Re: possibly hacked

Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> · Sun, 19 Nov 2006 09:47:31 +0100

El Jueves, 16 de Noviembre de 2006 22:56, olga@xxxxxxxxxxxxxx escribió:
> > On Thu, 2006-11-16 at 10:26 -0600, olga@xxxxxxxxxxxxxx wrote:
> >> Hi,
> >>
> >>  I wrote about kernel errors which somebody pointed out was because the
> >> server was running out of memory.
> >>
> >> Now I found the following which makes me think that that server may have
> >> been compromized.
> >>
> >> Here's what I get when I issued: netstat -nap
> >>
> >> tcp    0      0 131.x.x.x:38423       72.x.x.x:80      ESTABLISHED
> >> 5226/ps x
> >> tcp    0      0 131.x.x.x:38420       72.x.x.x:80      ESTABLISHED
> >> 5365/ps x
> >>
> >> About a hundred instances of that program 'ps x' running.
> >>
> >> Also here's what ps -ef produced:
> >>
> >> apache    6323     1  0 10:30 ?        00:00:00 ps x
> >> apache    6324     1  0 10:30 ?        00:00:00 ps x
> >> apache    6326     1  0 10:30 ?        00:00:00 ps x
> >> apache    6328     1  0 10:30 ?        00:00:00 ps x
> >> apache    6330     1  0 10:30 ?        00:00:00 ps x
> >
> > What does ls -l /proc/6323/exe say?  That would be a symlink to the
> > executable for that process.  Normal ps lives in /bin so the link should
> > point at /bin/ps.  If it is connecting out to a remote host, it's likely
> > not the normal ps, just something that's masking itself to make it less
> > likely to get picked up.
> >
> > --
> > David Hollis <dhollis@xxxxxxxxxxxxxx>
>
> apache    3102     1  0 15:53 ?        00:00:00 httpd
> apache    3104     1  0 15:53 ?        00:00:00 httpd
> apache    3106     1  0 15:53 ?        00:00:00 httpd
> apache    3108     1  0 15:53 ?        00:00:00 httpd
> apache    3110     1  0 15:53 ?        00:00:00 httpd
> apache    3112     1  0 15:53 ?        00:00:00 httpd
> apache    3114     1  0 15:53 ?        00:00:00 httpd
> apache    3116     1  0 15:53 ?        00:00:00 httpd
> apache    3118     1  0 15:53 ?        00:00:00 httpd
> apache    3120     1  0 15:53 ?        00:00:00 httpd
> apache    3122     1  0 15:53 ?        00:00:00 httpd
> apache    3125     1  0 15:54 ?        00:00:00 httpd
> apache    3127     1  0 15:54 ?        00:00:00 httpd
> apache    3129     1  0 15:54 ?        00:00:00 httpd
> apache    3131     1  0 15:54 ?        00:00:00 httpd
> apache    3133     1  0 15:54 ?        00:00:00 httpd
> apache    3135     1  0 15:54 ?        00:00:00 httpd
> apache    3137     1  0 15:54 ?        00:00:00 httpd
> apache    3139     1  0 15:54 ?        00:00:00 httpd
> apache    3141     1  0 15:54 ?        00:00:00 httpd
> apache    3143     1  0 15:54 ?        00:00:00 httpd
> apache    3145     1  0 15:54 ?        00:00:00 httpd
> apache    3639     1  0 15:57 ?        00:00:00 ps x
> apache    3642     1  0 15:57 ?        00:00:00 ps x
> apache    3645     1  0 15:58 ?        00:00:00 ps x
> apache    3647     1  0 15:58 ?        00:00:00 ps x
>
>
> I am getting a ton of these...
> Here's what ls -l /proc/3147/exe  says
> lrwxrwxrwx    1 apache   apache          0 Nov 16 15:56 /proc/3147/exe ->
> /usr/bin/perl
>
> When I do netstat -nap I get:
> tcp        0      0 131.x.x.x:44160       72.14.x.x:80 ESTABLISHED -
> tcp        0      0 131.x.x.x:44161       72.14.x.x:80 ESTABLISHED -
> tcp        0      0 131.x.x.x:44162       72.14.x.x:80 ESTABLISHED -
>
> The ip points to google...
>
> And these appeared in the /tmp folder:
>
> drwxrwxrwt    8 root     root         4096 Nov 16 16:00 .
> drwxr-xr-x   23 root     root         4096 Nov 16 14:35 ..
> srwx------    1 root     nobody          0 Nov 16 14:36 .fam_socket
> drwxrwxrwt    2 xfs      xfs          4096 Nov 16 14:35 .font-unix
> srw-rw-rw-    1 root     root            0 Nov 16 14:36 .gdm_socket
> -rw-r--r--    1 apache   apache          0 Nov 15 15:20 .httpd
> drwxrwxrwt    2 root     root         4096 Nov 16 14:36 .ICE-unix
> drwx------    2 root     root         4096 Nov 16 14:59 mc-root
> drwx------    2 root     root        12288 Nov 16 15:16 orbit-root
> -rw-r--r--    1 apache   apache          0 Nov 16 15:58
> sess_azx3a4wq3x1f2aad4a34sxx1w2o52a45
> -rw-r--r--    1 apache   apache      11669 Nov 16 15:43
> sess_rdav631df3a1ddfaa34s1x1wwo521459
> -r--r--r--    1 root     root           11 Nov 16 14:36 .X0-lock
> drwxrwxrwt    2 root     root         4096 Nov 16 14:36 .X11-unix
>
> What is going on?
>

Finally...did they break into your system? Did you find something strange on 
the logs? I wonder what happened, give us some information this thread is 
quite interesting and will help other folks in a near future ;-)
One way or another, if they got shell access (even remote text shell, you 
know...) you should think about reinstalling your system, as far as i know, 
if the left a rootkit you must not trust your system anymore.

By the way, let me give you and advice, installing Babel Enterprise could be a 
nice idea, ( http://babel.sourceforge.net/en/ ), yeah yeah, it's GPL ;-)

Babel is an enterprise-grade auditing system to manage a consistency on 
security policy between different systems in a non-homogeneus architecture. 
Babel allows to manage very different operating systems, like AIX, Solaris, 
Windows 2000, Windows XP, Linux, *BSD or HPUX.

Babel allows administrator team to monitor the hardening level of their 
systems and keep constantly monitored, using periodic policy polling, and of 
course, a WEB Based, graphical reporting, and of course, a centralized 
management for all systems

There's a demo online, try it.

Hope this helps.
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list