7p1
> *) loads of user accounts, user auth is against a local passwd file
> *) root login via ssh *is* allowed in sshd_config
> *) the only port visible to the world is 22, the rest shielded by a Cisco
> firewall
> *) no sign of any malicious activity within our network
>
> On this system we found
>
> *) root password had mysteriously changed, maybe due to sysadmin error? The
> "expected" root password worked until at least 5 days ago. Only root
> access now is via stored ssh keys.
>
> *) running chkrootkit-0.43 we see one probable problem
> ./chkproc -v
> PID 20: not in readdir output
> PID 20: not in ps output
> You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
>
> Sure enough ps and ls /proc don't see a PID 20 or a dir called "20" resp.
>
> We will remove this system from operation, and reset all
> accounts and passwords.
>
> However, I want to know (if I can know) which exploit was used, in
> particular it would be good to know if it was a remote exploit of
> openssh or a local exploit of some sort, and since when has the machine been
> exploited?
>
> I'd also like to know as much as possible about the mysterious PID 20
>
> Since I have a running kernel I can do a few things:
>
> cat /proc/20/cmdline
> initauto
>
> sum /proc/1/exe /proc/20/exe
> 26159 27 /proc/1/exe
> 26159 27 /proc/20/exe
>
> PID 1 is of course init.
>
> ls -l /proc/20/fd
> total 0
> lrwx------ 1 root root 64 Mar 27 00:06 0 -> /dev/null
> lrwx------ 1 root root 64 Mar 27 00:06 1 -> /dev/null
> lrwx------ 1 root root 64 Mar 27 00:06 2 -> /dev/null
> lrwx------ 1 root root 64 Mar 27 00:06 3 -> /dev/kmem
> lrwx------ 1 root root 64 Mar 27 00:06 4 -> socket:[22]
>
> that "22" looks suspiciously like a ssh related issue.
>
> "man proc" tells me field 22 in /proc/<PID>/stat
> is the start time of a process. On my system that gives:
>
> cat /proc/1/stat /proc/20/stat | awk '{print $22}'
> 39
> 655
>
> This would suggest that the rogue init process started only 6
> seconds after the real init process. Also 20 is quite a low PID,
> though of course I know that wraps around.
>
> Does that give anyone any clues? Can I trust the outputs above?
> Maybe the "changed" root password and the strange process
> are in fact unrelated, one may be an accident and one may have been the
> case for 3+ months! That is of course what worries me ...
>
> Suggestions ....
>
> Kev
This may be trivial to you but ..
Things to try:
1. use lsof to find programs running (this has come in handy for me
after root access was gained as some rootkits - if installed - don't
trojan lsof)
2. check rpm database for any changes to packages
Questions:
Is sshd allowing ssh 1 protocol?
Hints:
I have transferred (known good) commands to the possibly cracked system.
Transfer the "ps" command over and find out what program is using PID
20. It will work as long as the libraries haven't been f'ed up.
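An added example, not part of Kev's post or this reply and not chkrootkit's own source: a small Python script that reimplements the checks discussed in the thread so they can be reasoned about offline. It probes /proc/<pid> directly for every PID (the chkproc idea: a hooked readdir or a trojaned ps can hide a directory entry, but the kernel still answers a stat() on the path), parses /proc/<pid>/stat field 22 by splitting after the last ')' (a plain awk '{print $22}' shifts by one if the comm field contains a space), and flags the fd pattern Kev saw on PID 20. The stat lines, fd list and 100 clock ticks per second are constructed assumptions that mirror the numbers in the post; the number inside socket:[N] is a socket inode, which can be matched against /proc/net/tcp or netstat -ap, not a port number.

```python
"""Hypothetical helper code for a hidden-process triage, written for this
thread; it is not chkrootkit and not anything the poster ran."""
import os
import subprocess

# Constructed /proc/<pid>/stat lines (2.4-style layout) using the start
# times from the post: field 22 is 39 for init and 655 for PID 20.
INIT_STAT = "1 (init) S 0 1 1 0 -1 256 230 1200 10 40 7 50 3 9 8 0 0 0 39 1400832 110 4294967295"
ROGUE_STAT = "20 (initauto) S 1 20 20 0 -1 64 12 0 0 0 1 2 0 0 8 0 0 0 655 2031616 95 4294967295"
# A comm containing a space, the case that breaks naive whitespace splitting.
SPACED_STAT = "42 (a b) R 1 42 42 0 -1 0 0 0 0 0 0 0 0 0 8 0 0 0 700 0 0 0"
# Constructed copy of the fd listing from the post.
PID20_FDS = [("0", "/dev/null"), ("1", "/dev/null"), ("2", "/dev/null"),
             ("3", "/dev/kmem"), ("4", "socket:[22]")]


def hidden_pids(probed, readdir_pids, ps_pids):
    """Return {pid: [views that miss it]} for every PID that answered a direct
    stat() of /proc/<pid>/stat but is absent from readdir(/proc) or ps output."""
    result = {}
    for pid in sorted(probed):
        missing = [name for name, view in (("readdir", readdir_pids), ("ps", ps_pids))
                   if pid not in view]
        if missing:
            result[pid] = missing
    return result


def stat_field(stat_line, n):
    """Field n (1-based, numbered as in proc(5)) of a /proc/<pid>/stat line.
    The comm field is delimited by parentheses and may contain spaces, so the
    line is split after the last ')' rather than on whitespace alone."""
    head, _, tail = stat_line.rpartition(")")
    if n == 1:
        return head.split(" ", 1)[0]          # pid
    if n == 2:
        return head.split("(", 1)[1]          # comm, without the parentheses
    return tail.split()[n - 3]                # state is field 3, index 0 of tail


def start_delay_seconds(init_stat, other_stat, clk_tck=100):
    """Seconds between two processes' start times. Field 22 is expressed in
    clock ticks since boot; 100 ticks/s is assumed for the 2.4 kernel here."""
    return (int(stat_field(other_stat, 22)) - int(stat_field(init_stat, 22))) / clk_tck


def suspicious_fds(fd_links):
    """Flag fd targets that deserve a look in a process claiming to be init."""
    flags = []
    for fd, target in fd_links:
        if target in ("/dev/kmem", "/dev/mem"):
            flags.append((fd, "kernel memory"))
        elif target.startswith("socket:[") and target.endswith("]"):
            flags.append((fd, "socket inode " + target[8:-1]))
    return flags


# Live collectors, only used from main(); the functions above are pure.
def probe_proc(max_pid=32768):
    """chkproc-style: ask the kernel about each PID instead of trusting readdir."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat("/proc/%d/stat" % pid)
            found.add(pid)
        except OSError:
            pass
    return found


def readdir_pids():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(x) for x in out.split()}


def main():
    clk_tck = os.sysconf("SC_CLK_TCK") if hasattr(os, "sysconf") else 100
    with open("/proc/1/stat") as f:
        init_stat = f.read()
    for pid, views in hidden_pids(probe_proc(), readdir_pids(), ps_pids()).items():
        with open("/proc/%d/stat" % pid) as f:
            stat = f.read()
        fds = []
        try:
            fds = [(fd, os.readlink("/proc/%d/fd/%s" % (pid, fd)))
                   for fd in os.listdir("/proc/%d/fd" % pid)]
        except OSError:
            pass
        print("PID %d hidden from %s: comm=%r started %.2fs after init, fds=%s"
              % (pid, "+".join(views), stat_field(stat, 2),
                 start_delay_seconds(init_stat, stat, clk_tck), suspicious_fds(fds)))


if __name__ == "__main__":
    main()
```

Run as root on the suspect box (ideally from a known-good Python and ps copied over, as this reply suggests). A PID hidden from both readdir and ps but answering a stat() is the same signal chkproc reported; a start time a few seconds after init, as with the 616-tick gap in the post, means the process was launched early in boot, not injected recently.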