Security Incidents mailing list archives

Re: Compromised...


From: ldavis () FASTQ COM (Lane Davis)
Date: Mon, 7 Feb 2000 23:40:08 -0700


If you're running SunOS it's always easy to tell if your binaries have
been replaced with Folgers Crystals instead of your regular sparc binaries--
as most of the code kiddies out there rebuild them with GCC compiled
executables.

However, I'll be the first to admit you shouldn't count on this (it's just
one of the first things I've noticed during a couple breakins at FastQ).

Just my $0.02.
/l

On 07-Feb-00 Steve Logan wrote:
This morning I tried to ssh to a domain I host on one of my boxes.  I soon
realized the domain wasn't resolving.  I then ssh'd to the ip of the box.
I discovered that named wasn't running.  I restarted it.  I was curious to
find out why it had died.  I started looking through the logs and I soon
realized my machine had been broken into. Several binaries had been
replaced.  (ps, ls, netstat, ...).  I replaced the ps and ls and found
some interesting things.  There was a process running called in,telnetd
(notice the comma).  I found this in "/usr/ /":

rwxr-xr-x   2 root     root         4096 Feb  6 21:41 .
drwxr-xr-x  20 root     root         4096 Feb  6 21:38 ..
-rw-r--r--   1 root     root           39 Feb  6 21:38 .l
-rw-r--r--   1 root     root           44 Feb  6 21:38 .n
-rw-r--r--   1 root     root           31 Feb  6 21:40 .p
-rws--x--x   1 root     root       281416 Feb  6 21:38 .tt
-rwxr-xr-x   1 root     root       373176 Feb  6 21:38 .ttb
-rw-r--r--   1 root     root          698 Feb  6 21:38 .ttf
-rwxr-xr-x   1 root     root         7860 Feb  6 21:38 in,telnetd
-rw-r--r--   1 root     root      2518030 Feb  7 10:52 sniff.log

After running strings on these files it appears they are a shell program
and password files.  The in,telnetd is logging all network traffic to
sniff.log.  All of the log files had been modified.  History was modified.
wtmp was modified.  inetd.conf was changed.  Several other things were
also changed.  There was a directory called ADMROCKS in /var/named.

Has anyone else experienced this?  How did they get in?  At this point I'm
pretty sure it was through named.  How should I go about cleaning it up?
Right now I think I'll just reinstall the RPM's off of the cd.  Will this
be enough (along with upgrading BIND)?  If anyone could share any useful
information please do so.

Thanks,
Steve Logan

+ --                                                                       -- +
| Lane Davis                We have not inherited the earth from our parents, |
| <ldavis () fastq com>        we've borrowed it from our children.              |
| Phone: 602-722-1200                                                         |
+ --                                                                       -- +


Current thread: