Possible hack attempt?

Discussion in 'General' started by tristanlee85, Aug 17, 2007.

  1. tristanlee85

    tristanlee85 New Member

    I received 168 of these e-mails while I was at work today:

    Subject: Cron <root@server> chown root:root /tmp/r00t && chmod 4755 /tmp/r00t && rm -rf /etc/cron.d/core && kill -USR1 13559

    Body: chown: cannot access `/tmp/r00t': No such file or directory

    Any ideas?
     
  2. Ben

    Ben New Member Moderator HowtoForge Supporter ISPConfig Developer

    I would say this does not look that good.
    You could take a look at your cronjobs and check your system with rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html).

    Do you have any possibly insecure web application, like a forum (vb, wbb, phpbb) or a "CMS" like Mambo, through which an attempt like this could be executed on your machine?
     
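The mail subject quoted in the first post is the cron job's command line: stage a file at /tmp/r00t, make it setuid root (chmod 4755), delete the job's own file in /etc/cron.d, then signal a fixed PID. The steps are chained with `&&`, so when `chown` failed on the missing /tmp/r00t the `rm -rf` and `kill` never ran, which is why the entry stayed in place and kept mailing; the volume (168 during a workday, 609 more by the next morning) is consistent with a once-a-minute schedule. The following is an added example, not code from the thread: POSIX shell functions that grep the usual cron sources for that pattern and list setuid files in temp directories. The sample entry, its `* * * * *` schedule and all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Scans cron sources for the pattern in
# the mails above: a file staged under /tmp, the setuid bit put on it, a
# cron.d entry that deletes itself, a signal sent to a fixed PID. The sample
# entry, its "* * * * *" schedule and the paths are constructed for the demo.

# Indicators to grep for (extended regex). "/tmp/" alone also hits benign
# cleanup jobs, so every match still needs a human look.
CRON_INDICATORS='chmod[[:space:]]+(4[0-7]{3}|u[+]s)|/tmp/|/dev/shm/|rm[[:space:]]+-rf[[:space:]]+/etc/cron|kill[[:space:]]+-USR1'

# scan_cron_dir DIR: print "file:line:text" for every non-comment line in
# any file under DIR that matches an indicator. Always exits 0.
scan_cron_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -type f -exec grep -nHE "$CRON_INDICATORS" {} + 2>/dev/null \
        | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# scan_all_cron: the places cron reads on a Fedora/RHEL style box. The mail
# came from root's context, so /etc/cron.d and /var/spool/cron matter most.
scan_all_cron() {
    for d in /etc/cron.d /etc/cron.hourly /etc/cron.daily /var/spool/cron; do
        scan_cron_dir "$d"
    done
    if [ -f /etc/crontab ]; then
        grep -nHE "$CRON_INDICATORS" /etc/crontab || true
    fi
    return 0
}

# list_tmp_setuid: setuid/setgid files in world-writable temp dirs. A clean
# box prints nothing; a /tmp/r00t with mode 4755 would show up here.
list_tmp_setuid() {
    for d in /tmp /var/tmp /dev/shm; do
        if [ -d "$d" ]; then
            find "$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null || true
        fi
    done
    return 0
}

# --- constructed demonstration data (stands in for /etc/cron.d) ----------
demo=$(mktemp -d)
cat > "$demo/core" <<'EOF'
# shape of the job behind the mails; schedule assumed, command from the subject
* * * * * root chown root:root /tmp/r00t && chmod 4755 /tmp/r00t && rm -rf /etc/cron.d/core && kill -USR1 13559
EOF
cat > "$demo/logrotate" <<'EOF'
0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf
EOF
scan_cron_dir "$demo"     # prints only the core:2 line, not the logrotate job
rm -rf "$demo"
```

On the real host, `scan_all_cron` followed by `list_tmp_setuid` gives the first pass; a hit in /etc/cron.d whose file keeps reappearing after deletion points at a process that rewrites it, which is what the `kill -USR1` PID in the subject would be worth tracing.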
  3. tristanlee85

    tristanlee85 New Member

    I have phpBB. I just got those e-mails for the first time today. I checked for the users logged in at the time of getting the e-mails and I was the only one logged in.
     
  4. tristanlee85

    tristanlee85 New Member

    Code:
    Rootkit Hunter 1.2.9 is running
    
    Determining OS... Ready
    
    
    Checking binaries
    * Selftests
         Strings (command)                                        [ OK ]
    
    
    * System tools
    Info: prelinked files found
      Performing 'known good' check...
       /bin/cat                                                   [ BAD ]
       /bin/chmod                                                 [ BAD ]
       /bin/chown                                                 [ BAD ]
       /bin/date                                                  [ BAD ]
       /bin/dmesg                                                 [ OK ]
       /bin/env                                                   [ BAD ]
       /bin/grep                                                  [ OK ]
       /bin/kill                                                  [ OK ]
       /bin/login                                                 [ OK ]
       /bin/ls                                                    [ BAD ]
       /bin/more                                                  [ OK ]
       /bin/mount                                                 [ OK ]
       /bin/netstat                                               [ BAD ]
       /bin/ps                                                    [ BAD ]
       /bin/su                                                    [ BAD ]
       /sbin/chkconfig                                            [ OK ]
       /sbin/depmod                                               [ OK ]
       /sbin/ifconfig                                             [ BAD ]
       /sbin/init                                                 [ OK ]
       /sbin/insmod                                               [ OK ]
       /sbin/ip                                                   [ OK ]
       /sbin/lsmod                                                [ OK ]
       /sbin/modinfo                                              [ OK ]
       /sbin/modprobe                                             [ OK ]
       /sbin/rmmod                                                [ OK ]
       /sbin/runlevel                                             [ OK ]
       /sbin/sulogin                                              [ OK ]
       /sbin/sysctl                                               [ OK ]
       /sbin/syslogd                                              [ OK ]
       /usr/bin/chattr                                            [ OK ]
       /usr/bin/du                                                [ BAD ]
       /usr/bin/file                                              [ OK ]
       /usr/bin/find                                              [ BAD ]
       /usr/bin/head                                              [ BAD ]
       /usr/bin/killall                                           [ OK ]
       /usr/bin/lsattr                                            [ OK ]
       /usr/bin/md5sum                                            [ BAD ]
       /usr/bin/passwd                                            [ OK ]
       /usr/bin/pstree                                            [ BAD ]
       /usr/bin/sha1sum                                           [ BAD ]
       /usr/bin/stat                                              [ BAD ]
       /usr/bin/top                                               [ BAD ]
       /usr/bin/users                                             [ BAD ]
       /usr/bin/vmstat                                            [ OK ]
       /usr/bin/w                                                 [ OK ]
       /usr/bin/watch                                             [ OK ]
       /usr/bin/wc                                                [ BAD ]
       /usr/bin/wget                                              [ BAD ]
       /usr/bin/whereis                                           [ OK ]
       /usr/bin/who                                               [ BAD ]
       /usr/bin/whoami                                            [ BAD ]
    --------------------------------------------------------------------------------
    Rootkit Hunter has found some bad or unknown hashes. This can happen due to replaced
    binaries or updated packages (which give other hashes). Be sure your hashes are
    up-to-date (rkhunter --update). If you're in doubt about these hashes, contact
    us through the Rootkit Hunter mailinglist at rkhunter-users@lists.sourceforge.net.
    --------------------------------------------------------------------------------
    
    [Press <ENTER> to continue]
    
    Check rootkits
    * Default files and directories
       Rootkit '55808 Trojan - Variant A'...                      [ OK ]
       ADM Worm...                                                [ OK ]
       Rootkit 'AjaKit'...                                        [ OK ]
       Rootkit 'aPa Kit'...                                       [ OK ]
       Rootkit 'Apache Worm'...                                   [ OK ]
       Rootkit 'Ambient (ark) Rootkit'...                         [ OK ]
       Rootkit 'Balaur Rootkit'...                                [ OK ]
       Rootkit 'BeastKit'...                                      [ OK ]
       Rootkit 'beX2'...                                          [ OK ]
       Rootkit 'BOBKit'...                                        [ OK ]
       Rootkit 'CiNIK Worm (Slapper.B variant)'...                [ OK ]
       Rootkit 'Danny-Boy's Abuse Kit'...                         [ OK ]
       Rootkit 'Devil RootKit'...                                 [ OK ]
       Rootkit 'Dica'...                                          [ OK ]
       Rootkit 'Dreams Rootkit'...                                [ OK ]
       Rootkit 'Duarawkz'...                                      [ OK ]
       Rootkit 'Flea Linux Rootkit'...                            [ OK ]
       Rootkit 'FreeBSD Rootkit'...                               [ OK ]
       Rootkit 'Fuck`it Rootkit'...                               [ OK ]
       Rootkit 'GasKit'...                                        [ OK ]
       Rootkit 'Heroin LKM'...                                    [ OK ]
       Rootkit 'HjC Kit'...                                       [ OK ]
       Rootkit 'ignoKit'...                                       [ OK ]
       Rootkit 'ImperalsS-FBRK'...                                [ OK ]
       Rootkit 'Irix Rootkit'...                                  [ OK ]
       Rootkit 'Kitko'...                                         [ OK ]
       Rootkit 'Knark'...                                         [ OK ]
       Rootkit 'Li0n Worm'...                                     [ OK ]
       Rootkit 'Lockit / LJK2'...                                 [ OK ]
       Rootkit 'MRK'...                                           [ OK ]
       Rootkit 'Ni0 Rootkit'...                                   [ OK ]
       Rootkit 'RootKit for SunOS / NSDAP'...                     [ OK ]
       Rootkit 'Optic Kit (Tux)'...                               [ OK ]
       Rootkit 'Oz Rootkit'...                                    [ OK ]
       Rootkit 'Portacelo'...                                     [ OK ]
       Rootkit 'R3dstorm Toolkit'...                              [ OK ]
       Rootkit 'RH-Sharpe's rootkit'...                           [ OK ]
       Rootkit 'RSHA's rootkit'...                                [ OK ]
       Sebek LKM...                                               [ OK ]
       Rootkit 'Scalper Worm'...                                  [ OK ]
       Rootkit 'Shutdown'...                                      [ OK ]
       Rootkit 'SHV4'...                                          [ Warning! ]
    
                 --------------------------------------------------------------------------------
                 Found parts of this rootkit/trojan by checking the default files and directories
                 Please inspect the available files, by running this check with the parameter
                 --createlogfile and check the log file (current file: /dev/null).
                 --------------------------------------------------------------------------------
    
    
    [Press <ENTER> to continue]
    
       Rootkit 'SHV5'...                                          [ Warning! ]
    
                 --------------------------------------------------------------------------------
                 Found parts of this rootkit/trojan by checking the default files and directories
                 Please inspect the available files, by running this check with the parameter
                 --createlogfile and check the log file (current file: /dev/null).
                 --------------------------------------------------------------------------------
    
    
    [Press <ENTER> to continue]
    
     
  5. tristanlee85

    tristanlee85 New Member

    Code:
       Rootkit 'Sin Rootkit'...                                   [ OK ]
       Rootkit 'Slapper'...                                       [ OK ]
       Rootkit 'Sneakin Rootkit'...                               [ OK ]
       Rootkit 'Suckit Rootkit'...                                [ OK ]
       Rootkit 'SunOS Rootkit'...                                 [ OK ]
       Rootkit 'Superkit'...                                      [ OK ]
       Rootkit 'TBD (Telnet BackDoor)'...                         [ OK ]
       Rootkit 'TeLeKiT'...                                       [ OK ]
       Rootkit 'T0rn Rootkit'...                                  [ OK ]
       Rootkit 'Trojanit Kit'...                                  [ OK ]
       Rootkit 'Tuxtendo'...                                      [ OK ]
       Rootkit 'URK'...                                           [ OK ]
       Rootkit 'VcKit'...                                         [ OK ]
       Rootkit 'Volc Rootkit'...                                  [ OK ]
       Rootkit 'X-Org SunOS Rootkit'...                           [ OK ]
       Rootkit 'zaRwT.KiT Rootkit'...                             [ OK ]
    
    * Suspicious files and malware
       Scanning for known rootkit strings                         [ OK ]
       Scanning for known rootkit files                           [ OK ]
       Testing running processes...                               [ OK ]
       Miscellaneous Login backdoors                              [ OK ]
       Miscellaneous directories                                  [ OK ]
       Software related files                                     [ OK ]
       Sniffer logs                                               [ OK ]
    
    [Press <ENTER> to continue]
    
    
    * Trojan specific characteristics
       shv4
         Checking /etc/rc.d/rc.sysinit
           Test 1                                                 [ Clean ]
           Test 2                                                 [ Clean ]
           Test 3                                                 [ Clean ]
         Checking /etc/inetd.conf                                 [ Not found ]
         Checking /etc/xinetd.conf                                [ Clean ]
    
    * Suspicious file properties
       chmod properties
         Checking /bin/ps                                         [ Clean ]
         Checking /bin/ls                                         [ Clean ]
         Checking /usr/bin/w                                      [ Clean ]
         Checking /usr/bin/who                                    [ Clean ]
         Checking /bin/netstat                                    [ Clean ]
         Checking /bin/login                                      [ Clean ]
       Script replacements
         Checking /bin/ps                                         [ Clean ]
         Checking /bin/ls                                         [ Clean ]
         Checking /usr/bin/w                                      [ Clean ]
         Checking /usr/bin/who                                    [ Clean ]
         Checking /bin/netstat                                    [ Clean ]
         Checking /bin/login                                      [ Clean ]
    
    * OS dependant tests
    
       Linux
         Checking loaded kernel modules...                        [ OK ]
         Checking file attributes                                 [ OK ]
         Checking LKM module path                                 [ OK ]
    
    
    Networking
    * Check: frequently used backdoors
      Port 2001: Scalper Rootkit                                  [ OK ]
      Port 2006: CB Rootkit                                       [ OK ]
      Port 2128: MRK                                              [ OK ]
      Port 14856: Optic Kit (Tux)                                 [ OK ]
      Port 47107: T0rn Rootkit                                    [ OK ]
      Port 60922: zaRwT.KiT                                       [ OK ]
    
    * Interfaces
         Scanning for promiscuous interfaces...                   [ OK ]
    
    [Press <ENTER> to continue]
    
    System checks
    * Allround tests
       Checking hostname... Found. Hostname is server.vasceria.com
       Checking for passwordless user accounts... OK
       Checking for differences in user accounts... Found differences
       Info:
    ----------------------
    > dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
    > mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
    > admin_fedex:x:10006:10005:Tristan Lee:/home/www/web5:/bin/bash
    > tristanlee85:x:10011:10008:Tristan Lee:/home/www/web8:/bin/bash
    < admin_fedex:x:10006:10005:Tristan Lee:/home/www/web5:/bin/bash
    < forums:x:10025:10025:Tristan:/home/www/web25:/bin/bash
    < fdxsql:x:12015:12015::/home/fdxsql:/bin/bash
    < tristanlee85:x:10011:10008:Tristan Lee:/home/www/web8:/bin/bash
    < mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
    < tebriel:x:10049:10003:Chris:/home/www/web3/user/tebriel:/bin/bash
    < dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
    > forums:x:10025:10025:Tristan:/home/www/web25:/bin/bash
    ----------------------
       Info: Some items have been added (items marked with '<')
       Info: Some items have been removed (items marked with '>')
       Checking for differences in user groups... Found differences
       Info:
    ----------------------
    < users:x:100:sales,orders,phpbb,tebriel
    > users:x:100:sales,orders,phpbb
    > dovecot:x:97:
    > mysql:x:27:
    < fdxsql:x:12015:
    < mysql:x:27:
    < dovecot:x:97:
    ----------------------
       Info: Some items have been added (items marked with '<')
       Info: Some items have been removed (items marked with '>')
       Checking boot.local/rc.local file...
         - /etc/rc.local                                          [ OK ]
         - /etc/rc.d/rc.local                                     [ OK ]
         - /usr/local/etc/rc.local                                [ Not found ]
         - /usr/local/etc/rc.d/rc.local                           [ Not found ]
         - /etc/conf.d/local.start                                [ Not found ]
         - /etc/init.d/boot.local                                 [ Not found ]
       Checking rc.d files...
         Processing...
       Result rc.d files check                                    [ OK ]
       Checking history files
         Bourne Shell                                             [ OK ]
    
    * Filesystem checks
       Checking /dev for suspicious files...                      [ OK ]
       Scanning for hidden files...                               [ Warning! ]
    ---------------
    /etc/.pwd.lock /dev/.udev
    ---------------
    Please inspect:  /dev/.udev (directory)
    
    [Press <ENTER> to continue]
    
    
    Application advisories
    * Application scan
       Checking Apache2 modules ...                               [ Not found ]
       Checking Apache configuration ...                          [ OK ]
    
    * Application version scan
       - GnuPG 1.4.2.2                                            [ OK ]
       - Apache 2.2.2                                             [ Unknown ]
       - Bind DNS 9.3.2                                           [ OK ]
       - OpenSSL 0.9.8a                                           [ OK ]
       - PHP 5.1.6                                                [ Unknown ]
       - Procmail MTA 3.22                                        [ OK ]
       - ProFTPd 1.3.0                                            [ Unknown ]
       - OpenSSH 4.3p2                                            [ Unknown ]
    
    Your system contains some unknown version numbers. Please run Rootkit Hunter
    with the --update parameter or contact us through the Rootkit Hunter mailinglist
    at rkhunter-users@lists.sourceforge.net.
    
    
    Security advisories
    * Check: Groups and Accounts
       Searching for /etc/passwd...                               [ Found ]
       Checking users with UID '0' (root)...                      [ OK ]
    
    * Check: SSH
       Searching for sshd_config...
       Found /etc/ssh/sshd_config
       Checking for allowed root login... Watch out Root login possible. Possible risk!
        info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
        Hint: See logfile for more information about this issue
       Checking for allowed protocols...                          [ OK (Only SSH2 allowed) ]
    
    * Check: Events and Logging
       Search for syslog configuration...                         [ OK ]
       Checking for running syslog slave... Unknown HZ value! (94) Assume 100.
    Internal error!
                          [ OK ]
       Checking for logging to remote system...                   [ OK (no remote logging) ]
    
    [Press <ENTER> to continue]
    
    ---------------------------- Scan results ----------------------------
    
    MD5 scan
    Scanned files: 51
    Incorrect MD5 checksums: 23
    
    File scan
    Scanned files: 342
    Possible infected files: 2
    Possible rootkits: SHV4 SHV5
    
    Application scan
    Vulnerable applications: 0
    
    Scanning took 418 seconds
    
    -----------------------------------------------------------------------
    
    Do you have some problems, undetected rootkits, false positives, ideas
    or suggestions? Please e-mail us through the Rootkit Hunter mailinglist
    at rkhunter-users@lists.sourceforge.net.
    
    -----------------------------------------------------------------------
    
     
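Two things in this output deserve separating. First, 23 of the 51 "known good" hashes are BAD, but rkhunter also reports "prelinked files found": on Fedora, prelink rewrites binaries in place, so their hashes drift from any static database, and /usr/bin/md5sum and /usr/bin/sha1sum are themselves on the BAD list, so a comparison done with the box's own tools proves nothing either way. Second, the SHV4/SHV5 warnings come from the default-file check (SHV5 typically installs under /lib/libsh), which `--createlogfile` will name. The following is an added example, not from the thread or from rkhunter: a POSIX shell check that compares files against a manifest kept off the host, using a hash tool whose path is passed in (meant to be a copy from clean media), and undoing prelink with `prelink -y` when a prelink binary is supplied. The manifest format (`sha256sum` output) and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Compares files against a manifest of
# known-good SHA-256 hashes ("<hash>  <path>" per line, as sha256sum prints)
# using a hash tool whose path is passed in, so a trojaned /usr/bin/sha*sum
# on the suspect host is never relied on. Paths below are assumptions.

# hash_one TOOL FILE [PRELINK]: print the SHA-256 of FILE. If a prelink
# binary is given and FILE is prelinked, hash the un-prelinked image that
# `prelink -y` writes to stdout, because prelink rewrites binaries in place
# and the raw bytes will not match a hash taken before prelinking.
hash_one() {
    tool=$1; f=$2; prelink=${3:-}
    if [ -n "$prelink" ] && "$prelink" -y "$f" >/dev/null 2>&1; then
        "$prelink" -y "$f" | "$tool" | cut -d' ' -f1
    else
        "$tool" < "$f" | cut -d' ' -f1
    fi
}

# verify_manifest TOOL MANIFEST [PRELINK]: one "STATUS path" line per
# manifest entry (OK, CHANGED, MISSING). Returns 1 if anything is not OK.
verify_manifest() {
    tool=$1; manifest=$2; prelink=${3:-}
    bad=0
    while read -r want path; do
        [ -z "$want" ] && continue
        case $want in \#*) continue;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        have=$(hash_one "$tool" "$path" "$prelink")
        if [ "$have" = "$want" ]; then
            echo "OK      $path"
        else
            echo "CHANGED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# --- constructed demonstration; a real run points MANIFEST at a file kept
# off the suspect host and TOOL at a sha256sum copied from clean media,
# e.g. TOOL=/mnt/rescue/usr/bin/sha256sum (assumed path) -------------------
TOOL=${TOOL:-$(command -v sha256sum)}
demo=$(mktemp -d)
printf 'original\n' > "$demo/cat"; printf 'original\n' > "$demo/ls"
"$TOOL" "$demo/cat" "$demo/ls" > "$demo/manifest"   # baseline taken while clean
printf 'replaced\n' > "$demo/ls"                      # simulate a swapped binary
verify_manifest "$TOOL" "$demo/manifest" \
    || echo "manifest mismatch: treat the host as compromised"
rm -rf "$demo"
```

A CHANGED result for a binary the package manager also reports as modified, after prelink has been undone, is a real finding; a CHANGED result that disappears once `prelink -y` is used is the database drift rkhunter warns about. Neither result substitutes for the `--createlogfile` run, which is what names the SHV5 files.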
  6. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    This does not look good. You should rerun rkhunter with --createlogfile, as suggested in the output, and check in the log file exactly which rootkit files were found.

    Which linux distribution do you use?
     
  7. tristanlee85

    tristanlee85 New Member

    I will re-run it and create a log file this time. I woke up to 609 of those same e-mails.

    I wonder why it says r00t instead of root?

    Also, I'm using FC5.
     
  8. tristanlee85

    tristanlee85 New Member

  9. tristanlee85

    tristanlee85 New Member

    After looking through the log, it looks like I've been "owned."

    Code:
    [root@server libsh]# ls -al
    total 104
    drwxr-xr-x   6 root     root         4096 Aug 16 22:00 .
    drwxr-xr-x 112 root     root        69632 Aug 16 22:00 ..
    drwxr-xr-x   2 root     root         4096 Aug 17 15:47 .backup
    -rwxr-xr-x   1 122      114          1206 Apr 18  2003 .bashrc
    drwxr-xr-x   2 root     root         4096 Aug 16 22:00 .owned
    drwxr-xr-x   2 root     root         4096 Aug 17 15:47 .sniff
    -rwxr-xr-x   1 122      114          2000 Aug 23  2006 hide
    drwxr-xr-x   2 tristan  tristan      4096 Aug 17 15:47 utilz
    
     
  10. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    If possible, you should reinstall the complete server or restore the complete server from a backup that was done before it got hacked. Otherwise you can never be 100% sure that your server is clean.
     
  11. tristanlee85

    tristanlee85 New Member

    By reinstall you mean the OS, correct? As for backing up ISPConfig to transfer to a fresh OS installation, would I be best off to create a tarball of my admispconfig/ and www/ directories in the /home/ directory?
     
  12. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Yes.

    Don't you have a backup from the time before the hack occurred? It would be better to use that.

    If not, have a look at this thread:

    http://www.howtoforge.com/forums/showthread.php?t=2717&highlight=move ispconfig

    You will need a backup of /home/, /var/, /root/ispconfig and /etc, because you will need the passwd, shadow and group files. And this is the biggest problem, as your passwords might be compromised. Also, if you put your websites back online without finding the security hole that the hacker used, you might get hacked again very fast.

    So, if possible, start either with a fresh installation of ISPConfig and recreate the accounts and move just the content of the websites and databases, or use the data from a backup that was made before the hack.
     
  13. tristanlee85

    tristanlee85 New Member

    As for the backup, do I use the backup tool from the Management tab or from the Tools tab? Will one of those backups allow me to restore EVERYTHING once I reinstall the OS, re-install a clean version of ISPConfig, and then restore the backup and have everything there?
     
  14. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You can not use the ISPConfig backup tools to make a full backup. Please have a look at the link to the thread I posted above.
     
  15. Boon-Dog-Danny

    Boon-Dog-Danny New Member

    Hey, just a few answers. r00t is his g-mail name; it's like db.r00t something. In a nutshell, it happened because you allowed upload or attachments or avatar uploads in your phpBB. "Ahh," ya say. I know, I just cleaned it all out.

    Check your modules/forums/cache/ folder. You will see all sorts of goodies in there. attach_config.php, that's it, that's the only thing that's supposed to be in there; all of the other stuff you see, delete, including those folders. Do not go by the creation date. If you read one of the net.php folders you can take apart what happened, just read along. You were attacked by a script kiddy anyway. You will have to do all that in your WinSCP editor.

    Then check all your 777 file folders for files called, oh, anything really, mostly version or r00t; those will be locked. Then file names in the 777 folders like includes.php, errors.php, net.php.

    hope that helps
     
    Last edited: Oct 29, 2007
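The cleanup described in the post above amounts to two checks: the phpBB cache directory should contain only attach_config.php, and every world-writable ("777") directory under the web root is a place an attacker who got code execution as the Apache user can drop files. Under mod_php that user is shared by every site on the box, so a hole in one vhost's phpBB reaches every other vhost's writable directories too. The following is an added example, not from the thread or from phpBB: POSIX shell functions that list world-writable directories under a web root, flag anything in a directory beyond an allowed set of names, and list PHP or executable files sitting in the writable directories. The directory tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Triage of a web root after a phpBB
# upload-directory compromise. The tree built at the bottom is constructed.

# list_world_writable ROOT: directories under ROOT that anyone can write to
# (the "777 folders"), one per line, sorted.
list_world_writable() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null | sort
}

# list_unexpected DIR NAME...: entries in DIR (files, subdirectories, dot
# names) other than the NAMEs given, e.g. a phpBB cache directory where only
# attach_config.php belongs. Prints full paths; always exits 0.
list_unexpected() {
    dir=$1; shift
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        keep=0
        for allowed in "$@"; do
            [ "$name" = "$allowed" ] && keep=1
        done
        [ $keep -eq 0 ] && echo "$entry"
    done
    return 0
}

# files_in_writable ROOT: regular files sitting directly in world-writable
# directories under ROOT that are PHP scripts or carry an execute bit, so a
# net.php dropped into a cache or avatar directory stands out.
files_in_writable() {
    list_world_writable "$1" | while read -r d; do
        find "$d" -maxdepth 1 -type f \( -name '*.php' -o -perm -0111 \) 2>/dev/null
    done
    return 0
}

# --- constructed demonstration tree, not the original server -------------
root=$(mktemp -d)
mkdir -p "$root/forums/includes" "$root/forums/cache" "$root/forums/images/avatars"
chmod 755 "$root/forums/includes"
chmod 777 "$root/forums/cache" "$root/forums/images/avatars"
: > "$root/forums/cache/attach_config.php"     # legitimate
: > "$root/forums/cache/net.php"               # dropped by an attacker
mkdir "$root/forums/cache/r00t"                # dropped directory
echo "== world-writable directories";        list_world_writable "$root"
echo "== unexpected entries in cache/";      list_unexpected "$root/forums/cache" attach_config.php
echo "== php or executable files in 777 dirs"; files_in_writable "$root"
rm -rf "$root"
```

Do not use the listing to decide the box is clean: the post's advice to ignore creation dates applies because timestamps are attacker-controlled, and once the rkhunter output earlier in the thread shows replaced system binaries, the only trustworthy fix is the reinstall recommended above. The listing is for understanding the entry point before the rebuilt site goes back online.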
  16. erebus

    erebus New Member

    I would like to ask something related to this...

    In the past, running a Slackware server without ISPConfig, my server happened to be compromised because a user was running a CMS (Mambo, I think).

    With the perfect server setup, and running all sites with PHP safe mode enabled, am I supposed to be secure from such threats?

    I am asking this because you can never know exactly if a client has upgraded its CMS or forum to the latest version...
     
  17. sjau

    sjau Local Meanie Moderator HowtoForge Supporter

    I would not use phpBB - it has a very bad history regarding hacks...
     
  18. erebus

    erebus New Member

    Yes, but I'm not talking about me but about my clients. I cannot always look at what they install from time to time; that's why I ask if using an updated system along with PHP's safe mode can give you enough protection against exploits.
     
  19. sjau

    sjau Local Meanie Moderator HowtoForge Supporter

    SafeMode should do the job, but I'd rather use suPHP. suPHP will make Apache (and PHP) run as that exact system user, and damage should then be limited to that user's account and files.
     
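The distinction in the last two posts is between restricting what PHP code may call (safe mode, a PHP-level setting that the interpreter enforces) and changing which Unix user the code runs as (suPHP). Only the second limits what a compromised phpBB can touch on the filesystem, because it is the process identity, not the PHP configuration, that the kernel checks. The following is an added example, not a configuration from the thread or from ISPConfig: the same vhost first under mod_php and then under suPHP. The module path, the php-cgi location, the DocumentRoot and the use of the `forums` account from the passwd diff earlier in the thread are assumptions.

```apacheconf
# Added example, not from the thread or ISPConfig. Two configurations for
# the same site. Module path, php-cgi location, DocumentRoot and the
# user/group are assumptions.

# --- weak: mod_php, every site's scripts run as the shared Apache user ---
<VirtualHost *:80>
    ServerName forums.example.com
    DocumentRoot /home/www/web25/web
    # A hole in this phpBB yields the apache user, which can write to every
    # other vhost's world-writable directories as well. safe_mode limits
    # PHP functions and file ownership checks inside PHP, not the process.
    <IfModule mod_php5.c>
        php_admin_flag safe_mode On
    </IfModule>
</VirtualHost>

# --- hardened: suPHP, scripts run as the site owner ----------------------
LoadModule suphp_module modules/mod_suphp.so
<VirtualHost *:80>
    ServerName forums.example.com
    DocumentRoot /home/www/web25/web
    suPHP_Engine on
    suPHP_UserGroup forums forums        # the site's own Unix account
    suPHP_AddHandler x-httpd-php
    AddHandler x-httpd-php .php .php5
    # mod_php must not also handle .php for this vhost, or the in-process
    # interpreter wins and the scripts run as apache again.
    <IfModule mod_php5.c>
        php_admin_flag engine Off
    </IfModule>
</VirtualHost>
```

The per-user identity only helps if /etc/suphp.conf refuses to run scripts from writable locations: `allow_file_others_writeable=false`, `allow_directory_others_writeable=false` and their `group_writeable` counterparts make suPHP refuse a script in a 777 directory, `check_vhost_docroot=true` keeps it inside the vhost's DocumentRoot, and `min_uid`/`min_gid` above the system accounts stop a vhost from being mapped to root or a daemon user. With those set, the dropped net.php from the earlier post would not execute even if it were uploaded.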
