Possible compromised service
Hi,

A German warez group (from what I have been able to track down) has been uploading files to our server. The problem is that they've been appearing in our ftp incoming directory *but not through our ftp daemon*. Any such connections would have been logged and they haven't been. Neither were any ftpd processes seen running at a time when files were actively being uploaded. This (to my untrained eye) points to a compromised network service of some description.

First things first: is this the right place to discuss such things or would there be somewhere more relevant?

I'm running SuSE 7.1 with a self-compiled 2.4.2 kernel, and running apache 1.3.19, proftpd 1.2.2rc2, openssh 2.5.1p1, telnet, postfix-20010228pl03-9, qpopper-3.1.2, nfs-2.2, pidentd 3.1a17, samba 2.0.10, lprng 3.7.4, netatalk 1.4.99, portmap 5beta, XFree86 4.0.2 + kdm/kde2 2.1.1. Some of these were compiled from 7.2ftp source rpms, but the same exploit was taking place with standard 7.1ftp. As I'm running SuSE packages which have no known exploits that I can see, this is worrying for me and a potential worry for other SuSE users.

I've spent all day on a wild goose chase but hopefully tomorrow I'll be able to find more information (I'm tcpdumping all network traffic atm, so it just needs correlating the time files are uploaded with the traffic going on at the time, a lengthy process on a busy server ;0).

Any help will be greatly appreciated,
John Bland

--
John Bland M.Phys (Hons) AMInstP
PhD Student & Sys Admin        Email: j.bland at cmp.liv.ac.uk
Condensed Matter Group         http://ringtail.cmp.liv.ac.uk/
Liverpool University
"Hey, I wonder how much meat you get on a womble?" -- Eddie
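The correlation described in the post (files in the ftp incoming directory that no logged ftpd session can account for) can be scripted. This is an added example, not code from the thread: the file listing and session table are constructed sample data, and the function names are the example's own.

```python
"""Flag files in an FTP incoming directory that no logged ftpd session explains.

A file owned by the FTP account whose mtime falls outside every logged
session reached the directory by some path other than the FTP daemon,
which is the symptom reported above.
"""
from datetime import datetime, timedelta

# Constructed sample listing: (path, owner, mtime), as one might collect
# with `ls -l --time-style=full-iso` or `find -printf` on the real directory.
FILES = [
    ("incoming/pub.tar.gz", "ftp", datetime(2001, 7, 16, 10, 5, 0)),
    ("incoming/xyz.r00", "ftp", datetime(2001, 7, 16, 23, 41, 0)),
    ("incoming/xyz.r01", "ftp", datetime(2001, 7, 16, 23, 43, 0)),
]

# Constructed sample of logged ftpd sessions as (login, logout) pairs.
# A real proftpd or syslog extract would be parsed into this same shape.
SESSIONS = [
    (datetime(2001, 7, 16, 10, 0, 0), datetime(2001, 7, 16, 10, 12, 0)),
    (datetime(2001, 7, 16, 15, 30, 0), datetime(2001, 7, 16, 15, 35, 0)),
]


def in_any_session(mtime, sessions, slack=timedelta(seconds=60)):
    """True if mtime lies within some logged session, allowing clock slack."""
    return any(start - slack <= mtime <= end + slack for start, end in sessions)


def unexplained_uploads(files, sessions, service_owner="ftp"):
    """Return (path, mtime) for service-owned files with no covering session."""
    return [
        (path, mtime)
        for path, owner, mtime in files
        if owner == service_owner and not in_any_session(mtime, sessions)
    ]


if __name__ == "__main__":
    for path, mtime in unexplained_uploads(FILES, SESSIONS):
        print(f"{mtime:%Y-%m-%d %H:%M} {path}: no ftpd session covers this write")
```

The flagged mtimes give the time windows worth pulling out of the tcpdump capture, which narrows the "lengthy process on a busy server" to a few minutes of traffic.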
Just a quick update as there's been a lot of private mailing going on. I can't (after a reasonable amount of filesystem and network analysis) find any evidence of how the compromise happened or what was being used to upload the files. The most likely seems to be a trojan app of some sort. If it's a rootkit it's a tricky one.

The system will now be heavily firewalled (we don't need overly much access from offsite that secure things like ssh can't provide) and reinstalled. It also gives me a good opportunity to 'upgrade' to 7.2 anyway ;0).

Thanks to anyone who mailed me, you've all given me lots of information and support.

JB (just when you think things are going great...)
Hi,

Bit late perhaps, but have you checked if those files aren't uploaded from a CDR, ZIP or something like that? Other question: is it possible to gain local access to your server?

Other possible reason: as far as I know scp isn't logged by default, so if someone has an account he could upload something. And you're not able to find anything in the logs.

Don't know if it helps but .....

DL
On Tue, 17 Jul 2001, d_lord wrote:
> Hi,
> Bit late perhaps, but have you checked if those files aren't uploaded from a CDR, ZIP or something like that? Other question: is it possible to gain local access to your server?
Yes, but during the day it would be seen and the place is locked at night. The only really definite thing I do know is that they came in via the network.
> Other possible reason: as far as I know scp isn't logged by default, so if someone has an account he could upload something. And you're not able to find anything in the logs.
Using scp wouldn't explain the appearance of the files as being owned by ftp.daemon. A normal user wouldn't be able to chown the files, you can't log in as ftp, and if they had root I'd be highly surprised they haven't used it.

Cheers,
JB