
17th August 2007, 06:43
Senior Member
Possible hack attempt?
I received 168 of these e-mails while I was at work today:
Subject: Cron <root@server> chown root:root /tmp/r00t && chmod 4755 /tmp/r00t && rm -rf /etc/cron.d/core && kill -USR1 13559
Body: chown: cannot access `/tmp/r00t': No such file or directory
Any ideas?
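Two triage helpers for a cron entry like the one in that subject line, added here as an example and not part of the original thread: one greps a cron.d directory for entries that set a setuid/setgid bit on a file under a temp directory or delete a file from /etc/cron.d, the other lists setuid/setgid files under temp directories. The sample cron.d directory is constructed for the demo; the directory paths are parameters so the helpers can also be pointed at a copy of the filesystem taken for analysis.

```sh
# Added example, not from the thread: triage helpers for a cron entry like the
# one quoted in the mail. That subject line shows a cron job trying to make a
# file in /tmp setuid root (chmod 4755), delete its own cron file from
# /etc/cron.d and signal a running process; the mails arrive because the
# file is missing, so the chown fails and cron reports the error.

# Print "file:line:text" for cron entries that set the setuid/setgid bit on a
# file under a temp directory, or that delete a file from /etc/cron.d.
# /dev/null is passed as an extra file so grep always prefixes the file name.
suspicious_cron_entries() {
    grep -nE \
      'chmod[[:space:]]+[2467][0-7]{3}[[:space:]]+/(tmp|var/tmp|dev/shm)/|rm[[:space:]]+(-[A-Za-z]+[[:space:]]+)*/etc/cron\.d/' \
      "$1"/* /dev/null 2>/dev/null
}

# List setuid or setgid regular files under the given directories
# (on the live host: setuid_in_tmp /tmp /var/tmp /dev/shm).
setuid_in_tmp() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Build a constructed sample cron.d directory (not a real system's): one benign
# entry and one modelled on the subject line quoted in the thread.
make_sample_crond() {
    d=$(mktemp -d)
    printf '0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/logrotate"
    printf '* * * * * root chown root:root /tmp/r00t && chmod 4755 /tmp/r00t && rm -rf /etc/cron.d/core && kill -USR1 13559\n' > "$d/core"
    echo "$d"
}

# Demo on the sample; on the real host use: suspicious_cron_entries /etc/cron.d
sample=$(make_sample_crond)
suspicious_cron_entries "$sample"
rm -rf "$sample"
```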

17th August 2007, 08:49
Moderator
I would say this does not look that good.
You could take a look at your cronjobs and check your system with rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html).
Do you have any possibly insecure web application, like a forum (vb, wbb, phpbb) or a "cms" like mambo etc., through which an attempt like this could be executed on your machine?

17th August 2007, 09:05
Senior Member
I have phpBB. I just got those e-mails for the first time today. I checked for the users logged in at the time of getting the e-mails and I was the only one logged in.

17th August 2007, 09:19
Senior Member
Code:
Rootkit Hunter 1.2.9 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Info: prelinked files found
Performing 'known good' check...
/bin/cat [ BAD ]
/bin/chmod [ BAD ]
/bin/chown [ BAD ]
/bin/date [ BAD ]
/bin/dmesg [ OK ]
/bin/env [ BAD ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ BAD ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/netstat [ BAD ]
/bin/ps [ BAD ]
/bin/su [ BAD ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ BAD ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/du [ BAD ]
/usr/bin/file [ OK ]
/usr/bin/find [ BAD ]
/usr/bin/head [ BAD ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ BAD ]
/usr/bin/passwd [ OK ]
/usr/bin/pstree [ BAD ]
/usr/bin/sha1sum [ BAD ]
/usr/bin/stat [ BAD ]
/usr/bin/top [ BAD ]
/usr/bin/users [ BAD ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ BAD ]
/usr/bin/wget [ BAD ]
/usr/bin/whereis [ OK ]
/usr/bin/who [ BAD ]
/usr/bin/whoami [ BAD ]
--------------------------------------------------------------------------------
Rootkit Hunter has found some bad or unknown hashes. This can happen due to replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
up-to-date (rkhunter --update). If you're in doubt about these hashes, contact
us through the Rootkit Hunter mailinglist at rkhunter-users@lists.sourceforge.net.
--------------------------------------------------------------------------------
[Press <ENTER> to continue]
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM... [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
[Press <ENTER> to continue]
Rootkit 'SHV5'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
[Press <ENTER> to continue]

17th August 2007, 09:20
Senior Member
Code:
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]
[Press <ENTER> to continue]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Clean ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... [ OK ]
Checking file attributes [ OK ]
Checking LKM module path [ OK ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces... [ OK ]
[Press <ENTER> to continue]
System checks
* Allround tests
Checking hostname... Found. Hostname is server.vasceria.com
Checking for passwordless user accounts... OK
Checking for differences in user accounts... Found differences
Info:
----------------------
> dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
> mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
> admin_fedex:x:10006:10005:Tristan Lee:/home/www/web5:/bin/bash
> tristanlee85:x:10011:10008:Tristan Lee:/home/www/web8:/bin/bash
< admin_fedex:x:10006:10005:Tristan Lee:/home/www/web5:/bin/bash
< forums:x:10025:10025:Tristan:/home/www/web25:/bin/bash
< fdxsql:x:12015:12015::/home/fdxsql:/bin/bash
< tristanlee85:x:10011:10008:Tristan Lee:/home/www/web8:/bin/bash
< mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
< tebriel:x:10049:10003:Chris:/home/www/web3/user/tebriel:/bin/bash
< dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
> forums:x:10025:10025:Tristan:/home/www/web25:/bin/bash
----------------------
Info: Some items have been added (items marked with '<')
Info: Some items have been removed (items marked with '>')
Checking for differences in user groups... Found differences
Info:
----------------------
< users:x:100:sales,orders,phpbb,tebriel
> users:x:100:sales,orders,phpbb
> dovecot:x:97:
> mysql:x:27:
< fdxsql:x:12015:
< mysql:x:27:
< dovecot:x:97:
----------------------
Info: Some items have been added (items marked with '<')
Info: Some items have been removed (items marked with '>')
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing..........
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock /dev/.udev
---------------
Please inspect: /dev/.udev (directory)
[Press <ENTER> to continue]
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- GnuPG 1.4.2.2 [ OK ]
- Apache 2.2.2 [ Unknown ]
- Bind DNS 9.3.2 [ OK ]
- OpenSSL 0.9.8a [ OK ]
- PHP 5.1.6 [ Unknown ]
- Procmail MTA 3.22 [ OK ]
- ProFTPd 1.3.0 [ Unknown ]
- OpenSSH 4.3p2 [ Unknown ]
Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or contact us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ OK (Only SSH2 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... Unknown HZ value! (94) Assume 100.
Internal error!
[ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
[Press <ENTER> to continue]
---------------------------- Scan results ----------------------------
MD5 scan
Scanned files: 51
Incorrect MD5 checksums: 23
File scan
Scanned files: 342
Possible infected files: 2
Possible rootkits: SHV4 SHV5
Application scan
Vulnerable applications: 0
Scanning took 418 seconds
-----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas
or suggestions? Please e-mail us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.
-----------------------------------------------------------------------

17th August 2007, 10:15
Super Moderator
This does not look good. You should rerun rkhunter with --createlogfile as suggested in the output and check in the logfile exactly which rootkit files have been found.
Which Linux distribution do you use?

17th August 2007, 16:51
Senior Member
I will re-run it and create a log file this time. I woke up to 609 of those same e-mails.
I wonder why it says r00t instead of root?
Also, I'm using FC5.
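Since FC5 is RPM-based, the [ BAD ] hashes in the rkhunter output above can be cross-checked against the package database; this is an added example, not code from the thread or from rkhunter, and it assumes rpm is available on the host and that the rkhunter screen output was saved to a file in the format pasted above.

```sh
# Added example, not from the thread or from rkhunter. rkhunter 1.2.x compared
# binaries with a hash list shipped with rkhunter, which lags package updates
# (hence its notice about "updated packages"); 'rpm -V' compares each file
# with the digest recorded when the package was installed. A '5' in the rpm -V
# flags column for /bin/ps or /sbin/ifconfig is far harder to explain away.

# Extract the paths marked [ BAD ] from saved rkhunter screen output
# (file arguments, or stdin when called with none).
bad_paths_from_rkhunter() {
    sed -n 's#^\(/[^ ]*\) *\[ BAD \].*#\1#p' "$@"
}

# Classify one 'rpm -V' line. The flags column is S M 5 D L U G T (P);
# '5' is the digest check, 'missing' means the file is gone.
classify_rpm_verify_line() {
    flags=${1%% *}
    case $flags in
        missing)       echo missing ;;
        *5*)           echo modified ;;
        *[SMDLUGTP]*)  echo attrs-only ;;
        *)             echo unchanged ;;
    esac
}

# Read paths on stdin; for each, name the owning package and classify the
# rpm -V result for that file (rpm -Vf verifies the whole package, so the
# output is filtered to the path in question). Needs rpm on the host.
cross_check_with_rpm() {
    while read -r f; do
        if ! pkg=$(rpm -qf "$f" 2>/dev/null); then
            echo "$f: not owned by any package"
            continue
        fi
        line=$(rpm -Vf "$f" 2>/dev/null | grep -- " $f\$")
        if [ -n "$line" ]; then state=$(classify_rpm_verify_line "$line"); else state=unchanged; fi
        echo "$f ($pkg): $state"
    done
}

# Constructed sample in the format of the rkhunter output quoted above.
sample_rkhunter_output() {
    printf '%s\n' '/bin/cat [ BAD ]' '/bin/dmesg [ OK ]' '/bin/ps [ BAD ]' '/sbin/ifconfig [ BAD ]'
}

# On the suspect host, with the saved output in rkhunter.out:
#   bad_paths_from_rkhunter rkhunter.out | cross_check_with_rpm
sample_rkhunter_output | bad_paths_from_rkhunter
```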

17th August 2007, 21:39
Senior Member
After looking through the log, it looks like I've been "owned."
Code:
[root@server libsh]# ls -al
total 104
drwxr-xr-x 6 root root 4096 Aug 16 22:00 .
drwxr-xr-x 112 root root 69632 Aug 16 22:00 ..
drwxr-xr-x 2 root root 4096 Aug 17 15:47 .backup
-rwxr-xr-x 1 122 114 1206 Apr 18 2003 .bashrc
drwxr-xr-x 2 root root 4096 Aug 16 22:00 .owned
drwxr-xr-x 2 root root 4096 Aug 17 15:47 .sniff
-rwxr-xr-x 1 122 114 2000 Aug 23 2006 hide
drwxr-xr-x 2 tristan tristan 4096 Aug 17 15:47 utilz

17th August 2007, 22:07
Super Moderator
If possible, you should reinstall the complete server or restore the complete server from a backup that was done before it got hacked. Otherwise you can never be 100% sure that your server is clean.