This morning, I noticed in my security email that my entire /usr/bin directory had setuid diffs set on them. I think I've been hacked. So I installed chkrootkit from ports and ran it. It showed not infected for everything, except NETSTAT. NETSTAT showed infected... I ran chkrootkit on another machine (at my office), and it showed not infected for everything. Both machines are running 4.7-STABLE. I can re-install and restore my data, that's not a problem, but I am a little confused...

When listing any directories, I see the following:

drwxr-xr-x 3 root wheel 18944 f 16:35 dev
drwxr-xr-x 2 root wheel 512 f 2002 dist
drwxr-xr-x 17 root wheel 4608 f 08:35 etc
lrwxr-xr-x 1 root wheel 9 f 2002 home -> /usr/home
-r-xr-xr-x 1 root wheel 2326346 f 06:51 kernel
-r-xr-xr-x 1 root wheel 3258128 f 2000 kernel.GENERIC
-r-xr-xr-x 1 root wheel 2301572 f 2002 kernel.old
drwxrwxrwx 2 root wheel 512 f 2002 lib
drwxrwxrwx 3 root wheel 512 f 2002 log
lrwxr-xr-x 1 root wheel 19 f 2002 logfiles -> /usr/local/www/logs
drwxr-xr-x 2 root wheel 512 f 2000 mnt
drwxr-xr-x 2 root wheel 4096 f 06:52 modules
drwxr-xr-x 2 root wheel 4096 f 06:51 modules.old
drwxr-xr-x 2 root wheel 512 f 2002 old
dr-xr-xr-x 1 root wheel 512 f 08:37 proc
drwxrwxrwx 2 root wheel 512 f 18:58 ris_datalogs
drwxr-xr-x 4 root wheel 512 f 2002 root
drwxr-xr-x 2 root wheel 2048 f 04:36 sbin
drwxr-xr-x 5 root wheel 1024 f 2002 stand
lrwxr-xr-x 1 root wheel 11 f 18:04 sys -> usr/src/sys
drwxrwxrwt 4 root wheel 512 f 08:36 tmp
drwxr-xr-x 19 root wheel 512 f 2002 usr
drwxr-xr-x 22 root wheel 512 f 2002 var
lrwxr-xr-x 1 root wheel 19 f 2002 www -> /usr/local/www/data

Notice the f in place of the date? What does that mean? Does it look like I've been hacked? I've already changed all my passwords. Any insight on the f in the date would be appreciated.
Thanks in advance
Peter
----------------------------------------------------------------------------------------------------------
Peter Elsner <peter@servplex.com>
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know, pretend you don't know me.
Standard $500/message proofreading fee applies for UCE.
> Notice the f in place of the date? What does that mean?

Perhaps someone has installed a different ls command (and, presumably, others). Try doing "truss ls" to see if it is reading any sort of strange file. Rootkits used to have configuration files hidden in weird places.

Borja.
Thanks,
Here's the output of truss ls
mmap(0x0,1968,0x3,0x1000,-1,0x0) = 671490048 (0x28062000)
munmap(0x28062000,0x7b0) = 0 (0x0)
__sysctl(0xbfbffab4,0x2,0x280609a8,0xbfbffab0,0x0,0x0) = 0 (0x0)
mmap(0x0,32768,0x3,0x1002,-1,0x0) = 671490048 (0x28062000)
geteuid() = 0 (0x0)
getuid() = 0 (0x0)
getegid() = 0 (0x0)
getgid() = 0 (0x0)
open("/var/run/ld-elf.so.hints",0x0,00) = 3 (0x3)
read(0x3,0xbfbffa94,0x80) = 128 (0x80)
lseek(3,0x80,0) = 128 (0x80)
read(0x3,0x28067000,0x53) = 83 (0x53)
close(3) = 0 (0x0)
access("/usr/lib/libncurses.so.5",0) = 0 (0x0)
open("/usr/lib/libncurses.so.5",0x0,027757775414) = 3 (0x3)
fstat(3,0xbfbffadc) = 0 (0x0)
read(0x3,0xbfbfeaac,0x1000) = 4096 (0x1000)
mmap(0x0,266240,0x5,0x2,3,0x0) = 671522816 (0x2806a000)
mmap(0x2809f000,36864,0x3,0x12,3,0x34000) = 671739904 (0x2809f000)
mmap(0x280a8000,12288,0x3,0x1012,-1,0x0) = 671776768 (0x280a8000)
close(3) = 0 (0x0)
access("/usr/lib/libc.so.4",0) = 0 (0x0)
open("/usr/lib/libc.so.4",0x0,027757775414) = 3 (0x3)
fstat(3,0xbfbffadc) = 0 (0x0)
read(0x3,0xbfbfeaac,0x1000) = 4096 (0x1000)
mmap(0x0,626688,0x5,0x2,3,0x0) = 671789056 (0x280ab000)
mmap(0x2812c000,20480,0x3,0x12,3,0x80000) = 672317440 (0x2812c000)
mmap(0x28131000,77824,0x3,0x1012,-1,0x0) = 672337920 (0x28131000)
close(3) = 0 (0x0)
mmap(0x0,608,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
munmap(0x28144000,0x260) = 0 (0x0)
mmap(0x0,4576,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
munmap(0x28144000,0x11e0) = 0 (0x0)
mmap(0x0,13304,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
munmap(0x28144000,0x33f8) = 0 (0x0)
sigaction(SIGILL,0xbfbffb34,0xbfbffb1c) = 0 (0x0)
sigprocmask(0x1,0x0,0x280608dc) = 0 (0x0)
sigaction(SIGILL,0xbfbffb1c,0x0) = 0 (0x0)
sigprocmask(0x1,0x280608a0,0xbfbffb5c) = 0 (0x0)
sigprocmask(0x3,0x280608b0,0x0) = 0 (0x0)
readlink("/etc/malloc.conf",0xbfbff3d8,63) ERR#2 'No such file or directory'
mmap(0x0,4096,0x3,0x1002,-1,0x0) = 672415744 (0x28144000)
break(0x804f000) = 0 (0x0)
break(0x8050000) = 0 (0x0)
open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
fstat(3,0xbfbff348) = 0 (0x0)
break(0x8054000) = 0 (0x0)
read(0x3,0x8050000,0x4000) = 70 (0x46)
break(0x8055000) = 0 (0x0)
read(0x3,0x8050000,0x4000) = 0 (0x0)
close(3) = 0 (0x0)
ioctl(1,TIOCGETA,0xbfbff54c) = 0 (0x0)
ioctl(1,TIOCGWINSZ,0xbfbff5b0) = 0 (0x0)
getuid() = 0 (0x0)
stat(".",0xbfbff498) = 0 (0x0)
open(".",0x0,00) = 3 (0x3)
fchdir(0x3) = 0 (0x0)
open(".",0x0,00) = 4 (0x4)
stat(".",0xbfbff448) = 0 (0x0)
open(".",0x4,05001215475) = 5 (0x5)
fstat(5,0xbfbff448) = 0 (0x0)
fcntl(0x5,0x2,0x1) = 0 (0x0)
__sysctl(0xbfbff300,0x2,0x28142300,0xbfbff2fc,0x0,0x0) = 0 (0x0)
fstatfs(0x5,0xbfbff348) = 0 (0x0)
getdirentries(0x5,0x8053000,0x1000,0x804e0f4) = 1024 (0x400)
break(0x8056000) = 0 (0x0)
getdirentries(0x5,0x8053000,0x1000,0x804e0f4) = 0 (0x0)
lseek(5,0x0,0) = 0 (0x0)
close(5) = 0 (0x0)
fchdir(0x4) = 0 (0x0)
close(4) = 0 (0x0)
fstat(1,0xbfbff278) = 0 (0x0)
break(0x8057000) = 0 (0x0)
ioctl(1,TIOCGETA,0xbfbff2ac) = 0 (0x0)
._Lonetar cgi kernel.GENERIC modules.old sys
write(1,0x8056000,46) = 46 (0x2e)
.cshrc compat kernel.old old tmp
write(1,0x8056000,36) = 36 (0x24)
.profile dev lib proc usr
write(1,0x8056000,29) = 29 (0x1d)
COPYRIGHT dist log ris_datalogs var
write(1,0x8056000,38) = 38 (0x26)
bin etc logfiles root www
write(1,0x8056000,29) = 29 (0x1d)
boot home mnt sbin
write(1,0x8056000,22) = 22 (0x16)
cdrom kernel modules stand
write(1,0x8056000,30) = 30 (0x1e)
exit(0x0) process exit, rval = 0
I'm not exactly sure what I'm looking at... Do you see anything out of the ordinary?
Thanks again...
PS: I also did an md5 /usr/bin/netstat and got back the following:
MD5 (/usr/bin/netstat) = b008226a10f92a397b2d3a045116343c
Then I went back to my other box (at the office), and did the same thing...
MD5 (/usr/bin/netstat) = 9fdb023cf58ded3cb03fabe0acf04145
They are different... I also just noticed that one of our customers got the same security email this morning, with the setuid differences... Also running 4.7-RELEASE...
Peter
At 03:46 PM 5/9/2003 +0200, you wrote:
> > Notice the f in place of the date? What does that mean?
>
> Perhaps someone has installed a different ls command (and,
> presumably, others). Try doing "truss ls" to see if it is reading any
> sort of strange file. Rootkits used to have configuration files hidden in
> weird places.
>
> Borja.
On Fri, 9 May 2003, Borja Marcos wrote:
> > Notice the f in place of the date? What does that mean?
>
> Perhaps someone has installed a different ls command (and, presumably,
> others). Try doing "truss ls" to see if it is reading any sort of
> strange file. Rootkits used to have configuration files hidden in weird
> places.

This assumes that truss is OK ;-) Perhaps take the truss from your other 4.7 machine ...

--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/
At 08:25 AM 5/9/2003, Bjoern A. Zeeb wrote:
> This assumes that truss is OK ;-) Perhaps take the truss from your
> other 4.7 machine ...

Yes, you do have to be careful of this. I recently investigated a machine that had been "owned," and when truss was applied to some commands (e.g. netstat) it produced no output.

--Brett
On Fri, 09 May 2003 10:45:20 -0500 Peter Elsner wrote:
> Here's what's in /dev/fd/.99
>
> # cd /dev/fd/.99
> # ll
> -rw-r--r-- 1 root wheel 70 May 2 18:05 .ttyf00
>
> The contents of that file are:
>
> # more .ttyf00
> .99
> .ttyf00
> .ttyp00
> in.inetd
> sshd
> /sbin/sshd
> /usr/sbin/in.inetd
> .fx
>
> I have already restored my ls and now my dates are back to normal... I
> have also restored netstat.
>
> I am now going to do a complete re-install of all binaries...
>
> Before I do, let me know if there's anything else you need...
>
> Peter

Doing a complete reinstall is all good and well, but installing a rootkit means that the cracker used a hole to gain the required permissions to do so. Which in practicality means that you will need to patch the hole as well. Unfortunately I cannot offer any advice on finding the hole, but mayhaps some other security guru on this list may be able to steer you in the right direction?

Adam
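A defender-side check that follows from the truss trace and the .ttyf00 hide-list discussed in this thread, added here as an example and not code from any poster: it pulls the paths that ls opens out of a truss trace, flags any outside an allow-list of loader and library files (the allow-list is an assumption constructed for this example) or containing a hidden dot-component, treats a trace with no exit() line as untrustworthy (the no-output case Brett describes), and reports which real directory entries a name list like .ttyf00 would suppress. The sample trace and config below are constructed copies in the format shown in the thread.

```python
import re

# Files a clean FreeBSD 4.x ls touches while starting up. Assumption: this
# allow-list is constructed for the example from the trace in the thread.
EXPECTED = ("/var/run/ld-elf.so.hints", "/usr/lib/", "/etc/malloc.conf")

# truss prints each call as name("path",...) = result; only path-taking calls matter.
SYSCALL_RE = re.compile(r'^(open|access|readlink|stat)\("([^"]+)"')

def opened_paths(trace_lines):
    """Absolute paths named in file-opening syscalls, in trace order."""
    paths = []
    for line in trace_lines:
        m = SYSCALL_RE.match(line.strip())
        if m and m.group(2).startswith("/"):   # "." is just the directory being listed
            paths.append(m.group(2))
    return paths

def suspicious_opens(trace_lines):
    """Opens outside the allow-list, or with a dot-prefixed (hidden) component."""
    flagged = []
    for p in opened_paths(trace_lines):
        hidden = any(part.startswith(".") for part in p.split("/") if part)
        if hidden or not p.startswith(EXPECTED):
            flagged.append(p)
    return flagged

def trace_looks_empty(trace_lines):
    """A real run of ls always reaches exit(); a trace without it is not trustworthy."""
    return not any(l.strip().startswith("exit(") for l in trace_lines)

def hidden_by_config(dir_entries, config_text):
    """Entries of a real directory listing that a name-hiding list would suppress."""
    hide = {n.strip() for n in config_text.splitlines() if n.strip()}
    return [e for e in dir_entries if e in hide]

# Constructed sample trace, modelled on the truss lines posted in the thread.
SAMPLE_TRACE = [
    'open("/var/run/ld-elf.so.hints",0x0,00) = 3 (0x3)',
    'access("/usr/lib/libc.so.4",0) = 0 (0x0)',
    "readlink(\"/etc/malloc.conf\",0xbfbff3d8,63) ERR#2 'No such file or directory'",
    'open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)',
    'open(".",0x0,00) = 3 (0x3)',
    'exit(0x0) process exit, rval = 0',
]
# Constructed copy of the hide-list format shown in the thread (the .ttyf00 contents).
SAMPLE_CONFIG = ".99\n.ttyf00\n.ttyp00\nin.inetd\nsshd\n/sbin/sshd\n/usr/sbin/in.inetd\n.fx\n"

if __name__ == "__main__":
    print("suspicious opens:", suspicious_opens(SAMPLE_TRACE))
    print("would be hidden in /dev/fd:", hidden_by_config([".99", "0", "1", "2"], SAMPLE_CONFIG))
```

Run the trace with a truss binary copied from a known-clean host, as Bjoern suggests, since a trojaned truss can suppress exactly the open() line this script looks for.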