I found out yesterday that our server has been intruded. The intruder even was able to su to root (according to the logs). They logged in via /dev/console, and via the bash history I was able to get the commands they typed in. They are as follows.

PROMPT_COMMAND='pwd>&7;kill -STOP $$'
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
cd "`echo -e '\057\150\157\155\145'`"
cd "`echo -e '\057'`"
cd "`echo -e '\057\166\141\162'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\154\151\145\156\164\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\163\141\155\142\141'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156\057\166\151\162\165\163\155\141\151\154\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\165\160\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"

Do any of you recognize these commands, and can tell me what they do? BTW, this is SuSE 8.0. I still haven't figured out how they got in. I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks.

--
Joe & Sesil Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871
God said, I AM that I AM. I say, by the grace of God, I am what I am.
Joe & Sesil Morris (NTM) wrote:
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
Those are all cd's to directories...: echo -e '\057\150\157\155\145\057\152\157\145' gives /home/joe, so it was a cd to /home/joe (maybe the intruder's account?). You can check the rest of the cds yourself ;)
BTW, this is SuSE 8.0. I still haven't figured out how they got in.
http://www.suse.de/en/support/download/updates/80_i386.html there you find a list of all security updates for 8.0 (some...)
I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks.
How did you try to compile it, and what's the error? First of all, you should take the box off the internet (if you haven't already done so ;), then use chkrootkit, or, if you used tripwire etc., check which files have changed. Marc's seccheck may also help. HTH Sven
Hi Joe,
I found out yesterday that our server has been intruded. The intruder even was able to su to root (according to the logs). They logged in via /dev/console, and via the bash history I was able to get the commands they typed in. They are as follows.

PROMPT_COMMAND='pwd>&7;kill -STOP $$'
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
cd "`echo -e '\057\150\157\155\145'`"
cd "`echo -e '\057'`"
cd "`echo -e '\057\166\141\162'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\154\151\145\156\164\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\163\141\155\142\141'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156\057\166\151\162\165\163\155\141\151\154\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\165\160\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
I'm not sure what this is supposed to do, but the character sequences expand to the following (the directories that he entered):

/home/joe
/home
/
/var
/var/spool
/var/spool/clientmqueue
/var/spool
/var/spool/mqueue
/var/spool
/var/spool/samba
/var/spool
/var/spool/vscan
/var/spool/vscan/virusmails
/var/spool/vscan
/var/spool
/var/spool/cups
/var/spool

This does not tell us what happened.
Do any of you recognize these commands, and can tell me what they do? BTW, this is SuSE 8.0. I still haven't figured out how they got in. I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks.
What services do you have open? Are you sure that everything is blocked? You don't have a single port reachable from the internet? (no sshd, no apache/apache-ssl, portmapper, ...?)

Roman.

--
Roman Drahtmüller <draht@suse.de>
SuSE Linux AG - Security, Nürnberg, Germany
Phone: +49-911-740530
"You don't need eyes to see, you need vision!" - Maxi Jazz, Faithless
On Saturday 27 July 2002 13:08, Joe & Sesil Morris (NTM) wrote:
I found out yesterday that our server has been intruded. The intruder even was able to su to root (according to the logs). They logged in via /dev/console, and via the bash history I was able to get the commands they typed in. They are as follows.

PROMPT_COMMAND='pwd>&7;kill -STOP $$'
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
<snip>

Do any of you recognize these commands, and can tell me what they do? BTW, this is SuSE 8.0. I still haven't figured out how they got in. I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks.
It's not an intrusion. I see loads of messages like that too in my bash history on an 8.0 box which isn't connected directly to the internet. I haven't yet investigated it further, but I think it's caused by mc (Midnight Commander). Do you use that too? -- GertJan
Hello, I think it's typical output from "Midnight Commander" and no hack. I also use mc, and when I walk through my history such lines appear. Greetings Mario
-----Original Message----- From: Joe & Sesil Morris (NTM) [mailto:Joe_Morris@ntm.org] Sent: Saturday, July 27, 2002 1:08 PM To: suse-security@suse.com Subject: [suse-security] [SLE] Security Help needed
I found out yesterday that our server has been intruded. The intruder even was able to su to root (according to the logs). They logged in via /dev/console, and via the bash history I was able to get the commands they typed in. They are as follows.

PROMPT_COMMAND='pwd>&7;kill -STOP $$'
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
cd "`echo -e '\057\150\157\155\145'`"
cd "`echo -e '\057'`"
cd "`echo -e '\057\166\141\162'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\154\151\145\156\164\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\163\141\155\142\141'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156\057\166\151\162\165\163\155\141\151\154\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\165\160\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
Do any of you recognize these commands, and can tell me what they do? BTW, this is SuSE 8.0. I still haven't figured out how they got in. I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks.
--
Joe & Sesil Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871
God said, I AM that I AM. I say, by the grace of God, I am what I am.
participants (5): GertJan Spoelman, Joe & Sesil Morris (NTM), M. Neubert, Roman Drahtmueller, Sven 'Darkman' Michels