Not good. There are two syslogd binaries:

[root@f1 14:51:31 log]# rpm -qf /usr/bin/syslogd
file /usr/bin/syslogd is not owned by any package
[root@f1 14:51:43 log]# ls -al /usr/bin/syslogd
-rwxr-xr-x    1 root     root      1180858 Feb 25  2002 /usr/bin/syslogd
[root@f1 14:51:50 bin]# file /usr/bin/syslogd
/usr/bin/syslogd: ELF 32-bit LSB executable, Intel 80386, version 1,
statically linked, stripped

[root@f1 14:51:55 log]# rpm -qf /sbin/syslogd
sysklogd-1.4.1-4
[root@f1 14:52:02 log]# ls -al /sbin/syslogd
-rwx------    1 root     root        28324 Aug 16  2001 /sbin/syslogd
[root@f1 14:54:06 bin]# file /sbin/syslogd
/sbin/syslogd: ELF 32-bit LSB executable, Intel 80386, version 1,
dynamically linked (uses shared libs), stripped

I don't know what other trojans they've installed, where they are or what
they're doing, how many modules they've loaded into memory or even what
sensitive data they've accessed. Tripwire didn't come with rh7.2 for some
reason ...

This is good experience, though. You only ever start learning lessons when you
get royally fucked. The only problem is, this will greatly decrease the time I
have to get experience with other things, e.g. sendmail, apache, perl etc.

One thing's for sure, I can do a lot better to secure the box than what I
have.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Michael Fox
Sent: Sunday, 1 December 2002 13:56
To: Minh Van Le
Cc: Michael Fox; Howard Lowndes; [EMAIL PROTECTED]
Subject: RE: [SLUG] Suscpicious IRCd connections


Quoting Minh Van Le <[EMAIL PROTECTED]>:

> [root@f1 16:35:16 init.d]# ps auxw | grep syslog
> USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
> root       948  0.0  0.2  1476  324 ?        S    Nov26   0:14 syslogd
> -m 0
> root      1617 22.0  0.3  3072  468 ?        S    Nov26 1311:00
> syslogd
> root     31337  0.0  0.4  1732  600 pts/1    S    16:35   0:00 grep -i
> syslog
>
> Doesn't look too good. Two syslogd processes running since the last
> reboot.
>
> I'm taking the box down.
>

And I'd say the one with PID 1617 (getting vast amounts of CPU TIME) is the
bad one, i.e. the bot that is joining the IRC server you identified.

I'd rebuild it, and be sure to secure the new box a little better than the
one that you had hacked.

Good Luck

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
