HowtoForge Forums > ISPConfig 2 > General

Possible hack attempt?

#1 | 17th August 2007, 06:43 | tristanlee85 (Senior Member)

I received 168 of these e-mails while I was at work today:

Subject: Cron <root@server> chown root:root /tmp/r00t && chmod 4755 /tmp/r00t && rm -rf /etc/cron.d/core && kill -USR1 13559

Body: chown: cannot access `/tmp/r00t': No such file or directory

Any ideas?
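The cron line in the subject tells the whole story of the mail storm: a job dropped into /etc/cron.d tries to hand a file in /tmp to root and make it setuid (mode 4755), delete its own cron file, and signal a waiting process by pid. Because the steps are chained with `&&`, the `chown` on a missing /tmp/r00t fails first, the chain stops before `rm -rf /etc/cron.d/core` ever runs, and cron re-fires the job on every tick and mails the error to root each time. The script below is an added example, not code from the thread: it parses /etc/cron.d-style entries and flags that pattern. The sample file is constructed here (only its first job line reproduces the quoted command), and the indicator names and severity rules are this example's own.

```python
"""Audit /etc/cron.d-style entries for the setuid-in-/tmp pattern quoted above.

Added example, not code from the thread.  The sample file below is constructed;
only its first job line reproduces the command from the cron mail.  Indicator
names and severity rules are this example's own.
"""
import re

SUSPICIOUS = {
    # chmod 4755 / chmod u+s: a setuid bit is being set
    "setuid_chmod": re.compile(r"\bchmod\s+[ugoa]*[46]\d{3}\b|\bchmod\s+[ugoa]*\+s\b"),
    # ownership handed to root, the other half of building a setuid-root binary
    "chown_to_root": re.compile(r"\bchown\s+(?:root|0)(?::\S*)?\b"),
    # anything executed from or written to a world-writable scratch directory
    "tmp_path": re.compile(r"(?:^|\s|=)/(?:tmp|var/tmp|dev/shm)/\S+"),
    # the job deletes cron files (typically its own dropper)
    "self_delete": re.compile(r"\brm\s+(?:-\w+\s+)*/etc/cron"),
    # a signal to a hard-coded pid, e.g. to wake a waiting process
    "signal_pid": re.compile(r"\bkill\s+-\w+\s+\d+\b"),
}

SAMPLE_CRON_D = """\
# /etc/cron.d/core (constructed; the job line is the one from the mail subject)
MAILTO=root
* * * * * root chown root:root /tmp/r00t && chmod 4755 /tmp/r00t && rm -rf /etc/cron.d/core && kill -USR1 13559
# /etc/cron.d/sysstat (constructed, benign)
*/10 * * * * root /usr/lib/sa/sa1 1 1
# /etc/cron.d/backup (constructed, benign but writes into /tmp)
30 2 * * * backup /usr/local/bin/backup.sh > /tmp/backup.log 2>&1
"""


def split_cron_d_line(line):
    """Return (schedule, user, command) for a system cron line, else None.

    Comments, blank lines and VAR=value environment lines are skipped."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    fields = line.split(None, 6)
    if len(fields) < 7:
        return None
    return " ".join(fields[:5]), fields[5], fields[6]


def cleanup_runs_last(command):
    """True when the job removes its cron file only after earlier '&&' steps.

    If an earlier step fails (here: chown on a missing /tmp/r00t), the chain
    stops before the rm, the dropper file survives, and cron re-runs the job
    on every tick, mailing stderr to the MAILTO address each time."""
    steps = [s.strip() for s in command.split("&&")]
    for index, step in enumerate(steps):
        if SUSPICIOUS["self_delete"].search(step):
            return index > 0
    return False


def audit_line(line):
    """Audit one cron line; returns None for non-job lines."""
    parsed = split_cron_d_line(line)
    if parsed is None:
        return None
    schedule, user, command = parsed
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(command)]
    if user == "root" and {"setuid_chmod", "tmp_path"} <= set(hits):
        severity = "high"      # root job creating a setuid file in scratch space
    elif hits:
        severity = "medium"
    else:
        severity = "low"
    return {"schedule": schedule, "user": user, "command": command,
            "indicators": hits, "severity": severity,
            "repeats_until_removed": cleanup_runs_last(command)}


def audit_text(text):
    """Audit every job line in a cron.d file's contents."""
    return [r for r in map(audit_line, text.splitlines()) if r]


if __name__ == "__main__":
    for result in audit_text(SAMPLE_CRON_D):
        print(result["severity"].upper(), result["user"], result["indicators"],
              "repeats" if result["repeats_until_removed"] else "", "::", result["command"])
```

In practice this is run over /etc/cron.d/*, /etc/crontab and /var/spool/cron/* together, and on a host where core utilities may already be replaced it should read those files from a rescue boot rather than through the suspect system's own shell.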
#2 | 17th August 2007, 08:49 | Ben (Moderator)

I would say this does not look that good.
You could take a look at your cronjobs and check your system with rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html).

Do you have any possibly insecure web application, like a forum (vb, wbb, phpBB) or a "CMS" like Mambo etc., through which an attempt like this could be executed on your machine?
#3 | 17th August 2007, 09:05 | tristanlee85 (Senior Member)

I have phpBB. I just got those e-mails for the first time today. I checked for the users logged in at the time of getting the e-mails and I was the only one logged in.
#4 | 17th August 2007, 09:19 | tristanlee85 (Senior Member)
Code:
Rootkit Hunter 1.2.9 is running

Determining OS... Ready


Checking binaries
* Selftests
     Strings (command)                                        [ OK ]


* System tools
Info: prelinked files found
  Performing 'known good' check...
   /bin/cat                                                   [ BAD ]
   /bin/chmod                                                 [ BAD ]
   /bin/chown                                                 [ BAD ]
   /bin/date                                                  [ BAD ]
   /bin/dmesg                                                 [ OK ]
   /bin/env                                                   [ BAD ]
   /bin/grep                                                  [ OK ]
   /bin/kill                                                  [ OK ]
   /bin/login                                                 [ OK ]
   /bin/ls                                                    [ BAD ]
   /bin/more                                                  [ OK ]
   /bin/mount                                                 [ OK ]
   /bin/netstat                                               [ BAD ]
   /bin/ps                                                    [ BAD ]
   /bin/su                                                    [ BAD ]
   /sbin/chkconfig                                            [ OK ]
   /sbin/depmod                                               [ OK ]
   /sbin/ifconfig                                             [ BAD ]
   /sbin/init                                                 [ OK ]
   /sbin/insmod                                               [ OK ]
   /sbin/ip                                                   [ OK ]
   /sbin/lsmod                                                [ OK ]
   /sbin/modinfo                                              [ OK ]
   /sbin/modprobe                                             [ OK ]
   /sbin/rmmod                                                [ OK ]
   /sbin/runlevel                                             [ OK ]
   /sbin/sulogin                                              [ OK ]
   /sbin/sysctl                                               [ OK ]
   /sbin/syslogd                                              [ OK ]
   /usr/bin/chattr                                            [ OK ]
   /usr/bin/du                                                [ BAD ]
   /usr/bin/file                                              [ OK ]
   /usr/bin/find                                              [ BAD ]
   /usr/bin/head                                              [ BAD ]
   /usr/bin/killall                                           [ OK ]
   /usr/bin/lsattr                                            [ OK ]
   /usr/bin/md5sum                                            [ BAD ]
   /usr/bin/passwd                                            [ OK ]
   /usr/bin/pstree                                            [ BAD ]
   /usr/bin/sha1sum                                           [ BAD ]
   /usr/bin/stat                                              [ BAD ]
   /usr/bin/top                                               [ BAD ]
   /usr/bin/users                                             [ BAD ]
   /usr/bin/vmstat                                            [ OK ]
   /usr/bin/w                                                 [ OK ]
   /usr/bin/watch                                             [ OK ]
   /usr/bin/wc                                                [ BAD ]
   /usr/bin/wget                                              [ BAD ]
   /usr/bin/whereis                                           [ OK ]
   /usr/bin/who                                               [ BAD ]
   /usr/bin/whoami                                            [ BAD ]
--------------------------------------------------------------------------------
Rootkit Hunter has found some bad or unknown hashes. This can happen due to replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
up-to-date (rkhunter --update). If you're in doubt about these hashes, contact
us through the Rootkit Hunter mailinglist at rkhunter-users@lists.sourceforge.net.
--------------------------------------------------------------------------------

[Press <ENTER> to continue]

Check rootkits
* Default files and directories
   Rootkit '55808 Trojan - Variant A'...                      [ OK ]
   ADM Worm...                                                [ OK ]
   Rootkit 'AjaKit'...                                        [ OK ]
   Rootkit 'aPa Kit'...                                       [ OK ]
   Rootkit 'Apache Worm'...                                   [ OK ]
   Rootkit 'Ambient (ark) Rootkit'...                         [ OK ]
   Rootkit 'Balaur Rootkit'...                                [ OK ]
   Rootkit 'BeastKit'...                                      [ OK ]
   Rootkit 'beX2'...                                          [ OK ]
   Rootkit 'BOBKit'...                                        [ OK ]
   Rootkit 'CiNIK Worm (Slapper.B variant)'...                [ OK ]
   Rootkit 'Danny-Boy's Abuse Kit'...                         [ OK ]
   Rootkit 'Devil RootKit'...                                 [ OK ]
   Rootkit 'Dica'...                                          [ OK ]
   Rootkit 'Dreams Rootkit'...                                [ OK ]
   Rootkit 'Duarawkz'...                                      [ OK ]
   Rootkit 'Flea Linux Rootkit'...                            [ OK ]
   Rootkit 'FreeBSD Rootkit'...                               [ OK ]
   Rootkit 'Fuck`it Rootkit'...                               [ OK ]
   Rootkit 'GasKit'...                                        [ OK ]
   Rootkit 'Heroin LKM'...                                    [ OK ]
   Rootkit 'HjC Kit'...                                       [ OK ]
   Rootkit 'ignoKit'...                                       [ OK ]
   Rootkit 'ImperalsS-FBRK'...                                [ OK ]
   Rootkit 'Irix Rootkit'...                                  [ OK ]
   Rootkit 'Kitko'...                                         [ OK ]
   Rootkit 'Knark'...                                         [ OK ]
   Rootkit 'Li0n Worm'...                                     [ OK ]
   Rootkit 'Lockit / LJK2'...                                 [ OK ]
   Rootkit 'MRK'...                                           [ OK ]
   Rootkit 'Ni0 Rootkit'...                                   [ OK ]
   Rootkit 'RootKit for SunOS / NSDAP'...                     [ OK ]
   Rootkit 'Optic Kit (Tux)'...                               [ OK ]
   Rootkit 'Oz Rootkit'...                                    [ OK ]
   Rootkit 'Portacelo'...                                     [ OK ]
   Rootkit 'R3dstorm Toolkit'...                              [ OK ]
   Rootkit 'RH-Sharpe's rootkit'...                           [ OK ]
   Rootkit 'RSHA's rootkit'...                                [ OK ]
   Sebek LKM...                                               [ OK ]
   Rootkit 'Scalper Worm'...                                  [ OK ]
   Rootkit 'Shutdown'...                                      [ OK ]
   Rootkit 'SHV4'...                                          [ Warning! ]

             --------------------------------------------------------------------------------
             Found parts of this rootkit/trojan by checking the default files and directories
             Please inspect the available files, by running this check with the parameter
             --createlogfile and check the log file (current file: /dev/null).
             --------------------------------------------------------------------------------


[Press <ENTER> to continue]

   Rootkit 'SHV5'...                                          [ Warning! ]

             --------------------------------------------------------------------------------
             Found parts of this rootkit/trojan by checking the default files and directories
             Please inspect the available files, by running this check with the parameter
             --createlogfile and check the log file (current file: /dev/null).
             --------------------------------------------------------------------------------


[Press <ENTER> to continue]
#5 | 17th August 2007, 09:20 | tristanlee85 (Senior Member)
Code:
   Rootkit 'Sin Rootkit'...                                   [ OK ]
   Rootkit 'Slapper'...                                       [ OK ]
   Rootkit 'Sneakin Rootkit'...                               [ OK ]
   Rootkit 'Suckit Rootkit'...                                [ OK ]
   Rootkit 'SunOS Rootkit'...                                 [ OK ]
   Rootkit 'Superkit'...                                      [ OK ]
   Rootkit 'TBD (Telnet BackDoor)'...                         [ OK ]
   Rootkit 'TeLeKiT'...                                       [ OK ]
   Rootkit 'T0rn Rootkit'...                                  [ OK ]
   Rootkit 'Trojanit Kit'...                                  [ OK ]
   Rootkit 'Tuxtendo'...                                      [ OK ]
   Rootkit 'URK'...                                           [ OK ]
   Rootkit 'VcKit'...                                         [ OK ]
   Rootkit 'Volc Rootkit'...                                  [ OK ]
   Rootkit 'X-Org SunOS Rootkit'...                           [ OK ]
   Rootkit 'zaRwT.KiT Rootkit'...                             [ OK ]

* Suspicious files and malware
   Scanning for known rootkit strings                         [ OK ]
   Scanning for known rootkit files                           [ OK ]
   Testing running processes...                               [ OK ]
   Miscellaneous Login backdoors                              [ OK ]
   Miscellaneous directories                                  [ OK ]
   Software related files                                     [ OK ]
   Sniffer logs                                               [ OK ]

[Press <ENTER> to continue]


* Trojan specific characteristics
   shv4
     Checking /etc/rc.d/rc.sysinit
       Test 1                                                 [ Clean ]
       Test 2                                                 [ Clean ]
       Test 3                                                 [ Clean ]
     Checking /etc/inetd.conf                                 [ Not found ]
     Checking /etc/xinetd.conf                                [ Clean ]

* Suspicious file properties
   chmod properties
     Checking /bin/ps                                         [ Clean ]
     Checking /bin/ls                                         [ Clean ]
     Checking /usr/bin/w                                      [ Clean ]
     Checking /usr/bin/who                                    [ Clean ]
     Checking /bin/netstat                                    [ Clean ]
     Checking /bin/login                                      [ Clean ]
   Script replacements
     Checking /bin/ps                                         [ Clean ]
     Checking /bin/ls                                         [ Clean ]
     Checking /usr/bin/w                                      [ Clean ]
     Checking /usr/bin/who                                    [ Clean ]
     Checking /bin/netstat                                    [ Clean ]
     Checking /bin/login                                      [ Clean ]

* OS dependant tests

   Linux
     Checking loaded kernel modules...                        [ OK ]
     Checking file attributes                                 [ OK ]
     Checking LKM module path                                 [ OK ]


Networking
* Check: frequently used backdoors
  Port 2001: Scalper Rootkit                                  [ OK ]
  Port 2006: CB Rootkit                                       [ OK ]
  Port 2128: MRK                                              [ OK ]
  Port 14856: Optic Kit (Tux)                                 [ OK ]
  Port 47107: T0rn Rootkit                                    [ OK ]
  Port 60922: zaRwT.KiT                                       [ OK ]

* Interfaces
     Scanning for promiscuous interfaces...                   [ OK ]

[Press <ENTER> to continue]

System checks
* Allround tests
   Checking hostname... Found. Hostname is server.vasceria.com
   Checking for passwordless user accounts... OK
   Checking for differences in user accounts... Found differences
   Info:
----------------------
> dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
> mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
> admin_fedex:x:10006:10005:Tristan Lee:/home/www/web5:/bin/bash
> tristanlee85:x:10011:10008:Tristan Lee:/home/www/web8:/bin/bash
< admin_fedex:x:10006:10005:Tristan Lee:/home/www/web5:/bin/bash
< forums:x:10025:10025:Tristan:/home/www/web25:/bin/bash
< fdxsql:x:12015:12015::/home/fdxsql:/bin/bash
< tristanlee85:x:10011:10008:Tristan Lee:/home/www/web8:/bin/bash
< mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
< tebriel:x:10049:10003:Chris:/home/www/web3/user/tebriel:/bin/bash
< dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
> forums:x:10025:10025:Tristan:/home/www/web25:/bin/bash
----------------------
   Info: Some items have been added (items marked with '<')
   Info: Some items have been removed (items marked with '>')
   Checking for differences in user groups... Found differences
   Info:
----------------------
< users:x:100:sales,orders,phpbb,tebriel
> users:x:100:sales,orders,phpbb
> dovecot:x:97:
> mysql:x:27:
< fdxsql:x:12015:
< mysql:x:27:
< dovecot:x:97:
----------------------
   Info: Some items have been added (items marked with '<')
   Info: Some items have been removed (items marked with '>')
   Checking boot.local/rc.local file...
     - /etc/rc.local                                          [ OK ]
     - /etc/rc.d/rc.local                                     [ OK ]
     - /usr/local/etc/rc.local                                [ Not found ]
     - /usr/local/etc/rc.d/rc.local                           [ Not found ]
     - /etc/conf.d/local.start                                [ Not found ]
     - /etc/init.d/boot.local                                 [ Not found ]
   Checking rc.d files...
     Processing ...
   Result rc.d files check                                    [ OK ]
   Checking history files
     Bourne Shell                                             [ OK ]

* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning! ]
---------------
/etc/.pwd.lock /dev/.udev
---------------
Please inspect:  /dev/.udev (directory)

[Press <ENTER> to continue]


Application advisories
* Application scan
   Checking Apache2 modules ...                               [ Not found ]
   Checking Apache configuration ...                          [ OK ]

* Application version scan
   - GnuPG 1.4.2.2                                            [ OK ]
   - Apache 2.2.2                                             [ Unknown ]
   - Bind DNS 9.3.2                                           [ OK ]
   - OpenSSL 0.9.8a                                           [ OK ]
   - PHP 5.1.6                                                [ Unknown ]
   - Procmail MTA 3.22                                        [ OK ]
   - ProFTPd 1.3.0                                            [ Unknown ]
   - OpenSSH 4.3p2                                            [ Unknown ]

Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or contact us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.


Security advisories
* Check: Groups and Accounts
   Searching for /etc/passwd...                               [ Found ]
   Checking users with UID '0' (root)...                      [ OK ]

* Check: SSH
   Searching for sshd_config...
   Found /etc/ssh/sshd_config
   Checking for allowed root login... Watch out Root login possible. Possible risk!
    info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
    Hint: See logfile for more information about this issue
   Checking for allowed protocols...                          [ OK (Only SSH2 allowed) ]

* Check: Events and Logging
   Search for syslog configuration...                         [ OK ]
   Checking for running syslog slave... Unknown HZ value! (94) Assume 100.
Internal error!
                      [ OK ]
   Checking for logging to remote system...                   [ OK (no remote logging) ]

[Press <ENTER> to continue]

---------------------------- Scan results ----------------------------

MD5 scan
Scanned files: 51
Incorrect MD5 checksums: 23

File scan
Scanned files: 342
Possible infected files: 2
Possible rootkits: SHV4 SHV5

Application scan
Vulnerable applications: 0

Scanning took 418 seconds

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas
or suggestions? Please e-mail us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.

-----------------------------------------------------------------------
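The 23 BAD hashes in the rkhunter run above are not by themselves proof of replaced binaries: the tool's own note says a stale hash database or updated packages give the same result, and Fedora prelinks binaries (the run itself reports "prelinked files found"), which changes their on-disk hash. The /dev/.udev hidden directory it complains about is likewise normal on a udev system. The usual next step on an RPM-based host is `rpm -Va`, which checks files against the digests recorded at package install and handles prelinked files, but once a rootkit is suspected no tool on the box can be trusted (md5sum and sha1sum are both on the BAD list here), so the real comparison is against a baseline taken and stored off the host. The script below is an added example, not from the thread or from rkhunter: it records such a baseline (sha256, permission bits, owner) and reports categorized differences, separating a replaced file from one that merely gained the setuid bit. The manifest layout and the demo tree in a temp directory are assumptions of this example.

```python
"""Record a file-integrity baseline and report what changed.

Added example, not from the thread or from rkhunter.  The manifest layout
(path -> sha256, permission bits, uid, gid) and the demo tree are assumptions
made for this example; on a real host the baseline is taken from clean media
and stored off the box.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record(paths):
    """Build the baseline: {path: (sha256, mode bits, uid, gid)}."""
    manifest = {}
    for p in paths:
        st = os.lstat(p)
        manifest[p] = (sha256_of(p), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return manifest


def verify(manifest, extra_paths=()):
    """Return {path: [finding, ...]} for every file that differs from the baseline.

    Content, permission bits and ownership are reported separately so that a
    replaced binary can be told apart from one that merely became setuid."""
    findings = {}
    for p, (digest, mode, uid, gid) in manifest.items():
        notes = []
        if not os.path.lexists(p):
            notes.append("missing")
        else:
            st = os.lstat(p)
            if sha256_of(p) != digest:
                notes.append("content changed")
            live_mode = stat.S_IMODE(st.st_mode)
            if live_mode != mode:
                notes.append("mode %o -> %o" % (mode, live_mode))
                if live_mode & stat.S_ISUID and not mode & stat.S_ISUID:
                    notes.append("became setuid")
            if (st.st_uid, st.st_gid) != (uid, gid):
                notes.append("owner %d:%d -> %d:%d" % (uid, gid, st.st_uid, st.st_gid))
        if notes:
            findings[p] = notes
    # files that appeared where the baseline had none (a dropped tool, say)
    for p in extra_paths:
        if p not in manifest and os.path.lexists(p):
            findings[p] = ["not in manifest"]
    return findings


def demo():
    """Constructed scenario in a temp dir: baseline three stand-in 'binaries',
    then replace one, make another setuid and drop a new file, as a rootkit
    install would.  Returns findings keyed by file name."""
    root = tempfile.mkdtemp()
    try:
        bins = {}
        for name in ("ls", "ps", "netstat"):
            p = os.path.join(root, name)
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
            os.chmod(p, 0o755)
            bins[name] = p
        baseline = record(bins.values())
        with open(bins["ps"], "wb") as f:          # trojaned replacement
            f.write(b"#!/bin/sh\n/bin/ps.orig | grep -v backdoor\n")
        os.chmod(bins["ls"], 0o4755)                # setuid bit added
        dropped = os.path.join(root, "hide")
        with open(dropped, "wb") as f:
            f.write(b"#!/bin/sh\n")
        findings = verify(baseline, extra_paths=[dropped])
        return {os.path.basename(p): notes for p, notes in findings.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, notes in sorted(demo().items()):
        print("%-8s %s" % (name, "; ".join(notes)))
```

The point of keeping mode and owner beside the hash is that the cron job in the first post changes neither the content nor the name of an existing binary; it only needs one file in /tmp to become root-owned and setuid, which a hash-only check would never see.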
#6 | 17th August 2007, 10:15 | till (Super Moderator, Lüneburg, Germany)

This does not look good. You should re-run rkhunter with the --createlogfile parameter, as suggested in the output, and check in the logfile exactly which rootkit files were found.

Which linux distribution do you use?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#7 | 17th August 2007, 16:51 | tristanlee85 (Senior Member)

I will re-run it and create a log file this time. I woke up to 609 of those same e-mails.

I wonder why it says r00t instead of root?

Also, I'm using FC5.
#8 | 17th August 2007, 21:23 | tristanlee85 (Senior Member)

Also, I found these 2 TXT files in my /tmp/ directory. They look to me like worms of some sort.

http://www.plastikracing.net/m3r.txt
http://www.plastikracing.net/ojo.txt
#9 | 17th August 2007, 21:39 | tristanlee85 (Senior Member)

After looking through the log, it looks like I've been "owned."

Code:
[root@server libsh]# ls -al
total 104
drwxr-xr-x   6 root     root         4096 Aug 16 22:00 .
drwxr-xr-x 112 root     root        69632 Aug 16 22:00 ..
drwxr-xr-x   2 root     root         4096 Aug 17 15:47 .backup
-rwxr-xr-x   1 122      114          1206 Apr 18  2003 .bashrc
drwxr-xr-x   2 root     root         4096 Aug 16 22:00 .owned
drwxr-xr-x   2 root     root         4096 Aug 17 15:47 .sniff
-rwxr-xr-x   1 122      114          2000 Aug 23  2006 hide
drwxr-xr-x   2 tristan  tristan      4096 Aug 17 15:47 utilz
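The listing above shows a directory named libsh holding hidden subdirectories (.backup, .owned, .sniff), a hide binary, and two files owned by numeric uid 122 and gid 114. ls prints numbers there only when the id has no passwd or group entry, and tar keeps an archive's ids and mtimes when extracted as root, so files dated 2003 and 2006 inside a directory created on Aug 16 are consistent with an unpacked tarball. The script below is an added example, not part of the thread: it parses the posted listing and applies exactly those checks. The listing year (2007, from the post date) and the heuristics are assumptions of this example.

```python
"""Triage an 'ls -al' listing for the marks of an unpacked rootkit directory.

Added example, not from the thread.  LISTING is the directory listing posted
above; the listing year (2007, taken from the post date) and the heuristics
applied are assumptions of this example.
"""
import re
from datetime import datetime

LISTING = """\
total 104
drwxr-xr-x   6 root     root         4096 Aug 16 22:00 .
drwxr-xr-x 112 root     root        69632 Aug 16 22:00 ..
drwxr-xr-x   2 root     root         4096 Aug 17 15:47 .backup
-rwxr-xr-x   1 122      114          1206 Apr 18  2003 .bashrc
drwxr-xr-x   2 root     root         4096 Aug 16 22:00 .owned
drwxr-xr-x   2 root     root         4096 Aug 17 15:47 .sniff
-rwxr-xr-x   1 122      114          2000 Aug 23  2006 hide
drwxr-xr-x   2 tristan  tristan      4096 Aug 17 15:47 utilz
"""

LINE_RX = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(?P<name>.+)$")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_date(text, listing_year):
    """ls shows 'Mon DD HH:MM' for recent files and 'Mon DD  YYYY' for old ones."""
    mon, day, last = text.split()
    if ":" in last:
        hour, minute = last.split(":")
        return datetime(listing_year, MONTHS[mon], int(day), int(hour), int(minute))
    return datetime(int(last), MONTHS[mon], int(day))


def parse_listing(text, listing_year):
    entries = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if m:                     # skips the 'total N' header and anything odd
            entry = m.groupdict()
            entry["mtime"] = parse_date(entry["date"], listing_year)
            entries.append(entry)
    return entries


def triage(text, listing_year=2007):
    """Return {name: [flag, ...]} for every entry that shows a warning sign."""
    entries = parse_listing(text, listing_year)
    dir_mtime = next(e["mtime"] for e in entries if e["name"] == ".")
    report = {}
    for e in entries:
        if e["name"] in (".", ".."):
            continue
        flags = []
        if e["name"].startswith("."):
            flags.append("hidden name")
        # ls falls back to numbers only when the id has no passwd/group entry
        if e["owner"].isdigit():
            flags.append("owner %s has no passwd entry" % e["owner"])
        if e["group"].isdigit():
            flags.append("group %s has no group entry" % e["group"])
        if e["owner"] != "root":
            flags.append("non-root owner (%s)" % e["owner"])
        # tar preserves mtimes: files older than the directory holding them
        # are consistent with an archive unpacked into a freshly made directory
        if e["mtime"] < dir_mtime:
            flags.append("mtime predates containing directory (unpacked archive?)")
        if flags:
            report[e["name"]] = flags
    return report


if __name__ == "__main__":
    for name, flags in sorted(triage(LISTING).items()):
        print("%-10s %s" % (name, "; ".join(flags)))
```

Because ls, find and stat are all on the BAD list in the rkhunter run, a listing like this is only trustworthy when taken from a rescue boot or a statically linked copy of the tools; a trojaned ls is precisely what a file named hide is there to support.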
#10 | 17th August 2007, 22:07 | till (Super Moderator)

If possible, you should reinstall the complete server or restore the complete server from a backup that was done before it got hacked. Otherwise you can never be 100% sure that your server is clean.
All times are GMT +2.