[NCLUG] I was hacked!

John L. Bass jbass at dmsd.com
Thu Dec 28 15:37:20 MST 2000


Our customers have had several systems hacked during the last year, the most
recent earlier this month. Post mortem on them has been interesting.

	Look for other things, as well -- my visitor was running a sniffer, but his 
	(her?) real reason for being here was to install an IRC bot, BNC proxy and 
	a DDoS flooding client.

Ditto for one of our customers' Rh6.2 machines which got hacked on 12/2. Didn't
notice it until the bandwidth for the customer went way up due to it flooding
a machine in NY.

	Most of my .bash_history files were symlinked to /dev/null.

Ditto.

	I do hope you have made sure your machine isn't still compromised.  My 
	hacker installed a rootkit that hid his traces rather well.  If I wouldn't 
	have been looking for them, I never would have found them.  For grins, 
	check the md5sum of your /bin/ls file.

On RedHat systems "rpm -V -a | more" is a better tool. There are quite a few
anomalies reported on normal systems, so saving it to a baseline file and
diff'ing the current results can be more useful - especially for an automated
monitor. A "tar cvf /dev/null / > tar.baseline" would be useful too. At some
point I would expect the root kit to include md5sum and tar too.

If you want to watch the attack progress, exporting the hacked filesystem with
nfs allows you to leave the machine compromised, but have some visibility besides
watching the traffic with snoop/tcpdump. At least you can count on uncompromised
tools for examining the filesystem ... active processes are a little trickier.

The attackers on our customers' systems replaced not only ls, but find, ps, and other
system tools to hide the IRC clients and directory/files. "tar cvf /dev/null /"
was the easy/only way to find the files involved. A number of new ".something"
files/directories appeared on the systems ... in /dev, /root, /usr/sbin, /usr/lib
containing the hackers' tools/files ... including an IRC log of over 100 machines
that were on the compromised network. From info in the IRC log, it appears
they automatically segment the hacked network when it reaches a certain size.
This probably allows for multiple hacked network segments to become compromised
and shut down ... but authorities never really can take them completely off the air.
Participating machines in the compromised network were largely university machines
(dorms) world wide, with a large number of dsl subscriber machines. Use of public
IRC servers to coordinate the network is an interesting twist ... and easy to
hide participation.

Has anyone in the linux community thought about banding together to actively hunt
and kill these slobs? Effective coordination would be interesting, especially
to minimize "moles" from diverting/hijacking the effort.

John

FYI - files which got hacked on the last attack follow ... notice the 506/506 and
date/time ... they just pushed a root kit distribution, and bang were in business.
They also added passwords to the lpd and ftp system accounts to telnet in, after
hacking /etc/hosts.allow to include authorization for other networks.

drwxr-xr-x lpd/1212          0 2000-12-09 01:35:37 tmp/. /
drwxr-xr-x lpd/1212          0 2000-12-09 01:36:07 tmp/. /.n/
-rw-r--r-- lpd/1212          5 2000-12-09 01:36:07 tmp/. /.n/.p
-rw------- lpd/1212        892 2000-12-09 01:36:06 tmp/. /.n/.ml
-rwx------ lpd/1212     124026 2000-11-12 01:25:22 tmp/. /.n/wu-nn
-rw-r--r-- lpd/1212        185 2000-11-21 18:44:43 tmp/. /.n/.se
-rw------- lpd/1212        193 2000-12-11 01:43:38 tmp/. /.n/.nc
-rwxr-xr-x 506/506       14201 2000-11-04 18:29:08 bin/bshell
-rwxr-xr-x 506/506       71347 2000-11-04 22:58:29 bin/login
-rwxr-xr-x 506/506      138283 2000-11-02 22:58:32 bin/ls
-rwxr-xr-x 506/506       30968 2000-11-02 22:58:32 bin/netstat
-rwxr-xr-x 506/506       28952 2000-11-02 22:58:32 bin/ps
-rw------- root/root       347 2000-12-13 21:45:28 dev/.own
-rw-r--r-- root/root       482 2000-10-07 04:25:56 etc/group
-rw------- root/root       469 2000-10-07 04:25:49 etc/group-
-r-------- root/root       398 2000-10-07 04:25:56 etc/gshadow
-rw------- root/root       388 2000-10-07 04:25:49 etc/gshadow-
-rwxr-xr-x 506/506         567 2000-11-05 15:21:45 etc/hosts.allow
-rwxr-xr-x 506/506        3375 2000-12-05 01:07:51 etc/inetd.conf
-rw-r--r-- root/root       840 2000-12-02 12:44:08 etc/passwd
-rw-r--r-- root/root       762 2000-10-07 04:50:50 etc/passwd-
-rwxr-xr-x root/root      1283 2000-12-02 12:44:11 etc/rc.d/rc.local
-rw-r--r-- root/root     11376 2000-12-02 12:44:10 etc/services
-r-------- root/root       903 2000-12-02 12:44:08 etc/shadow
-r-------- root/root       768 2000-10-07 04:50:50 etc/shadow-
drwxr-xr-x 506/506           0 2000-12-02 12:44:11 rk/
drwxr-xr-x 506/506           0 2000-12-02 12:44:08 rk/.../
-rw-r--r-- 506/506         121 2000-12-03 14:24:21 rk/.log
-rwxr-xr-x 506/506      138288 2000-11-02 22:58:32 usr/bin/dir
-rwxr-xr-x 506/506      101924 2000-11-02 22:58:32 usr/bin/du
-rwxr-xr-x 506/506       52984 2000-11-02 22:58:32 usr/bin/find
-rwxr-xr-x 506/506        9712 2000-11-02 22:58:32 usr/bin/killall
-rwxr-xr-x 506/506       32281 2000-11-02 22:58:32 usr/bin/pstree
-rwxr-xr-x 506/506       47604 2000-11-02 22:58:32 usr/bin/top
-rwxr-xr-x 506/506      138289 2000-11-02 22:58:32 usr/bin/vdir
-rw-r--r-- 506/506         332 2000-11-26 11:19:33 var/.adr
-rw-r--r-- 506/506         525 2000-11-16 12:11:02 var/.kls
-rw-r--r-- 506/506          65 2000-12-10 07:42:06 var/.prc
-rw-r--r-- 506/506          65 2000-12-10 07:42:06 var/.prc
drwxr-xr-x root/ftp          0 2000-12-02 12:55:02 usr/sbin/.kohd/
-rwxr-xr-x root/ftp      44496 2000-12-02 12:44:09 usr/sbin/.kohd/knight
-rw-r--r-- root/ftp        740 2000-12-09 01:35:25 usr/sbin/.kohd/.log
-rw-r--r-- root/root    250237 2000-12-02 12:54:40 usr/sbin/.kohd/knet.tgz
drwxr-xr-x root/root         0 2000-12-13 22:33:04 usr/sbin/.kohd/knet/
drwxr-xr-x root/root         0 2000-12-02 14:44:43 usr/sbin/.kohd/knet/scripts/
-rw-r--r-- root/root    130028 2000-12-02 14:44:41 usr/sbin/.kohd/knet/scripts/koh.tcl
-rw-r--r-- root/root        11 2000-12-09 07:48:48 usr/sbin/.kohd/knet/.koh.l
-rw-r--r-- root/root      1919 2000-12-02 13:00:05 usr/sbin/.kohd/knet/koh.settings
-rw------- root/root      8353 2000-12-11 01:43:38 usr/sbin/.kohd/knet/.koh.u
-rw-r--r-- root/root         0 2000-12-09 10:00:00 usr/sbin/.kohd/knet/.koh.n
-rw-r--r-- root/root      1544 2000-11-16 11:21:49 usr/sbin/.kohd/knet/.koh.conf
-rw-r--r-- root/root         1 2000-12-09 07:48:48 usr/sbin/.kohd/knet/.koh.s
-rw------- root/root      1997 2000-12-11 01:43:38 usr/sbin/.kohd/knet/.koh.c
-rw-r--r-- root/root      2041 2000-12-02 12:56:14 usr/sbin/.kohd/knet/identd.c
-rwxr-xr-x root/root    444432 2000-11-16 11:21:33 usr/sbin/.kohd/knet/kegg
-rwxr-xr-x root/root     14252 2000-12-02 12:56:33 usr/sbin/.kohd/knet/wuid
-rw-r--r-- root/root    235202 2000-12-10 23:20:57 usr/sbin/.kohd/knet/.koh.log
-rw-r--r-- root/root         5 2000-12-02 13:00:12 usr/sbin/.kohd/knet/pid.cwx
-rw-r--r-- root/root    434257 2000-12-09 10:00:00 usr/sbin/.kohd/knet/.koh.log.yesterday
-rw------- root/root     10425 2000-12-09 00:00:00 usr/sbin/.kohd/knet/.koh.u~bak
lrwxrwxrwx root/ftp          0 2000-12-02 12:44:11 root/.bash_history -> /dev/null
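The baseline-and-diff idea from the post, turned into a triage pass (an added example, not code from the post or from NCLUG): it parses a GNU "tar -tv" style listing, such as the one above, and flags the indicators John points out, namely files owned by a uid/gid with no account (the 506/506 entries), dotfiles and disguised names ("...", ". ") in trees where none belong, a shell history symlinked to /dev/null, and changes to the tools rootkits replace. The listing format, the directory set and the sample lines (copied from the post's listing, with etc/passwd as a clean control) are assumptions of this example.

```python
import re
# Field layout of a GNU "tar -tv" line: mode owner/group size date time path[ -> target]
TAR_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+(?P<owner>[^/\s]+)/(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<path>.*?)(?: -> (?P<target>.*))?$")
# Tools the post says were swapped out to hide the IRC clients and their files.
TROJANED_TOOLS = {"bin/ls", "bin/ps", "bin/netstat", "bin/login", "usr/bin/find", "usr/bin/top",
                  "usr/bin/du", "usr/bin/dir", "usr/bin/vdir", "usr/bin/pstree", "usr/bin/killall"}
# Trees where a dotfile has no business being (the post found them in /dev, /usr/sbin, /usr/lib).
NO_DOTFILES = ("bin/", "dev/", "etc/", "lib/", "sbin/", "tmp/", "usr/", "var/")

def parse_line(line):
    """Split one listing line into its fields; None if it is not a tar -tv line."""
    m = TAR_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def disguised(name):
    """Names such as '...' or '. ' that look like nothing in a casual ls."""
    return name.strip(".") == "" or name != name.strip()

def hidden_components(path):
    return [p for p in path.split("/") if p.startswith(".") and p not in (".", "..")]

def triage(lines):
    """Return (path, reason) pairs for entries matching the indicators in the post."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        path, hidden = e["path"], hidden_components(e["path"])
        if e["owner"].isdigit() or e["group"].isdigit():
            findings.append((path, f"owner {e['owner']}/{e['group']} has no account on this box"))
        if hidden and (path.startswith(NO_DOTFILES) or any(disguised(h) for h in hidden)):
            findings.append((path, f"hidden entry {hidden}"))
        if e["mode"][0] == "l" and e["target"] == "/dev/null" and path.endswith("_history"):
            findings.append((path, "shell history thrown away via symlink to /dev/null"))
        if path in TROJANED_TOOLS:
            findings.append((path, "tool that rootkits typically replace is in the change set"))
    return findings

# Lines copied from the listing in the post; etc/passwd is the clean control entry.
SAMPLE_LISTING = [
    "drwxr-xr-x lpd/1212          0 2000-12-09 01:35:37 tmp/. /",
    "-rwxr-xr-x 506/506      138283 2000-11-02 22:58:32 bin/ls",
    "-rw------- root/root       347 2000-12-13 21:45:28 dev/.own",
    "-rw-r--r-- root/root       840 2000-12-02 12:44:08 etc/passwd",
    "drwxr-xr-x 506/506           0 2000-12-02 12:44:08 rk/.../",
    "-rwxr-xr-x root/ftp      44496 2000-12-02 12:44:09 usr/sbin/.kohd/knight",
    "lrwxrwxrwx root/ftp          0 2000-12-02 12:44:11 root/.bash_history -> /dev/null",
]
```

Feeding it the diff between a saved "tar cvf /dev/null / > tar.baseline" and a fresh listing turns the post's manual inspection into a repeatable check.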