SSH Problems, TPS FC4, messages from cron

Discussion in 'Server Operation' started by Hagforce, Apr 14, 2008.

  1. Hagforce

    Hagforce New Member


    I have some strange problems on my server, starting last night.

    Every minute root gets this mail
    Cron <[email protected]>  chown root:root /tmp/w00tt && chmod 4755 /tmp/w00tt && rm -rf /etc/cron.d/core && kill -USR1 2584
    Witch says
    /bin/sh: line 0: kill: (2584) - No such process
    I run SSH on a non standard port.
    But suddenly SSH is back on port 22.
    I checked my /etc/ssh/sshd_config and it is configured with the port I want.

    I use ISPConfig, and I have opened the firewall for the non standard SSH port.

    I also see that a root login was performed
    ALERT - Root Shell Access on: Mon Apr 14 05:02:13 CEST 2008
    This usually logs IP adr or says tty1.

    It is after this login the messages begin to come for root.
    Strange, I use a non standard SSH port, and a very secure password for root.

    Any tips here :confused:
    Last edited: Apr 14, 2008
  2. topdog

    topdog Active Member

    You have been rooted
  3. Hagforce

    Hagforce New Member

    Ok, this is not good :eek:

    I found a folder in /temp/ that is named .dat
    It seems to contain an exploit, for installing eggdrop.

    I removed a file in /etc/cron.d called core.2585
    Then the messages from cron stopped.

    The file seems unreadable in text editors, bot some is readable.

    What should I do next...
  4. topdog

    topdog Active Member

    You need to check the system from good read only media, because right now all your binaries must have been changed.

    My best bet is trash the system and rebuild a new system restoring configurations from known good backups.
  5. Hagforce

    Hagforce New Member

    Thank you.

    How can I check what binarys have been changed?
    Thrashing the system is not a good option for me right now :(
  6. topdog

    topdog Active Member

    You need to know the md5sums of these binaries usually you would use the rpm database to verify
    rpm -Va
    this but if the guy that brokein were good i guess they have already messed up the db

    In most cases exploited binaries will also have thier attributes changed such that you cannot replace them so check using
    lsatt /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
    Any with the immutable and append flag set should be suspect.
  7. topdog

    topdog Active Member

    You also need to run a rootkit hunter, rkhunter and chrootkit should help.
  8. Hagforce

    Hagforce New Member

    Thank you again topdog.

    chkrootkit and rkhunter does not find anything (I deleted the one I found manualy).

    What should I look for runnung rpm -Va?
    lsatt returns -bash: lsat: command not found
  9. topdog

    topdog Active Member

    with rpm -Va your should be looking for binaries whose md5 / ownership has changed.

    I guess the person has removed lsattr because he has changed the attributes of your files, so you need to get your own one anyway as the installed one could be altered.
  10. Hagforce

    Hagforce New Member

    lsattr returns ---------- on all :confused:
    I run lsatt first time, sorry.

    I have shut down ssh for now.
    Changed root psw.
    And everything is back to normal (seems).

    What can I do to make ssh safe to use again?
    I guess, delete all files witch has to do with ssh, and re install it?
    Witch folders to delete? Have ssh and ssh2 on fedora c4.

    I have many e-mail accounts on the server, but only one user have access to shell (root), must I take any action regarding the e-mail users/addresses?
  11. topdog

    topdog Active Member

    I actually think you are focusing in the wrong place, i think the server was exploited via something else not ssh, the person just configured ssh back on port 22 for them to connect to the machine.

    You need to focus on finding which software was vulnerable and was exploited for the attacker to get in.
  12. Hagforce

    Hagforce New Member

    You are right I think.
    It`s easy to get blind.

    The files was located in the temp folder.
    And /etc/cron.d/

    I guess the temp folder is the source, and this came from a unsecure website on my server.

    This seems to be the exploit, attached as

    But I can`t understand how they got to run it.
    And how they got the cron job.

    The file contains the file witch was located in /etc/cron.d/

    The w00tt file exploit seems to be for an older core, so I should have updated, and maybe this would`t have happened.

    But is that enough, or do you think there are other weaknesses?

    Attached Files:

  13. topdog

    topdog Active Member

    You need to audit what is running, running selinux in most cases would mitigate some of these attacks its a pity control panel designers dont seem to consider such security mechanisms when designing their software.

    If apache was running secured by selinux there would be no way it could be allowed to write to the cron directories
  14. topdog

    topdog Active Member

  15. Hagforce

    Hagforce New Member

    Ok, so it`s time to update my server :)

    Can I use selinux and run ISPConfig?
    In the guide TPS FC4 it`s recommended to disable selinux.
  16. topdog

    topdog Active Member

    Thats what i was saying most control panels are not selinux enabled.
  17. Hagforce

    Hagforce New Member

    One more question... :eek:

    Is there a good way to reinstall all binaries?
  18. falko

    falko Super Moderator ISPConfig Developer

    Might be a problem for FC4 as it'S rather old. I don't know if the repos are still active.
  19. topdog

    topdog Active Member

    Why you insist on keeping a out of support machine on the internet beats me.

    You should be creating a upgrade plan now not salvaging a system that will be cracked the next day.
  20. Hagforce

    Hagforce New Member

    U are right.
    I just need some time.
    Will be upgrading to Fedora8.

    So it`s just buying myself the time :(

Share This Page