Hi. I got this email (below) from someone saying that my server is attacking theirs. They used my IP in the subject line as well.
Is this what happens when a system is rooted? If I suspect that this has happened, is my best option to reinstall?
Matt
---------------
Hello, I am not sure if you are aware that your server is conducting a vulnerability search and is continually hitting my server. I am guessing that you are unaware of it since the attacking IP is riddled with personal pictures of yourself and your sister. Could you please look into this ASAP.
Grant.
---------------
On Sun, 13 Nov 2005, Matt Graham wrote:
> Hi. I got this email (below) from someone saying that my server is attacking theirs. They used my IP in the subject line as well.
> Is this what happens when a system is rooted? If I suspect that this has happened, is my best option to reinstall?
>
> Hello, I am not sure if you are aware that your server is conducting a vulnerability search and is continually hitting my server. I am guessing that you are unaware of it since the attacking IP is riddled with personal pictures of yourself and your sister. Could you please look into this ASAP. Grant.
Hunhh? I've never seen a "vulnerability search" that is "riddled with personal pictures" of "your sister".
This looks like crap, did the email contain an attachment with a windows executable format by chance?
And as to the question of what happens when a system is rooted, if it's rooted right you'll never even know.
Regards,
-Don
I wrote to this guy and asked him what he meant. There ARE a lot of pictures of me and my sister on that website. Vacation pics and things.
I ran chkrootkit and the only (possibly) negative results I got were:
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
Searching for suspicious files and dirs, it may take a while...
/usr/lib/j2se/1.4/jre/.systemPrefs
/usr/lib/j2se/1.4/jre/.systemPrefs/.systemRootModFile
/usr/lib/j2se/1.4/jre/.systemPrefs/.system.lock
/usr/lib/j2se/1.4/jre/.systemPrefs
I guess that since I even suspect that it's compromised, I should reinstall.
Matt
On Sun, 13 Nov 2005, Matt Graham wrote:
>>> Hi. I got this email (below) from someone saying that my server is attacking theirs. They used my IP in the subject line as well.
>>> Is this what happens when a system is rooted? If I suspect that this has happened, is my best option to reinstall?
>>>
>>> Hello, I am not sure if you are aware that your server is conducting a vulnerability search and is continually hitting my server. I am guessing that you are unaware of it since the attacking IP is riddled with personal pictures of yourself and your sister. Could you please look into this ASAP. Grant.
>>
>> Hunhh? I've never seen a "vulnerability search" that is "riddled with personal pictures" of "your sister".
>> This looks like crap, did the email contain an attachment with a windows executable format by chance?
>> And as to the question of what happens when a system is rooted, if it's rooted right you'll never even know.
>> Regards,
>> -Don
On Sun, 13 Nov 2005, Matt Graham wrote:
> I wrote to this guy and asked him what he meant. There ARE a lot of pictures of me and my sister on that website. Vacation pics and things.
Ah, so he meant that the website on the attacking IP was riddled with pictures of you and your sister? That at least makes some degree of sense, and assuming that the email was sent to an address that was on the website rather than "webmaster@ip.add.res.ss" these are all good clues as to the legitimacy of the email.
> I ran chkrootkit and the only (possibly) negative results I got were:
>
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
> Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/j2se/1.4/jre/.systemPrefs
> /usr/lib/j2se/1.4/jre/.systemPrefs/.systemRootModFile
> /usr/lib/j2se/1.4/jre/.systemPrefs/.system.lock
> /usr/lib/j2se/1.4/jre/.systemPrefs
>
> I guess that since I even suspect that it's compromised, I should reinstall.
Reinstalling from disc probably won't remove the exploited hole. There's lots of ways to exploit security holes without being root. There's another awstats vulnerability that lets anyone run perl commands on a box that runs it. I'd check the apache logs, grep for awstats and see if anything interesting comes up, if you're running awstats.
What distribution are you running, and do you subscribe to the security mailing list for that distro?
Regards,
-Don
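Don's suggestion to grep the Apache logs for awstats, worked out as a small script. This is an added example, not code from anyone in the thread: it narrows "grep for awstats" to awstats.pl requests whose query string carries shell metacharacters, raw or percent-encoded, which is the shape a command-injection attempt against a CGI script takes, and lists the client addresses behind them. The access-log lines, hosts and CONSTRUCTED markers are made up for the demonstration; on a real box point the functions at /var/log/apache*/access.log instead.

```shell
#!/bin/sh
# Added example, not from the thread. Don's suggestion is to grep the Apache
# logs for awstats; this narrows that to awstats.pl requests whose query string
# carries shell metacharacters, raw or percent-encoded, which is the shape a
# command-injection attempt against a CGI script takes. A legitimate report
# request (config=...&output=...) carries none of them.

# Constructed sample access log in Apache combined format. Hosts, paths and
# the CONSTRUCTED markers are made up for the demonstration.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [13/Nov/2005:09:12:01 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Nov/2005:09:12:07 -0600] "GET /cgi-bin/awstats.pl?config=example.org&output=main HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
192.0.2.77 - - [13/Nov/2005:09:30:44 -0600] "GET /cgi-bin/awstats.pl?configdir=%7cCONSTRUCTED%7c HTTP/1.0" 200 63 "-" "-"
192.0.2.77 - - [13/Nov/2005:09:30:52 -0600] "GET /cgi-bin/awstats.pl?configdir=|CONSTRUCTED| HTTP/1.0" 200 63 "-" "-"
198.51.100.9 - - [13/Nov/2005:10:01:13 -0600] "GET /photos/vacation/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF

# Shell metacharacters that have no business in an awstats query string,
# each in raw and percent-encoded form: | ` ; $
METACHARS='%7c|\||%60|`|%3b|;|%24|\$'

# Print every awstats.pl request line whose query string carries one of them.
flag_awstats_requests() {
    grep -i 'awstats\.pl' "$1" | grep -Ei -- "$METACHARS" || true
}

# Number of flagged lines (0 when the log is clean).
count_flagged() {
    flag_awstats_requests "$1" | grep -c .
}

# Distinct client addresses behind the flagged requests: the list to hand to
# an abuse contact and, in Matt's case, to compare against Grant's mail.
flagged_sources() {
    flag_awstats_requests "$1" | awk '{ print $1 }' | sort -u
}

# Stand-alone run against the constructed log.
echo "flagged requests: $(count_flagged "$SAMPLE_LOG")"
flag_awstats_requests "$SAMPLE_LOG"
echo "sources: $(flagged_sources "$SAMPLE_LOG" | tr '\n' ' ')"
```

The legitimate report request on the second line is left alone because nothing in its query string is a shell metacharacter; a hit on a real log does not prove the box is compromised, but it tells you which requests to read in full and which addresses to look for elsewhere in the logs.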
On Sunday 13 November 2005 09:58 am, Matt Graham wrote:
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
> Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/j2se/1.4/jre/.systemPrefs
> /usr/lib/j2se/1.4/jre/.systemPrefs/.systemRootModFile
> /usr/lib/j2se/1.4/jre/.systemPrefs/.system.lock
> /usr/lib/j2se/1.4/jre/.systemPrefs
>
> I guess that since I even suspect that it's compromised, I should reinstall.
Yea, your sentiments are correct. Unfortunately, you can't really say with certainty that your box is clean once it has been rooted. So, I would first get an idea of what kind of illegal stuff it has been participating in by getting some packet captures like this:
tcpdump -s 1550 -w mydump.bin -i eth1 not port 22
Then open up mydump.bin later on another box with Ethereal. That way you know what you might be accused of in the future and you have documentation.
When you reinstall, be sure you reformat your partitions before you install. Oh, and non-executables are fine to make backups of. They can't usually carry any malicious code. Be careful of your config files though.
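Jason's capture-as-documentation step, as an added example that is not from the thread. If the capture is meant to be evidence later, its hash needs to be recorded at capture time so that anyone reviewing it can show it was not altered afterwards. The tcpdump invocation is Jason's, wrapped in coreutils `timeout` so the capture ends by itself; the sealing helpers and the constructed stand-in file used for the stand-alone run are the addition, and the interface name and duration are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Jason's point is that the capture is
# documentation of what the box was doing; for that to hold up later the file
# needs a hash recorded at capture time, so a reviewer can show it was not
# altered afterwards. The tcpdump line is Jason's, run under timeout so the
# capture ends by itself; the sealing helpers are the addition.

# Record a SHA-256 of the capture beside it at capture time.
seal_capture() {
    sha256sum "$1" > "$1.sha256"
}

# Re-check a sealed capture later; returns 0 if it still matches, 1 if not.
verify_capture() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Capture on interface $1 into file $2 for $3 seconds (default 600), then seal
# the file. Full frames, everything except the admin's own ssh session (port
# 22). Needs root; run it on the suspect box, verify and read on another one.
start_capture() {
    iface="$1"; out="$2"; secs="${3:-600}"
    timeout "$secs" tcpdump -s 1550 -w "$out" -i "$iface" not port 22
    seal_capture "$out"
}

# Stand-alone demonstration on a constructed file (no tcpdump needed):
# a sealed file verifies, the same file with bytes appended does not.
demo=$(mktemp)
printf 'constructed stand-in for capture bytes\n' > "$demo"
seal_capture "$demo"
verify_capture "$demo" && echo "sealed capture verifies"
printf 'tampered\n' >> "$demo"
verify_capture "$demo" || echo "altered capture fails verification"
rm -f "$demo" "$demo.sha256"
```

Keep the .sha256 file (or a copy of its contents) somewhere other than the suspect box; a hash stored only next to the capture on a machine you already distrust proves little.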
On Sun, 13 Nov 2005, Jason Dewayne Clinton wrote:
> On Sunday 13 November 2005 09:58 am, Matt Graham wrote:
>> I guess that since I even suspect that it's compromised, I should reinstall.
>
> Yea, your sentiments are correct. Unfortunately, you can't really say with certainty that your box is clean once it has been rooted.
Yeah, he should probably reinstall, but what evidence do we have that the box has been rooted? I think that it's more likely that the www-data user that runs apache is compromised.
Since the flow of evidence has stopped, I dug around a bit and here's what I think may be happening:
Matt is running a debian box on a local IP, so there's a router port-forwarding www, ssh, ftp and whatnot. This means that _if_ his box was compromised by the linux worm that I referred to in an earlier post, the backdoor it installs on port 7111 or 7222 isn't available to the internet at large.
The worm opens a file called /tmp/lupii. If this file is there, then the worm has got you but the ownership of this file will tell you which user has been compromised. If Matt runs netstat -lp | grep lupii, then this will tell him if this worm has installed a listening daemon that, because of his specific setup, can essentially only listen to the wall.
The very fact that this backdoor is installed and running from /tmp tells you that this is (almost certainly) not a root exploit. Anybody can write to /tmp on most every box out there, but if you're root there are lots better places to hide things.
Since he's running debian, if he reinstalls and upgrades awstats and PHP, he should then be immune from this exploit.
Regards,
-Don
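Don's /tmp/lupii check, written out as a script. This is an added example, not code from Don or anyone else in the thread: it reports whether the indicator file exists, reads its owner (which, as Don says, tells you which account was compromised, www-data versus root), and then runs his netstat check with `ss` as a fallback for systems that no longer ship netstat (that fallback is an assumption about the box). The path argument exists only so the check can be exercised against a constructed file; on a real box call it with no argument.

```shell
#!/bin/sh
# Added example, not from the thread: Don's /tmp/lupii check as a small
# script. It reports whether the indicator file exists and who owns it (the
# owner says which account was compromised), then looks for a listening
# socket held by a process of that name. The path argument is there so the
# check can be exercised against a constructed file; on a real box call it
# with no argument.

# Classify the file owner: root means a possible root compromise, anything
# else points at a compromised unprivileged account such as www-data.
owner_class() {
    case "$1" in
        root) echo "root-level" ;;
        *)    echo "unprivileged ($1)" ;;
    esac
}

# Report on the indicator file. Returns 0 when absent, 1 when present.
check_lupii() {
    f="${1:-/tmp/lupii}"
    if [ ! -e "$f" ]; then
        echo "not found: $f"
        return 0
    fi
    owner=$(ls -ld "$f" | awk '{ print $3 }')
    echo "FOUND: $f owned by $owner ($(owner_class "$owner") compromise)"
    return 1
}

# Don's "netstat -lp | grep lupii", with ss as the fallback on systems that
# no longer ship netstat. Needs root to see other users' process names.
lupii_listeners() {
    name="${1:-lupii}"
    { netstat -lnp 2>/dev/null || ss -lnp 2>/dev/null; } | grep -i -- "$name" \
        || echo "no listening socket held by a process named $name"
}

# Stand-alone run: the real path first, then a constructed file to show the
# positive branch (the file is created here, not found on the system).
check_lupii
sample=$(mktemp)
check_lupii "$sample" || true
rm -f "$sample"
lupii_listeners
```

A file owned by www-data is consistent with Don's reading (the web application was the way in, not root); a file owned by root means the assumption that this was an unprivileged compromise no longer holds and the reinstall-from-clean-media advice applies in full.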
If you can, save the worm-- as evidence and "revenge"... One time I saw someone *trying* to hack my system via an Apache log entry... so I downloaded the script, neutered it, and let it connect to its IRC bot network... just sat there and collected the IPs of systems running the bot and started firing off emails to their administrators alerting them ;)