[NCLUG] how was I hacked?

Michael Milligan milli at acmeps.com
Sun Jun 1 15:51:35 MDT 2003


jbass at dmsd.com wrote:
> I would like a tar file of the tool kit files and kernel modules attacked
> in this round .... moving the sniffer and back door into kernel modules
> (guess on my part) is certainly the next round in root kits as they can
> leave the filesystem clean for tripwire with only the running kernel memory
> compromised.

A buddy of mine, also running a "left alone" Redhat box, was hit with an 
LKM root kit well over a year ago through a vulnerable FTP daemon, so 
these attacks are nothing new.  I found a rogue sshd had been installed 
(showing that "using passwords over ssh is safe" is really not all that 
safe), and multiple IRC servers were running to pass collected passwords 
somewhere...  the log files of the chats from ircd that I could find 
were in Dutch.  None of these running processes showed up on "ps" output 
on the box itself, but using a known good "ps" showed the rogue sshd. 
As I recall, a loadable kernel module (hence LKM root) was used to hide 
the ircds (by modifying the /proc syscalls, I'm sure).

Even in this case, tripwire still would have been effective since the ps 
command (and others) had been modified.  It was actually a rather sloppy 
rooting job IMHO.  ;-)  LKM attacks, like you said, can be done without 
touching any sensitive areas of the file system.  Unfortunately, a 
reboot will kill it too; at least, I can't think of a way for the kit to 
become active upon reboot without having compromised something on the 
file system.

This experience prompted me to keep a fresh, bootable Debian 
install/rescue CD handy just in case something like this ever hits me 
(fingers crossed).  All the forensic sites will tell you to have a "jump 
disk" available to boot from so you can examine the system and/or take a 
snapshot for use in court when you sue the pants off some hacker...

See http://www.porcupine.org/forensics/tct.html
Also, http://www.chkrootkit.org/

Regards,
Mike

-- 
Michael Milligan  --  Free Agent  --  milli at acmeps.com
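The cross-view check described in the post (a known-good ps showing what the box's own ps would not), worked through as an added example rather than code from the original message or from chkrootkit: it compares the /proc directory listing, which a hooked getdents() can filter, against a by-name probe of every candidate PID, the approach chkrootkit's chkproc takes. The fake /proc builder and the PIDs used with it are constructed for offline use.

```python
"""Cross-view check for processes hidden from the /proc listing.
Added example, not from the original post. A kernel module hooking
getdents() can drop /proc/<pid> entries from directory listings (the
view ps relies on) while the entry still resolves when opened by name;
comparing the two views, as chkrootkit's chkproc does, flags the gap.
"""
import os
import subprocess
import tempfile

def pids_from_readdir(proc="/proc"):
    """PIDs as a directory listing of /proc reports them."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pids_from_probe(proc="/proc", max_pid=None):
    """PIDs found by probing /proc/<pid>/status for every candidate."""
    if max_pid is None:  # walking all of pid_max is slow; that is the point
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(os.path.join(proc, str(pid), "status"))}

def pids_from_ps():
    """PIDs as the installed ps reports them; a trojaned ps lies here."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(field) for field in out.split()}

def hidden_pids(visible, probed, recheck=lambda pid: True):
    """PIDs in the probe view but not the listing view. recheck(pid) is
    consulted once more so a process that merely exited between the two
    passes is not reported as hidden."""
    return sorted(pid for pid in probed - visible if recheck(pid))

def make_fake_proc(pids):
    """Constructed sample /proc tree for offline demonstration and tests."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid in pids:
        os.makedirs(os.path.join(root, str(pid)))
        open(os.path.join(root, str(pid), "status"), "w").close()
    return root

if __name__ == "__main__":
    # Live run: anything the probe finds that neither readdir nor ps lists.
    still_there = lambda pid: os.path.exists(f"/proc/{pid}/status")
    suspects = hidden_pids(pids_from_readdir() | pids_from_ps(),
                           pids_from_probe(), recheck=still_there)
    print("PIDs hidden from the listing:", suspects or "none")
```

A live run finds only listing-level hiding; a kit that also hooks the open/stat path for its PID directory defeats this view and needs a check from outside the running kernel, which is the point of the boot CD the post recommends.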