[NCLUG] Re: D. Herrington's trouble

johncrout johncrout at yahoo.com
Sun Jun 1 20:23:33 MDT 2003


Excerpted from Digest:

-- snip

> Daniel> ...rootkit listing output snipped...
>
> Daniel> So obviously, the server has been hacked! This is very
> Daniel> irritating. Now I need to fix it, but I have questions about
> Daniel> what happened:
>
> Daniel> Is anyone familiar with this type of hack? If so, was it
> Daniel> probably done through some service I should've had turned off,
> Daniel> or some other way?
>
> Daniel> This server is running RedHat 7.2. I admit I've been lazy
> Daniel> about installing security fixes. Am I better off just

-- snip

If you are able to peruse your httpd logs, check access_log for connections that use the "CONNECT" method. I can't swear I recall the details correctly, but what I recall is that this method will permit a direct connection to mod_ssl, which in your case was vulnerable. I was running the same RH version when my firewall was kitted. As for the length of time required to attack:

I was screwing around with Netfilter, so didn't trust my firewall. As a result, I shut it down. When I needed to access email -- once every couple of days while messing with Netfilter -- I opened the interface to traffic. After I shut it down each time, I'd browse the log files. As it happened, I shut the interface down 20 minutes after the fatal CONNECT method had been sent to Apache. The detail I documented over the next 4 hours, while trying to clean the infection, and over the next couple of days as I worked on the infected disk, after the fact, still boggles my mind.

For the most info on the web about what got me, go to http://www.trendmicro.com/ and search on "Unix Lion.A".

I zipped up most of the infected directories, then FTPd them to a Windows box. That night, when Symantec antivirus ran, it found 26 copies inside the zip archives. The identified bugs (those I remember) were: hacktool.rootkit, uboot, pkparser. Fine, or so I thought, until I went to trendmicro a couple of days later and their tool found the Unix Lion.A-2 trojan, which trendmicro doesn't have documented. (The A-1 variant edits logfiles after the .A variant does its magic.)

Eventually, I also found a boot sector virus on a disk that had been booting to Windows 98, and in the boot sector was this string: 0123456789ABCDEF. The trendmicro docs said that one of these trojans (don't recall which) was designed to launch DoS attacks by repeatedly sending the string "0123456789ABCDEF".

What wasn't explained in anything I read was the extensive directory structure that had been created on the Linux box. I don't recall where it was, but believe it was underneath /var/tmp. All installed files were binary, and the directories that had been created had bits set by chattr (if I recall the first two letters correctly). This was my intro to these other bits, since none of the chmod, chown, chgrp commands would run on these directories.

My thanks to J Bass for knocking on my door at the ungodly hour, when he happened to drop by as he was returning home from one of CWX's hilltops. Otherwise I would have tossed the machine from the third story window trying to get chmod to run against those dirs.

Another newbie is initiated...
-- rootkit.j.crout
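The access_log check suggested above, as an added example that is not part of the original post: it parses Apache common-format log lines, lists every request that used the CONNECT method, and reports per client how many there were and the first and last time one was seen, which bounds the window an investigator has to reconstruct. The log lines below are constructed for the example (RFC 5737 documentation addresses), not taken from the author's machine.

```python
import re
from collections import defaultdict

# Apache common/combined log layout: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access_log lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2003:19:40:01 -0600] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Jun/2003:19:41:12 -0600] "CONNECT 203.0.113.5:443 HTTP/1.0" 405 321
192.0.2.10 - - [01/Jun/2003:19:42:30 -0600] "GET /favicon.ico HTTP/1.0" 404 209
198.51.100.7 - - [01/Jun/2003:19:43:05 -0600] "CONNECT 203.0.113.5:443 HTTP/1.0" 405 321
this line is deliberately malformed and must be skipped, not crash the scan
198.51.100.9 - - [01/Jun/2003:20:01:44 -0600] "POST /cgi-bin/form HTTP/1.1" 200 55
"""

def parse_line(line):
    """Return the fields of one access_log line as a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_connect_requests(lines):
    """Return (time, host, target, status) for every request that used CONNECT."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT":
            hits.append((rec["time"], rec["host"], rec["target"], int(rec["status"])))
    return hits

def summarize_by_host(hits):
    """Per client: CONNECT count plus first/last timestamp (lines assumed chronological)."""
    per_host = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for time, host, _target, _status in hits:
        entry = per_host[host]
        entry["count"] += 1
        entry["first"] = entry["first"] or time
        entry["last"] = time
    return dict(per_host)

if __name__ == "__main__":
    for host, info in summarize_by_host(find_connect_requests(SAMPLE_LOG.splitlines())).items():
        print(f"{host}: {info['count']} CONNECT(s), first {info['first']}, last {info['last']}")
```

Point it at a real file with `find_connect_requests(open("/var/log/httpd/access_log"))`; the malformed-line handling matters because a compromised box's logs are often partly truncated or edited.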