[opensuse] system seems hacked...
I have just seen something odd on a principal server (suse 10.0) in our DMZ. At first, I saw a user running ftp_scan on a zillion ports. Then I saw a different user running ssh_scan. Me thinks, this is not right. So, I started by changing passwords for all, and rebooting. Then I notice on the freshly booted system:

  root  4137  1  0 14:16 ?  00:00:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
  jan   4755  1  0 14:17 ?  00:00:00 /usr/sbin/sshd

netstat tells me

  tcp  0  0 :::22          :::*       LISTEN  4137/sshd
  udp  0  0 0.0.0.0:32775  0.0.0.0:*          4755/sshd

So this unexpected sshd has udp port 32775 open. How odd. User jan should not be running anything, let alone sshd. If I kill it, it comes back. I checked the /usr/sbin/sshd and it has a correct checksum compared to an internal machine. So then I looked in inittab and the rc scripts (process 1 is init) to see if anything there looks odd. I do not see anything that gives me a clue as to why this is running. Of course the rc scripts are harder to check as they run programs that run programs, etc. I did a check to see what is different from the installed RPMs. Nothing looked odd.

I had a look at http://suseforums.net/index.php?showtopic=31358 which seems to be describing the same thing. Except that in my case, the odd sshd is still running after the reboot. And it will not go away... Anyone seen/heard of this specific exploit?

-- Roger Oberholtzer, OPQ Systems / Ramböll RST, Ramböll Sverige AB, Kapellgränd 7, P.O. Box 4205, SE-102 65 Stockholm, Sweden. Office: Int +46 8-615 60 20, Mobile: Int +46 70-815 1696

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Thu, Feb 21, 2008 at 03:12:09PM +0100, Roger Oberholtzer wrote:
I have just seen something odd on a principal server (suse 10.0) in our DMZ. At first, I saw a user running ftp_scan on a zillion ports. Then I saw a different user running ssh_scan. Me thinks, this is not right. So, I started by changing passwords for all, and rebooting. Then I notice on the freshly booted system:
  root  4137  1  0 14:16 ?  00:00:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
  jan   4755  1  0 14:17 ?  00:00:00 /usr/sbin/sshd
netstat tells me
  tcp  0  0 :::22          :::*       LISTEN  4137/sshd
  udp  0  0 0.0.0.0:32775  0.0.0.0:*          4755/sshd
So this unexpected sshd has udp port 32775 open. How odd.
User jan should not be running anything, let alone sshd. If I kill it, it comes back. I checked the /usr/sbin/sshd and it has a correct checksum compared to an internal machine. So then I looked in inittab and the rc scripts (process 1 is init) to see if anything there looks odd. I do not see anything that gives me a clue as to why this is running. Of course the rc scripts are harder to check as they run programs that run programs, etc. I did a check to see what is different from the installed RPMs. Nothing looked odd.
Programs can rename themselves for the process list. What does the symlink /proc/4755/exe point to? It might be some kind of trojan/daemon/service the user is trying to hide from you.

Ciao, Marcus
On Thu, 2008-02-21 at 15:16 +0100, Marcus Meissner wrote:
Programs can rename themselves for the process list.
What does the symlink /proc/4755/exe point to?
It might be some kind of trojan/daemon/services the user is trying to hide from you.
You've obviously done this before. I get

  /home/jan/mds/.font-UNIX/randfiles/.font/emech

which will go away in very short time! And it is getting started by the user's cron table. Or it was. I will have a talk with the user whose account was used. They have a tricky password which I bet their windows machine knows about...

-- Roger Oberholtzer
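As an added example, not code from the thread or from any of the posters, the following script automates the two checks that resolved the case above: Marcus's /proc/PID/exe comparison, applied to every process rather than one PID, and a dump of the user crontabs where the restart came from. It also counts socket descriptors per flagged process, the figure Roger later reads by hand out of /proc. It assumes Linux procfs; the crontab spool paths and the list of "odd" directories are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find processes whose advertised name
# (argv[0] in /proc/PID/cmdline) does not match the binary they were really
# exec'd from (/proc/PID/exe), the trick the "hide" process faker uses.
# Spool paths and "odd location" prefixes below are assumptions for the example.

# Pure classification, kept free of /proc so it can be tested on its own.
# Usage: classify_proc ARGV0 EXE_TARGET   (EXE_TARGET as printed by readlink)
# Prints one of: unreadable, name-mismatch, deleted-binary, odd-location, ok
classify_proc() {
    argv0=$1
    exe=$2
    if [ -z "$exe" ]; then
        # readlink failed: a kernel thread, or we are not root
        echo "unreadable"
        return 0
    fi
    argv0_base=${argv0##*/}
    argv0_base=${argv0_base#-}              # login shells show as "-bash"
    exe_base=${exe##*/}
    exe_base=${exe_base%" (deleted)"}
    if [ "$argv0_base" != "$exe_base" ]; then
        # argv[0] says "sshd" but the kernel says the binary is something else
        echo "name-mismatch"
        return 0
    fi
    case $exe in
        *" (deleted)")
            # binary unlinked after start, common for dropped malware
            echo "deleted-binary" ;;
        /home/*|/tmp/*|/var/tmp/*|/dev/shm/*)
            # daemons do not normally live in home or scratch directories
            echo "odd-location" ;;
        *)
            echo "ok" ;;
    esac
}

# Number of socket descriptors in /proc/PID/fd (the bot above held 320+).
socket_fd_count() {
    n=0
    for fd in /proc/"$1"/fd/*; do
        case $(readlink "$fd" 2>/dev/null) in
            socket:*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Walk /proc and print one line per process that is not "ok".
scan_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/cmdline" ] || continue
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue          # kernel threads have an empty cmdline
        exe=$(readlink "$d/exe" 2>/dev/null)
        verdict=$(classify_proc "$argv0" "$exe")
        [ "$verdict" = ok ] && continue
        uid=$(awk '/^Uid:/ {print $2}' "$d/status")
        printf '%s pid=%s uid=%s argv0=%s exe=%s sockets=%s\n' \
            "$verdict" "$pid" "$uid" "$argv0" "${exe:-?}" "$(socket_fd_count "$pid")"
    done
}

# Dump every user crontab, the persistence mechanism found in the thread.
# Assumed spool locations: /var/spool/cron/tabs (SUSE) and
# /var/spool/cron/crontabs (Debian-style). Reading them requires root.
list_user_crontabs() {
    for tab in /var/spool/cron/tabs/* /var/spool/cron/crontabs/*; do
        [ -f "$tab" ] || continue
        printf '== crontab for %s ==\n' "${tab##*/}"
        grep -v '^[[:space:]]*#' "$tab"
    done
}

# Run as root:  sh ./proc-triage.sh --scan
if [ "${1-}" = "--scan" ]; then
    scan_procs
    list_user_crontabs
fi
```

Expect some benign hits: interpreters (argv[0] "python" against a "python3.x" binary), busybox-style multicall binaries, and anything upgraded while running, which shows as deleted-binary. A parent PID of 1, which puzzled Roger, is normal for something launched from a crontab: cron's child exits as soon as it has spawned the job, and the orphan is reparented to init.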
Marcus: forgot to say thanks. So, thanks!

-- Roger Oberholtzer
Roger Oberholtzer wrote:
You've obviously done this before. I get
/home/jan/mds/.font-UNIX/randfiles/.font/emech
Just for the record, emech is energymech* - IRC bot programmed in C, similar to eggdrop*, no exploit or rootkit fortunately.

* http://www.energymech.net/
* http://www.eggheads.org/

-- Best Regards / S pozdravom, Pavol RUSNAK, SUSE LINUX, s.r.o, Package Maintainer, Lihovarska 1060/12, 19000 Praha 9, CR, PGP 0xA6917144, prusnak[at]suse.cz, http://www.suse.cz
On Thursday 21 February 2008 08:12:28 am Pavol Rusnak wrote:
Roger Oberholtzer wrote:
You've obviously done this before. I get
/home/jan/mds/.font-UNIX/randfiles/.font/emech
Just for the record, emech is energymech* - IRC bot programmed in C, similar to eggdrop*, no exploit or rootkit fortunately.
...and here I was thinking the users were setting up a mech warrior server on the network to - erm - kill time. That was very interesting reading, thanks!

-- kai, www.filesite.org || www.4thedadz.com || www.perfectreign.com. remember - a turn signal is a statement, not a request
On Thu, 2008-02-21 at 17:12 +0100, Pavol Rusnak wrote:
Roger Oberholtzer wrote:
You've obviously done this before. I get
/home/jan/mds/.font-UNIX/randfiles/.font/emech
Just for the record, emech is energymech* - IRC bot programmed in C, similar to eggdrop*, no exploit or rootkit fortunately.
Very interesting. What I am trying to figure out is how they got in. The user they were initially using had a very difficult password with mixed letters and numbers all chosen at random. I suspect it was via his windows machine he logs in from. Now that my system has been found, the bot is showing up in other users. So, I am forcing all to set new passwords (passwd -e) and warning them that the passwords need to be difficult. Damned pesky thing.

-- Roger Oberholtzer
On Thu, 2008-02-21 at 17:12 +0100, Pavol Rusnak wrote:
Roger Oberholtzer wrote:
You've obviously done this before. I get
/home/jan/mds/.font-UNIX/randfiles/.font/emech
Just for the record, emech is energymech* - IRC bot programmed in C, similar to eggdrop*, no exploit or rootkit fortunately.
I see the string EnergyMech in the emech file. Perhaps it is version 2.8.1. The program that seems to be hiding the real program, cleverly called hide, seems to be:

  Hide - Process Faker, by Schizoprenic Xnuxer Research (c) 2002

which, in its help message, uses ./egg as a sample name. I am a bit surprised that these apps have so much information in them. But I guess they are not really doing something wrong. It is more that they are not supposed to be running on MY machine...

-- Roger Oberholtzer
Donnerstag, 21. Februar 2008 Pavol Rusnak:
Just for the record, emech is energymech* - IRC bot programmed in C, similar to eggdrop*, no exploit or rootkit fortunately.
Hi Pavol, I think what you say is naive at best. "Botnet" ring a bell?
Pavol RUSNAK SUSE LINUX, s.r.o Package Maintainer Lihovarska
You seem to maintain tcpdump, libpcap, iptables and I sincerely hope that you don't take the same easygoing approach with those.

Wolfgang
On Fri, 2008-02-22 at 23:17 +0100, Wolfgang Woehl wrote:
Donnerstag, 21. Februar 2008 Pavol Rusnak:
Just for the record, emech is energymech* - IRC bot programmed in C, similar to eggdrop*, no exploit or rootkit fortunately.
Hi Pavol, I think what you say is naive at best. "Botnet" ring a bell?
Pavol RUSNAK SUSE LINUX, s.r.o Package Maintainer Lihovarska
You seem to maintain tcpdump, libpcap, iptables and I sincerely hope that you don't take the same easygoing approach with those.
I think the hack is indeed as described. It was not really messing up my system. It used it as a stage to probe other systems. I got a visit from our IT department that there was a complaint about this server from some external site. I was not surprised. It seems that the password changes have resolved the issue. At least for now. I will have to keep watch for something else. But I do not think the system was compromised. In summary, I would say a user let someone use his account to run some unexpected software.
-- Roger Oberholtzer
Roger Oberholtzer wrote:
On Fri, 2008-02-22 at 23:17 +0100, Wolfgang Woehl wrote:
Donnerstag, 21. Februar 2008 Pavol Rusnak:
Just for the record, emech is energymech* - IRC bot programmed in C, similar to eggdrop*, no exploit or rootkit fortunately.
Hi Pavol, I think what you say is naive at best. "Botnet" ring a bell?
Pavol RUSNAK SUSE LINUX, s.r.o Package Maintainer Lihovarska
You seem to maintain tcpdump, libpcap, iptables and I sincerely hope that you don't take the same easygoing approach with those.
I think the hack is indeed as described. It was not really messing up my system. It used it as a stage to probe other systems. I got a visit from our IT department that there was a complaint about this server from some external site. I was not surprised. It seems that the password changes have resolved the issue. At least for now. I will have to keep watch for something else. But I do not think the system was compromised. In summary, I would say a user let someone use his account to run some unexpected software.
A user like that needs two weeks unpaid vacation, so that in the future, he can think more clearly at work before "loaning" his account to someone who wants to use it for "unexpected software".
Roger Oberholtzer wrote:
I have just seen something odd on a principal server (suse 10.0) in our DMZ. [...] User jan should not be running anything, let alone sshd. If I kill it, it comes back. [...] Anyone seen/heard of this specific exploit?
-- Roger Oberholtzer

lsof -p PID

see where it's located, my best guess would be that it's a perl script forking itself again if you kill it. Find the source file and remove it.

-- Best regards, Nick Zeljkovic
On Thu, 2008-02-21 at 15:22 +0100, Nick Zeljkovic wrote:
lsof -p PID see where it's located, my best guess would be that it's a perl script forking itself again if you kill it. Find the source file and remove it.
Oddly, that listed nothing. I think it is because stdout is redirected to a file, so that would show up as an open file in the parent: init. No other files are listed in /proc for that process. But I see in /proc that it has (had) over 320 sockets open.

-- Roger Oberholtzer
lsof -p PID see where it's located, my best guess would be that it's a perl script forking itself again if you kill it. Find the source file and remove it.
Oddly, that listed nothing. I think it is because stdout is redirected to a file, so that would show up as an open file in the parent: init. No other files are listed in /proc for that process. But I see in /proc that it has (had) over 320 sockets open.
-- Roger Oberholtzer

lsof should return the same content as it reads from /proc; if it works for other PIDs but not for that one, I'd suspect a root compromise.

-- Best regards, Nick Zeljkovic
participants (7): Aaron Kulkis, Kai Ponte, Marcus Meissner, Nick Zeljkovic, Pavol Rusnak, Roger Oberholtzer, Wolfgang Woehl