Hi Joe,
I found out yesterday that our server has been intruded. The intruder was even able to su to root (according to the logs). They logged in via /dev/console, and via the bash history I was able to get the commands they typed in. They are as follows.

PROMPT_COMMAND='pwd>&7;kill -STOP $$'
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
cd "`echo -e '\057\150\157\155\145'`"
cd "`echo -e '\057'`"
cd "`echo -e '\057\166\141\162'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\154\151\145\156\164\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\163\141\155\142\141'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156\057\166\151\162\165\163\155\141\151\154\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\165\160\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
I'm not sure what this is supposed to do, but the character sequences expand to /home/joe /home / /var /var/spool /var/spool/clientmqueue /var/spool /var/spool/mqueue /var/spool /var/spool/samba /var/spool /var/spool/vscan /var/spool/vscan/virusmails /var/spool/vscan /var/spool /var/spool/cups /var/spool (the directories that he entered). This does not tell us what happened.
Do any of you recognize these commands, and can tell me what they do? BTW, this is SuSE 8.0. I still haven't figured out how they got in. I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks.
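The poster decoded the octal escapes by hand. As an added example (not part of the thread, and not code from either correspondent), the Python below does the same decoding mechanically: it pulls every `cd "`echo -e '...'`"` line out of a bash history, expands the escapes the way bash's builtin `echo -e` would (`\nnn`, `\0nnn`, `\xHH` and the single-letter escapes), and returns the directory trail in order plus a de-duplicated triage view. One contextual note that the mail itself does not state: the `PROMPT_COMMAND='pwd>&N;kill -STOP $$'` line and the `cd "`echo -e '<octal>'`"` form are exactly what GNU Midnight Commander's subshell writes into the shell it drives, so a history like this is consistent with someone navigating in mc rather than hand-obfuscating commands; the script flags that marker but, as the poster says, the trail only shows which directories were entered, not what was done there. The sample history is the one quoted above.

```python
import re

# Sample input: the bash history quoted in the mail above, one command per line.
HISTORY = r"""PROMPT_COMMAND='pwd>&7;kill -STOP $$'
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
cd "`echo -e '\057\150\157\155\145'`"
cd "`echo -e '\057'`"
cd "`echo -e '\057\166\141\162'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\154\151\145\156\164\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\163\141\155\142\141'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156\057\166\151\162\165\163\155\141\151\154\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\165\160\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
"""

# Escapes understood by bash's builtin `echo -e`: \0nnn and \nnn (octal),
# \xHH (hex), and the common single-letter escapes.
_ESCAPE = re.compile(r'\\(0[0-7]{0,3}|[0-7]{1,3}|x[0-9A-Fa-f]{1,2}|[\\abfnrtv])')
_LETTERS = {'\\': '\\', 'a': '\a', 'b': '\b', 'f': '\f',
            'n': '\n', 'r': '\r', 't': '\t', 'v': '\v'}


def decode_echo_escapes(text):
    """Expand `echo -e` escape sequences into the characters they would print."""
    def one(match):
        tok = match.group(1)
        if tok[0] == 'x':
            return chr(int(tok[1:], 16))
        if tok[0] in '01234567':
            return chr(int(tok, 8) & 0xFF)   # echo -e yields a single byte
        return _LETTERS[tok]
    return _ESCAPE.sub(one, text)


# The exact command shape in the history: cd "`echo -e '<escapes>'`"
_CD_ECHO = re.compile(r"cd\s+\"`echo -e '([^']*)'`\"")

# GNU Midnight Commander's subshell sets PROMPT_COMMAND='pwd>&N;kill -STOP $$'
# so it can read the shell's cwd through fd N. This is a fact about mc added
# here for context; the mail does not mention mc.
_MC_MARKER = re.compile(r"PROMPT_COMMAND='pwd>&\d+;kill -STOP \$\$'")


def decode_cd_trail(history):
    """Directories entered, in order, by every `cd "`echo -e ...`"` line."""
    trail = []
    for line in history.splitlines():
        match = _CD_ECHO.search(line)
        if match:
            trail.append(decode_echo_escapes(match.group(1)))
    return trail


def looks_like_mc_subshell(history):
    """True if the history carries Midnight Commander's subshell marker."""
    return bool(_MC_MARKER.search(history))


def summarize(history):
    """Unique directories visited, in first-seen order, for a quick triage view."""
    seen = []
    for directory in decode_cd_trail(history):
        if directory not in seen:
            seen.append(directory)
    return seen


if __name__ == "__main__":
    print("mc subshell marker present:", looks_like_mc_subshell(HISTORY))
    for directory in decode_cd_trail(HISTORY):
        print(directory)
```

The decoder only reads the history; it does not execute any of it, so it is safe to run against a history file copied off a suspect host. Because `echo -e` emits bytes, the octal branch masks to one byte; paths containing non-ASCII bytes would need a bytes-based variant, which is out of scope for the plain ASCII trail here.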
What services do you have open? Are you sure that everything is blocked?
You don't have a single port reachable from the internet? (no sshd, no apache/apache-ssl, portmapper, ...?)
Roman.
--
| Roman Drahtmüller