
Re: [cobalt-users] Hacked - Ambient's Rootkit for Linux ?



<cobalt@xxxxxxxxxxxxx> wrote:
> I believe I have been hacked (well I'm sure, but I still have hope)
>
> chkrootkit returns:
>
> Checking `du'... INFECTED
> Checking `killall'... INFECTED
> Checking `ls'... INFECTED
> Checking `netstat'... INFECTED
> Checking `ps'... INFECTED
> Checking `pstree'... INFECTED
> Checking `syslogd'... INFECTED
> Checking `top'... INFECTED
>
> With the following time stamps and sizes
>
> -rwxrwxr-x   1 root     root        43336 Nov  8 15:40 login
> -rwxrwxr-x   1 root     root       184023 Nov  8 15:40 ls
> -rwxrwxr-x   1 root     root       258612 Nov  8 15:40 netstat
> -rwxrwxr-x   1 root     root        47388 Nov  8 15:40 ps
> -rwxrwxr-x   1 root     root        28696 Nov  8 15:40 syslogd
> -rwxrwxr-x   1 root     root       117311 Nov  8 15:40 du
> -rwxrwxr-x   1 root     root        22459 Nov  8 15:40 killall
> -rwxrwxr-x   1 root     root        24147 Nov  8 15:40 pstree
> -rwxrwxr-x   1 root     root        68692 Nov  8 15:40 top
> -rwxrwxr-x   1 root     root       655916 Nov  8 15:40 sshd

Unfortunately your assessment is correct.  I've helped several clients
recover from this particular rootkit recently.  It's also not uncommon for
other rootkits to be present so I recommend either doing a full audit if you
have the tools, information and expertise to do so or restoring the system
from the OSR CD.  If you go the former route, at a minimum you'll want to
replace all of the binaries above.  You can retrieve them from
ftp://ftp.cobalt.com/pub/products/raq4/RPMS/.  To find the source for each
you can use rpm.  For example to find the RPM for ps do:

1. whereis ps
2. rpm -qf /bin/ps (returns procps-2.0.6-5)

Then replace the trojaned binaries with those from the RPMs.

> The only patch I'm missing (I believe) is RaQ4-mod_ssl-2.8.4.pkg.
>
> ANY Help and advice would be appreciated

Install that PKG.  Ensure that all other PKGs are installed.  Also delete
"/usr/lib/.ark?".  Delete /dev/ptyxx as well.  Replace OpenSSH from the
pkgmaster.com package.  If it's feasible, change all user passwords on the
server.  If not, at least change root and admin's and install and run John
the Ripper to check for weak passwords and replace those.  If you can crack
them the hacker can too and may use them to take advantage of a current or
future vulnerability.  Before you do any of this, run NMAP (either install
it or run the Windows version) to do a port scan.  After you've replaced
netstat (and other binaries), run it to see if any strange services are
running and use kill/killall to kill the connections.  Hint: netstat | grep
irc (I've seen IRC programs installed on several infected machines).  Also,
lsof is another worthy program to install and run to investigate.  lsof |
grep irc (or just lsof or lsof with other flags).  Run "ls" recursively from
the root directory (/ not /root/) and save the output in a file, then use a
text editor with search capability or cat/grep to find files with timestamps
within a minute of "Nov 8 15:40" (date trojaned binaries were created) to
see if any other files were created or trojaned at the same time and deal
with them accordingly.

ls -aRl / > ls_out    (using a clean ls, not the trojaned one)
grep 'Nov  8 15:40' ls_out | sort -k 6    (or 'Nov  8 15:3' and 'Nov  8 15:4'
to be safer; ls pads a single-digit day with two spaces, so "Nov 8" with one
space would match nothing, and sort -k 6 is the current spelling of sort +5)

Then install and configure a firewall using IPCHAINS (don't just install it,
limit the ports which can be accessed and IPs which can be accessed from as
much as feasible), portsentry, logsentry, chkrootkit, fcheck (or tripwire),
etc. and set them up to run periodically and analyze their output
diligently and frequently.  If you discover the hacker is connected (or had
been connected) from a particular IP you might want to implement an IPCHAINS
rule to block the IP permanently (or at least temporarily so the hacker
loses interest in your server).  If the IP was 123.123.123.123 you'd add a
rule like the following (-l does logging):

-A input -s 123.123.123.123/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j DENY -l

Enforce strong passwords (use John the Ripper to help find weak passwords),
disable any services you don't utilize (IMAP, telnet and ASP are some that
many of my clients don't use).  Of course, there are other tools and
procedures that can help limit risk in addition to or instead of those I
mentioned.  If you don't have the expertise, time or desire to handle
installation and monitoring in-house there are people like me and others
on-list who have been doing Cobalt security for clients for years.

Here are some URLs you may find useful.

http://www.linuxworld.com/linuxworld/lw-2001-04/lw-04-vcontrol_1.html

I also find it useful to download, peruse and often even install the
rootkits (of course only installing on a development box) to learn what they
are and how they work.  Here are the Ambient rootkits I'm aware of.
http://packetstorm.decepticons.org/UNIX/penetration/rootkits/ark-1.0.tar.gz
http://packetstorm.decepticons.org/UNIX/penetration/rootkits/ark-1.0.1.tar.gz

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
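The timestamp sweep described in the reply above (recursive ls, then grep for
"Nov  8 15:40") has two practical weaknesses: `ls -R` prints the directory name
on its own header line, so a grep hit loses the full path, and the day padding in
`ls -l` output makes the pattern easy to get wrong.  The following shell script
is an added example, not part of the original post or of any Cobalt tooling, that
does the same search with `find` and a window around a reference time, printing
full paths.  It assumes GNU `date` and GNU `find` (the ctime mode also needs
find's `-newerXY`, findutils 4.3.3 or later); the function names
`find_window_files` and `count_window_files` are hypothetical.  Because a kit that
trojans `ls` can just as easily trojan `find`, run it with binaries from a known
clean source (the OSR CD, a rescue disk or a statically linked toolkit).

```shell
#!/bin/sh
# Added example (not from the original post): list files whose timestamp falls
# inside a window around a reference time, e.g. everything touched around
# "Nov  8 15:40", with full paths and no dependence on ls -l column spacing.
#
# Assumes GNU date (-d) and GNU find; the ctime mode additionally needs
# find's -newerXY (findutils 4.3.3+).
#
# usage: find_window_files ROOT "YYYY-MM-DD HH:MM:SS" [HALF_WIDTH_SECONDS] [mtime|ctime]
find_window_files() {
    root=$1
    ref=$2
    win=${3:-60}          # half-width of the window, in seconds
    mode=${4:-mtime}

    refsec=$(date -d "$ref" +%s) || return 2
    start=$((refsec - win))
    end=$((refsec + win))

    case $mode in
    mtime)
        # Portable method: two reference files bracket the window.
        # -newer A matches mtime > A; ! -newer B matches mtime <= B.
        tmp=$(mktemp -d) || return 2
        touch -d "@$start" "$tmp/start"
        touch -d "@$end"   "$tmp/end"
        find "$root" -xdev -type f -newer "$tmp/start" ! -newer "$tmp/end" \
            -print 2>/dev/null | sort
        rm -rf "$tmp"
        ;;
    ctime)
        # mtime is trivially forged with touch(1); ctime (inode change time)
        # cannot be set from user space, so a second pass on ctime catches
        # files whose mtime was reset to look old.  GNU find only.
        s=$(date -d "@$start" '+%Y-%m-%d %H:%M:%S')
        e=$(date -d "@$end"   '+%Y-%m-%d %H:%M:%S')
        find "$root" -xdev -type f -newerct "$s" ! -newerct "$e" \
            -print 2>/dev/null | sort
        ;;
    *)
        echo "unknown mode: $mode" >&2
        return 2
        ;;
    esac
}

# Number of matching files, for use in scripts and one-liners.
count_window_files() {
    find_window_files "$@" | wc -l | tr -d ' '
}

# Example, run from a clean shell on the compromised host:
#   find_window_files / "2001-11-08 15:40:00" 60          # mtime within +/- 1 min
#   find_window_files / "2001-11-08 15:40:00" 60 ctime    # same window on ctime
```

`-xdev` keeps the search on one filesystem, so run it once per mounted
filesystem rather than letting it wander into /proc.  Comparing the mtime and
ctime passes is the useful part: a file the intruder back-dated with `touch`
drops out of the mtime list but still shows up in the ctime list at the time it
was really installed.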