[lug] i got hacked

Bear Giles bgiles at coyotesong.com
Thu Apr 18 16:29:56 MDT 2002


> rm -rf /root/.bash_history
> ln -s /dev/null /root/.bash_history
> 
> cd /dev
> ./ryz -f ./s

Quick, how many people just checked their /root/.bash_history file
and for /dev/ryz and /dev/s?

And why didn't everyone else?
 
> /usr/bin/trimite

Same thing here.

(This is a surprisingly unsophisticated rootkit - it should be easy
to automatically check for these fingerprints.)

> echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> /tmp/info
> echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> /tmp/info
> echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> /tmp/info
> echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> /tmp/info

WTF?  Why on earth would any attacker care about this?

> echo "* Ping la Yahoo: $(ping -c3 yahoo.com)" >> /tmp/info

ditto

> echo "* Password: $(wc /etc/passwd -l)" >> /tmp/info

not the contents of the file, but just the number of entries?!?!

> so, netstat says i have something listening on 25897...what should i do?!
> never been hacked before....i already turned off ftp and turned on tcp
> wrappers.

I tend to take a hard line -

1) shut down the system.  Or just yank the power cord.  You'll see
opinions mixed about 50/50 on that.  Remove the current hard disk,
lock it someplace safe.

2) buy a new hard disk.  Or two.  Over time I've become a *huge* fan
of multiple spindles - one disk contains the OS *only*, and can be
wiped at will.  The second disk contains the user data *only*, and
has the "nosuid, noexec, nodev" flags set unless it's a development
system.  The first disk can be small, but since you can't find small
disks I tend to have huge partitions for /tmp, /var/log, etc. :-)

3) rebuild your system from trusted media.  Disable unnecessary
services, enable TCP wrappers, etc.  Generate a snapshot of what the
system should look like.  (This is one reason I've been working on
tools that can rip the MD5 and SHA1 checksums out of source .deb and
.rpm files.)

You may also want to consider using multiple partitions so you mount
/usr, /bin and /sbin read-only, or doing chattr +i on all files under
these directories and /lib.  This will only briefly slow down an
experienced attacker, but should stop most scripts.

Same theme, all logs and history files should be chattr +a.  (And
a second flag that escapes me that prevents deletion.)

4) depending on whether you want to prosecute the cracker, lawyer's
advice, etc., mount your old disk READ-ONLY to make several sets of
backups.  Lock up the disk again when you're done.

5) restore user data from the backups, but make sure the data has both
noexec flags set on the mount *and* scan the disk for all executables.

What you're looking for in particular are:

  find / -perm -4000 -print  -- any setuid file
  find / -perm -2000 -print  -- any setgid file
  find / -type f -perm -0001 -print  -- world-executable files
  find / -type f -perm -0010 -print  -- group-executable files
  find / -type f -perm -0100 -print  -- owner-executable files

6) contact Yahoo and tell them about the suspicious activity on
that account.  But remember that it's possible that this account
was hijacked, so don't expect too much from it.

Bear
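[Added example, not part of Bear's message or the original thread.]  A
small POSIX shell script that automates the checks described above: the
fingerprints visible in the quoted rootkit install script (/root/.bash_history
pointed at /dev/null, /dev/ryz, /dev/s, /usr/bin/trimite, /tmp/info), the
setuid/setgid/executable sweep from step 5, and the "snapshot of what the
system should look like" from step 3.  It assumes the suspect or restored
disk is mounted read-only at the path given as ROOT; the ROOT argument, the
function names, and the use of sha256sum (in place of the MD5/SHA1 mentioned
above) are my assumptions.  With no argument it builds a constructed fixture
tree so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post). Automates the checks in the
# reply: the rootkit fingerprints named in the quoted install script, the
# setuid/setgid/executable sweep from step 5, and the hash snapshot from
# step 3. ROOT is the mount point of the (read-only!) suspect or restored
# disk; the fixture below is a constructed tree for demonstration only.

# Fingerprints lifted from the quoted script: /root/.bash_history pointed
# at /dev/null, the dropped files in /dev and /usr/bin, and /tmp/info.
check_fingerprints() {
    root=$1
    if [ -L "$root/root/.bash_history" ]; then
        echo "SUSPECT: root/.bash_history is a symlink to $(readlink "$root/root/.bash_history")"
    fi
    for f in dev/ryz dev/s usr/bin/trimite tmp/info; do
        [ -e "$root/$f" ] && echo "SUSPECT: $f exists"
    done
    return 0
}

# Step 5: anything setuid or setgid on a data disk is a red flag.
# -perm -MODE (all given bits set) works on both GNU and BSD find.
find_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Step 5: any regular file with an execute bit (owner, group or other).
find_executables() {
    find "$1" -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Step 3: snapshot of what the system "should look like". sha256sum is
# used here instead of the MD5/SHA1 mentioned in the reply (assumption).
snapshot() {
    find "$1" -xdev -type f -exec sha256sum {} + | LC_ALL=C sort -k 2
}

# Re-hash and diff against a saved snapshot; exit status 0 means unchanged.
verify_snapshot() {
    baseline=$1
    root=$2
    snapshot "$root" | diff "$baseline" -
}

# Constructed fixture mimicking the quoted install script (demo data only).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/root" "$d/dev" "$d/usr/bin" "$d/bin" "$d/home/u"
    ln -s /dev/null "$d/root/.bash_history"
    : > "$d/dev/ryz"
    : > "$d/dev/s"
    : > "$d/usr/bin/trimite"
    printf '#!/bin/sh\n' > "$d/bin/su"
    chmod 4755 "$d/bin/su"
    printf 'hello\n' > "$d/home/u/notes.txt"
    chmod 644 "$d/home/u/notes.txt"
    echo "$d"
}

if [ $# -gt 0 ]; then
    root=$1
else
    root=$(make_fixture)
    echo "no ROOT given; using constructed fixture at $root"
fi
check_fingerprints "$root"
find_privileged "$root"
find_executables "$root"
```

Run it as "sh irtools.sh /mnt/suspect" with the old disk mounted read-only
(step 4), save the output of "snapshot" from the freshly rebuilt system
(step 3), and later run "verify_snapshot saved.txt /" to see exactly which
files changed.  The fingerprint list only catches this particular rootkit;
the hash comparison is what catches the next one.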


