Re: exploit or human

[Victor Calzado <vcalzado () gmail com>]

Hi,

Valentin Avram wrote:

> Hello.
>
> Most of the symptoms you describe and the "sudden" falling of more
> systems does point to a rootkit that was installed on the first
> compromised machine (FC2). That machine might have been later used to
> gain access to the other servers in your network.
>
>  
Yes, It sounds like a  script kiddies  compromise with worm infection too.

There are groups of Romanian IRC Script Kiddies  rooting   RedHat  7.3  
servers all over the world for quite a long time.
Is there any of this RedHat 7.3 server running wu-ftpd ftp server or a 
web server with https support?
 

> The segfaults when running usual commands (mostly grep, netstat, ps and
> so on) while some other software runs just fine makes the rootkit
> explaination quite certain. 
Tools and binaries used by this groups are oftenly infected with RST.b 
worm, that infects ELF headers in /bin files,
Red Hat 7.3 binaries get infected but are still functional but RST.b 
infection in Fedora led to unstable binaries that always seg fault, so a 
Fedora
infected system will no longer boot after infection.

> Also the failure to restart the server
> usually is a consequence of that. One way to make that sure is to get
> the hdd from the possibly compromised machine, put it on an offline
> system which has rkhunter (or other rootkit-detection software)
> installed and check it. After the signs you described, it quite very
> probably you'll find a rootkit.
>
> RH's before RHEL are ok (from the stability point of view) as long as
> you keep the exposed services uptodate (recompilation from source).
> Don't use the old software they come with, cause you might just open a
> door to your system.
>
>  
RedHat 7.3 servers should be replaced or updated.


> Kernel error messages may also be a sign of intrusion (local root
> exploit maybe, that breaks something).
>
>  

Yes, maybe a malformed or missused ptrace exploit  could  led to kernel 
instabillity.

> About firewall and passwords, that should have been the first step,
> before making any server accessible from the Internet.
>
> Also, be careful because once any server of yours got compromised, this
> means the attackers may already have the passwords for most of the users
> on that system.
>
>  

It seems that more than one server has been compromised, check every box 
of the network for intrussion evidences.

> About the last 7.3 you spoke about, it's posible (if the attackers
> haven't already got the machine) to see some intrusion trace in the
> system logs (or ssh and other services).
>
>  
You should run any antivirus software, clamav is free software and works 
fine, and search for worms an viri in linux systems.
You should get dd images from at least one of the compromised servers 
that could help to find out who the intruders are and how
could them compromise servers.

I'm sorry but probably you will find more infected systems all over your 
network. You will probably need to reinstall every compromised server
and any content recovered from an "infected" system should be scanned 
for viri and checked for rootkits.

Good luck,
Victor