Security Incidents mailing list archives

Re: Machine compromised


From: Petrus Repo <pantheon () sci fi>
Date: Thu, 10 Jan 2002 00:55:29 +0200 (EET)


On Wed, 9 Jan 2002, Jan van Rensburg wrote:

> Hi,
> One of our servers that's literally on the other side of the globe has been
> compromised on Saturday, 5 Jan. I'm not sure how the person got in, but it
> has to be either exim (early 2.x version), University of Washington IMAP/POP
> v 1.5.1 or Apache 1.3.9. It could also be that it was through ssh-1.2.26,
> although this is supposed to be firewall filtered, so I doubt it. The base
> machine is RedHat-5.2, but a lot has been changed since the original install
> about 3 years ago.

Considering that I couldn't find any info on how old UW-IMAP-1.5.1 is
(e.g. http://freshmeat.net/branches/11037/ lists only some "2000x" and
"2001y" versions), I would consider it rather old. Anyhow, I might be
wrong about the age, but if the version you're running is as old as your
sshd, I think it really might have some holes, considering Washington
University's reputation with wu-ftpd and Pine.


> But, for example:
> # mv ssh2d ssh2d_foo
> mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted
>
> As far as I can see lsmod has not been trojaned, and it doesn't look like
> there's any suspicious kernel modules loaded. So why do I get 'Operation not
> permitted' when I try to do anything to the files?

Say "lsattr <path>/ssh2d". If you see an "i" somewhere in the middle of
the dashes, the file has an immutable flag set. This means that even root
cannot modify the file until the flag is removed (by issuing chattr -i).
Read more from the manpages chattr(1) and lsattr(1).
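The check described above, as an added example that is not part of the original message: a small POSIX shell script that parses lsattr output and reports files carrying the immutable (i) or append-only (a) attribute, the two flags that make even root's mv/rm fail with "Operation not permitted". The paths and the embedded sample lsattr output are constructed for illustration; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): find files whose ext2 attributes
# would explain "Operation not permitted" for root.
#
# lsattr prints one line per file: "<flags> <path>", where <flags> is a
# run of dashes with letters for set attributes, e.g. "----i--------e--".
# The reply above says to look for an "i" in the middle of the dashes;
# this script does exactly that, and also catches "a" (append-only).

# Map a flag string to the names of the attributes that block modification.
# Prints "immutable", "append-only", "immutable,append-only" or nothing.
classify_lsattr_flags() {
    flags=$1
    tag=""
    case $flags in *i*) tag="immutable" ;; esac              # chattr +i
    case $flags in *a*) tag="${tag:+$tag,}append-only" ;; esac  # chattr +a
    printf '%s\n' "$tag"
}

# Read lsattr output on stdin; print "<tag> <path>" for each flagged file.
scan_lsattr_output() {
    while IFS=' ' read -r flags path; do
        [ -n "$flags" ] || continue
        tag=$(classify_lsattr_flags "$flags")
        if [ -n "$tag" ]; then
            printf '%s %s\n' "$tag" "$path"
        fi
    done
}

# Live check: run lsattr on each path given and report the flagged ones.
# Returns 1 if anything was flagged, so it can drive an alert from cron.
check_attrs() {
    rc=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        line=$(lsattr -d "$p" 2>/dev/null) || continue
        tag=$(classify_lsattr_flags "${line%% *}")
        if [ -n "$tag" ]; then
            printf 'FLAGGED %s: %s\n' "$tag" "$p"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample lsattr output (hypothetical paths) so the script
# demonstrates itself without touching the local filesystem.
SAMPLE_LSATTR='----i--------e-- /usr/local/sbin/ssh2d
-------------e-- /usr/local/sbin/sshd
-----a-------e-- /var/log/wtmp'

# Stand-alone demo on the sample; pass real paths as arguments to run live.
printf '%s\n' "$SAMPLE_LSATTR" | scan_lsattr_output
if [ $# -gt 0 ]; then
    check_attrs "$@"
fi
```

On the sample this prints the ssh2d binary as immutable and wtmp as append-only, while the unflagged sshd line is silent. Running it live on a compromised host has the same caveat the reply gives for lsmod: if lsattr or chattr themselves have been replaced, their output proves nothing, so copy known-good binaries from clean media (or examine the disk from a trusted system) before drawing conclusions.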

Secondly, if your machine is compromised you cannot trust the output of
e.g. lsmod. I recommend that you recompile your kernel without support for
modules and watch whether you get some unexpected "QM_MODULES: Function
not implemented" messages while booting. This is how you can *try* to find
out if your system attempts to install a kernel module backdoor during the
bootup. You can do it more securely by compiling a kernel on a machine you
know to be secure and uploading it to the hacked system. Nevertheless, I think
the best and most efficient way to survive a compromise is to
reinstall the whole system. (And you should not scorn the importance of
security updates, although you have services blocked by a firewall!)


 -Petrus


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com