Mailinglist Archive: opensuse-security (220 mails)

Intrusion
  • From: Antun Balaz <antun@xxxxxxxxxxxx>
  • Date: Mon, 24 Nov 2003 16:18:58 +0100 (CET)
  • Message-id: <Pine.LNX.4.44.0311241606280.11178-100000@xxxxxxxxxxxxxxxxxxxx>

Hi to all,
it seems that I have a serious problem, although I updated my SuSE 8.1
server quite recently (all security updates were applied).

I have two questions:

1) What to do right now to prevent any misconduct of my server?
2) How to clean up the server?

Description of the problem: one of my users (mvasilic) noticed that
someone from IP 81.196.122.7 logged in to his account (that IP originates
from Romania, and we are in Serbia). Close inspection shows that someone
was indeed logged in to our server from that IP, and was obviously running
some kind of rootkit:

------------------------------------------------------------------------
octopus:~ # ps aux | grep mvasilic
mvasilic 6620 0.0 0.2 1644 580 ? S Nov22 0:00 bash
mvasilic 3241 0.0 0.0 1380 4 ? S Nov22 0:00 ./root
root 11279 0.0 0.2 1624 600 pts/1 S 16:10 0:00 grep mvasilic
----------------------------------------------------------------------

In the /tmp directory there are several interesting files:

-----------------------------------------------------------------------
octopus:/tmp # ls -l | grep mvasilic
drwxr-xr-x 3 mvasilic users 72 2003-11-22 20:26
-rw-r--r-- 1 mvasilic users 0 2003-11-22 13:30 982235016-gtkrc-429249277
-rw-r--r-- 1 mvasilic users 4215 2003-11-22 21:08 lstermcap
-rwxr-xr-x 1 mvasilic users 5410 2003-11-22 21:11 own.so
-rw-r--r-- 1 mvasilic users 453 2003-11-22 21:10 report
-rw-r--r-- 1 mvasilic users 58 2003-11-22 21:10 suidprogs
----------------------------------------------------------------------

The file report says:

----------------------------------------------------------------------
octopus:/tmp # cat report
RwX Super Linux Xploit report :
========================================

.o. The scanner found /usr/bin/lpr could be xploitable.
.o. The scanner found /usr/X11R6/bin/X could be exploitable.
.o. The scanner found /usr/bin/crontab could be xploitable.
.o. The scanner found /bin/mount could be exploitable.

This script was originally scripted by so1o@xxxxxxxxxxxxxx
Modifications to Linux by Kbyte@xxxxxxxxxxx
2 bugs found.
---------------------------------------------------------------------

There is also the directory ' ', which contains the directory s:

---------------------------------------------------------------------
octopus:/tmp/ /s # ls -l
total 48
drwxr-xr-x 3 mvasilic users 144 2003-11-22 20:42 .
drwxr-xr-x 3 mvasilic users 72 2003-11-22 20:26 ..
drwxr-xr-x 9 mvasilic users 376 2003-01-14 14:34 .haos
-rwxr-xr-x 1 mvasilic users 37162 2003-07-19 22:37 c
-rwxr-xr-x 1 mvasilic users 35 2003-05-19 12:40 s
-rwxr-xr-x 1 mvasilic users 29 2003-05-17 04:46 t
--------------------------------------------------------------------

The directory .haos is a very rich one:

-------------------------------------------------------------------
octopus:/tmp/ /s/.haos # ls -l
total 146
drwxr-xr-x 9 mvasilic users 376 2003-01-14 14:34 .
drwxr-xr-x 3 mvasilic users 144 2003-11-22 20:42 ..
drwxr-xr-x 2 mvasilic users 120 2002-05-12 05:16 FTP
-rwxr-xr-x 1 mvasilic users 15633 2002-02-01 04:18 dat1
-rwxr-xr-x 1 mvasilic users 21794 2002-02-01 04:18 dat2
drwxr-xr-x 3 mvasilic users 96 2002-05-11 13:43 haos1
drwxr-xr-x 3 mvasilic users 96 2002-05-11 11:00 haos2
-rwxr-xr-x 1 mvasilic users 14380 2002-02-01 05:24 haosp
-rwxr-xr-x 1 mvasilic users 16500 2002-02-01 05:17 haosv
-rwxr-xr-x 1 mvasilic users 1560 2002-02-01 04:18 haosx
drwxr-xr-x 6 mvasilic users 1920 2002-03-30 05:30 libpcap-0.6.2
drwxr-xr-x 11 mvasilic users 392 2003-01-07 00:26 massrooter
drwxr-xr-x 2 mvasilic users 272 2002-10-02 15:31 nebunu
drwxr-xr-x 2 mvasilic users 408 2002-01-12 18:00 strobe
-rwx------ 1 mvasilic users 64652 2002-04-01 19:45 superwu
----------------------------------------------------------------

And so on.

Please, help!

Best regards,

Antun Balaz
Institute of Physics, Belgrade
Serbia and Montenegro
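An added example, not part of the original mail or of any reply to it: a small shell script that gathers, in a repeatable way, the evidence the poster collected by hand (directory names made of whitespace or hidden under /tmp, setuid/setgid files, where a running process such as ./root was started from, and logins from the reported address in a syslog-style sshd log). It assumes a Linux host with /proc and a find that understands -mindepth/-maxdepth; the directory layout and the two sshd log lines it builds for the demo are constructed to mirror the listing above and are not data from the server.

```shell
#!/bin/sh
# Added triage example, not code from the original mail. Read-only: it only
# collects evidence and changes nothing on the host.
# Assumptions (not facts from the mail): Linux /proc, GNU-style find, a
# syslog-format sshd log; paths, PID and IP are supplied by the caller.

# 1. Entries directly under a scratch directory whose names are hidden (.foo)
#    or contain whitespace, like the '/tmp/ /s' tree in the mail. Note that
#    /tmp normally also holds .X11-unix and similar, so review hits by hand.
odd_names() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -name '.*' -o -name '*[[:space:]]*' \) -print 2>/dev/null
}

# 2. setuid/setgid files below a directory: the defender's view of what the
#    attacker's 'suidprogs' list was enumerating. Run it on /tmp and on /.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# 3. Where a live process really comes from. /proc/PID/exe keeps pointing at
#    the binary even after it was unlinked, and cwd shows the drop directory.
proc_origin() {
    pid=$1
    [ -d "/proc/$pid" ] || { printf 'pid %s: not running\n' "$pid"; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    printf 'pid=%s exe=%s cwd=%s\n' "$pid" "$exe" "$cwd"
    case "$exe" in
        *'(deleted)'*) echo '  WARNING: executable was removed after exec' ;;
    esac
}

# 4. Lines in an sshd log that record a connection from the given address.
#    The trailing space keeps 10.0.0.5 from matching 10.0.0.50.
logins_from() {
    grep -F -- "from $1 " "$2" 2>/dev/null
}

# Constructed fixture (not real host data): a directory tree mirroring the
# listing in the mail plus two invented sshd log lines. Prints its path.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/ /s/.haos"
    : > "$t/report"
    : > "$t/ /s/c"
    chmod 4755 "$t/ /s/c"        # pretend the dropped binary is setuid
    printf '%s\n' \
        'Nov 22 13:29:41 octopus sshd[6601]: Accepted password for mvasilic from 81.196.122.7 port 4512 ssh2' \
        'Nov 22 13:40:02 octopus sshd[6640]: Accepted password for antun from 10.0.0.5 port 1022 ssh2' \
        > "$t/messages"
    printf '%s\n' "$t"
}

# `sh triage.sh demo` exercises everything on the constructed fixture.
case "${1:-}" in
demo)
    f=$(make_fixture)
    echo "== hidden/whitespace names directly under $f"; odd_names "$f"
    echo "== the same check one level down, in $f/ /s"; odd_names "$f/ /s"
    echo "== setuid/setgid files below $f"; setid_files "$f"
    echo "== origin of this shell (pid $$)"; proc_origin "$$"
    echo "== logins from 81.196.122.7"; logins_from 81.196.122.7 "$f/messages"
    rm -rf "$f"
    ;;
esac
```

On the real box the calls would be odd_names /tmp, setid_files /, proc_origin with the PID of ./root, and logins_from with the address and the actual log file. Two caveats apply: ls, ps, find and grep on a compromised host may themselves have been replaced, so anything they show should be confirmed from a clean boot medium or a disk image; and the script deliberately only reads, which is the right scope for a first response before the machine is taken off the network and rebuilt.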