CentOS - Dec 2006 - I've been hacked -- what should I do next?

My home system has been hacked.  It's running CentOS 4.4, and I  
recently added an account to play around with Samba shares to back up  
PCs here at home.  I had set a weak password for that account and  
forgot to disable it after my testing.  I could hear the disk being  
accessed constantly, so I knew something was up.  I disabled the port  
forwarding to my CentOS box on my Linksys router (only ports 22 and  
80 were being forwarded).  After some poking around, I found the  
following files in the directory "/var/tmp/  /..   ":

-rw-rw-r--  1 backup backup   9468 Dec  1 00:20 azi2.seen
-rw-rw-r--  1 backup backup   9513 Dec  1 00:20 azi3.seen
-rw-rw-r--  1 backup backup   9513 Dec  1 00:20 azi4.seen
-rwxr-xr-x  1 backup backup 504464 Feb 10  2005 -bash
-rwx--x--x  1 backup backup  22936 Feb 10  2005 kswap.help
-rw-r--r--  1 backup backup   1085 Dec  1 00:00 kswap.levels
-rw-------  1 backup backup      5 Nov 29 17:28 kswap.pid
-rw-r--r--  1 backup backup   1480 Dec  1 00:00 kswap.session
-rw-r--r--  1 backup backup   4731 Dec 25  2005 kswap.set
-rw-r--r--  1 backup backup 165073 Dec  1 00:26 LinkEvents
-rw-r--r--  1 backup backup    258 Dec  1 00:00 mech2.users
-rw-r--r--  1 backup backup    258 Dec  1 00:00 mech3.users
-rw-r--r--  1 backup backup    258 Dec  1 00:00 mech4.users
-rw-r--r--  1 backup backup    258 Jun 28  1999 mech.users
-rwxr-xr-x  1 backup backup 174396 May 17  2004 pico

Anyone recognize this root kit (if that is what it is)?  I've  
disabled the backup account, and re-enabled port forwarding on my  
router (so I can access the system from home).  Other than deleting  
these files, is there anything else I should worry about?  I'd rather  
not re-install the OS...

Alfred

Alfred von Campe wrote:
> My home system has been hacked.  It's running CentOS 4.4, and I 
> recently added an account to play around with Samba shares to back up 
> PCs here at home.  I had set a weak password for that account and 
> forgot to disable it after my testing.  I could hear the disk being 
> accessed constantly, so I knew something was up.  I disabled the port 
> forwarding to my CentOS box on my Linksys router (only ports 22 and 80 
> were being forwarded).  
if for sure only 22 and 80 were forwarded, then it wasn't Samba.  

There's no default account I see here on my 4.4 boxes named backup, was 
that something you'd created?   some package you'd installed?

what was on your website?   any canned php scripting or whatever?


re: cleanup...   look very carefully for directories in odd places with 
. names

I'd run rkhunter to see if tehre's any other well known root kits on 
your system.

Alfred von Campe wrote:
> Anyone recognize this root kit (if that is what it is)?  I've disabled
> the backup account, and re-enabled port forwarding on my router (so I
> can access the system from home).  Other than deleting these files, is
> there anything else I should worry about?  I'd rather not re-install
the
> OS...
My advice is to reinstall too.  Cleaning compromised machine is error
prone job.  Especially if that is something you have never done before.

Have you been running anything like Tripwire on that box?  Without it
(or somethine similar), and without its database that was stored off the
machine or on read-only media (CD/DVD) I'd be very reluctant to even
attempt cleaning the machine.

Anyhow, if you decide to proceed with cleaning attempt (and not
reinstall), boot from into the rescue mode from installation CD.  That
way you'll be using clean kernel and binaries to examine the system.  Do
not chroot into compromised file systems, since this could simply
trigger loading of rootkit (and than you won't see anything).

If you haven't been running tools like Tripwire, you could make fresh
installation on some spare system, undo prelink stuff on both machines
(prelink changes your binary files), create database on clean system,
copy it to the compromised system and run check.  This should find all
changed, added and removed files (if you do it properly), as long as you
run it from rescue mode.

