Well, I'm no expert, but... since you apparently had already been hacked prior to the reinstall (evidenced by the rm -rf /), I would wager that your reload from the image you have here is already rooted. Of course it could also be that the cracker is watching the system and actively rooting it, so that when you re-installed whatever method was previously used to crack the system was used again in short order. So, in either case I think a little research is in order to determine how to keep this particular bad guy out.
-----Original Message----- From: Jonathan Hutchins
... I reformatted the filesystem and restored an image I had here via rsync. By the next morning when someone was available to put it back on-line the restore had completed.
We got the system up and running again, and I restored configuration changes while the client restored HTML. By lunchtime everything was back in good shape.
I haven't done much with it since, but as I was getting ready to reboot after a kernel update this morning, I did a 'ps ax' and saw something called "rootedoor" running. (http://vil.mcafeesecurity.com/vil/content/v_128116.htm for info on rootedoor.) I went ahead with the reboot and it vanished, leaving no apparent trace. I immediately started checking for suspicious and modified files.
On Friday 25 February 2005 03:56 pm, Brian Densmore wrote:
> since you apparently had already been hacked prior to the reinstall (evidenced by the rm -rf /), I would wager that your reload from the image you have here is already rooted.
Nope. Checked that. The image was several weeks old, and while an exploit may have been planted, then used at a later date, I think this is unlikely. Any traces of the actual cause of the file disappearance were lost with the restore. (Personally, I am a bit suspicious that the primary client may have screwed something up.)
Having made a full restore and run for most of a week, hardware failure doesn't look likely, and the S.M.A.R.T. utils I subsequently installed don't indicate it.
> Of course it could also be that the cracker is watching the system and actively rooting it, so that when you re-installed whatever method was previously used to crack the system was used again in short order.
That is a distinct possibility - not exactly short order, but we may be on his list of easy marks. Then again, while there is a certain amusement to be had in simply destroying a system, it's not the way most people spend a lot of their time. I suppose one of the clients on the server could have annoyed someone sufficiently to motivate a repeated attack.
> So, in either case I think a little research is in order to determine how to keep this particular bad guy out.
Um, yes. I believe that's implied in my earlier query. In particular, there is the kernel update, and I will be looking for further ways to tighten CGI security, as well as looking for other clues.
One plan I think is rather valuable is to simply run the server and watch it very carefully.
On Fri, 25 Feb 2005, Jonathan Hutchins wrote:
> Um, yes. I believe that's implied in my earlier query. In particular, there is the kernel update, and I will be looking for further ways to tighten CGI security, as well as looking for other clues.
If you were running a version of awstats that was older than a couple of weeks, update it. It allows command execution via port 80 as your Apache owner. Also, versions of the Linux kernel older than 2.4.29 and 2.6.something had a bug that allowed a local root exploit. Put these two together, and you've got yourself a remote root exploit.
That's an educated guess, at least. Remote logging is my personal new security enhancement.
Regards,
-Don