[NCLUG] Re: D. Herrington's trouble
johncrout
johncrout at yahoo.com
Sun Jun 1 20:23:33 MDT 2003
Excerpted from Digest:
-- snip
> Daniel> ...rootkit listing output snipped...
>
> Daniel> So obviously, the server has been hacked! This is very
> Daniel> irritating. Now I need to fix it, but I have questions about
> Daniel> what happened:
>
> Daniel> Is anyone familiar with this type of hack? If so, was it
> Daniel> probably done through some service I should've had turned off,
> Daniel> or some other way?
>
> Daniel> This server is running RedHat 7.2. I admit I've been lazy
> Daniel> about installing security fixes. Am I better off just
-- snip
If you are able to peruse your httpd logs, check access_log for connections that use the "CONNECT" method. I can't swear I recall the details correctly, but what I recall is that this method will permit a direct connection to mod_ssl, which in your case was vulnerable. I was running the same RH version when my firewall was kitted.

As for the length of time required to attack: I was screwing around with Netfilter, so didn't trust my firewall. As a result, I shut it down. When I needed to access email -- once every couple of days while messing with Netfilter -- I opened the interface to traffic. After I shut it down each time, I'd browse the log files. As it happened, I shut the interface down 20 minutes after the fatal CONNECT method had been sent to Apache. The detail I documented over the next 4 hours, while trying to clean the infection, and over the next couple of days as I worked on the infected disk, after the fact, still boggles my mind.

For the most info on the web about what got me, go to http://www.trendmicro.com/ and search on "Unix Lion.A".

I zipped up most of the infected directories, then FTPd them to a Windows box. That night, when Symantec antivirus ran, it found 26 copies inside the zip archives. The identified bugs (those I remember) were: hacktool.rootkit, uboot, pkparser. Fine, or so I thought, until I went to trendmicro a couple of days later and their tool found the Unix Lion.A-2 trojan, which trendmicro doesn't have documented. (The A-1 variant edits logfiles after the .A variant does its magic.)

Eventually, I also found a boot sector virus on a disk that had been booting to Windows98, and in the boot sector was this string: 0123456789ABCDEF. The trendmicro docs said that one of these trojans (don't recall which) was designed to launch DOS attacks by repeatedly sending the string "0123456789ABCDEF".

What wasn't explained in anything I read was the extensive directory structure that had been created on the Linux box. I don't recall where it was but believe it was underneath /var/tmp. All installed files were binary, and the directories that had been created had bits set by chattr (if I recall the first two letters correctly). This was my intro to these other bits, since none of the chmod, chown, chgrp commands would run on these directories.

My thanks to J Bass for knocking on my door at the ungodly hour when he happened to drop by, as he was returning home from one of CWX's hilltops. Otherwise I would have tossed the machine from the third story window trying to get chmod to run against those dirs.
Another newbie is initiated...
-- rootkit.j.crout
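An added example (mine, not from the original post or the NCLUG list) of the access_log check John describes: a Python scanner over Apache common-format log lines that reports CONNECT requests per source address, and also flags request lines that are not well-formed HTTP at all. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter

# Apache "common" log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A normal request line is "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'[A-Z]+ \S+ HTTP/\d\.\d')

# Constructed sample: ordinary traffic, two CONNECT requests from one host,
# and one request line that is raw (escaped) binary rather than HTTP.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2003:19:58:01 -0600] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [01/Jun/2003:19:58:02 -0600] "GET /images/logo.gif HTTP/1.0" 200 2314
192.0.2.77 - - [01/Jun/2003:20:03:14 -0600] "CONNECT 10.0.0.1:443 HTTP/1.0" 200 -
192.0.2.77 - - [01/Jun/2003:20:03:15 -0600] "CONNECT 10.0.0.1:443 HTTP/1.0" 200 -
198.51.100.9 - - [01/Jun/2003:20:10:40 -0600] "\\x16\\x03\\x01" 400 -
"""

def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["req"].split(" ")
    entry["method"] = parts[0]
    entry["target"] = parts[1] if len(parts) > 1 else ""
    return entry

def find_connect_requests(log_text):
    """Entries whose method is CONNECT: the check recommended in the post."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and e["method"] == "CONNECT"]

def find_malformed_requests(log_text):
    """Entries whose request line is not 'METHOD target HTTP/x.y' at all."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and not REQ_RE.fullmatch(e["req"])]

def connect_sources(log_text):
    """Count CONNECT requests per source address for triage."""
    return Counter(e["ip"] for e in find_connect_requests(log_text))

if __name__ == "__main__":
    for e in find_connect_requests(SAMPLE_LOG):
        print(e["ts"], e["ip"], e["method"], e["target"], e["status"])
    print(dict(connect_sources(SAMPLE_LOG)))
    print(len(find_malformed_requests(SAMPLE_LOG)), "malformed request line(s)")
```

A CONNECT hit is a lead, not proof: confirm it against the rootkit listing and the chattr'd directories, and remember that the A-1 variant is said to edit logfiles, so an empty result does not clear the box.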