The rpm in verify mode will find changed files, however it will not find
changes in configuration files.  It also won't be able to find added
files (for example kernel modules that are supposed to hide files from
you and tools such as rpm and/or tripwire).  But it might be good start.
 Again, run rpm from rescue mode, and do not chroot.  You don't want to
use (potentially modified) rpm from the file system, you want to use
clean rpm binary from installation media (it has couple of options to
point it to where the root file system is mounted).

You could also try to remove all kernels, than manually remove kernel
directories in /lib/modules, and reinstall kernel (again from rescue
mode, and avoid chrooting if possible).  This should get rid of
additional kernel modules that were part of rootkit.

There's plethora of other stuff to do or try.  But even if I went along
and made this posting 10 times longer than it already is, you wouldn't
be 100% sure you cleaned the machine.  Again, reinstall is really your
best friend here.  You'll probably spend way more time attempting to
clean up, than if you were simply to reinstall and restore data (and
only data, not config files or anything else, and watch for config files
that might be part of data) from backup.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20061201/5975a0f3/attachment-0001.sig>

On Dec 1, 2006, at 12:45 AM, Alfred von Campe wrote:
> enabled port forwarding on my router (so I can access the system  
> from home).  Other than deleting these files, is there anything  
> else I should worry about?  I'd rather not re-install the OS...
let me add another suggestion to the flood: once you've rebuilt the  
box, install DenyHosts (http://denyhosts.sourceforge.net/).  this  
tool is quite effective at blocking brute-force ssh attacks; not only  
will this make it much harder for an attacker even if you should  
happen to set a weak password on an account in the future, but it  
will also reduce the amount of CPU time and memory wasted on dealing  
with brute-force ssh attacks.

RPMs are available at sourceforge; the python 2.3 RPM works great on  
CentOS 4.

i'm sorry you're having to deal with this. :(

-steve

--
If this were played upon a stage now, I could condemn it as an  
improbable fiction. - Fabian, Twelfth Night, III,v

Scott Silva wrote:
> Aleksandar Milivojevic spake the following on 12/1/2006 12:43 PM:
>> Quoting Alfred von Campe <alfred at 110.net>:
>> 
>>> FWIW, the IP addresses are 172.178.63.167 (acb23fa7.ipt.aol.com)
and
>>> 61.43.153.30.  There is no reverse entry for the latter, so I
don't
>>> know who to contact.  I'll fire off an email to AOL (not that I
>>> think anything will happen).
>> 
>> You can use a whois database to find the info (for example, there's
>> web interface on www.ripe.net).  Info for 61.43.153.30 indicates
>> that this IP address is alocated to an provider in South Korea. 
>> Contact addresses included: 
>> 
>> inetnum:         61.32.0.0 - 61.43.255.255
>> netname:         BORANET-1
>> descr:           DACOM Corp.
>> descr:           Facility-based Telecommunication Service Provider
>> descr:           providing Internet leased-ine, on-line service, BLL
>> etc. country:         KR admin-c:         DB50-AP
>> tech-c:          DB50-AP
>> status:          ALLOCATED PORTABLE "status:" definitions
>> mnt-by:          APNIC-HM
>> mnt-lower:       MNT-KRNIC-AP
>> changed:         hostmaster at apnic.net
>> 20000918
>> source:          APNIC
>> 
>> role:            DACOM BORANET
>> address:         DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku, Seoul
>> country:         KR phone:           +82-2-2089-7755
>> fax-no:          +82-2-2089-0706
>> e-mail:          ipadm at nic.bora.net
>> e-mail:          abuse at bora.net
>> e-mail:          security at bora.net
>> admin-c:         EC115-AP
>> tech-c:          SIJ1-AP
>> nic-hdl:         DB50-AP
>> remarks:         IP address administrator group of NIC team, DACOM
>> Corp. remarks:         If related with spam, send mail to
>> abuse at bora.net
>> remarks:         If related with security, send mail to
>> security at bora.net remarks:         Only for whois information
>> correction, send mail to ipadm at nic.bora.net mnt-by:         
>> MNT-KRNIC-AP 
>> changed:         jeonsi at bora.net 20041105
>> source:          APNIC
> Hacked from Korea! There is a surprise!! ;-D
We're all assuming that the IP address wasn't spoofed...

Mark