Linux workstation got hacked!

From: Et cetera (etcetera05@yahoo.com)
Date: 12/11/02


From: etcetera05@yahoo.com (Et cetera)
Date: 10 Dec 2002 23:57:55 -0800

My Linux workstation has been hacked.

Running redhat 5.2.

Accidentally noticed the /etc/passwd file modified, the last line changed to:

r00t:x:0:0::/usr/sbin/r00t:/bin/bash

/etc/shadow modified too. Started looking around and found files in the /home/ftp/ directory:

/home/ftp/rk
/home/ftp/lrk

/home/ftp/rk> ll -R

rk:
total 8
-rwx------ 1 root root 3515 Dec 11 00:32 install*
drwx------ 3 root root 4096 Dec 11 00:32 utils/

rk/utils:
total 168
-rwx------ 1 root root 7291 Dec 11 00:32 adore-0.14.tar.gz*
-rwx------ 1 root root 2257 Dec 11 00:32 da.sh*
-rwx------ 1 root root 16767 Dec 11 00:32 sl2t*
drwx------ 2 root root 4096 Dec 11 00:32 snif/
-rwx------ 1 root root 186 Dec 11 00:32 sysinfo*
-rw------- 1 root root 0 Dec 11 00:32 tcp.log
-rwx------ 1 root root 124076 Dec 11 00:32 wget*

rk/utils/snif:
total 20
-rwx------ 1 root root 7165 Dec 11 00:32 linsniffer*
-rwx------ 1 root root 75 Dec 11 00:32 logclear*
-rwx------ 1 root root 4060 Dec 11 00:32 sense*
-rw------- 1 root root 11 Dec 11 00:32 tcp.log

/home/ftp/lrk> ll -R

/home_ftp> ll -R lrk Wed 11 2:44
lrk:
total 1080
-rwx------ 1 root root 1390 Dec 11 00:31 cleaner*
-rwx------ 1 root root 715 Dec 11 00:31 clear*
-rwx------ 1 root root 8268 Dec 11 00:31 flewd2*
-rwx------ 1 root root 8268 Dec 11 00:31 flewd3*
-rwx------ 1 root root 77 Dec 11 00:31 gaura*
-rwx------ 1 root root 7165 Dec 11 00:31 holber*
-rwx------ 1 root root 22328 Dec 11 00:31 ifconfig*
-rwx------ 1 root root 4622 Dec 11 00:31 install*
-rwx------ 1 root root 1657 Dec 11 00:31 killrk*
-rwx------ 1 root root 36692 Dec 11 00:31 ls*
-rwx------ 1 root root 35300 Dec 11 00:31 netstat*
-rwx------ 1 root root 33280 Dec 11 00:31 ps*
-rwx------ 1 root root 24142 Dec 11 00:31 pstree*
-rwx------ 1 root root 671 Dec 11 00:31 s*
-rwx------ 1 root root 145 Dec 11 00:31 salut*
-rwx------ 1 root root 4060 Dec 11 00:31 sense*
-rwx------ 1 root root 6124 Dec 11 00:31 slice*
-rwx------ 1 root root 522 Dec 11 00:31 ssh_host_key*
-rwx------ 1 root root 512 Dec 11 00:31 ssh_random_seed*
-rwx------ 1 root root 685887 Dec 11 00:31 tava*
-rwx------ 1 root root 0 Dec 11 00:31 tcp.log*
-rwx------ 1 root root 53588 Dec 11 00:31 top*
-rwx------ 1 root root 95470 Dec 11 00:31 utile.tgz*
-rwx------ 1 root root 4060 Dec 11 00:31 vad*

Files are modified or replaced all over the system! In /usr/bin, /bin, /etc, and elsewhere, such as /usr/bin/pstree, /usr/bin/gaura, /usr/sbin/tava, holber, r00t and tcp.log. These files refuse to get deleted by root. It appears ssh has been installed.

I realize I have to reinstall the entire OS, but what else can be done?

How can the hacker or his source be identified?

There are some entries in the /var/log/secure* files, IP addresses I do not recognize.

Strange entries in the /var/log/messages* files, like:

messages:Dec 6 23:50:59 localhost ftpd[1733]: FTP session closed
messages:Dec 7 20:32:31 localhost ftpd[943]: FTP session closed
messages:Dec 10 21:27:11 localhost ftpd: ACB2A8B3.ipt.aol.com: connected: IDLE
messages.2:Nov 21 18:06:55 localhost ftpd[1290]: FTP session closed
messages.2:Nov 21 18:36:50 localhost ftpd[1320]: FTP session closed
messages.2:Nov 22 18:35:46 localhost ftpd[1010]: FTP session closed
messages.2:Nov 26 23:18:32 localhost ftpd[1247]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM p50888FD6.dip.t-dialin.net [80.136.143.214], anonymous

[1221]: failed login from lns08a-9-230.w.club-internet.fr [212.194.176.230], anonymous@ftp.microsoft.com
readme:messages:Dec 6 17:54:50 localhost ftpd: lns08a-9-230.w.club-internet.fr: connected: IDLE

What's the best version of Redhat to install? Also, what firewall should I run?

This is really terrible. Any thoughts would be greatly appreciated.
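As an added example (not part of the original post), the two checks the findings above call for, in Python: flag any account other than root that carries UID or GID 0 in /etc/passwd, and pull the remote hosts out of the ftpd lines in /var/log/messages so unfamiliar peers can be reviewed. The sample passwd and log data are constructed from the lines quoted in the post, not taken from a live system.

```python
import re

# Constructed sample input modelled on the lines quoted in the post (a UID-0
# account "r00t" appended to /etc/passwd, ftpd entries from /var/log/messages).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/home/ftp:/sbin/nologin
r00t:x:0:0::/usr/sbin/r00t:/bin/bash
"""

SAMPLE_MESSAGES = """Dec 6 23:50:59 localhost ftpd[1733]: FTP session closed
Dec 10 21:27:11 localhost ftpd: ACB2A8B3.ipt.aol.com: connected: IDLE
Nov 26 23:18:32 localhost ftpd[1247]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM p50888FD6.dip.t-dialin.net [80.136.143.214], anonymous
Dec 6 17:54:50 localhost ftpd: lns08a-9-230.w.club-internet.fr: connected: IDLE
"""


def rogue_superusers(passwd_text, allowed=("root",)):
    """Return names of accounts with UID 0 or GID 0 that are not in `allowed`.
    Any UID-0 account is a full root equivalent whatever it is called; a
    malformed line is returned whole, since that is suspicious as well."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            hits.append(line)
            continue
        name, _pw, uid, gid = fields[:4]
        if (uid == "0" or gid == "0") and name not in allowed:
            hits.append(name)
    return hits


# The "ftpd: host: connected" and "... FROM host [ip], user" forms seen above.
CONNECTED_RE = re.compile(r"ftpd(?:\[\d+\])?: (?P<host>[\w.-]+): connected")
REFUSED_RE = re.compile(r"FROM (?P<host>[\w.-]+) \[(?P<ip>[\d.]+)\]")


def ftpd_remote_hosts(log_text):
    """Map each remote host that connected to, or was refused by, ftpd to the
    log lines naming it, so that unfamiliar peers can be reviewed together."""
    hosts = {}
    for line in log_text.splitlines():
        m = CONNECTED_RE.search(line) or REFUSED_RE.search(line)
        if m:
            hosts.setdefault(m.group("host"), []).append(line)
    return hosts
```

Run the same two functions over the real /etc/passwd and the rotated messages files on a copy of the disk, not on the live compromised host, since the replaced ls/ps/netstat binaries listed above mean nothing run on that system can be trusted.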
